Menu
▾
▴
unity-idm-discuss
|
From: Sander A. <sa....@fz...> - 2020-01-13 13:32:13
Attachments:
smime.p7s
|
Dear Krzysztof, on one of our unity instance we use the group management of unity and service grant access/quotas based on group membership. Some of the service use unity only for account creation and thereafter users have access possibilities which bypass unity. In this cases the group membership information needs to be updated regularly. The administrators of this services asked if unity is able to send push notifications to the group membership as changed. AFAIK unity does not offer this, but can it be covered by groovy script extensions? The administrators also ask if it would be possible to tell which entity has changed and also to provide an access token. The service will use this to update the local (service) user representation with querying the user info endpoint. Would it be possible to put some of this information in the (script based) notification? Best regards, Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2020-01-14 07:56:58
|
Dear Sander, W dniu 13.01.2020 o 14:32, Sander Apweiler pisze: > Dear Krzysztof, > > on one of our unity instance we use the group management of unity and > service grant access/quotas based on group membership. Some of the > service use unity only for account creation and thereafter users have > access possibilities which bypass unity. In this cases the group > membership information needs to be updated regularly. > > The administrators of this services asked if unity is able to send push > notifications to the group membership as changed. AFAIK unity does not > offer this, but can it be covered by groovy script extensions? Yes, all of that should be possible. Groovy script can get triggered when user is added and removed from any group. After enabling low-level events and their logging check for events around GroupsManagement . addMemberFromParent and removeMember events. http://www.unity-idm.eu/documentation/unity-3.1.0/apidocs/index.html In context you will get EntityParam which you can use in groovy o obtain any information about a user you need. The only downside of it is that you need to check this after each unity update, we do not guarantee stability of those internal interfaces. Though good news is those basic ones change extremely rarely. > The administrators also ask if it would be possible to tell which > entity has changed and also to provide an access token. The service > will use this to update the local (service) user representation with > querying the user info endpoint. Would it be possible to put some of > this information in the (script based) notification? So regarding entity details it is possible. You can also push all relevant attributes of the user with the notification. I'm not sure about what access token you want here. Certainly it is possible to generate something, but I don't have understanding of requirements here (and why not to simply push required info without additional call) HTH Krzysztof |
|
From: Marcus H. <ha...@ki...> - 2020-01-14 10:26:13
Attachments:
smime.p7s
|
On 01/14/20 08:56, Krzysztof Benedyczak wrote: > Dear Sander, > > W dniu 13.01.2020 o 14:32, Sander Apweiler pisze: > > Dear Krzysztof, > > > > on one of our unity instance we use the group management of unity and > > service grant access/quotas based on group membership. Some of the > > service use unity only for account creation and thereafter users have > > access possibilities which bypass unity. In this cases the group > > membership information needs to be updated regularly. > > > > The administrators of this services asked if unity is able to send push > > notifications to the group membership as changed. AFAIK unity does not > > offer this, but can it be covered by groovy script extensions? > > Yes, all of that should be possible. Groovy script can get triggered when > user is added and removed from any group. > > After enabling low-level events and their logging check for events around > GroupsManagement . addMemberFromParent and removeMember events. > > http://www.unity-idm.eu/documentation/unity-3.1.0/apidocs/index.html > > In context you will get EntityParam which you can use in groovy o obtain any > information about a user you need. That sounds good! > The only downside of it is that you need to check this after each unity > update, we do not guarantee stability of those internal interfaces. Though > good news is those basic ones change extremely rarely. Let's hope for the best. > > The administrators also ask if it would be possible to tell which > > entity has changed and also to provide an access token. The service > > will use this to update the local (service) user representation with > > querying the user info endpoint. Would it be possible to put some of > > this information in the (script based) notification? > > So regarding entity details it is possible. You can also push all relevant > attributes of the user with the notification. > > I'm not sure about what access token you want here. Certainly it is possible > to generate something, but I don't have understanding of requirements here > (and why not to simply push required info without additional call) The way we update the information in our tool (FEUDAL) is that whenever a rest enpoint is called, we verify the AT by calling the UserInfoEndpoint. Therefore, we use that to update our user object. There is also the authenticity of information. We cannot accept anybody sending us a JSON with an update on userinfo. We need some kind of authorisation / authentication for this. Therefore, it would be cleanest on our side. If this is unreasonable on the unity side, sending a JSON is ok, but we need some kind of signature on it. Cheers, -- Marcus. |
