8:07 a.m.
Hello!
Let me write down some thoughts about how SyncEvolution handles
credentials and authentication, in particular with regards to web
services.
The most pressing need to do something about this comes from Google's
move away from username/password-based authentication towards OAuth2 in
CalDAV/CardDAV. By September there needs to be a SyncEvolution which
supports that, because by that time Google will turn off the old method.
Another motivation was mentioned in a previous discussion of that topic
([1], [2]): username/password sometimes must be set multiple times in
the current config.
Whatever we do about this, let's consider a few things:
* Some services, in particular SyncML, only work with
username/password, so SyncEvolution needs a way to retrieve
both.
* Other services, in particular Google CalDAV/CardDAV, depend on
an OAuth2 based mechanism. SyncEvolution needs to recognize
this, possibly after trying to use them, and then retrieve the
necessary token from an OAuth2 implementation.
* OAuth2 grants access to clients, which identify themselves with
a key. Abuse of that key may lead to blacklisting that key and
thus preventing access to the service. Possibly the creator of
that key will also be banned such that he or she cannot create
new keys. For SyncEvolution that means that sharing the same key
with everyone is a bad idea. Whoever compiles SyncEvolution
should at least have to make a conscious choice about which key
he uses. For binaries that I publish on syncevolution.org, a key
for Google needs to be included. There's no effective measure
for keeping that key secret, so I might as well publish it on
syncevolution.org and allow individuals to use it when compiling
SyncEvolution for themselves.
* Part of the initial usage of an OAuth2 based service is a dialog
via a web browser where the web service confirms that access
should be granted. In that case, the password for the service is
only handed to the web server, not to SyncEvolution itself or
the entity handling OAuth2. Of course, because the password
typically gets entered on the local computer, this is still not
perfectly secure.
* Some users therefore won't care that much where they enter their
password. Quite the opposite, entering the password in advance
is useful in cases where such an interactive login is not
possible or difficult, for example on a server where X is not
running or which has no web browser installed.
* In some cases, a pop-up asking for OAuth2 confirmation is
desirable, sometimes it isn't. Need to define when to use it and
when (and how) to fail with a authentication error.
In [1] I proposed to introduce a new property that describes where
username/password are stored. In retrospect I find that too limited and
unnecessarily complex. Here's a different approach, based on
interpreting the "username" value differently.
So far, "username = <value>" had a username as it had to be given to a
service as <value>. Let's extend that with one indirection:
"username = [<sso-module>:]<identity>|<username>"
<sso-module> is the identifier of some system which can provide more
information about <identity>. There must be a SyncEvolution plugin which
makes that system and its identifier known to SyncEvolution, similar to
how src/backends/[kde|gnome] currently provide access to KWallet and
GNOME keyring.
I can think of five different such backends:
* gSSO = glib-Single-Sign-On - https://01.org/gsso
* uoa = Ubuntu Online Accounts -
http://developer.ubuntu.com/resources/technologies/online-accounts/
* goa = GNOME Online Accounts -
https://developer.gnome.org/goa/stable/
* user = traditional username/password setting, only needed in
cases where the username happens to start with one of the
prefixes above
* id = a central identity managed by SyncEvolution
"user" works without any additional configuration. The "password"
property provides the password. OAuth2 is not supported.
"id" enables sharing of credentials between different parts of a
SyncEvolution config tree without depending on an external system. The
<identity> string is the name of a normal peer config. Username/password
can be stored for that peer as usual. It can even be used for syncing,
if that is desired, but it is not necessary to do so. To mark a peer
which is just used as a placeholder for credentials,
"peerType=credentials" would be used. The GTK UI ignores all peers whose
type it doesn't recognize (to be checked - at least that was the plan at
some point). The "id" mechanism could be extended at some point to also
support OAuth2 natively, perhaps using liboauth.
"gSSO" and "uoa" use the same libaccounts-glib client library and
different implementations on the server side. I've been told that some
of these server-side differences leak through the common client API, so
backends might be very similar, but not quite identical.
Backends for "gSSO", "uoa" and will be expected to map the
<identity>,
a service identifier and a realm (or is it scope?) to a
username/password combination (for a traditional login mechanism,
similar to local password storage in GNOME keyring or KWallet) or the
OAuth2 access token.
For SyncML, the service identifier would be the sync URL. For
WebDAV/CardDAV, it probably will come from the challenge sent by the
server when it asks for authentication. The realm would be the string
that Google uses to identify calendar or contact access.
SyncEvolution must be aware enough of that mechanism to provide the
backend with the client key that it got compiled with for the service
and realm. TBD: passing valid username/password to the backend for later
use, instead of prompting the user.
Let me stop here for today.
To do next:
- Add usage examples for "id".
- Walk through specific flow for Google CalDAV and CardDAV, including
the configure options needed to provide the keys and what the SSO
backend would get from SyncEvolution.
My plan is to work on the infrastructure, a backend using gSSO/id and
the OAuth2 usage in the CalDAV/CardDAV backend. Anything else would
depend on outside contributors.
