#1173 [RFE] Make FreeIPA an OAuth provider
Closed: Invalid. Opened 13 years ago by admiyo.

There is demand for Web Only authentication mechanisms. The two leading contenders are OpenID and OAuth.
It is quite likely that we can handle both with a single implementation.

This ticket covers the OAuth implementation.


Does this really make sense? OpenID and OAuth aren't really contenders, they're more of complementary technologies. Let me quote http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing:
Open ID gives you one login for multiple sites. Each time you need to log into Zooomr – a site using Open ID – you will be redirected to your Open ID site where you login, and then back to Zooomr. OAuth lets you authorise one website – the consumer – to access your data from another website – the provider. For instance, you want to authorise a printing provider – call it Moo – to grab your photos from a photo repository – call it Flickr. Moo will redirect you to Flickr which will ask you, for instance, “Moo wants to download your Flickr photos. Is that cool?”, and then back to Moo to print your photos.
In what way would the provider/consumer pattern be used in IPA?

If you think about it, though, the idea of Moo going to Flickr and asking for a resource requires a secure authentication mechanism in the first place. It is a superset of what OpenID provides.

The mechanism that both OAuth and OpenID use is the same: redirection from auth consumer to auth provider and then back again. What differs is what information is sent.

We've talked with people on different projects. There are requests for both mechanisms. Fedora Auth Service (FAS) already provides OpenID. Candlepin and Pulp use OAuth. I propose that we view them merely as different protocols that we service from a common code source.
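
To illustrate the "same redirect, different payload" argument above, here is an added example (not FreeIPA code, and not part of the ticket): a toy provider that shares the consumer registration, return-URL check and one-time state handling between the two protocols, and differs only in what it sends back on the redirect. Consumer names, URLs and the `identity`/`access_token` parameters are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registry: consumers must pre-register the URL they may be sent back to.
REGISTERED_CONSUMERS = {"moo": {"return_to": "https://moo.example/callback"}}


class RedirectProvider:
    """Common redirect handling; only the returned information is protocol-specific."""

    def __init__(self):
        self._pending = {}   # state -> (consumer, protocol); each state is single use
        self.tokens = {}     # access_token -> (user, consumer), OAuth mode only

    def begin(self, consumer, protocol, return_to):
        # Shared by both protocols: refuse unknown consumers and unregistered
        # return URLs (an open redirect otherwise), then bind an unguessable
        # state value to this in-flight request.
        reg = REGISTERED_CONSUMERS.get(consumer)
        if reg is None or reg["return_to"] != return_to:
            raise ValueError("unknown consumer or unregistered return URL")
        if protocol not in ("openid", "oauth"):
            raise ValueError("unsupported protocol")
        state = secrets.token_urlsafe(16)
        self._pending[state] = (consumer, protocol)
        return state

    def complete(self, state, user, approved=True):
        # Redirect back to the consumer. The state must match a pending request
        # and is consumed, so a forged or replayed callback is rejected.
        if state not in self._pending:
            raise ValueError("unknown or already used state")
        consumer, protocol = self._pending.pop(state)
        params = {"state": state}
        if protocol == "openid":
            params["identity"] = f"https://idp.example/id/{user}"   # who the user is
        elif not approved:
            params["error"] = "access_denied"
        else:
            token = secrets.token_urlsafe(24)
            self.tokens[token] = (user, consumer)
            params["access_token"] = token   # what the consumer may access on the user's behalf
        return REGISTERED_CONSUMERS[consumer]["return_to"] + "?" + urlencode(params)


def consumer_callback(redirect_url, expected_state):
    """Consumer side: parse the redirect and reject it unless state matches what we issued."""
    query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if query.get("state") != expected_state:
        raise ValueError("state mismatch")
    return query
```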

The point is to provide the identity in the form of OpenID from IPA for external consumption, rather than to allow an external identity to access IPA and respect OpenID identities from an external source. I think it should be clarified in the ticket.

Updated title reflects that the FreeIPA web server acts as an authentication provider to other servers.

This will never happen on the FreeIPA side. We would rather recommend installing an IdP server that is capable of FreeIPA integration. [https://fedorahosted.org/ipsilon/] has that support already; Keycloak (http://keycloak.jboss.org/) is planning it.

Metadata Update from @admiyo:
- Issue assigned to edewata
- Issue set to the milestone: Tickets Deferred

7 years ago
