[arvados-dev] API Authentication Options from C#

Albrecht, Tom tom.albrecht at roche.com
Wed Jul 19 08:49:32 EDT 2017


Hi Tom,

thanks a lot for this direct explanation. I had kind of guessed that this
is why there is no direct API authentication and you are forced to use a
browser, but here all my colleagues were focused on finding workarounds to
still log in without a browser. But it is good to know that this is
purposely prevented and even if we did find a workaround, that may be
closed in a future release. So now I will need to fully focus on finding a
browser-based solution.

In the meantime, I already tried out something using a browser window, but
got this error message:
Refused to display 'https://sso.ardev.XXX.com/users/ldap_sign_in' in a
frame because it set 'X-Frame-Options' to 'DENY'.

That seems to be another security feature to prevent shenanigans with the
login page. Is there any way to allow the X-Frame-Options, or is this also
built into Arvados, never to be changed?

Best regards

Tom


On Wed, Jul 19, 2017 at 2:26 PM, Tom Morris <tfmorris at curoverse.com> wrote:

> Hi Tom,
>
> [Adding a 3rd Tom to the conversation just to make things even more
> confusing]
>
> The whole point of the browser redirect scheme built into the OAuth2
> authentication flow is to prevent the user's password from being exposed to
> untrusted code which could snoop it. Authentication is done by Google or
> your corporate SSO or whoever controls the actual credentials and that's
> the only component that gets to see the password.
>
> Perhaps you could look at using something like the .Net WebBrowser class
> in your application? I'm not a C# or .Net expert, so I'm afraid I can't
> help out with the details.
>
> Best regards,
> Tom (the 3rd)
>
> --
> Tom Morris
> Director, Product Management
> Curoverse
>
>
> On Wed, Jul 19, 2017 at 2:31 AM, Albrecht, Tom <tom.albrecht at roche.com>
> wrote:
>
>> Hi Tom,
>>
>> thanks so much for taking time to answer my question. As far as I
>> understand, you describe the login procedure laid out in
>> http://doc.arvados.org/api/tokens.html.
>>
>> The core of my question actually concerns navigating to
>> https://your-apiserver-host/login
>> Am I right that this *requires* an actual *web browser* like Internet
>> Explorer or Chrome? I am calling the API from a C# application without a UI
>> or Web Browser, so ideally I would like to be able to log in without
>> actually displaying a web page in an actual browser once I got the username
>> and password, e.g. on the command line or a simple .net GUI. Do you see a
>> way to do this?
>> I saw the suggestion in the documentation to copy-paste the token from
>> the work bench to the command line to define an environment variable, but
>> that does not seem appropriate for our users. Other APIs offer the option
>> to pass https://your-apiserver-host/login/?username=XXX?password=XXX, but
>> it seems like Arvados purposely does not allow this possibility.
>>
>> Best regards
>>
>> Thomas
>>
>> On Tue, Jul 18, 2017 at 10:22 PM, Tom Clegg <tom at curoverse.com> wrote:
>>
>>> Hi Thomas,
>>>
>>> Your application can give the user a link/redirect to a URL like this:
>>>
>>> https://your-apiserver-host/login?return_to=https://your-application-host/any/desired/path
>>>
>>> (Of course the "return_to" value should be suitably escaped.)
>>>
>>> After a successful login, the user will be redirected to
>>> https://your-application-host/any/desired/path?api_token=X, where X is
>>> of course the newly issued token, and your application can take it
>>> from there -- typically saving X in a session store and redirecting to
>>> a cleaned URL so the api_token doesn't remain in the browser's
>>> Location bar.
>>>
>>> This is the same procedure Arvados Workbench uses, so it might be
>>> helpful to refer to the Workbench code as examples. Here are some of
>>> the relevant bits.
>>>
>>> https://github.com/curoverse/arvados/blob/master/apps/workbench/app/controllers/application_controller.rb#L511
>>>
>>> https://github.com/curoverse/arvados/blob/master/apps/workbench/app/models/arvados_api_client.rb#L232-L244
>>>
>>> https://github.com/curoverse/arvados/blob/master/apps/workbench/app/controllers/application_controller.rb#L586-L597
>>>
>>> --
>>> Tom Clegg
>>> Chief Architect
>>> Curoverse
>>>
>>>
>>> On Tue, Jul 18, 2017 at 3:52 AM, Albrecht, Tom <tom.albrecht at roche.com>
>>> wrote:
>>> > Hi,
>>> >
>>> > I hope you can point me in a direction to achieve an elegant
>>> > authentication for my Arvados API application.
>>> >
>>> > I am developing a plugin for a third-party software to download data
>>> > from our Arvados server. The software dictates the language and
>>> > platform: C# / .net and Windows. I managed to access the data using
>>> > .net's System.Net.HttpWebRequest class. What remains to be done is
>>> > implementing an elegant authentication.
>>> >
>>> > As a workaround, I logged into the Arvados Workbench using my browser
>>> > and copy-pasted the authentication token into my application. This
>>> > works but is not as user-friendly as I would like it to be. So my
>>> > question is how to achieve the authentication more elegantly without
>>> > a web browser, for instance by passing username and password to the
>>> > API up front or using some kind of single sign-on functionality
>>> > available in .net.
>>> >
>>> > Do you have any suggestions?
>>> >
>>> > Best regards
>>> >
>>> > Thomas
>>> >
>>>
>>


-- 

*Thomas Albrecht, PhD*

Senior Scientist

SIAD Solution Delivery & Architecture, pRED Informatics

Roche Pharma Research and Early Development


Roche Innovation Center Basel


F. Hoffmann-La Roche Ltd
Grenzacherstrasse 124
4070 Basel

Switzerland


Building: 92 / 7.01.09

Phone: +41 61 687 9804


*Confidentiality Note: This message is intended only for the use of the
named recipient(s) and may contain confidential and/or proprietary
information. If you are not the intended recipient, please contact the
sender and delete this message. Any unauthorized use of the information
contained in this message is prohibited.*
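Worked example added by the editor, not code from this thread or from the Arvados project: one way to complete the /login?return_to= flow described by Tom Clegg from a C# program with no embedded browser. It opens the user's real browser on the login URL and catches the redirect back on a loopback HttpListener, then bounces once more to a token-free URL as Workbench does. It assumes, as the thread states, that Arvados redirects to return_to with its path intact and ?api_token=X appended; the host name, port, path names and the class/method names are illustrative. The X-Frame-Options: DENY error only arises when the SSO page is rendered inside a frame; a top-level navigation, whether in the system browser as here or as the main document of a WebBrowser control, is not affected by it.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework)

// Editor's example, not Arvados project code. Assumes Arvados redirects to
// return_to with the path preserved and ?api_token=X appended, and that
// 127.0.0.1:<port> is free on the user's machine. Names are illustrative.
public static class ArvadosLoopbackLogin
{
    public static string BuildLoginUrl(string apiHost, string returnTo)
    {
        // return_to must be escaped: unescaped, its own '?' and '&' would be
        // parsed as part of the /login query string.
        return "https://" + apiHost + "/login?return_to=" + Uri.EscapeDataString(returnTo);
    }

    // Blocks until the browser comes back with a token (wrap in a task with a
    // timeout in a real UI).
    public static string Login(string apiHost, int port = 49152)
    {
        // Unguessable nonce in the return_to path: only a redirect that carries
        // it is accepted, so a stray or malicious local request cannot hand the
        // application a token of someone else's choosing.
        string nonce = NewNonce();
        string origin = "http://127.0.0.1:" + port;
        string callbackPath = "/arvados/callback/" + nonce + "/";
        string donePath = "/arvados/done/";

        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add(origin + "/arvados/"); // loopback only, never 0.0.0.0
            listener.Start();

            // Top-level navigation in the default browser: X-Frame-Options only
            // governs framed content, so the SSO page's DENY header is irrelevant.
            Process.Start(new ProcessStartInfo(BuildLoginUrl(apiHost, origin + callbackPath))
            {
                UseShellExecute = true
            });

            string token = null;
            while (true)
            {
                HttpListenerContext ctx = listener.GetContext();
                string path = ctx.Request.Url.AbsolutePath;

                if (token == null && path == callbackPath)
                {
                    string t = HttpUtility.ParseQueryString(ctx.Request.Url.Query)["api_token"];
                    if (string.IsNullOrEmpty(t))
                    {
                        Finish(ctx, 400, "missing api_token");
                        continue;
                    }
                    token = t;
                    // Same step Workbench takes: bounce to a URL without the token
                    // so it does not stay in the Location bar or browser history.
                    ctx.Response.Redirect(origin + donePath);
                    ctx.Response.Close();
                }
                else if (token != null && path == donePath)
                {
                    Finish(ctx, 200, "Signed in to Arvados. You can close this window.");
                    return token;
                }
                else
                {
                    Finish(ctx, 404, "not found"); // wrong nonce, favicon, etc.
                }
            }
        }
    }

    static void Finish(HttpListenerContext ctx, int status, string text)
    {
        byte[] body = Encoding.UTF8.GetBytes("<html><body>" + text + "</body></html>");
        ctx.Response.StatusCode = status;
        ctx.Response.ContentType = "text/html; charset=utf-8";
        ctx.Response.ContentLength64 = body.Length;
        ctx.Response.OutputStream.Write(body, 0, body.Length);
        ctx.Response.Close();
    }

    static string NewNonce()
    {
        byte[] b = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    }
}

// Usage: string token = ArvadosLoopbackLogin.Login("your-apiserver-host");
// then send it on each request in the Authorization header form the
// Arvados API documentation describes, and keep it out of logs and URLs.
```

The password never touches the plugin: it is typed only into the SSO page, which is the property the redirect scheme exists to preserve. The token does still travel once through a loopback URL that the browser sees, which is why the callback is bound to 127.0.0.1 rather than all interfaces and is immediately replaced by a token-free page.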