)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"1c40d0ab9815b949b549a373c5788144e040c244","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Marek Denis \u003cmarek.denis@cern.ch\u003e"},{"line_number":5,"context_line":"CommitDate: 2015-01-19 13:12:17 +0100"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Visual Page for WebSSO"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: I10efb730de483bd18fd203cfe823e33029e79284"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":7,"id":"3a961159_989a1261","line":7,"updated":"2015-01-19 17:19:52.000000000","message":"This is not implementing a Visual Page. This is how to handle the  WebSSO workflow (should be updated for that focus).","commit_id":"809cd939a2a1d1a77c5e2eb1ed89d02c2140c4d8"}],"api/v3/identity-api-v3-os-federation-ext.rst":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"e80492e939b53b2f1ed56462a9df28a04ca9ed28","unresolved":false,"context_lines":[{"line_number":1515,"context_line":""},{"line_number":1516,"context_line":"Endpoint for Web Single Sign On authentication"},{"line_number":1517,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":1518,"context_line":""},{"line_number":1519,"context_line":"::"},{"line_number":1520,"context_line":"    GET /auth/OS-FEDERATION/websso/{saml2,oidc}"},{"line_number":1521,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"1a930d6b_f445eeb3","line":1518,"updated":"2015-01-20 21:37:05.000000000","message":"*New in version 1.2*","commit_id":"5464d6355506c1bf3e11e62da382c8812e6454bd"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"e80492e939b53b2f1ed56462a9df28a04ca9ed28","unresolved":false,"context_lines":[{"line_number":1517,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":1518,"context_line":""},{"line_number":1519,"context_line":"::"},{"line_number":1520,"context_line":"    GET /auth/OS-FEDERATION/websso/{saml2,oidc}"},{"line_number":1521,"context_line":""},{"line_number":1522,"context_line":"For the Web Single Sign On authentication users are expected to enter another"},{"line_number":1523,"context_line":"URL endpoint.  Upon successful authentication, instead of issing standard"}],"source_content_type":"text/x-rst","patch_set":8,"id":"1a930d6b_7411feab","line":1520,"updated":"2015-01-20 21:37:05.000000000","message":"i\u0027d prefer {protocol} instead of {saml2,oidc}","commit_id":"5464d6355506c1bf3e11e62da382c8812e6454bd"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"e80492e939b53b2f1ed56462a9df28a04ca9ed28","unresolved":false,"context_lines":[{"line_number":1520,"context_line":"    GET /auth/OS-FEDERATION/websso/{saml2,oidc}"},{"line_number":1521,"context_line":""},{"line_number":1522,"context_line":"For the Web Single Sign On authentication users are expected to enter another"},{"line_number":1523,"context_line":"URL endpoint.  Upon successful authentication, instead of issing standard"},{"line_number":1524,"context_line":"unscoped token, Keystone will issue a JavaScript code that redirects webbrowser"},{"line_number":1525,"context_line":"to originating Horizon.  Unscoped federated token will be included in the form"},{"line_number":1526,"context_line":"being sent."}],"source_content_type":"text/x-rst","patch_set":8,"id":"1a930d6b_b42286ff","line":1523,"updated":"2015-01-20 21:37:05.000000000","message":"issuing* a*","commit_id":"5464d6355506c1bf3e11e62da382c8812e6454bd"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"e80492e939b53b2f1ed56462a9df28a04ca9ed28","unresolved":false,"context_lines":[{"line_number":1521,"context_line":""},{"line_number":1522,"context_line":"For the Web Single Sign On authentication users are expected to enter another"},{"line_number":1523,"context_line":"URL endpoint.  Upon successful authentication, instead of issing standard"},{"line_number":1524,"context_line":"unscoped token, Keystone will issue a JavaScript code that redirects webbrowser"},{"line_number":1525,"context_line":"to originating Horizon.  Unscoped federated token will be included in the form"},{"line_number":1526,"context_line":"being sent."},{"line_number":1527,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"1a930d6b_347e96e5","line":1524,"updated":"2015-01-20 21:37:05.000000000","message":"1) issue JavaScript* (drop the \u0027a\u0027)\n2) redirects the* web browser*","commit_id":"5464d6355506c1bf3e11e62da382c8812e6454bd"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"e80492e939b53b2f1ed56462a9df28a04ca9ed28","unresolved":false,"context_lines":[{"line_number":1522,"context_line":"For the Web Single Sign On authentication users are expected to enter another"},{"line_number":1523,"context_line":"URL endpoint.  Upon successful authentication, instead of issing standard"},{"line_number":1524,"context_line":"unscoped token, Keystone will issue a JavaScript code that redirects webbrowser"},{"line_number":1525,"context_line":"to originating Horizon.  Unscoped federated token will be included in the form"},{"line_number":1526,"context_line":"being sent."