On 08/04/2011 01:26 AM, Mark McLoughlin wrote:
On Wed, 2011-08-03 at 19:43 -0400, Dmitri Pal wrote:
On 08/03/2011 10:45 AM, Mark McLoughlin wrote:
On Fri, 2011-07-29 at 18:57 +0100, Martyn Taylor wrote:
We intend to use OAuth across components for authentication. This would require adding OAuth Provider support to conductor and OAuth client support to each component accessing protected resources. Katello already supports OAuth (two-legged), which hopefully means relatively straightforward integration once we have the other parts in place.
I think there's been some confusion about OAuth, what Katello uses it for and what we would use it for.
In Katello's case, it is actually an OAuth consumer and uses it when authenticating against Candlepin and Pulp's REST APIs.
Two-legged means that Candlepin/Pulp don't authenticate a user, but rather authenticate Katello using a shared secret. Katello passes Candlepin/Pulp the username via an HTTP header.
IMHO, the comparable case for us is Conductor authenticating against IWHD and Image Factory.
Exactly! I am just struggling with understanding why and how it is better than, say, SSL? Is it faster? Is there a good key management infrastructure and tools? If yes, great; if no, should we be worried about this and pick other credentials that we already have tools for?
I assume two-legged OAuth was chosen over X.509 client certificates purely for the sake of simplicity.
Yes. It assumes a common namespace for users, and that is all.
-- bk
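
The two-legged exchange described in the thread, as an added example that is not part of the original messages or any project's code: the consumer signs each request with OAuth 1.0 HMAC-SHA1 using only the shared secret, and the username travels in a separate header. The header name `X-Remote-User`, the consumer key and secret, and the URL are constructed assumptions.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def _enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def signature(method, url, params, consumer_secret):
    # Signature base string: METHOD & encoded base URL & encoded sorted parameters
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    # Two-legged: there is no token, so the token-secret half of the key is empty
    key = _enc(consumer_secret) + "&"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, query, consumer_key, consumer_secret, username):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = signature(method, url, {**query, **oauth}, consumer_secret)
    # The username rides in a plain header (hypothetical name); the OAuth
    # signature does not cover it, only the method, URL and parameters.
    return {"oauth": oauth, "headers": {"X-Remote-User": username}}

def verify_request(method, url, query, request, secrets_by_key, max_skew=300):
    """Provider side: return the asserted username, or None if rejected."""
    oauth = dict(request["oauth"])
    sent = oauth.pop("oauth_signature")
    secret = secrets_by_key.get(oauth["oauth_consumer_key"])
    if secret is None or abs(time.time() - int(oauth["oauth_timestamp"])) > max_skew:
        return None
    expected = signature(method, url, {**query, **oauth}, secret)
    if not hmac.compare_digest(expected, sent):  # constant-time comparison
        return None
    # A real provider would also reject a nonce it has already seen.
    # The consumer is now authenticated; the user is only asserted by it.
    return request["headers"]["X-Remote-User"]
```

Because the username header is outside the signature, the provider is trusting the authenticated consumer to name the user honestly, and the header's integrity in transit depends on TLS rather than on OAuth.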