CILogon as authentication option for Ask.CI

Currently Ask.CI supports local Discourse accounts and login with Google. What are your thoughts on adding CILogon as an option?

  • The drawback is Discourse currently lets you only configure one oauth2 authentication option. So if you wanted to support other custom oauth2 IDPs you would need to configure Discourse with a single custom oauth2 IDP that acted as an identity broker for the others.
  • The benefit is everyone that has credentials via a method supported by CILogon can use that, without creating a separate account on Ask.CI. This could be especially beneficial for the institution specific categories (Stanford, Brown, Yale, Harvard all have IDPs via CILogon). We have successfully used CILogon with our discourse instance at https://discourse.osc.edu/.

You would take these steps.

  1. Go to https://www.cilogon.org/oidc and then from there navigate to the register page for client registration.
  2. Fill out the form:
     • Client name: Ask.Cyberinfrastructure
     • Email address:
     • Home URL: https://ask.cyberinfrastructure.org
     • Callback URLs: https://ask.cyberinfrastructure.org/auth/oauth2_basic/callback
     • Is this a public client? No - leave unchecked
     • Scopes: email, openid, profile, org.cilogon.userinfo
  3. Upon clicking register, the response page will display the client id and client secret. Save these.
  4. Wait for the email from CILogon that confirms your registration.
  5. Configure Ask.CI Discourse by going to https://ask.cyberinfrastructure.org/admin/site_settings/category/login and:
     1. oauth2 enabled: “Custom OAuth2 is enabled” checked
     2. oauth2 client id: the client id you saved from CILogon
     3. oauth2 client secret: the client secret you saved from CILogon
     4. below is a screenshot of the rest of the settings on the login page related to oauth2 that worked for OSC’s Discourse with CILogon
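
A preflight check for the registration and Discourse settings described in the steps above, added here as an example and not code from OSC or the discourse-oauth2-basic plugin. It assumes the plugin's setting names (oauth2_enabled, oauth2_client_id, oauth2_client_secret, oauth2_scope), a site_base_url standing in for the Discourse hostname, and placeholder credentials; the callback URL and scopes are the ones from the registration step.

```python
from urllib.parse import urlsplit

# Client registration, using the values from the steps in this thread.
REGISTRATION = {
    "callback_urls": {"https://ask.cyberinfrastructure.org/auth/oauth2_basic/callback"},
    "scopes": {"email", "openid", "profile", "org.cilogon.userinfo"},
}

# Candidate Discourse settings. Setting names follow the discourse-oauth2-basic plugin;
# the site base URL stands in for the Discourse hostname, and the credentials are placeholders.
DISCOURSE = {
    "site_base_url": "https://ask.cyberinfrastructure.org",
    "oauth2_enabled": True,
    "oauth2_client_id": "PLACEHOLDER-CLIENT-ID",
    "oauth2_client_secret": "PLACEHOLDER-CLIENT-SECRET",
    "oauth2_scope": "openid email profile org.cilogon.userinfo",
}

CALLBACK_PATH = "/auth/oauth2_basic/callback"  # the path from the registration step above


def callback_url(settings):
    """Redirect URI Discourse will present: site base URL plus the plugin's callback path."""
    return settings["site_base_url"].rstrip("/") + CALLBACK_PATH


def check_config(registration, settings):
    """Return the mismatches between the CILogon registration and the Discourse settings."""
    problems = []
    if not settings.get("oauth2_enabled"):
        problems.append("oauth2_enabled is off; no CILogon login button will be shown")
    if not settings.get("oauth2_client_id") or not settings.get("oauth2_client_secret"):
        problems.append("client id or secret is blank; copy both from the registration response")
    cb = callback_url(settings)
    if urlsplit(cb).scheme != "https":
        problems.append(f"callback {cb} is not https")
    if cb not in registration["callback_urls"]:  # providers match redirect URIs byte for byte
        problems.append(f"callback {cb} is not one of the registered callback URLs")
    requested = set(settings["oauth2_scope"].split())
    if "openid" not in requested:
        problems.append("oauth2_scope must include openid for an OIDC login")
    extra = requested - registration["scopes"]
    if extra:
        problems.append(f"scopes not granted at registration: {sorted(extra)}")
    return problems
```

Run `check_config(REGISTRATION, DISCOURSE)` before enabling the login; an empty list means the callback and scopes Discourse will send match what CILogon was told at registration.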

@rpwagner actually this is a good example of the drawback with using the oauth2 plugin. If it only allows 1 IDP then the two options would either be CILogon by itself, or Globus Auth which would then provide the CILogon option. I think the drawback for Globus Auth is that for a user that has credentials supported by CILogon but not a Globus account, they would need to go through the extra step of creating a Globus account before being able to access Ask.CI with their campus credentials via CILogon, and that may introduce similar confusion for some users that the Ask.CI local accounts can introduce as @guilfoos mentions.

That’s true, it does require creating a Globus account. The tradeoff is that there are more IdPs and my team and I spend time supporting uses like this. But @vsoch is correct, I’m super biased.

This requires a custom plugin I am guessing (we don’t have those fields in our settings). https://github.com/discourse/discourse-oauth2-basic. If @jma gives the A-OK I can look into adding the plugin and setting up CILogon.

@ericfranz - thanks for adding this detail.

@vsoch - this is what I was (perhaps clumsily) asking about at the BoF. Letting our users authenticate with their OSC HPC credentials would be wonderful; any service with a login that doesn’t accept their HPC credentials generates a steady stream of service tickets (and confusion). And we already allow use of CILogon to tie their HPC credentials to their home institution so they can log into our web services with their Ohio State or University of Cincinnati credentials. So they’re familiar with CILogon and I think this would ease adoption.

@guilfoos I am in total support! @jma is master and commander, so we just need her blessing first :pray:

Would you be willing to consider Globus? We include the CILogon identity providers, plus others.

I am in total support! Sorry I missed this earlier!

@rpwagner is only slightly biased :slight_smile: