OIDC Fed – Use cases from the relying parties: EGI Check-in & EUDAT B2ACCESS
Authentication and Authorisation for Research and Collaboration
Nicolas Liampotis, JRA1 Integrated AAI Developments / EGI Check-in, GRNET
Shiraz Memon, EUDAT B2ACCESS, JSC
42nd EUGridPMA meeting, Prague, CZ, 22 Jan 2018
EGI Check-in / EUDAT B2ACCESS: Overview
Check-in / B2ACCESS are multi-protocol identity and access management solutions:
- Developed in close collaboration with the AARC project in order to implement the recommendations of the AARC Blueprint Architecture and Policy Framework
- Registered in eduGAIN in order to make connected services available to 2,000+ universities and research institutes with little or no administrative overhead
- Allow the use of OIDC as an alternative to SAML2 for integrating services:
  - To support modern web standards (REST and JSON)
  - To enable federated access for non-browser-based resources, such as CLI tools and APIs
EGI Check-in / EUDAT B2ACCESS: OIDC Client Registration and Management
Three alternative means of OIDC client registration:
- Approval-based client registration via email
- Approval-based client registration via registration form
- Automatic client registration via registration form (only for testing/development environments!)
EGI Check-in / EUDAT B2ACCESS: Approval-based client registration via email
- OIDC Client Operators send an email containing a registration request to the OP Administrators
- The request contains the redirect/return URI and the purpose of the application
- OP Administrators review the client details and either register the client or reject the registration request
- The OP Administrators send an encrypted email reply containing the client credentials and the OIDC metadata information
EGI Check-in / EUDAT B2ACCESS: Approval-based client registration via registration form
- OIDC Client Operators fill in a registration form accessible via the OP web site
- The form requires the redirect/return URI, the purpose of the application, username, password (the client id/secret credentials), and other optional information
- OP Administrators approve/reject the registration request and Client Operators receive an email notification
EGI Check-in / EUDAT B2ACCESS: Automatic client registration via registration form
- OIDC Client Operators fill in a registration form accessible via the OP web site
- The form requires the redirect/return URI, the purpose of the application, username, password (the client credentials), and other optional information
- The client is registered automatically and operators receive an email notification
Only for testing/devel environment!
EGI Check-in / EUDAT B2ACCESS: In a nutshell
OPs adopt different approaches depending on the deployment environment:
- Testing/Development: automatic registration
- Production: approval-based registration
Problem:
- Automatic registration is not a trusted approach
- Approval-based approaches are trusted but cannot scale (administrators are contacted for every OIDC client registration request)
Goal: a "SCALABLE" and "TRUSTED" registration mechanism for OIDC clients

Approach        | Trusted | Scalable
Approval-based  | ✔️      | X
Automatic       | X       | ✔️
OIDC Fed        | ✔️      | ✔️
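The two registration paths contrasted above, modelled as OP-side logic in an added Python example that is not part of the slides or of the Check-in/B2ACCESS code bases. The function names, the environment names and the redirect URI rule (absolute https, no fragment, as RFC 6749 requires for web clients) are assumptions made for the illustration; the point it shows is that the automatic path hands out credentials with no human review, while the approval path issues nothing until an administrator acts.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed policy: automatic registration only in test/dev, as the slides state.
AUTO_REGISTER_ENVIRONMENTS = {"testing", "development"}


def validate_redirect_uri(uri: str) -> bool:
    """Accept only absolute https URIs with a host and no fragment (RFC 6749 s3.1.2)."""
    parts = urlparse(uri)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


@dataclass
class RegistrationRequest:
    redirect_uris: list          # what the form/email asks for
    purpose: str                 # purpose of the application
    contact: str                 # operator address for the notification email


@dataclass
class RegistrationResult:
    status: str                  # "rejected", "pending" or "registered"
    client_id: str = ""
    client_secret: str = ""
    reason: str = ""


def _issue_credentials() -> RegistrationResult:
    # Hypothetical credential issuance; real OPs persist these server-side.
    return RegistrationResult("registered", secrets.token_urlsafe(16), secrets.token_urlsafe(32))


def handle_registration(req: RegistrationRequest, environment: str) -> RegistrationResult:
    """Validate the request, then route it by deployment environment."""
    bad = [u for u in req.redirect_uris if not validate_redirect_uri(u)]
    if bad or not req.redirect_uris or not req.purpose.strip():
        why = f"invalid redirect URIs: {bad}" if bad else "missing redirect URI or purpose"
        return RegistrationResult("rejected", reason=why)
    if environment in AUTO_REGISTER_ENVIRONMENTS:
        return _issue_credentials()          # automatic: scalable, but nobody reviewed it
    return RegistrationResult("pending", reason="awaiting OP administrator approval")


def approve(pending: RegistrationResult) -> RegistrationResult:
    """Administrator approval: the step that makes the production path trusted but unscalable."""
    if pending.status != "pending":
        raise ValueError("only pending requests can be approved")
    return _issue_credentials()
```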
nliam@grnet.gr