Section C states that this design will allow XSEDE to retire weblogin.xsede.org.
The XSEDE User Portal currently uses a 2-legged OAuth login flow (aka "username/password") provided by weblogin.xsede.org.
- Does CILogon provide a 2-legged service that XUP could use? (I think the answer is no?)
- Is there a plan to change XUP from using 2-legged OAuth to using 3-legged OAuth? (I think the answer is no?)
If XUP needs 2-legged OAuth logins and CILogon doesn't provide them, that means XUP will need to continue using weblogin.xsede.org for those, so this design will not allow weblogin.xsede.org to be retired. Is that right?
If this is the case, it raises another design issue. Specifically, can Globus Auth handle XSEDE identities being asserted both by the 2-legged weblogin.xsede.org and the 3-legged CILogon? I suspect the answer is "yes" because the 2-legged login flow doesn't result in an EPPN or EPTID that could conflict with the new EPPN & EPTID returned by CILogin, which is how Globus keeps track of identities from CILogon IDPs. Still, it's probably a scenario that should be reviewed with the Globus team to make sure it will work, and if there's anything that needs to be changed or configured in Globus Auth to make sure it works, we'll need that to be done.