12:04:55 <oddshocks> #startmeeting Fedora authentication
12:04:55 <zodbot> Meeting started Fri Aug  8 12:04:55 2014 UTC.  The chair is oddshocks. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:04:55 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
12:05:00 <oddshocks> #topic intro
12:05:09 <mhroncok> oddshocks: looks good
12:05:19 <oddshocks> Fedauth stands for fedora authentication provider
12:05:32 <oddshocks> mhroncok: am I messing up the #topic command?
12:05:46 <oddshocks> Anyone who has a badge has probably used Fedoauth
12:05:56 <oddshocks> you're asked for a username and password
12:06:06 <mhroncok> oddshocks: #topic should work like that
12:06:16 <mhroncok> oddshocks: not so important anyway
12:06:18 <oddshocks> any time you try to log in to an app run by the fedora infra team, it should prompt you for a FAS username and pass
12:06:23 <oddshocks> mhroncok: cool
12:06:41 <oddshocks> You either approve or reject your authentication when you log in
12:07:07 <oddshocks> there isn't much difference for the users between FAS 2.0 and 3.0. so this talk goes over what has changed that you DON'T see
12:07:26 <oddshocks> the login is a username and password between the two versions, but there have been a lot of improvements
12:08:06 <oddshocks> please note, this is not for authorization, only authentication: it's up to the app developer to decide what privs. to give to the user
12:08:22 <oddshocks> apps redirect you to fedoauth, which allows you to login and then redirects you to the app
12:08:27 <oddshocks> any questions so far?
12:08:35 <oddshocks> Started this project in Jan 2013
12:08:53 <oddshocks> Pat was not at FudCon that year, but still decided to do something
12:08:59 <oddshocks> (he was kind of bored)
12:09:44 <oddshocks> at that point, we had openid inside of FAS, but it was broken on multiple levels, but it didn't work out because it was very integrated and very not flexible at all. so we looked towards openID
12:10:21 <oddshocks> we had a lot of apps written in different frameworks which we needed to hook up to FAS, and each hooked up with FAS at every request, which is not what we wanted
12:11:13 <oddshocks> the way we did single login between apps was using the same domain name for the app and same for the cookie, so this didn't transfer over between the apps nicely. so we decided to use openid for everything, for better integration
12:11:45 <oddshocks> since we decided on this, all apps use openid, except for mirrormanager, bodhi, and the wiki, which we are going to upgrade later this year
12:11:49 <oddshocks> 1.0 w
12:12:14 <oddshocks> 1.0 was released on March 5. not huge but it had some issues like Bodhi FAS auth. people started asking for persona to be added to it
12:12:42 <oddshocks> the cookie became more than 4 kilobytes because we started adding more info to it. and this caused browsers to drop the cookie due to the size
12:12:52 <oddshocks> persona was a service created by mozilla
12:13:22 <oddshocks> we needed to re-write auth things because the fas session thing only had cookies. so came along fedoauth 2.0
12:13:35 <oddshocks> pat added more identifiers, like persona
12:13:54 <oddshocks> it was in the same codebase, but they weren't combined well at all.
12:14:11 <oddshocks> pat used the new session system which stored cookies in the database
12:14:29 <oddshocks> you might have logged in but redirected to the login page anyways. it didn't work well with that auth system
12:15:01 <oddshocks> so pat released Fedoauth 3.0. about 2 months old. complete re-write. there are quite a lot more files. the different parts are quite easy to maintain and contribute to.