Something else not in scope is automatic configuration, like
automatically setting up syncing against all calendars or address books
becoming available once a Google account is available in the central
account system. Such functionality clearly would be useful, but it is
also very system specific.
Such functionality can be implemented by a plugin for
syncevo-dbus-server, similar to how the PIM Manager
(src/dbus/server/pim) runs inside the main event loop of the
syncevo-dbus-server and sets up configs for PBAP syncing for IVI use
cases [3].
[1] https://lists.syncevolution.org/pipermail/syncevolution/2011-May/002257.html
[2] https://bugs.freedesktop.org/show_bug.cgi?id=52917
[3] http://comments.gmane.org/gmane.comp.mobile.syncevolution/4009
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
5:54 a.m.
On Thu, 2013-07-11 at 17:07 +0200, Patrick Ohly wrote:
- Walk through specific flow for Google CalDAV and CardDAV,
including
the configure options needed to provide the keys and what the SSO
backend would get from SyncEvolution.
Let's consider a naive attempt to use Google CalDAV:
$ SYNCEVOLUTION_DEBUG=1 syncevolution --print-items --daemon=no
backend=caldav loglevel=4
syncurl=https://apidata.googleusercontent.com/caldav/v2
The commands fail with "403 Forbidden" and a rather unspecific
application/vnd.google.gdata.error+xml error which points towards the
need to register the app (see google-caldav.log, attached).
From that the client may conclude that it is dealing with a Google
service. But that could be misleading. For example, what if some other
service uses the same error format?
The <extendedHelp>https://code.google.com/apis/console</extendedHelp> is
a bit more Google specific, but looking at the content of a help text
just doesn't feel right.
IMHO this boils down to the need to determine the authorization method
beforehand. According to
https://developers.google.com/accounts/docs/OAuth2InstalledApp
https://developers.google.com/google-apps/calendar/auth
the following pieces of information are needed for OAuth2:
end point: https://accounts.google.com/o/oauth2/auth
scope: https://www.googleapis.com/auth/calendar
client_id: xxxx
redirect_uri: as registered for that client_id
Is the end point something that must be passed to (g)SSO or is it
something that it already knows? What "redirect_uri" should be used when
registering SyncEvolution?
The information above could be provided to SyncEvolution at runtime in
a /usr/share/syncevolution/authentication/google-calendar.ini file. The
content of that file is determined by the packager. In addition, files
could also be searched for in
~/.local/share/syncevolution/authentication
or /etc/syncevolution/authentication. That way, a user and/or system
admin could personalize or add services without having to recompile
SyncEvolution.
To use OAuth2, the user would need to use:
username = gSSO+google-calendar:john.doe@gmail.com
password =
Note the extra "+google-calendar": that tells SyncEvolution to use the
"google-calendar" authentication method. How much it needs to know about
the method is open for debate - it could be treated as key/value store
whose pairs SyncEvolution simply passes through to the SSO backend
without caring about the content, or it could simply pass the string
itself to the backend and let the backend resolve it.
The password was empty above. It could also be set by the user, with the
expectation that the SSO backend then uses that instead of triggering
any prompts.
When used during "--configure", it could be used like this:
syncevolution --configure \
username=gSSO:john.doe@gmail.com \
password=foobar
No peer config needs to be specified on the command line in this case (a
deviation from the current command line syntax!), instead the "foobar"
password and "john.doe(a)gmail.com" string will be handed over to the SSO
backend with the expectation that it'll store the password as securely
as it can for use later on.
At runtime, when given "username = gSSO+<service>:john.doe@gmail.com",
SyncEvolution will ask the backend for the kind of authorization that it
needs to use. Possible options, depending on the actual <service> value
and the .ini file it references:
- traditional username/password, with both provided to SyncEvolution by
the backend
- OAuth2 access token
For service=google-calendar, then answer would always be OAuth2. For
service=credentials, it is username/password. Again it is open for
debate whether there really needs to be a credentials.ini file for that,
or whether just the string alone could have that special meaning.
When using an access token, SyncEvolution must be aware that it will
have to ask for another token when it gets authentication errors. Or how
else would it detect that the token expired?
Does this all sound reasonable so far? Can someone explain how that'll
map to APIs and functionality in gSSO and UOA?
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
8:13 a.m.
On Fri, 2013-07-12 at 14:54 +0200, Patrick Ohly wrote:
The password was empty above. It could also be set by the user, with
the
expectation that the SSO backend then uses that instead of triggering
any prompts.
No-one has commented on this part, right? It is needed for the use case
where SyncEvolution runs on a headless server (like the nightly testing,
or as SyncML<->WebDAV bridge).
I assume that this involves libsignon and signond. How can they be told
what username/password to use when dealing with OAuth2?
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
5 a.m.
On 07/22/2013 06:13 PM, Patrick Ohly wrote:
> The password was empty above. It could also be set by the user,
with the
> expectation that the SSO backend then uses that instead of triggering
> any prompts.
No-one has commented on this part, right? It is needed for the use case
where SyncEvolution runs on a headless server (like the nightly testing,
or as SyncML<->WebDAV bridge).
I assume that this involves libsignon and signond. How can they be told
what username/password to use when dealing with OAuth2?
