JIRA Issue

[#XCI-443] XSEDE does not allow applications to see or use XSEDE user passwords

Created: 08/25/2018
Updated: 08/25/2018

Status: Proposed
Project: XSEDE Cyberinfrastructure Integration
Component/s: None
Fix Version/s: None

Type: XCI Documentation
Priority: Major
Reporter: Lee Liming
Assignee: Unassigned
Resolution: Unresolved
Votes: 0

XSEDE Priority: -
Public activity link: https://software.xsede.org/display/xci-443
Devel Repository: https://software.xsede.org/svn/xci/activities/xci-443/trunk/
Use Cases:
IDM-07: Login to a locally installed application with XSEDE username/password
Effort and Costs:
Staff Name (Lastname, Firstname) | Effort (person weeks) | Roles or Contributions | Status
<Activity Lead Name – Last, First> | 6 | six weeks of effort to lead and implement the activity (required) | none
<User Doc Drafter – Last, First> | 0.2 | one day of effort to draft user documentation (required) | none
TBD (tester) | 1 | one week of effort to test the software | none
... | ... | .. | none
Deliverables:
Due by | Activity Deliverable
DSR | Design document*
TRR | Implemented Software Capability
TRR | Other type of deliverable
TRR | Deployment plan*
TRR | Test plan*
TRR | User documentation*
TRR (post) | TRR Baseline* (Shava)
Deployment | Deployment Baseline* (Shava)
Deployment | Test Report* (Shava)
  • Click on "Deliverables" tab for URL.
Lead Tester: Shava Smallen

Description

Use case IDM-07 describes a locally installed application asking the user for their XSEDE username and password, then using them to authenticate the user with XSEDE. As a matter of policy, XSEDE does not allow applications to do this, because it exposes the user's XSEDE password to the application, which creates a significant security risk for both XSEDE and the application user.

Instead, XSEDE supports Globus Auth's client credentials grant, by which the user authenticates directly with XSEDE (or another identity provider) and the application is given a secure code that it can use to retrieve the user's identity information without having access to the user's password.