},{"line_number":1527,"context_line":""},{"line_number":1528,"context_line":"Generating Assertions"}],"source_content_type":"text/x-rst","patch_set":8,"id":"1a930d6b_b469a627","line":1525,"updated":"2015-01-20 21:37:05.000000000","message":"to the* originating Horizon. An* unscoped ...","commit_id":"5464d6355506c1bf3e11e62da382c8812e6454bd"}],"specs/kilo/websso-portal.rst":[{"author":{"_account_id":8533,"name":"Marcos Fermín Lobo","email":"lobo@lukos.org","username":"mlobo"},"change_message_id":"3c9946782237dbd5133a00116dd1af7ac8574ada","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp example \u003chttps://blueprints.launchpad.net/keystone/+spec/webssoportal\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Provide a landing page inside of Keystone that can create a token an post it"},{"line_number":14,"context_line":"back to a requestor to support Federation, Kerberos, and X509 based"},{"line_number":15,"context_line":"authentication for visual Web sites that need to work with Keystone."},{"line_number":16,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_72ca8d6f","line":13,"updated":"2014-11-13 08:07:47.000000000","message":"Do you want to say \"[...]a token AND post it[...]\" instead of \"[...]a token AN post it[...]\"?","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"ee283d3e60217a3461c9f3437694592866525bda","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp example \u003chttps://blueprints.launchpad.net/keystone/+spec/webssoportal\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Provide a landing page inside of Keystone that can create a token an post it"},{"line_number":14,"context_line":"back to a requestor to support Federation, Kerberos, and X509 based"},{"line_number":15,"context_line":"authentication for visual Web sites that need to work with Keystone."},{"line_number":16,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_f404807f","line":13,"in_reply_to":"5a890539_72ca8d6f","updated":"2014-12-02 21:59:25.000000000","message":"Done","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":13949,"name":"Antonio Navarro","email":"antonio.navarro@software.dell.com","username":"anavarro"},"change_message_id":"7372d5ed41f7106c2e432c2d5febe8919c5c9c48","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Problem Description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"With password based authentication, Horizon has been responsible for currying"},{"line_number":22,"context_line":"the shared secret between the user and Keystone.  Cryptographically secure"},{"line_number":23,"context_line":"authentication mechanisms protect against this, as it leads to various"},{"line_number":24,"context_line":"Man-in-the-middle attack scenarios.  If the Horizon server is compromised, it"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_3e196c88","line":21,"updated":"2014-11-24 15:46:06.000000000","message":"Suggest replace \"currying\" with \"carrying\":\n... responsible for carrying the shared ...","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"ee283d3e60217a3461c9f3437694592866525bda","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Problem Description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"With password based authentication, Horizon has been responsible for currying"},{"line_number":22,"context_line":"the shared secret between the user and Keystone.  Cryptographically secure"},{"line_number":23,"context_line":"authentication mechanisms protect against this, as it leads to various"},{"line_number":24,"context_line":"Man-in-the-middle attack scenarios.  If the Horizon server is compromised, it"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_f412c0b2","line":21,"in_reply_to":"5a890539_3e196c88","updated":"2014-12-02 21:59:25.000000000","message":"Done","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":23,"context_line":"authentication mechanisms protect against this, as it leads to various"},{"line_number":24,"context_line":"Man-in-the-middle attack scenarios.  If the Horizon server is compromised, it"},{"line_number":25,"context_line":"would grant the attacker access to the password for all users that log in."},{"line_number":26,"context_line":"When coupled with a corporate directory, this poses an unacceptable risk."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"While Kerberos has a mechanism for constrained delegation that minimizes the"},{"line_number":29,"context_line":"risk,  X509 and SAML do not.  In addition, even S4U2Proxy provides a fairly"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_f4d577b9","line":26,"updated":"2014-11-13 16:54:10.000000000","message":"Suggest replace \"unacceptable\" with \"significant\". It is arguably already acceptable as we support this type of stuff already today.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"ee283d3e60217a3461c9f3437694592866525bda","unresolved":false,"context_lines":[{"line_number":23,"context_line":"authentication mechanisms protect against this, as it leads to various"},{"line_number":24,"context_line":"Man-in-the-middle attack scenarios.  If the Horizon server is compromised, it"},{"line_number":25,"context_line":"would grant the attacker access to the password for all users that log in."},{"line_number":26,"context_line":"When coupled with a corporate directory, this poses an unacceptable risk."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"While Kerberos has a mechanism for constrained delegation that minimizes the"},{"line_number":29,"context_line":"risk,  X509 and SAML do not.  In addition, even S4U2Proxy provides a fairly"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_14182cd2","line":26,"in_reply_to":"5a890539_f4d577b9","updated":"2014-12-02 21:59:25.000000000","message":"Done","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":7186,"name":"Matthieu Huin","email":"mhuin@redhat.com","username":"mhu"},"change_message_id":"86e481bb95a7d4a56a564c3e0a790282df54f551","unresolved":false,"context_lines":[{"line_number":40,"context_line":"SAML assertion in order to create the token.  