Here's the catch: in OAuth2 flows that are used by Google the clients
don't get to specify the username and password at all. It's managed
entirely by the server's user authentication endpoint that provides a
webpage that is opened in the browser: that webpage can either prompt
the user for the username/password, or use an existing session cookie to
skip the prompt and go straight to asking the user to confirm token
grant to a client (e.g. Google is reusing existing login sessions this way).
If you need entirely headless operation, Google supports something
called OAuth2 service accounts:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
This feature is based on an IETF draft:
http://tools.ietf.org/wg/oauth/draft-ietf-oauth-jwt-bearer/ and as it's
a draft we've left it out of our initial OAuth implementation. Basic,
standardized OAuth2 is large enough by itself :)
Alex
7:15 a.m.
On Thu, 2013-07-11 at 17:07 +0200, Patrick Ohly wrote:
* Some services, in particular SyncML, only work with
username/password, so SyncEvolution needs a way to retrieve
both.
Can libsignon be used to retrieve username/password? How?
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
3:23 a.m.
Hi,
-----Original Message-----
From: syncevolution-bounces(a)syncevolution.org [mailto:syncevolution-
bounces(a)syncevolution.org] On Behalf Of Patrick Ohly
Sent: Thursday, July 25, 2013 5:16 PM
To: SyncEvolution
Cc: Laako, Jussi; Alberto Mardegan; ken(a)vandine.org; Kanavin, Alexander
Subject: Re: [SyncEvolution] SyncEvolution + SSO + credentials
On Thu, 2013-07-11 at 17:07 +0200, Patrick Ohly wrote:
> * Some services, in particular SyncML, only work with
> username/password, so SyncEvolution needs a way to retrieve
> both.
Can libsignon be used to retrieve username/password? How?
[Amarnath] I assume
'libsignon' here as 'libgsignon'. And I feel password plugin serves the
purpose.
It retrieves the stored username and password. I added an example to demonstrate this. Can
you please check
if it solves your requirement.
By the way, I suggest to pull the latest changes:
- gsignond(devel)
- libgsignon-glib(examples)
- signonui-gtk
Cheers,
Amarnath
---------------------------------------------------------------------
Intel Finland Oy
Registered Address: PL 281, 00181 Helsinki
Business Identity Code: 0357606 - 4
Domiciled in Helsinki
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
12:53 p.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
Hello!
I've implemented the "id" credentials lookup mechanism and OAuth2
authentication for Google CalDAV/CardDAV, using gSSO. The code is
currently in the "for-master/signon" branch. Be warned, I will rebase
that branch to fix commits before including the code in the "master"
branch.
Right now it works well enough to access contacts and events in Google.
I have not tried to actual set up syncing - it might very well be that
the new Google services behave differently. Besides, Google CardDAV has
not been officially supported and tested before at all.
Running the regression tests also points also did its job and, well,
found regressions... normal syncing is probably broken at the moment.
More comments below.
On Thu, 2013-07-11 at 17:07 +0200, Patrick Ohly wrote:
Whatever we do about this, let's consider a few things:
* Some services, in particular SyncML, only work with
username/password, so SyncEvolution needs a way to retrieve
both.
Could be done via a the signon password plugin, not implemented and I
don't intend to add that. Patches welcome, of course.
* OAuth2 grants access to clients, which identify themselves
with
a key. Abuse of that key may lead to blacklisting that key and
thus preventing access to the service. Possibly the creator of
that key will also be banned such that he or she cannot create
new keys. For SyncEvolution that means that sharing the same key
with everyone is a bad idea. Whoever compiles SyncEvolution
should at least have to make a conscious choice about which key
he uses. For binaries that I publish on syncevolution.org, a key
for Google needs to be included. There's no effective measure
for keeping that key secret, so I might as well publish it on
syncevolution.org and allow individuals to use it when compiling
SyncEvolution for themselves.
Attached the README from the new src/backeds/signon directory where I
explain how SyncEvolution handles that now.
* Some users therefore won't care that much where they
enter their
password. Quite the opposite, entering the password in advance
is useful in cases where such an interactive login is not
possible or difficult, for example on a server where X is not
running or which has no web browser installed.
Pre-seeding the password is not possible. The user has to run with a
signon UI connected to his display when accessing the services for the
first time.
* In some cases, a pop-up asking for OAuth2 confirmation is
desirable, sometimes it isn't. Need to define when to use it and
when (and how) to fail with a authentication error.
SyncEvolution currently doesn't do anything special in this regard. This
means that even background syncs, for example those triggered via the
auto sync mechanism, may trigger the login dialog.
I can think of five different such backends:
* gSSO = glib-Single-Sign-On - https://01.org/gsso
Implemented.
* uoa = Ubuntu Online Accounts -
http://developer.ubuntu.com/resources/technologies/online-accounts/
* goa = GNOME Online Accounts -
https://developer.gnome.org/goa/stable/
Both not implemented.
* user = traditional username/password setting, only needed in
cases where the username happens to start with one of the
prefixes above
* id = a central identity managed by SyncEvolution
Both implemented.
