Agenda, Discussion, and Action Items

Agenda & Discussion


Review OOD web architecture:


Which OAuth Tokens

Where to store them

Which OAuth Tokens for SSH to SP resources

Managing OOD portal local accounts

What about Scott Sakai's concerns

As an aside, a -major- hurdle to getting some other kind of authentication
adopted is that it requires maintaining and running non-standard software
in the critical path of authentication. If none of the
capability-restricting features of SciTokens will be used, pursuing an SSH
CA would speed adoption immensely. This is NOT an x509 PKI.
Rather than requiring extra binaries on the system, to accept SSH
certificates, modern OpenSSH requires one or two lines to the sshd config
file, and a file with the CA's public key.
I have developed an identity bridge that consumes Globus Auth access
tokens, and produces SSH CA certificates, with the intent that it can be
used for our OOD deployment. It's specific to SDSC's NSF resources, but
the process might be adapted to something that would work XSEDE-wide.

Try to fund OOD staff to help?

Action Items