The Keystone server can then"},{"line_number":41,"context_line":"generate sufficient code to POST the token back to Horizon.  While it could"},{"line_number":42,"context_line":"also perform this stage via a redirect, it would have to have the token in the"},{"line_number":43,"context_line":"URL of the redirect, and that would be a security vulnerability."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_eb64c44a","line":43,"updated":"2014-11-13 09:49:48.000000000","message":"Could Horizon and Keystone communicate via SAML ? Keystone can act as an IdP since Juno. The token, roles, accessible projects ... could be sent back as SAML assertions.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":13949,"name":"Antonio Navarro","email":"antonio.navarro@software.dell.com","username":"anavarro"},"change_message_id":"7372d5ed41f7106c2e432c2d5febe8919c5c9c48","unresolved":false,"context_lines":[{"line_number":40,"context_line":"SAML assertion in order to create the token.  The Keystone server can then"},{"line_number":41,"context_line":"generate sufficient code to POST the token back to Horizon.  While it could"},{"line_number":42,"context_line":"also perform this stage via a redirect, it would have to have the token in the"},{"line_number":43,"context_line":"URL of the redirect, and that would be a security vulnerability."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_d9f6c2d6","line":43,"in_reply_to":"5a890539_94c8b323","updated":"2014-11-24 15:46:06.000000000","message":"The communication between Horizon and Keystone is just a secure information exchange.\nWe could define our own protocol and put some extra effort to make sure that we provide all the required security. Or we could use an specific SAML profile and reuse existing code.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":40,"context_line":"SAML assertion in order to create the token.  The Keystone server can then"},{"line_number":41,"context_line":"generate sufficient code to POST the token back to Horizon.  While it could"},{"line_number":42,"context_line":"also perform this stage via a redirect, it would have to have the token in the"},{"line_number":43,"context_line":"URL of the redirect, and that would be a security vulnerability."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_94c8b323","line":43,"in_reply_to":"5a890539_eb64c44a","updated":"2014-11-13 16:54:10.000000000","message":"It is unlikely you\u0027re going to want to do:\n\nSAML -\u003e Horizon -\u003e SAML -\u003e Keystone. There are a lot of intermediary steps that could get fragile and we\u0027re having to do multiple layers of build XML assertions/signing. Horizon shouldn\u0027t need to know *anything* about SAML (or any other Auth mechanism) unless it is standing without keystone.\n\nThis also does not eliminate the replay attack nor the need for the POST capable location within Keystone, it just adds in another step that needs to act as an IDP.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"ee283d3e60217a3461c9f3437694592866525bda","unresolved":false,"context_lines":[{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Provide an HTML based WebSSO landing page in Keystone that performs the"},{"line_number":49,"context_line":"following:"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"If the Keystone server is set with an unabiguous web login mechanism,"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_bf2d7191","line":48,"updated":"2014-12-02 21:59:25.000000000","message":"this is all being re-worked for a new proposed change","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8533,"name":"Marcos Fermín Lobo","email":"lobo@lukos.org","username":"mlobo"},"change_message_id":"3c9946782237dbd5133a00116dd1af7ac8574ada","unresolved":false,"context_lines":[{"line_number":52,"context_line":"properly perform the steps to request a token for the user.  This means that if"},{"line_number":53,"context_line":"X509 Client certificates are an acceptable form of authentication, and the"},{"line_number":54,"context_line":"user has a proper X509, Keystone should create an unscoped token and post it"},{"line_number":55,"context_line":"back to Horiozn.  The same is true for Kerberos.  Autmoated processing for"},{"line_number":56,"context_line":"Federation is also possible if there is only a single IdP provisioned."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"If multiple Federation mechanisms are provisioned,  the web portal has to be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_92f3799d","line":55,"updated":"2014-11-13 08:07:47.000000000","message":"[...]back to HORIZON.[...] instead of [...]back to HORIOZN.[...]\n\n[...]AUTOMATED processing for[...] instead of [...]AUTMOATED processing for[...]","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":52,"context_line":"properly perform the steps to request a token for the user.  This means that if"},{"line_number":53,"context_line":"X509 Client certificates are an acceptable form of authentication, and the"},{"line_number":54,"context_line":"user has a proper X509, Keystone should create an unscoped token and post it"},{"line_number":55,"context_line":"back to Horiozn.  