12:15:33 <oddshocks> now we have a bunch of auth modules we can auth against. we can auth against Kerberos and other services even though most fedora systems just auth with FAS
12:15:51 <oddshocks> about to move to SAML since we get more flexibility and single logout, which is requested by a bunch of people
12:16:09 <oddshocks> now trying to add a user panel to FAS, which would allow you to do things like manage your approvals
12:16:33 <oddshocks> planning to allow "remember forever" but allow it to be revoked
12:16:45 <oddshocks> any ideas for more providers are welcome, please contact patrick
12:17:00 <oddshocks> we need a lot of work for these methods inside of fedoauth to provide more flexibility
12:17:28 <oddshocks> there have been a lot of people more interested in deploying this, like GNOME, and other big companies that pat isn't allowed to talk about ;) but they are switching to it
12:17:41 <oddshocks> we might or might not deploy SAML within fedora
12:17:58 <oddshocks> it's a smartcard based system -- physical token with open source software/authentication
12:18:09 <oddshocks> so far, 2 major re-writes of complete codebase
12:18:33 <oddshocks> trying to integrate into freeIPA -- cooperating with them, should be getting more stable
12:18:56 <oddshocks> please: give us your ideas, test, test security, please not in production, but set up your own servers
12:19:12 <oddshocks> there is a test instance. there are instructions in the repo for how to set it up yourself
12:19:22 <oddshocks> github search for "fedoauth"
12:19:42 <oddshocks> if you tell us you need to use the staging instance for official testing, please ask us
12:19:50 <oddshocks> otherwise set up your own instance
12:19:54 <oddshocks> Any questions?
12:20:03 <oddshocks> (now is the time to ask questions, if you're here in IRC)
12:20:07 <oddshocks> (I will relay them)
12:20:15 <oddshocks> Q: What can fedoauth do for me?
12:20:29 <oddshocks> A: fedoauth provides groups and members in FAS, with timezones
12:21:10 <oddshocks> cont: you can get a list of groups the user is a member of, which is great for developing security stuff for your apps
12:21:31 <oddshocks> toshio reminds us: remember that cookies have their limits: you might request all groups for a user and the cookie might be too big
12:21:46 <oddshocks> pat says: the browser might reject a cookie altogether if the cookie is too big
12:21:56 <oddshocks> Q: can I ask if a user is a member of a group
12:22:20 <oddshocks> A: yes, you can, and that is written in fedoauth. it's up to you if their permissions allow them to do something in your app.
12:22:53 <oddshocks> Q: so the cookie prob isn't strictly related to fedoauth?
12:23:13 <oddshocks> A: right. it's about how you decide to store that info in your app. it's the auth that you have to take into account with your app
12:23:19 <oddshocks> Any further Q's?
12:23:30 <oddshocks> Q: can you elaborate on future plans?
12:23:50 <oddshocks> Q cont: can you sign into FAS w/o password and username, with kerberos tickets?
12:24:28 <oddshocks> A: that's planned for this thursday. to allow kerberos tokens on your devices
12:24:38 <oddshocks> Pat: thanks for your attention!
12:24:47 <oddshocks> toshio: were you wanting to talk about web sylvia?
12:25:12 <oddshocks> A: basically it's a smartcard based system, was planning on bringing cards here for demo, didn't work out though, couldn't ship fast enough
12:25:21 <oddshocks> A: could show you, but you couldn't use it yet
12:25:31 <oddshocks> audience: you have 6 mins, demo :)
12:27:01 <oddshocks> If you want to test this hardware, request it from pat after the con. they arrived 1 day after pat left for the con. please email pat for one of these cards.
12:27:11 <oddshocks> you can use a smartcard reader to use it, or a phone for nfc.
12:27:22 <oddshocks> we might have a phone in this audience to demo this.
12:27:28 <oddshocks> (thanks, Toshio)
12:28:32 <oddshocks> pat didn't want to pay for a test cert for the test instance, that's why there was a warning there on the video
12:29:32 <oddshocks> so it just auth'd with the details on this card
12:30:30 <oddshocks> Pat: it does work.. just not with that card :)
12:30:40 <oddshocks> we are thinking about deploying this in fedora production
12:30:53 <oddshocks> we're thinking about how to get these cards to fedora contributors
12:31:00 <oddshocks> Q: how much does it cost to produce the card
12:31:15 <oddshocks> A: about $50 each if you produce in large quantities
12:31:22 <oddshocks> oh
12:31:25 <oddshocks> nvm
12:31:27 <oddshocks> 50 cents
12:31:44 <oddshocks> ;) (my bad)
12:31:50 <oddshocks> *applause*
12:32:24 <oddshocks> anyone wants to contact pat to get a card, feel free to email, or whatever
12:32:28 <oddshocks> will send you one!
12:32:31 <oddshocks> thanks all :)
12:32:45 <oddshocks> message pat for details, or contact me and i'll relay the message
12:40:53 <oddshocks> #endmeeting