"gSSO" and "uoa" use the same libaccounts-glib
client library and
different implementations on the server side. I've been told that some
of these server-side differences leak through the common client API, so
backends might be very similar, but not quite identical.
It would be good to have SyncEvolution .deb files that work on Ubuntu
(with Ubuntu Online Accounts) and on Debian (with gSSO installed by the
user or from the projects repo). Right now this is impossible:
* Even though backends are plugable and the "signon" code could be
compiled once for UOA and once for gSSO, the backends have to be
loaded to find out what they are, and that fails on systems
where both libsignon and libgsignon are installed, because the
libraries provide conflicting symbols.
* Installing accounts .provider and .service files directly
into /usr/share/accounts is difficult. SyncEvolution doesn't
know whether it needs to install for UOA or gSSO (they are
slightly different) and installing "google.provider" may
conflict with other packages.
Backends for "gSSO", "uoa" and will be expected
to map the <identity>,
a service identifier and a realm (or is it scope?) to a
username/password combination (for a traditional login mechanism,
similar to local password storage in GNOME keyring or KWallet) or the
OAuth2 access token.
This is done with libaccounts-glib and suitable config files for it.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
10:26 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
* Installing accounts .provider and .service files directly
into /usr/share/accounts is difficult. SyncEvolution doesn't
know whether it needs to install for UOA or gSSO (they are
slightly different) and installing "google.provider" may
conflict with other packages.
It would be good if it was possible to include several sets of authentication settings in
.service files for different SSO backends (as opposed to just one set as is the case
currently). I'm not a libaccounts expert, but I think
ag_account_service_get_auth_data() could return the settings for the platform's
'default' sso (and identify what it is), and there would be additional methods for
enumerating and retrieving auth settings that would include also their SSO identifier.
Alex
2:57 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On 08/03/2013 09:26 PM, Kanavin, Alexander wrote:
> * Installing accounts .provider and .service files directly into
> /usr/share/accounts is difficult. SyncEvolution doesn't know
> whether it needs to install for UOA or gSSO (they are slightly
> different) and installing "google.provider" may conflict with other
> packages.
It would be good if it was possible to include several sets of
authentication settings in .service files for different SSO backends
(as opposed to just one set as is the case currently). I'm not a
libaccounts expert, but I think ag_account_service_get_auth_data()
could return the settings for the platform's 'default' sso (and
identify what it is), and there would be additional methods for
enumerating and retrieving auth settings that would include also
their SSO identifier.
It is possible to have many "method/mechanism" entries in the "auth"
section of .provider and .service files. So, if your oauth2 plugin needs
different parameters than ours, you can simply call it differently
(like, "goauth2"). The remaining problem is deciding which
authentication method to use; this is specified by the value of the
"auth/method" key, which can be stored in the accounts DB, in the
.service file or in the .provider file (in decreasing order of lookup
preference).
If we cannot eliminate the differences between UOA and Tizen, I'd
recommend that EDS treats them as different entities, and therefore
installs different .service files depending on the parameters passed to
the ./configure script. Then, ag_account_service_get_auth_data() will
return the correct values.
That said, I think that in both cases EDS should *not* install a
.provider file; it should just assume that one is already there.
Ciao,
Alberto
4:24 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
It is possible to have many "method/mechanism" entries in
the "auth"
section of .provider and .service files. So, if your oauth2 plugin
needs different parameters than ours, you can simply call it
differently (like, "goauth2").
If it is possible, I don't see how: ag_account_service_get_auth_data() returns a
single instance of AuthData, and AuthData has a single method for fetching the method and
a single method for fetching the mechanism. Accordingly, the xml format doesn't seem
to allow such setup either:
<?xml version="1.0" encoding="UTF-8" ?>
<provider id="google">
<name>Google</name>
<_description>Includes Gmail, Google Docs, Google+, YouTube and
Picasa</_description>
<icon>google</icon>
<translations>account-plugins</translations>
<domains>.*google\.com</domains>
<template>
<group name="auth">
<setting name="method">oauth2</setting>
<setting name="mechanism">web_server</setting>
<group name="oauth2">
<group name="web_server">
<setting name="Host">accounts.google.com</setting>
....etc
Can you explain?
If we cannot eliminate the differences between UOA and Tizen,
I'd
recommend that EDS treats them as different entities, and therefore
installs different .service files depending on the parameters passed to
the ./configure script. Then, ag_account_service_get_auth_data() will
return the correct values.
I think Patrick would like to have fully run-time detection of available SSO-specific auth
settings and SSO backends. We can of course try to eliminate the differences in oauth
plugins' API, but then we also need to commit to maintaining the compatibility.
Alex
5:30 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On 08/05/2013 02:24 PM, Kanavin, Alexander wrote:
> It is possible to have many "method/mechanism" entries
in the
> "auth" section of .provider and .service files. So, if your oauth2
> plugin needs different parameters than ours, you can simply call
> it differently (like, "goauth2").
