https://doi.org/10.1051/epjconf/202429504038
Solutions for non-web OAuth 2.0 authorisation at CERN
CERN
* e-mail: asier@aguado.email
** e-mail: hannah.short@cern.ch
*** e-mail: sebastian.lopienski@cern.ch
Published online: 6 May 2024
The need for Single Sign-On solutions in command line interfaces is not new to CERN. Different technologies have been introduced and internal solutions have been implemented to allow users to authenticate to remote servers or applications from their console interfaces. In the case of web services, the most common approach was to use cookie-based authentication, for which an internal tool was developed and made available to the whole CERN user community. As the authorisation infrastructure evolved and started to fully support the OAuth 2.0 standard, as well as two-factor authentication (2FA), the internal tool started to show its limitations. In this work, we present the past and present (OAuth-compliant) solutions, and compare them by looking at the advantages and disadvantages we have found. We also present a case study of a service, OpenShift, that implements this new authentication solution for its users.
© The Authors, published by EDP Sciences, 2024
This is an Open Access article distributed under the terms of the Creative Commons Attribution License 4.0, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.