Status on:
- Brian Van Klaveren 's demonstration of the integration of authentication with WebDAV
- This week's work on integration of the Portal with the authentication proxy
Authentication integration
Issues with the proxy buffer size — tokens and cookies are > 4KB
Tried to configure per-location; Matt tried to do it at the ingress level but had problems; applying configuration at the server block level in Inginx works
Loi gets token from X-Auth-Request header
Loi modified ingress rules to add an auth URL in the K8s configuration to enable authentication
Two issues: timeout is set to 10 minutes and may not be working quite right; Loi can store X-Auth-Request for every request and would then always have a fresh token to pass to DAX services, or can get a refresh token but he needs CILogon OAuth2 client secret
Refresh token would have to be managed by Portal
- Using tokens from web requests is not sufficient as Portal may issue DAX requests autonomously long after the last web request
Token re-issuer could be used to extend lifetime of tokens, but not quite done yet, and integrating into the authorizer is only a short-term solution
Custom code needed in notebook to manage tokens at all; could build in refresh token handling
Refresh token handling can use client secret or not (by using PKCE); long-term solution is using PKCE
Frossie: Do we have an enumeration of authentication interactions? Discuss offline with timelines; meeting set for 2019-01-25
Fritz: Do we need refresh functionality within DAX APIs? DAX will get a 24 hour or longer reissued token for every request
Loi can use the current functionality with 15 minute lifetime, accessing WebDAV and DAX services (via configured new ingress)
Perhaps use token reissuer for non-DAX clients? But token would leave our domain
WebDAV from clients
Need to set up a page to issue tokens
Token would have to be pasted into a client in the username or password field
- But works today within a web browser
Authentication has only a 15 minute lifetime for now
Only pointing at /datasets for now
Do a public demo?