If it is possible, I don't see how:
ag_account_service_get_auth_data() returns a single instance of
AuthData, and AuthData has a single method for fetching the method
and a single method for fetching the mechanism. Accordingly, the xml
format doesn't seem to allow such setup either:
<?xml version="1.0" encoding="UTF-8" ?> <provider
id="google">
<name>Google</name> <_description>Includes Gmail, Google Docs,
Google+, YouTube and Picasa</_description> <icon>google</icon>
<translations>account-plugins</translations>
<domains>.*google\.com</domains>
<template> <group name="auth"> <setting
name="method">oauth2</setting> <setting
name="mechanism">web_server</setting> <group
name="oauth2"> <group
name="web_server"> <setting
name="Host">accounts.google.com</setting> ....etc
Can you explain?
You can have many methods, but only one will be used:
<group name="auth">
<setting name="method">oauth2</setting>
<setting name="mechanism">web_server</setting>
<!-- The two lines above select the actual method/mechanism to be used -->
<group name="oauth2">
...
</group>
<group name="goauth2">
...
</group>
<group name="password">
...
</group>
...and more methods...
</group>
As you can see, you can have many groups defined, but you also need to
tell which one will be used (or you can omit that information in the
.service file, if you store it directly in the accounts DB).
> If we cannot eliminate the differences between UOA and Tizen,
I'd
> recommend that EDS treats them as different entities, and
> therefore installs different .service files depending on the
> parameters passed to the ./configure script. Then,
> ag_account_service_get_auth_data() will return the correct values.
I think Patrick would like to have fully run-time detection of
available SSO-specific auth settings and SSO backends. We can of
course try to eliminate the differences in oauth plugins' API, but
then we also need to commit to maintaining the compatibility.
I don't think it would be too hard. We just have to discuss any upcoming
changes on the mailing list, before implementing them.
On the other hand, it may be that for some reason we might *want* EDS to
behave differently, for example for deciding which scopes to request and
when, so for that case we might need to have different .service files
anyway.
Ciao,
Alberto
5:52 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On 08/05/2013 03:30 PM, Alberto Mardegan wrote:
You can have many methods, but only one will be used:
<group name="auth">
<setting name="method">oauth2</setting>
<setting name="mechanism">web_server</setting>
<!-- The two lines above select the actual method/mechanism to be used -->
<group name="oauth2">
...
</group>
<group name="goauth2">
...
</group>
<group name="password">
...
</group>
...and more methods...
</group>
As you can see, you can have many groups defined, but you also need to
tell which one will be used (or you can omit that information in the
.service file, if you store it directly in the accounts DB).
Aah, now I get it, makes sense.
Gsignond plugin is using "oauth" for method and "oauth2" or
"oauth1" for
mechanism. I didn't keep the original names for method and mechanisms
for these reasons:
- "oauth2" as a method name is confusing because the plugin also
supports OAuth1
- the combined mechanisms list is "web_server", "user_agent",
"PLAINTEXT" and "HMAC-SHA1". The first two are flow names from early
drafts of OAuth2 (they're no longer used in the final standard or in
google's documentation, and the final standard also specifies additional
flows), the latter two are signature methods from OAuth1.
I thought I'd better replace this with something simple, and have
version-specific flow parameters separately (GrantType and ResponseType
for Oauth2, and SignatureMethod for OAuth1).
I don't think it would be too hard. We just have to discuss any
upcoming
changes on the mailing list, before implementing them.
You can find the documentation for the glib plugin here, so you can see
what else has changed:
http://code.google.com/p/accounts-sso/source/browse/src/gsignond-oauth-pl...
Alex
11:29 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Mon, 2013-08-05 at 15:52 +0300, Alexander Kanavin wrote:
On 08/05/2013 03:30 PM, Alberto Mardegan wrote:
> I don't think it would be too hard. We just have to discuss any upcoming
> changes on the mailing list, before implementing them.
You can find the documentation for the glib plugin here, so you can see
what else has changed:
http://code.google.com/p/accounts-sso/source/browse/src/gsignond-oauth-pl...
As far as SyncEvolution is concerned, it doesn't care what the method or
mechanism is called. It just uses what is enabled for a service or
provider in the account.
The consensus is that SyncEvolution should not install its own .provider
or .service files, right? In that case it is not necessary to make
the .provider and/or .service files compatible with both gSSO and UOA.
This is something that the system integrator or users must get right.
EDS is not installing the google.provider on Ubuntu. Why is it
installing the .service files for it? That part does not make sense to
me.
SyncEvolution only cares about the methods that it needs to call
(signon_auth_service_new, signon_auth_session_process_async/finish,
signon_identity_new, signon_identity_store_credentials_with_info,
signon_identity_create_session) and a few well-known key names
("UiPolicy", "ForceTokenRefresh", "AccessToken").
Would it be possible on a common API and then also name the shared
library implementing that API the same, like libsignon? Then
SyncEvolution could compile and link against either gSSO or UOA while
still being compatible with the other.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
11:43 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
Would it be possible on a common API and then also name the shared
library implementing that API the same, like libsignon? Then
SyncEvolution could compile and link against either gSSO or UOA while
still being compatible with the other.
Libsignon was forked, tweaked and renamed to libgsignon by Jussi, and he's on holiday
for another week - I really don't know the motivation.
Same goes for executable access control by default, you need to wait one week for the best
answer.
