Presentation on how to integrate OIDC Device code flow with iRODS command line authentication

1. iRODS
PAM (Interactive)

2. Topics
● Short intro of SRAM
● https://github.com/HarryKodden/SRAM-iRODS-Showcase
● User flows

3. Short introduction on SRAM
SURF Research Access Management
Offers access to collaborating researchers working together on specific topics,
using services federatively authenticating using their (trusted-) home institute
Identity Providers
Big advantages:
● No additional account creation
● When home institute offers MFA, that is used,
● When home institute does not offer MFA, SRAM will offer 2nd factor to make
sure every researcher is properly authenticated before using the services
offered via SRAM.

4. SRAM - iRODS Showcase
This is a docker cluster, containing following services:
● database (postgres 9.1)
● icat : iRODS Server 4.3.0 on ubuntu 20.04
● icommands: 4.3.0 on ubuntu 20.04
● davrods (latest on irods-runtime & irods-dev 4.3.0)
The show case make use of submodule: https://github.com/HarryKodden/iRODS-
Development-Bootstrapper.git
With this packages all packages can be build on the requested version

5. User provisioning…
The icommands container is running a cron job that
syncs with the LDAP of SRAM to provision /
deprovision all identities of researchers that are
active members of a certain collaboration.
For each such member:
● a home directory is created /home/jdoe
● when the member has a SSH Public key
registered in SRAM, that public key is added to
the /home/jdoe/.ssh/authorized_keys file
● the user is registered at the irods server.
● in the home directory a subfolder is created
`.irods` and within that directory a file
`irods_environment.json`, containing:
https://github.com/HarryKodden/irods-ldap-sync
{
"irods_host": "icat",
"irods_port": 1247,
"irods_user_name": "jdoe",
"irods_zone_name": "tempZone",
"irods_authentication_scheme": "pam_interactive",
"irods_ssl_ca_certificate_file": "/var/lib/ssl/irods.crt"
}
https://github.com/stefan-wolfsheimer/irods_auth_pam_interactive

6. User flow…
Researcher starts the connecting to the icommands terminal session
ssh jdoe@icommands
then he starts a connection with iRODS, for example by initiating command `ils’
This will kick in the the pam_interactive authentication scheme…
$ ils

7. 3 demonstration flows…
1. SRAM Token flow - This is a custom SRAM flow
2. (SRAM) OIDC - Authorization Code Flow - This is a OIDC standard flow
3. (SRAM) OIDC - Device Code Flow - This is a OIDC standard flow

8. Long versus short loop…
The PAM flows asking user to step out and complete a web flow may become
irritating when it kicks in too often. (long loop)
When using the OAUTH refresh token mechanism we can offer a much friendlier
user experience. The Server then asks for token refreshment without asking
additional user input. (short loop)
In order for this to be a safe option depends on the binding of a session secret
(with a certain lifetime) that can be passed from icammands to icat server.
We the secure (ssl-) connection between icommands and icat server we can pass
such a secret. The secret could be locally stored in ~/.irodsA on the icommands
home directory.