00:19 *** pezra joined #rest
00:22 *** jackalista joined #rest
00:33 *** huckleberry78 joined #rest
00:39 *** pezra joined #rest
00:40 *** shrink0r joined #rest
01:02 *** huckleberry78 joined #rest
01:12 *** pezra joined #rest
01:27 *** huckleberry78 joined #rest
02:50 *** lemur joined #rest
05:21 *** ewalti joined #rest
06:17 *** _ollie joined #rest
07:11 *** scflode joined #rest
07:40 *** ewalti joined #rest
07:51 *** shrink0r joined #rest
08:07 *** Left_Turn joined #rest
09:03 *** quimrstorres joined #rest
09:05 *** quimrstorres joined #rest
09:12 *** quimrstorres joined #rest
09:16 *** quimrsto_ joined #rest
09:29 *** mezod joined #rest
09:29 *** interop_madness joined #rest
10:07 *** shrink0r_ joined #rest
10:09 *** shrink0r joined #rest
10:15 *** graste joined #rest
10:27 *** shrink0r_ joined #rest
10:54 *** scflode joined #rest
11:16 *** daxim joined #rest
11:21 *** scflode joined #rest
11:23 *** scflode_ joined #rest
11:25 *** scflode_ joined #rest
11:28 *** scflode__ joined #rest
12:29 *** interop_madness joined #rest
12:32 *** quimrstorres joined #rest
13:20 *** Andre-B joined #rest
13:32 *** quimrstorres joined #rest
13:45 *** nkoza joined #rest
13:51 *** quimrstorres joined #rest
14:08 *** shrink0r joined #rest
14:24 *** quimrstorres joined #rest
14:25 *** quimrstorres joined #rest
14:26 *** quimrstorres joined #rest
14:28 *** quimrstorres joined #rest
14:28 *** quimrstorres joined #rest
14:30 *** quimrstorres joined #rest
14:48 *** quimrsto_ joined #rest
14:50 *** quimrsto_ joined #rest
16:10 *** lemur joined #rest
17:09 *** tieTYT2 joined #rest
17:27 *** Andre-B joined #rest
17:28 *** quimrstorres joined #rest
17:38 *** quimrstorres joined #rest
18:07 *** jcromartie joined #rest
18:44 *** ewalti joined #rest
18:47 *** quimrstorres joined #rest
19:22 *** shrink0r joined #rest
19:27 *** quimrstorres joined #rest
19:39 *** _ollie joined #rest
20:01 *** jcromartie joined #rest
20:06 *** quimrstorres joined #rest
20:09 *** quimrstorres joined #rest
20:20 *** quimrstorres joined #rest
20:24 *** quimrstorres joined #rest
20:30 *** quimrstorres joined #rest
20:33 *** quimrstorres joined #rest
20:55 *** quimrstorres joined #rest
20:59 *** quimrstorres joined #rest
21:08 *** quimrstorres joined #rest
21:24 *** sfisque joined #rest
21:26 <sfisque> so i'll toss this out there and see what bubbles up….
21:27 <sfisque> using spring-boot to expose some "rest-ish" endpoints and i have to integrate into a fabric that uses saml (other microservices exposing endpoints that all call each other). what kinds of information would i have to track down in order to get saml up and running in spring-boot
21:28 <saml> yes
21:39 <whartung> lol
21:39 <whartung> Just pay to fly him out sfisque
21:39 <whartung> :)
21:39 <sfisque> not my dime
21:40 <whartung> SAML and "rest-ish" don't really play well together.
21:40 <sfisque> it already is. problem is, i'm porting a php prod to spring-boot and i'd rather not reinvent the square wheel
21:41 <whartung> how are you handling the payloads? or are you setting up sessions?
21:41 <sfisque> not 100% sure - docs are thin at best, kind of flying blind other than oodles of php code that calls into zend framework
21:41 <whartung> you CAN send AuthnResponses via query parameters, but they're kinda big.
21:41 <sfisque> and it looks like they are just manually sniffing through headers. i'd rather leverage than roll my own if possible
21:42 <whartung> SAML doesn't use headers, normally
21:42 <sfisque> how does it push/pull creds around then?