Alex
10:45 p.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On 08/05/2013 09:29 PM, Patrick Ohly wrote:
As far as SyncEvolution is concerned, it doesn't care what the
method or
mechanism is called. It just uses what is enabled for a service or
provider in the account.
Excellent, this is indeed the right way to do it.
The consensus is that SyncEvolution should not install its own
.provider
or .service files, right? In that case it is not necessary to make
the .provider and/or .service files compatible with both gSSO and UOA.
This is something that the system integrator or users must get right.
EDS is not installing the google.provider on Ubuntu. Why is it
installing the .service files for it? That part does not make sense to
me.
Because .service files (can) contain app-specific information, such as
the scopes and the client id/secret. Also, the authentication
method/mechanism could be app-specific.
You could reasonably claim that the .service files should be part of the
Ubuntu packaging, but then one could stretch your arguments a bit and
claim that the whole UOA plugin should be part of the packaging, then. I
guess it's a matter of convenience, that since you ship the code for
working with UOA, you also ship a .service file for it; at least as a
working example. Then indeed there's still the possibility that
packagers will choose to patch your .service file or use a different
one, but I think that it would be good for SyncEvolution to provide all
the necessary data so that after a "make install" in an Ubuntu
installation the user/developer gets the UOA integration somehow working.
Ciao,
Alberto
11:57 p.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Tue, 2013-08-06 at 08:45 +0300, Alberto Mardegan wrote:
On 08/05/2013 09:29 PM, Patrick Ohly wrote:
> As far as SyncEvolution is concerned, it doesn't care what the method or
> mechanism is called. It just uses what is enabled for a service or
> provider in the account.
Excellent, this is indeed the right way to do it.
> The consensus is that SyncEvolution should not install its own .provider
> or .service files, right? In that case it is not necessary to make
> the .provider and/or .service files compatible with both gSSO and UOA.
> This is something that the system integrator or users must get right.
>
> EDS is not installing the google.provider on Ubuntu. Why is it
> installing the .service files for it? That part does not make sense to
> me.
Because .service files (can) contain app-specific information, such as
the scopes and the client id/secret. Also, the authentication
method/mechanism could be app-specific.
Hmm, okay. It just seems preposterous for a simple app to provide a
"google-contacts.service" or "google-carddav.service". This is not
Highlander where there can be only one (app using such a service). A
"google-syncevolution.service" would make more sense taking that into
account, but leads to a worse user experience.
but I think that it would be good for SyncEvolution to provide all
the necessary data so that after a "make install" in an Ubuntu
installation the user/developer gets the UOA integration somehow working.
I agree, that would be good. At the moment, the code does not install
account template files, it merely ships them as examples. That could be
changed, of course, perhaps depending on a configure flag.
But I need to point out something that I already told Ken: I don't have
much time for this (business travel this week, vacation starting next
week). I can justify working on gSSO and Tizen integration, but for
everything else I depend on other developers providing patches.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
12:04 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On 08/06/2013 09:57 AM, Patrick Ohly wrote:
Hmm, okay. It just seems preposterous for a simple app to provide a
"google-contacts.service" or "google-carddav.service". This is not
Highlander where there can be only one (app using such a service). A
"google-syncevolution.service" would make more sense taking that into
account, but leads to a worse user experience.
Yes, I recommend namespacing the .service file with your application
name, to avoid conflicts.
But I need to point out something that I already told Ken: I
don't have
much time for this (business travel this week, vacation starting next
week). I can justify working on gSSO and Tizen integration, but for
everything else I depend on other developers providing patches.
Sure, that's understood. We already benefit a lot from the work you are
doing on gSSO, we'll mostly reuse that and contribute patches for the
UOA integration.
Ciao,
Alberto
11:33 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Mon, 2013-08-05 at 15:30 +0300, Alberto Mardegan wrote:
On the other hand, it may be that for some reason we might *want* EDS
to
behave differently, for example for deciding which scopes to request and
when, so for that case we might need to have different .service files
anyway.
SyncEvolution does indeed need different scopes than EDS, at least at
the moment. In the future I suspect that EDS will also need the CalDAV
scope for calendar, not just the GData scope that they currently ask
for.
One could still use the same .service file, for example by asking for
CardDAV and GData access to contacts in google-contacts.service, if less
user interaction is considered more desirable than fine-grained granting
of permissions.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
4:54 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Fri, 2013-08-02 at 21:53 +0200, Patrick Ohly wrote:
Right now it works well enough to access contacts and events in
Google.
I have not tried to actual set up syncing - it might very well be that
the new Google services behave differently. Besides, Google CardDAV has
not been officially supported and tested before at all.
Running the regression tests also points also did its job and, well,
found regressions... normal syncing is probably broken at the moment.
For other peers, syncing works again with a quick fix commit that I
cooked up other the weekend. If you were waiting, now is a good time to
try the "for-master/signon" branch. There are still some issues left,
but I hope that they don't get in the way.
I am traveling this week, so I might not get around to looking into this
more.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
11:36 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Fri, 2013-08-02 at 21:53 +0200, Patrick Ohly wrote:
Add --daemon=no to the command line to prevent shifting the actual
command executing into syncevo-dbus-server and (from there)
syncevo-dbus-helper.
