Re: gnome-keyring Using gkr for Kerberos/NTLM single-sign-on handling

Hi,

On Thu, Apr 28, 2011 at 8:55 AM, Stef Walter <stefw collabora co uk> wrote:
> So before adding this into the daemon, I'd like to see whether the
> configuration and ticket renewal parts of it fit better into the new
> online accounts system David is working on.
>
>  * The online accounts system also has a daemon.
>  * Has logic for expired tokens/tickets, renewal, etc.
>
> David, what do you think? I got the impression that the online accounts
> work for more than just web accounts. Is that right?

Yes, while it's still up in the air what the Gnome Online Accounts
effort is going to end with doing (I'm still in the process of
limiting scope and figuring out what to do for 3.2), the intent is
definitely that apps like Evolution and Thunderbird can and should use
it to a) figure out that the user has N accounts that are 'email like'; and
b) obtain credentials to access said account. The main point about
GOA, what matters most to me anyway, is that the user should never
ever authenticate more than once and everything should be set up.

This is of course, to a degree, too abstract to be useful to you at
this point... so I think my thoughts, at this point, are best
illustrated by example. Suppose I have my Facebook, GMail and Yahoo
accounts set up. Then org.gnome.OnlineAccounts would export three
objects with a set of interfaces as described in [1]. Now, let's look
at the org.gnome.OnlineAccounts.Messages interface. I'd expect this
interface to implement the following methods:

 org.gnome.OnlineAccounts.Messages {
   methods:
     Array<struct Message> GetRecent(int num_recent);

     UnixFD GetAuthenticationImapConnection();
   properties:
     bool SupportsIMAP;
     String IMAPAddress;
     // maybe other details needed
 }

where GetRecent() is a *simple* interface for getting the latest
@num_recent messages. Maybe GNOME Shell would present this in an
indicator, I don't know. A real mail app, however, would just want an
IMAP connection and do its own thing as it has been done since the
beginning of time.... note, however, that the service in question may
not support IMAP - for example, Facebook "mail" (yes, I hate it too -
but that's how my sister sends me "mail") is not available via IMAP
but e.g. GMail is.

Anyway, the thinking here is that we can have the provider-specific
code in goa-daemon(8) return an authenticated IMAP connection to the
user via the GetAuthenticationImapConnection() method (passing a file
descriptor). Or if that's too much effort, we can just provide the
IMAP server address and the app (e.g. Evo) could do its own thing. For
the GMail case the app would get the a) email address of the user; and
b) the OAuth access token; from GOA and then use this when doing IMAP
auth cf. http://code.google.com/apis/gmail/oauth/

The nice thing about GetAuthenticationImapConnection() is that the
user will never ever need to get their hands on the user credentials.
OK, so for OAuth the access token is short-lived anyway (typically a
couple of hours but FB tokens can actually live until the user
deauthorizes the app) but the less exposed the better. The bad thing
is that doing IMAP inside goa-daemon(8) might not be ideal but if it's
only the authentication bits then maybe it's not too bad. I don't
know. Btw, I'm considering that we have similar
GetAuthenticationXMPP(), GetAuthenticationSMTP() methods for other
standardized services.

OK, so this is some hand-waving but I think all this is pretty
feasible. Not sure how it maps to what you guys were talking about
wrt. Exchange. For the record, I definitely think that GOA should
support Exchange (my iPhone does that!). But I just don't know a lot
about it.

Anyway, hope this helps.

Cheers,
David

[1] :

 /org/gnome/OnlineAccounts/Accounts/gmail_zeutnen_at_gmail_dot_com
   org.gnome.OnlineAccounts.Account
   org.gnome.OnlineAccounts.GoogleAccount
   org.gnome.OnlineAccounts.OAuth2Based
   org.gnome.OnlineAccounts.Messages
   org.gnome.OnlineAccounts.Chat
   org.gnome.OnlineAccounts.Events
   ...

 /org/gnome/OnlineAccounts/Accounts/facebook_davidz25
   org.gnome.OnlineAccounts.Account
   org.gnome.OnlineAccounts.FacebookAccount
   org.gnome.OnlineAccounts.OAuth2Based
   org.gnome.OnlineAccounts.Messages
   org.gnome.OnlineAccounts.Chat
   org.gnome.OnlineAccounts.Events
   ...

 /org/gnome/OnlineAccounts/Accounts/yahoo_dzeuthen_at_yahoo_dot_com
   org.gnome.OnlineAccounts.Account
   org.gnome.OnlineAccounts.YahooAccount
   org.gnome.OnlineAccounts.OAuthBased
   org.gnome.OnlineAccounts.Messages
   org.gnome.OnlineAccounts.Chat
   ...
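The descriptor-passing design sketched above (the daemon authenticates upstream and hands the app an already-authenticated connection, so the app never touches the OAuth token), as an added example that is not GOA's own code. Assumptions: the D-Bus UnixFD argument is stood in for by SCM_RIGHTS over a socketpair, the upstream IMAP server by a toy localhost server, the token by a constructed value; Linux and Python 3.8+.

```python
import array
import socket
import threading

DAEMON_SECRET_TOKEN = b"constructed-oauth-token"  # constructed; only the daemon side uses it

def fake_imap_server(listener):
    # Toy IMAP-like upstream (constructed): one AUTHENTICATE line, then one FETCH.
    conn, _ = listener.accept()
    with conn:
        authed = conn.recv(1024).startswith(b"AUTHENTICATE XOAUTH2 " + DAEMON_SECRET_TOKEN)
        conn.sendall(b"OK authenticated\r\n" if authed else b"NO bad credentials\r\n")
        if authed and conn.recv(1024).startswith(b"FETCH"):
            conn.sendall(b"* 1 FETCH (constructed message)\r\nOK\r\n")

def daemon_authenticate(server_addr):
    # Daemon side: connect upstream and authenticate with the token it holds.
    s = socket.create_connection(server_addr)
    s.sendall(b"AUTHENTICATE XOAUTH2 " + DAEMON_SECRET_TOKEN + b"\r\n")
    if not s.recv(1024).startswith(b"OK"):
        s.close()
        raise RuntimeError("upstream authentication failed")
    return s

def send_fd(ctrl, sock):
    # Pass the open descriptor over a UNIX socket, as D-Bus does for a UnixFD argument.
    fds = array.array("i", [sock.fileno()])
    ctrl.sendmsg([b"FD"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])

def recv_fd(ctrl):
    # App side: receive the descriptor and wrap it as a socket; no token needed.
    _, ancdata, _, _ = ctrl.recvmsg(16, socket.CMSG_LEN(4))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            return socket.socket(fileno=array.array("i", data[:4])[0])  # one C int
    raise RuntimeError("no descriptor in control message")

def demo():
    # Daemon and app in one process; returns the app's FETCH reply.
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=fake_imap_server, args=(listener,), daemon=True).start()
    daemon_end, app_end = socket.socketpair()  # stands in for the D-Bus connection
    imap = daemon_authenticate(listener.getsockname())
    send_fd(daemon_end, imap)
    imap.close()  # daemon drops its copy; the app's duplicate stays open
    app_imap = recv_fd(app_end)
    app_imap.sendall(b"FETCH 1 BODY[]\r\n")
    reply = app_imap.recv(1024)
    for s in (app_imap, daemon_end, app_end, listener):
        s.close()
    return reply
```

The app side only ever holds the control channel and the received descriptor; the bytes it reads back contain mail data, not the token, which is the property the GetAuthenticationImapConnection() idea is after.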
