[Girder-users] OAuth and the Girder API

Zach Mullen zach.mullen at kitware.com
Fri Feb 3 19:48:04 EST 2017 

Hi John,

Responded inline



On Fri, Feb 3, 2017 at 7:36 PM, John Roberts <John.Roberts at hsc.utah.edu>
wrote:

> Now that we have OAuth running, a number of questions came up:
>
>    1. Can we force both web and API authentication to exclusively use
>    OAuth and disallow the standard user/password login page?  Essentially,
>    we'd be offloading authentication and user name/password management
>    entirely to the external OAuth server.
>
> This feature isn't supported at the moment, but it would be
straightforward to write a plugin to do this, or enhance the existing OAuth
plugin to allow it.

>
>    1.
>    2. Does OAuth work with the Girder API?
>       - Would we need to modify girder_client, for example?
>       - What if 2-factor is turned on for the OAuth server?
>
> Yes, all interaction with the Girder server actually goes through the same
HTTP API, and all authenticated API requests use the same secure token
authentication system, regardless of whether the user logged in via OAuth
or a password managed by Girder. If multi-factor authentication is required
on the provider side during the OAuth workflow, I don't think that should
be a problem since I imagine that would be invisible to Girder.

>
>
> My current read of the girder_client is that it will not handle OAuth as a
> means of authentication.  I haven't figured out whether the underlying
> Girder API has a hook for directly invoking the Oauth authentication
> process.
>
Since OAuth is built around interactive user authentication in a web
browser, using it in the girder_client is not possible; instead, we
recommend using the API keys exposed by Girder to allow OAuth users to make
authenticated requests via girder_client.

> My colleague envisions users interacting with data on Girder using API
> calls from a Jupyter hub client.  Perhaps we could manage the
> authentication process using apikeys in that case, if OAuth isn't
> integrated in the Girder API authentication methods.
>
API keys would work in this case. Once you get the authentication token
from either a normal password login or via an API key, you can make
authenticated API requests in a uniform way.

I'm curious what you guys are doing regarding Jupyter integration; we
actually have some other efforts ongoing at the moment to implement Jupyter
+ Girder integration, there may be some opportunity to collaborate here.
Could you describe what you're doing in that regard?

Thanks,

Zach

> Thanks,
> John.
>
> _______________________________________________
> Girder-users mailing list
> Girder-users at public.kitware.com
> http://public.kitware.com/mailman/listinfo/girder-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://public.kitware.com/pipermail/girder-users/attachments/20170203/ced5841d/attachment.html>

More information about the Girder-users mailing list