Warning: gsignond limits access to the identity to the executable which created
it. One has to use different accounts for syncevolution with and without
--daemon=no and another account when using valgrind.
Let me highlight this observation here and ask: is this kind of access
control by executable path really useful on a normal Linux desktop? I
believe GNOME Keyring had something like that in the past and moved away
from it because it didn't not add any real security.
In this case, with gSSO, it really gets in the way.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
12:23 p.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
Let me highlight this observation here and ask: is this kind of
access
control by executable path really useful on a normal Linux desktop? I
believe GNOME Keyring had something like that in the past and moved
away from it because it didn't not add any real security.
In this case, with gSSO, it really gets in the way.
For testing purposes I think you can bypass this check by a) compiling gsignond with
--enable-debug;
b) setting SSO_KEYCHAIN_SYSCTX environment variable to the path+name of the executable -
that's how we run unit tests.
Alex
12:01 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Mon, 2013-08-05 at 19:23 +0000, Kanavin, Alexander wrote:
> Let me highlight this observation here and ask: is this kind of
access
> control by executable path really useful on a normal Linux desktop? I
> believe GNOME Keyring had something like that in the past and moved
> away from it because it didn't not add any real security.
>
> In this case, with gSSO, it really gets in the way.
For testing purposes I think you can bypass this check by a) compiling gsignond with
--enable-debug;
b) setting SSO_KEYCHAIN_SYSCTX environment variable to the path+name of the executable -
that's how we run unit tests.
Is that extra complexity really useful?
Can I relax access and allow a set of apps sharing the identity? I
noticed a "security context" parameter in the API. Currently I am
passing NULL there.
I also don't understand how that fits with the single CredentialsId that
gets stored in accounts (see discussion with Alberto). That means that
there is a single signond identity that all apps using a certain
provider (not service!) are meant to use. Won't that fail when there is
a per-app access control on the identity?
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
3:10 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
Is that extra complexity really useful?
Access control is a security requirement of Tizen IVI.
Can I relax access and allow a set of apps sharing the identity? I
noticed a "security context" parameter in the API. Currently I am
passing NULL there.
Yes you can. Each identity includes an access control list of executable paths that are
allowed to use it (the creator of the identity is added there by default). When you create
and store an identity, add all the executables that will use it to the ACL (the creator of
the identity can also update the list later). On Tizen, SMACK labels are used instead.
The app security context parameter is for supporting access control in runtimes, where the
runtime is passing the name of the script it's executing through that parameter, so
the access control module has both the name (or SMACK label) of the runtime and the script
name.
I also don't understand how that fits with the single
CredentialsId
that gets stored in accounts (see discussion with Alberto). That means
that there is a single signond identity that all apps using a certain
provider (not service!) are meant to use. Won't that fail when there is
a per-app access control on the identity?
It won't fail if they're on the ACL :)
Alex
4:53 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Tue, 2013-08-06 at 10:10 +0000, Kanavin, Alexander wrote:
> Is that extra complexity really useful?
Access control is a security requirement of Tizen IVI.
I get that. But I was running on a normal Linux desktop, where access
control via executable path doesn't really gain much in terms of
security, does it?
> Can I relax access and allow a set of apps sharing the identity?
I
> noticed a "security context" parameter in the API. Currently I am
> passing NULL there.
Yes you can. Each identity includes an access control list of
executable paths that are allowed to use it (the creator of the
identity is added there by default). When you create and store an
identity, add all the executables that will use it to the ACL (the
creator of the identity can also update the list later). On Tizen,
SMACK labels are used instead.
For my own reference:
http://docs.accounts-sso.googlecode.com/git/libsignon-glib/html/SignonIde...
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
4:57 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
I get that. But I was running on a normal Linux desktop, where
access
control via executable path doesn't really gain much in terms of
security, does it?
I don't feel qualified to debate this; the default access control is Jussi's work
and I don't know his reasons.
Alex
12:10 p.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On 08/06/2013 02:53 PM, Patrick Ohly wrote:
> Yes you can. Each identity includes an access control list of
> executable paths that are allowed to use it (the creator of the
> identity is added there by default). When you create and store an
> identity, add all the executables that will use it to the ACL (the
> creator of the identity can also update the list later). On Tizen,
> SMACK labels are used instead.
For my own reference:
http://docs.accounts-sso.googlecode.com/git/libsignon-glib/html/SignonIde...
Oh, and something I've found out just now: there is a wildcard which you
can place into the ACL ("*" for both system and app context) when
creating the identity. Then the ACL check is off. I haven't tested it,
but it should work.
Alex
5:32 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
I get that. But I was running on a normal Linux desktop, where
access
control via executable path doesn't really gain much in terms of
security, does it?
It works pretty well, as long as system is installed through signed packages and user
doesn't have root privileges.
But you have wild cards if you prefer to give world-access. But generally I dislike idea
of random applications being able to access my Google password, because it is used for
example to authorize credit card purcheses in Play store and in AdWords...