21:42 |
|
whartung |
I should say the typical SSO work flow doesn't. SAML is much more prevalent in SOAP, being it can be intermixed with the payloads |
21:43 |
|
|
Jefffrey joined #rest |
21:43 |
|
sfisque |
gotcha |
21:44 |
|
whartung |
the typical work flow is: browser hits service, service has no session, so redirects to IdP. Idp logs in user at browser, and stands up a session. Then IdP post a FORM with JS that "submits" it back to the service. Service vets the payload, and logs the user in, standing up a session |
21:47 |
|
sfisque |
aye. the issue i'm in is, i have to extract the user from the request (GET/PUT/POST/etc.) and then use those creds (in whatever mechanism) to relay requests to other fabric endpoints to work through a workflow (e.g. user hits endpoint A which then makes calls to endpoints B, C, D to relay chunks of the workflow, and then returns to the user. aka, fabric) |
21:47 |
|
sfisque |
in my case, i'm exposing C or D and in turn, i have to call out to M, N, O, and P |
21:47 |
|
sfisque |
so there's no "user" so to speak other than an SSO credential |
21:47 |
|
sfisque |
or i should say, no "session" |
21:48 |
|
sfisque |
other than the creds |
21:48 |
|
whartung |
I mean, there's nothing stopping you from cramming a AuthnRequest (or whatever SAML artifact you're using) in to a header. |
21:48 |
|
whartung |
it's just that they're typically signed XML - and bulky |
21:48 |
|
sfisque |
but you at least game me something to start with. i assume i'll have to configure spring-boot to know something about the idp |
21:49 |
|
sfisque |
most of our payloads contain xml anyway (json records where one or more attributes are xml blocks/docs/etc.) |
21:49 |
|
sfisque |
dont' ask why. it is what it is, and i have to integrate with it :-P |
21:49 |
|
sfisque |
for better or worse |
21:50 |
|
whartung |
so, some vocabulary: IdP -- Identity Provider (IdP) (thing with users and passwords). Service Provider (SP) (thing that gives you stuff you want -- i.e. the web site) |
21:50 |
|
sfisque |
so the node i'm working on would be SP? |
21:51 |
|
whartung |
yes |
21:51 |
|
sfisque |
and the credentialling agent is idp |
21:51 |
|
sfisque |
do i need to worry about certs, bit strength, etc, or is all of that abstracted away for me by integrating with saml? |
21:53 |
|
sfisque |
basically i'm walking through the pdf from the spring saml extension author, and that's helping, but for someone who dislikes spring, it's not a walk in the park :-/ |
21:56 |
|
sfisque |
looking at the sample app's idp.xml i guess i do have to worry about that stuff. x509 block |
22:07 <whartung> certs are required to validate the signature
22:08 <sfisque> gotcha
22:08 <whartung> a benefit of working with an existing infrastructure is that you can just cut and paste their boilerplate payloads to generate and interpret them rather than using something like OpenSAML to build payloads from scratch.
22:08 <whartung> just treat them as opaque xml and XPath out the stuff you want.
22:09 <whartung> only thing you need to worry about is XML-SIG
22:09 *** fumanchu joined #rest
22:11 <whartung> but if you are using java, OpenSAML is the lib to use for SAML
22:12 <sfisque> aye, i'm just trying to find an integration point with spring-boot to reduce my cohesion. i'd like to just wire up a few beans and just have it work, know what i mean. the documentation for saml is kind of dense
22:14 <whartung> oh, yes it is
22:14 <whartung> and has all sorts of new words
22:15 <whartung> you have an existing system, right?
22:15 <sfisque> the xml config for the spring binding isn't too bad. but i'm going to have to track down lots of bits (idp host, etc.)
22:15 <whartung> if you can dump what it's sending back and forth, that'll get you a long way
22:15 <whartung> just treat it as Bla Bla XML: "bla bla bla bla Oh, the user name! bla bla bla"
22:15 <sfisque> sort of. the integration system is in constant churn (let's just say i'm walking into a war zone and the enemy is running amok behind the lines)
22:16 <sfisque> so i'm kind of in isolation until i can get the ported version stood up in some functional manner.
22:17 <sfisque> i have most of the endpoints stubbed or fully operational, but no security coming in or going out to the other endpoints (aka, can't talk to them yet)
22:17 <sfisque> that's what i'm trying to solve now. once i can get the auth/auth layer stuff in place, i can get slotted into the integration testing fabric
22:18 <sfisque> well, "staging"
22:18 <whartung> yea
22:18 <sfisque> an integration/dev fabric is "in the works" /cry
22:18 <whartung> just saying if you can see the wire traffic of the working app, it can help clarify things
22:19 <sfisque> yah, i'll have to harass someone for that. i was hoping i could just annotate my endpoints with whatever bit i need for creds (header/token/param/etc.) and just do a "blah.getCreds(); makeExternalCall( creds );"
22:19 <sfisque> once i get the libs all wired up
22:20 <sfisque> i'd like to NOT have to run "more" xpath extractions. already have tons of those for the workflow bits (massaging payloads, etc.)
22:21 <sfisque> diving back into the docs.
22:21 * sfisque lights a cigar, slots a clip, and hunkers off into the dusk
22:21 <whartung> later Hannibal
22:36 * sfisque cries
22:36 <sfisque> looks like the idp is "homegrown" and not a 3rd party like shib
22:36 <whartung> that may or may not be easier to configure
22:37 <whartung> Shib is a pain if you don't know SAML
22:37 <sfisque> aye but it means the protocol is probably proprietary so i'm probably stuck rolling my own (aka porting the php auth stuff over straight, rather than tossing it out and leveraging)
22:38 * sfisque dies a little inside
22:38 <whartung> could be a homegrown saml
22:39 <sfisque> my guess is yes. from what i've experienced in the php code, there was a lot of "not invented here" generated by the consulting firm that produced these bits
22:39 <sfisque> \o/
22:39 <sfisque> w1n!
22:39 <sfisque> NOT
22:42 <fumanchu> insult: when you write your own. consult: when someone else tricks you into letting them write it for twice the price.
22:43 <sfisque> very punny >.<
22:49 <whartung> I'm decoding ASN.1 :)
23:41 *** happyface joined #rest
23:59 <pdurbin> sfisque: homegrown? so it isn't quite SAML?