Speakers
Description
Although the initial authentication and authorization mechanisms of the EGI Federated Cloud were based on X.509 certificates and VOMS proxies, it has been shown to be an obstacle for the integration of additional components, such as Platform and Software as a Service components or simply web portals.Nowadays, EGI.eu is transitioning its Authentication and Authorization infrastructure from X.509 certificates and proxies towards the use of the EGI Check-In and the OpenID Connect standard. The most widely used Cloud Management Framework in the EGI Federated Cloud is OpenStack, an open source cloud software system whose development is community driven. The Identity component of the OpenStack cloud distribution (code named Keystone) is a REST service that leverages the Apache HTTP server and a 3rd party module named “mod_auth_openid” to provide OpenID Connect authentication to an OpenStack Cloud. Due to the current status of these components, the OIDC standard is not purely implemented and this makes it impossible to configure two different providers at a single resource center to be used from command line tools.
Supported by EGI Strategic and Innovation Fund, IFCA advanced computing and e-Science group has implemented a keystone plugin to enable Open ID configurations in a standard-manner, which will also make possible to consume Oauth 2.0 tokens and make requests to the corresponding Oauth 2.0 introspection endpoints even from a command line interface. Furthermore, it solved the limitation to configure only one provider at a single resource.
The proposed demonstration will show how to install, configure and deploy this plugin in an OpenStack instance.
Plugin available at: [https://github.com/IFCA/keystone-oidc-auth-plugin]