|
From: Marcus H. <ha...@ki...> - 2020-01-15 11:13:02
Attachments:
smime.p7s
|
On 01/14/20 11:06, Marcus Hardt wrote: > On 01/14/20 08:56, Krzysztof Benedyczak wrote: > > Dear Sander, > > > > W dniu 13.01.2020 o 14:32, Sander Apweiler pisze: > > > Dear Krzysztof, > > > > > > on one of our unity instance we use the group management of unity and > > > service grant access/quotas based on group membership. Some of the > > > service use unity only for account creation and thereafter users have > > > access possibilities which bypass unity. In this cases the group > > > membership information needs to be updated regularly. > > > > > > The administrators of this services asked if unity is able to send push > > > notifications to the group membership as changed. AFAIK unity does not > > > offer this, but can it be covered by groovy script extensions? > > > > Yes, all of that should be possible. Groovy script can get triggered when > > user is added and removed from any group. > > > > After enabling low-level events and their logging check for events around > > GroupsManagement . addMemberFromParent and removeMember events. > > > > http://www.unity-idm.eu/documentation/unity-3.1.0/apidocs/index.html > > > > In context you will get EntityParam which you can use in groovy o obtain any > > information about a user you need. > That sounds good! > > > The only downside of it is that you need to check this after each unity > > update, we do not guarantee stability of those internal interfaces. Though > > good news is those basic ones change extremely rarely. > Let's hope for the best. > > > > The administrators also ask if it would be possible to tell which > > > entity has changed and also to provide an access token. The service > > > will use this to update the local (service) user representation with > > > querying the user info endpoint. Would it be possible to put some of > > > this information in the (script based) notification? > > > > So regarding entity details it is possible. You can also push all relevant > > attributes of the user with the notification. > > > > I'm not sure about what access token you want here. Certainly it is possible > > to generate something, but I don't have understanding of requirements here > > (and why not to simply push required info without additional call) > The way we update the information in our tool (FEUDAL) is that whenever a > rest enpoint is called, we verify the AT by calling the UserInfoEndpoint. > Therefore, we use that to update our user object. > > There is also the authenticity of information. We cannot accept anybody > sending us a JSON with an update on userinfo. We need some kind of > authorisation / authentication for this. > > Therefore, it would be cleanest on our side. > > If this is unreasonable on the unity side, sending a JSON is ok, but we > need some kind of signature on it. Another option for us would be to request refresh-tokens, and use the JSON sent solely to trigger a user update. This is not very clean either, and seems to require most code changes on both sides. -- Marcus. |
|
From: Krzysztof B. <kb...@un...> - 2020-01-20 21:14:21
|
Hi Marcus, W dniu 15.01.2020 o 12:12, Marcus Hardt pisze: > On 01/14/20 11:06, Marcus Hardt wrote: >> On 01/14/20 08:56, Krzysztof Benedyczak wrote: >>> Dear Sander, >>> >>> W dniu 13.01.2020 o 14:32, Sander Apweiler pisze: >>>> Dear Krzysztof, >>>> >>>> on one of our unity instance we use the group management of unity and >>>> service grant access/quotas based on group membership. Some of the >>>> service use unity only for account creation and thereafter users have >>>> access possibilities which bypass unity. In this cases the group >>>> membership information needs to be updated regularly. >>>> >>>> The administrators of this services asked if unity is able to send push >>>> notifications to the group membership as changed. AFAIK unity does not >>>> offer this, but can it be covered by groovy script extensions? >>> Yes, all of that should be possible. Groovy script can get triggered when >>> user is added and removed from any group. >>> >>> After enabling low-level events and their logging check for events around >>> GroupsManagement . addMemberFromParent and removeMember events. >>> >>> http://www.unity-idm.eu/documentation/unity-3.1.0/apidocs/index.html >>> >>> In context you will get EntityParam which you can use in groovy o obtain any >>> information about a user you need. >> That sounds good! >> >>> The only downside of it is that you need to check this after each unity >>> update, we do not guarantee stability of those internal interfaces. Though >>> good news is those basic ones change extremely rarely. >> Let's hope for the best. >> >>>> The administrators also ask if it would be possible to tell which >>>> entity has changed and also to provide an access token. The service >>>> will use this to update the local (service) user representation with >>>> querying the user info endpoint. Would it be possible to put some of >>>> this information in the (script based) notification? >>> So regarding entity details it is possible. You can also push all relevant >>> attributes of the user with the notification. >>> >>> I'm not sure about what access token you want here. Certainly it is possible >>> to generate something, but I don't have understanding of requirements here >>> (and why not to simply push required info without additional call) >> The way we update the