If someone steals and changes password of Google or Facebook account it is lot of trouble
to gain access back and meanwhile someone can burn lot of money from the attached credit
card unless you close the credit card, in which case there's other trouble
involved...
---------------------------------------------------------------------
Intel Finland Oy
Registered Address: PL 281, 00181 Helsinki
Business Identity Code: 0357606 - 4
Domiciled in Helsinki
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
11:48 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Mon, 2013-08-12 at 12:32 +0000, Laako, Jussi wrote:
> I get that. But I was running on a normal Linux desktop, where
access
> control via executable path doesn't really gain much in terms of
> security, does it?
It works pretty well, as long as system is installed through signed
packages and user doesn't have root privileges.
Which is not a normal Linux desktop, is it?
But you have wild cards if you prefer to give world-access. But
generally I dislike idea of random applications being able to access
my Google password, because it is used for example to authorize credit
card purcheses in Play store and in AdWords...
I agree, handing out the password to any app would be bad. But that's
not the case in this particular scenario (OAuth2 login into a very
specific set of services), it is? In this case, all that the extra apps
could get access to is the calendar or contact data - which is already
available locally without protection, if the user is running
SyncEvolution to sync said data.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
1:18 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
Which is not a normal Linux desktop, is it?
Isn't it? At least it's like openSUSE or Ubuntu. Only Windows users tend to use
their computer as admin.
As long as you 1) use SMACK/SELinux/AppArmor correctly configured and/or 2) run gsignond
as some other user id both the API access and the database are protected.
The ACL side works as long as malicious application cannot gain root privileges behind
user's back to replace your /usr/bin/myapp. This protection is not to protect access
from the user like DRM is, but it is intended to protect user's data from (malicious)
applications.
I agree, handing out the password to any app would be bad. But
that's
not the case in this particular scenario (OAuth2 login into a very
specific set of services), it is? In this case, all that the extra apps
could get access to is the calendar or contact data - which is already
available locally without protection, if the user is running
SyncEvolution to sync said data.
Depends on what kind of methods you allow with *:* access, if "password" is
allowed, then any application can just ask for the plaintext password.
You still have to pay attention to secure the database side from direct access, either
through system level access control/isolation, or through a suitable secret storage
extension.
---------------------------------------------------------------------
Intel Finland Oy
Registered Address: PL 281, 00181 Helsinki
Business Identity Code: 0357606 - 4
Domiciled in Helsinki
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
6:26 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On Tue, 2013-08-13 at 08:18 +0000, Laako, Jussi wrote:
> Which is not a normal Linux desktop, is it?
Isn't it? At least it's like openSUSE or Ubuntu. Only Windows users
tend to use their computer as admin.
As long as you 1) use SMACK/SELinux/AppArmor correctly configured
and/or 2) run gsignond as some other user id both the API access and
the database are protected.
That's the key point: is any Linux desktop set up to protect the signon
database like that? I don't doubt that it is doable, I'm just wondering
whether it is done.
If it is, great, then access control is worth it. If not, then it adds
no additional security and just makes the system less usable (can't use
valgrind, can't use my self-compiled binary unless I install it).
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
10:13 p.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
On 08/25/2013 04:26 PM, Patrick Ohly wrote:
On Tue, 2013-08-13 at 08:18 +0000, Laako, Jussi wrote:
>> Which is not a normal Linux desktop, is it?
>
> Isn't it? At least it's like openSUSE or Ubuntu. Only Windows users
> tend to use their computer as admin.
>
> As long as you 1) use SMACK/SELinux/AppArmor correctly configured
> and/or 2) run gsignond as some other user id both the API access and
> the database are protected.
That's the key point: is any Linux desktop set up to protect the signon
database like that? I don't doubt that it is doable, I'm just wondering
whether it is done.
Not yet, but we are making good progress in Ubuntu towards this goal. I
hope it lands on the desktop on the 14.04 release (next April).
Ciao,
Alberto
1:52 a.m.
New subject: [SyncEvolution] SyncEvolution + SSO + credentials - first code drop
That's the key point: is any Linux desktop set up to protect the
signon
database like that? I don't doubt that it is doable, I'm just wondering
whether it is done.
If it is, great, then access control is worth it. If not, then it adds
no additional security and just makes the system less usable (can't use
valgrind, can't use my self-compiled binary unless I install it).
Now the databases are protected even on a normal Unix without any extra security
frameworks. All databases are stored in a directories accessible only to user root and
group gsignond. Gsignond will setgid itself to gsignond and no users should be member of
that group.
Users can of course mess their own things, but the point is that random application X
shouldn't be able to gain root access on the device without user's permission. And
that would be required to break the security. That's where the line goes.
---------------------------------------------------------------------
Intel Finland Oy
Registered Address: PL 281, 00181 Helsinki
Business Identity Code: 0357606 - 4
Domiciled in Helsinki
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
3230
days inactive
3276
days old
syncevolution@synevolution.org
31 comments
6 participants
participants (6)
-
Alberto Mardegan -
Alexander Kanavin -
Kanavin, Alexander
-
Laako, Jussi -
Patrick Ohly -
Valluri, Amarnath