Authors: Asier Aguado Corman, Jack Henschel, Hannah Short, Sebastian Lopienski
Abstract
The need for Single Sign-On (SSO) in command line interfaces is not new to CERN. Over the years, different technologies have been introduced and internal solutions implemented to let users authenticate to remote servers or applications from their terminals. For web services, the most common approach was cookie-based authentication, for which an internal tool was developed and made available to the whole CERN user community. As the authorisation infrastructure evolved to fully support the OAuth 2.0 standard and two-factor authentication (2FA), the internal tool started to show its limitations. In this work we present the past and present (OAuth-compliant) solutions and compare their advantages and disadvantages as observed in practice. We also present a case study of a service, OpenShift, that has adopted the new authentication solution for its users.
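To make the shift from cookie-based to OAuth-compliant CLI login concrete, here is a worked simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628): the terminal shows a short code, the user completes the browser login (SSO and 2FA included) on the authorization server, and the CLI polls the token endpoint until a Bearer token is issued. This is an added example, not code from the paper or from CERN's tools, and the abstract does not state which OAuth 2.0 grant the new solution uses; the authorization server, resource server, client_id, scope, verification URI and polling interval are all assumptions, simulated in-process so the example runs offline.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628) driving a CLI login, offline.

Added example; not code from the paper or from CERN's tools. The authorization
server is an in-process fake (no network); client_id, verification_uri, scope
and polling interval are assumptions chosen for illustration.
"""
import secrets

AUTHORIZATION_PENDING = "authorization_pending"
SLOW_DOWN = "slow_down"
EXPIRED_TOKEN = "expired_token"


class FakeClock:
    """Deterministic clock so the polling loop runs instantly and reproducibly."""
    def __init__(self, start=1000.0):
        self.now = start
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


class FakeAuthorizationServer:
    """Minimal device-flow AS: issues codes, enforces the poll interval, hands out tokens."""
    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.devices = {}        # device_code -> pending authorization state
        self.by_user_code = {}   # user_code -> device_code
        self.tokens = {}         # access_token -> (client_id, scope)

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.devices[device_code] = {"client_id": client_id, "scope": scope,
                                     "approved": False, "issued": self.clock(),
                                     "last_poll": None, "interval": self.interval}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example.org/device",  # assumed URI
                "expires_in": self.lifetime, "interval": self.interval}

    def user_approves(self, user_code):
        """Browser side: the user completes SSO login (2FA included) and approves the code."""
        self.devices[self.by_user_code[user_code]]["approved"] = True

    def token(self, client_id, device_code):
        st = self.devices.get(device_code)
        if st is None or st["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - st["issued"] > self.lifetime:
            return {"error": EXPIRED_TOKEN}
        too_fast = st["last_poll"] is not None and now - st["last_poll"] < st["interval"]
        st["last_poll"] = now
        if too_fast:
            st["interval"] += 5            # RFC 8628 section 5.2: client must back off
            return {"error": SLOW_DOWN}
        if not st["approved"]:
            return {"error": AUTHORIZATION_PENDING}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, st["scope"])
        del self.devices[device_code]      # a device code is single use
        return {"access_token": access_token, "token_type": "Bearer", "scope": st["scope"]}

    def resource(self, authorization_header):
        """Resource server: accept only a Bearer token this AS issued."""
        scheme, _, tok = authorization_header.partition(" ")
        if scheme != "Bearer" or tok not in self.tokens:
            return 401, None
        return 200, {"scope": self.tokens[tok][1]}


def cli_login(server, client_id, scope, clock, sleep, on_prompt):
    """CLI side: request a code, show it to the user, poll until the token arrives."""
    resp = server.device_authorization(client_id, scope)
    on_prompt(resp["verification_uri"], resp["user_code"])
    interval, deadline, polls = resp["interval"], clock() + resp["expires_in"], 0
    while clock() < deadline:
        sleep(interval)
        polls += 1
        tok = server.token(client_id, resp["device_code"])
        if "access_token" in tok:
            return tok, polls
        if tok["error"] == SLOW_DOWN:
            interval += 5                  # honour the server's back-off request
        elif tok["error"] != AUTHORIZATION_PENDING:
            raise RuntimeError(tok["error"])
    raise TimeoutError("device code expired before the user approved it")


def run_demo(approve_after=12):
    """Wire everything together; the user 'approves' approve_after seconds after the prompt."""
    clock = FakeClock()
    server = FakeAuthorizationServer(clock)
    state = {}

    def on_prompt(uri, code):
        print(f"Open {uri} and enter code {code}")
        state["code"], state["approve_at"] = code, clock() + approve_after

    def sleep(seconds):                    # stands in for time.sleep and plays the user
        clock.sleep(seconds)
        if "code" in state and clock() >= state["approve_at"]:
            server.user_approves(state.pop("code"))

    tok, polls = cli_login(server, "cli-client", "openid", clock, sleep, on_prompt)
    status, body = server.resource(f"Bearer {tok['access_token']}")
    bad_status, _ = server.resource("Bearer not-a-real-token")
    return {"polls": polls, "status": status, "scope": body["scope"], "bad_status": bad_status}


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is the one behind the move away from the cookie tool: the CLI never handles the user's password, cookie or second factor, it only holds a short user code and later a Bearer token, and the interactive part (including 2FA) happens wherever the browser login normally does. The `slow_down` and `expired_token` branches are the two failure modes a real client must handle, since a Keycloak-style server will throttle or expire an abandoned code.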