information in our tool (FEUDAL) is that whenever a >> rest enpoint is called, we verify the AT by calling the UserInfoEndpoint. >> Therefore, we use that to update our user object. >> >> There is also the authenticity of information. We cannot accept anybody >> sending us a JSON with an update on userinfo. We need some kind of >> authorisation / authentication for this. >> >> Therefore, it would be cleanest on our side. >> >> If this is unreasonable on the unity side, sending a JSON is ok, but we >> need some kind of signature on it. > Another option for us would be to request refresh-tokens, and use the JSON > sent solely to trigger a user update. This is not very clean either, and > seems to require most code changes on both sides. You can go with any of the described approaches. Personally I'd consider keeping to KISS: adding a unique random token as an authentication of the sender on Unity side + all information consumer will need so no subsequent callback is needed. But if you want to go any harder path you can generate AT/signature/MAC and use it in Groovy script. BTW: good news, you can expect JWT AT in unity 3.4.0. Cheers, Krzysztof |
|
From: Marcus H. <ha...@ki...> - 2020-01-22 08:48:45
Attachments:
smime.p7s
|
On 01/20/20 22:14, Krzysztof Benedyczak wrote: > Hi Marcus, > > W dniu 15.01.2020 o 12:12, Marcus Hardt pisze: > > On 01/14/20 11:06, Marcus Hardt wrote: > > > On 01/14/20 08:56, Krzysztof Benedyczak wrote: > > > > Dear Sander, > > > > > > > > W dniu 13.01.2020 o 14:32, Sander Apweiler pisze: > > > > > Dear Krzysztof, > > > > > > > > > > on one of our unity instance we use the group management of unity and > > > > > service grant access/quotas based on group membership. Some of the > > > > > service use unity only for account creation and thereafter users have > > > > > access possibilities which bypass unity. In this cases the group > > > > > membership information needs to be updated regularly. > > > > > > > > > > The administrators of this services asked if unity is able to send push > > > > > notifications to the group membership as changed. AFAIK unity does not > > > > > offer this, but can it be covered by groovy script extensions? > > > > Yes, all of that should be possible. Groovy script can get triggered when > > > > user is added and removed from any group. > > > > > > > > After enabling low-level events and their logging check for events around > > > > GroupsManagement . addMemberFromParent and removeMember events. > > > > > > > > http://www.unity-idm.eu/documentation/unity-3.1.0/apidocs/index.html > > > > > > > > In context you will get EntityParam which you can use in groovy o obtain any > > > > information about a user you need. > > > That sounds good! > > > > > > > The only downside of it is that you need to check this after each unity > > > > update, we do not guarantee stability of those internal interfaces. Though > > > > good news is those basic ones change extremely rarely. > > > Let's hope for the best. > > > > > > > > The administrators also ask if it would be possible to tell which > > > > > entity has changed and also to provide an access token. The service > > > > > will use this to update the local (service) user representation with > > > > > querying the user info endpoint. Would it be possible to put some of > > > > > this information in the (script based) notification? > > > > So regarding entity details it is possible. You can also push all relevant > > > > attributes of the user with the notification. > > > > > > > > I'm not sure about what access token you want here. Certainly it is possible > > > > to generate something, but I don't have understanding of requirements here > > > > (and why not to simply push required info without additional call) > > > The way we update the information in our tool (FEUDAL) is that whenever a > > > rest enpoint is called, we verify the AT by calling the UserInfoEndpoint. > > > Therefore, we use that to update our user object. > > > > > > There is also the authenticity of information. We cannot accept anybody > > > sending us a JSON with an update on userinfo. We need some kind of > > > authorisation / authentication for this. > > > > > > Therefore, it would be cleanest on our side. > > > > > > If this is unreasonable on the unity side, sending a JSON is ok, but we > > > need some kind of signature on it. > > Another option for us would be to request refresh-tokens, and use the JSON > > sent solely to trigger a user update. This is not very clean either, and > > seems to require most code changes on both sides. > > You can go with any of the described approaches. Personally I'd consider > keeping to KISS: adding a unique random token as an authentication of the > sender on Unity side + all information consumer will need so no subsequent > callback is needed. But if you want to go any harder path you can generate > AT/signature/MAC and use it in Groovy script. @Sander: How do we proceed? From our side, what I'd need would be: - Mandatory: - a json with sub and iss about the user concerning the change - Optional: - Extremely cool: An access token of the person (in that case the above JSON only need to contain the iss (which is automatic in unity 3.4.0)) This you would send (post?) to an endpoint that I'd give you. It's probably the same endpoint for each VO. <offtopic> Regarding VO, I yesterday saw some of the FZJ people praising their future use of the unity VO implementation. Great Success! </offtopic> > BTW: good news, you can expect JWT AT in unity 3.4.0. Very Cool!! -- Marcus. |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X