(no subject)

Jul. 5th, 2025 03:08 am
[personal profile] vvalkyri
I'm in a tent kind of hard far from the house. It's not really technically all that far from the house but it's in a little alcove of woods. Now I keep hearing the animals I guess making things crackle
And it's mildly freaking me out and I really do need to go to sleep cuz it's after 3:00 and I'm sure people will be up fairly soon.

I guess I'll put earplugs in and hope I don't turn into a snack.

... oh cool. When I look out the tent windows I can see fireflies. I had thought they went to sleep hours ago.

Too much tree cover and too much light from Winchester for stars from here.

Happy 4th. Happy birthday mom. We could see some fireworks far away. Many, many sets.

I'm still kind of annoyed with myself for not staying over last night too. But that's okay. It's been a good evening.

It's amazing how late I manage to stay up regardless of when I try.

Really weird thing is the birds have never been quiet.

Looking forward to visiting more in the morning. I think I very much do like this little Walmart tent, three sardine. Works well when everything's mostly in the car. Someday I guess I have to try it out in the rain.
[personal profile] vvalkyri
I've been running running running for so long.
And then when I'm not I just lose so much time.
And then it was 4a when I got to sleep last night after figuring I'd go to the Blues because of the DJs, but it took me so long that I got there at 10:45 and it's over at 11:30 . . . and the rest was fallen into the phone.

Danced with a couple of the VA Beach guys, but felt off kilter at the dance. Highly aware of not being a sought after partner. Or imagining that.

Could have driven out to the farm where I'm camping tonight after festivities. Probably should have. Ironically, if I'd not brought my duffel upstairs there was almost nothing I'd have needed. Have tent and spare and mattress and spare in the car still, and there was laundry that could have become clothes for today and tomorrow. I think bug spray and sunscreen are also still in the car.

It's 2p. I need to get more moving.

I'm sure a lot of this is shock that the BBB passed. And there's SO MUCH bad. So much that people hadn't even really noticed. This'll trigger reconciliation which will affect medicare. Stuff with education. ICE has more funding than defense in several countries. 45mil just for building more detention.

And most states call medicaid something other than medicaid.

Most of the cuts and additional paperwork hoops won't come in until after the midterms. That's of course on purpose.

Hi from the mountain

Jun. 28th, 2025 12:06 pm
[personal profile] vvalkyri
I think I left my keyboard at the house in New Jersey; it's a lot harder to write on my phone. I went to sleep at 6:00 after finally getting around to setting up the bed in the tent at like 5:30 a.m. Got the tent up around dusk.

I'm thinking a lot about memory. Like I extrapolated that I drove amq up at some point because I had stayed over at some point and taken public transit into NYC.

But I remember little about that NYC trip and nothing of driving up together in 19.

If I'd written in Dreamwidth maybe I would even be able to find it, I have no idea.

It's very tempting to go back to sleep. But it's noon.

I do adore that the tent is comfortable right now and not hot. And I wasn't cold last night either.

Maybe I'll write more sometime.
[personal profile] mjg59
Single sign-on is a pretty vital part of modern enterprise security. You have users who need access to a bewildering array of services, and you want to be able to avoid the fallout of one of those services being compromised and your users having to change their passwords everywhere (because they're clearly going to be using the same password everywhere), or you want to be able to enforce some reasonable MFA policy without needing to configure it in 300 different places, or you want to be able to disable all user access in one place when someone leaves the company, or, well, all of the above. There's any number of providers for this, ranging from it being integrated with a more general app service platform (e.g., Microsoft or Google) or a third party vendor (Okta, Ping, any number of bizarre companies). And, in general, they'll offer a straightforward mechanism to either issue OIDC tokens or manage SAML login flows, requiring users to present whatever set of authentication mechanisms you've configured.

This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.

But it works poorly for CLI-based setups. There are basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphishable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.

There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.

Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of JavaScript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.

I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.

There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of JavaScript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.

Someone, please, write a spec for this. Please don't make it be me.
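As an added example (not code from mjg59's post or from any identity provider), this is the "spawn a local server" variant of the CLI login the post describes, with the two checks that make it the less phishable of the two options: a per-attempt `state` value that the loopback callback must echo back, and a PKCE verifier (RFC 7636, S256) that never leaves the CLI. The authorize endpoint, client id, redirect URI and port are placeholder assumptions; the token exchange itself is out of scope.

```python
import base64
import hashlib
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

def make_pkce_pair(verifier=None):
    """RFC 7636 S256: the verifier stays on the CLI, only its hash goes to the IdP."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, challenge):
    """URL the CLI hands to the browser; 'state' binds the callback to this attempt."""
    params = dict(response_type="code", client_id=client_id, redirect_uri=redirect_uri,
                  scope="openid", state=state, code_challenge=challenge,
                  code_challenge_method="S256")
    return f"{authorize_endpoint}?{urlencode(params)}"

def parse_callback(callback_path, expected_state):
    """Accept the redirect only if its state matches the value this run generated."""
    query = parse_qs(urlparse(callback_path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    if "error" in query or "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", ["no code"])[0])
    return query["code"][0]

def wait_for_callback(port, expected_state):
    """Serve exactly one loopback request and return the authorization code."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                self.send_response(200)
            except ValueError as exc:
                result["error"] = str(exc)
                self.send_response(400)
            self.end_headers()
            self.wfile.write(b"You can close this tab now.")

    # Placeholder port; bind to loopback only so nothing off-host can reach it.
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()  # one request, then the listener goes away
    if "error" in result:
        raise ValueError(result["error"])
    return result["code"]
```

A CLI would call `make_pkce_pair()`, print `build_authorize_url(...)` with `state = secrets.token_urlsafe(16)`, then block in `wait_for_callback(8765, state)` and exchange the returned code plus the verifier at the token endpoint.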

Profile

Aaron D. Ball

Page generated Jul. 7th, 2025 04:12 am
Powered by Dreamwidth Studios