The same is true for Kerberos.  Autmoated processing for"},{"line_number":56,"context_line":"Federation is also possible if there is only a single IdP provisioned."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"If multiple Federation mechanisms are provisioned,  the web portal has to be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_af78f68f","line":55,"in_reply_to":"5a890539_92f3799d","updated":"2014-11-13 16:54:10.000000000","message":"(NIT): Suggest not using \"The same is true for Kerberos\", and change to say something to the effect of \"This same mechanism can be used for auth mechanisms with similar unambiguous properties such as Kerberos\" - this leavesus open to evaluating new systems not limited to KRB and X509","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":53,"context_line":"X509 Client certificates are an acceptable form of authentication, and the"},{"line_number":54,"context_line":"user has a proper X509, Keystone should create an unscoped token and post it"},{"line_number":55,"context_line":"back to Horiozn.  The same is true for Kerberos.  Autmoated processing for"},{"line_number":56,"context_line":"Federation is also possible if there is only a single IdP provisioned."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"If multiple Federation mechanisms are provisioned,  the web portal has to be"},{"line_number":59,"context_line":"able to distinguish between those that should be publically listed and those"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_0f690abe","line":56,"updated":"2014-11-13 16:54:10.000000000","message":"Remove this sentence.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":7175,"name":"Robbie Harwood","email":"rharwood@redhat.com","username":"frozencemetery"},"change_message_id":"1996fef1743b5ef26c1a918da255b648d3389927","unresolved":false,"context_lines":[{"line_number":55,"context_line":"back to Horiozn.  The same is true for Kerberos.  Autmoated processing for"},{"line_number":56,"context_line":"Federation is also possible if there is only a single IdP provisioned."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"If multiple Federation mechanisms are provisioned,  the web portal has to be"},{"line_number":59,"context_line":"able to distinguish between those that should be publically listed and those"},{"line_number":60,"context_line":"that must be maintained private.  The public list will be displayed as a list"},{"line_number":61,"context_line":"of documented hyperlinks.  Each hyperlink will contain sufficient information"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_5817beed","line":58,"updated":"2014-11-10 17:52:42.000000000","message":"extra space after the comma","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":13949,"name":"Antonio Navarro","email":"antonio.navarro@software.dell.com","username":"anavarro"},"change_message_id":"7372d5ed41f7106c2e432c2d5febe8919c5c9c48","unresolved":false,"context_lines":[{"line_number":57,"context_line":""},{"line_number":58,"context_line":"If multiple Federation mechanisms are provisioned,  the web portal has to be"},{"line_number":59,"context_line":"able to distinguish between those that should be publically listed and those"},{"line_number":60,"context_line":"that must be maintained private.  The public list will be displayed as a list"},{"line_number":61,"context_line":"of documented hyperlinks.  Each hyperlink will contain sufficient information"},{"line_number":62,"context_line":"to complete the token creation process once clicked.  This means redirecting"},{"line_number":63,"context_line":"the user to the IdP, and providing a return link that will create the token"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_b9b0168c","line":60,"updated":"2014-11-24 15:46:06.000000000","message":"A better design would be to have a separate URL for each of the configured mechanisms, and then have a landing page that can be configured to suit the specific deployment needs.\nThat configuration can include:\n  - public/private mechanisms (as presented here)\n  - automatic selection of the mechanism based on the client\u0027s IP Address\n  - Cookie lookup with the preferred mechanism","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"4016719bfb872cc273208fffb7b5c88204c131c6","unresolved":false,"context_lines":[{"line_number":61,"context_line":"of documented hyperlinks.  Each hyperlink will contain sufficient information"},{"line_number":62,"context_line":"to complete the token creation process once clicked.  This means redirecting"},{"line_number":63,"context_line":"the user to the IdP, and providing a return link that will create the token"},{"line_number":64,"context_line":"and post to Horizon, as well as redirecting the user back to Horizon."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"For IdPs that are maintained privately, the user will be able to paste an URL"},{"line_number":67,"context_line":"into a text field that provides sufficient information to redirect the user to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_a822f9b6","line":64,"updated":"2014-11-11 16:17:47.000000000","message":"Do you expect people to go to their Dashboard, click \u0027login with saml\u0027, get redirected to Keystone and there enter their\u0027s Dashboard url again?","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":69,"context_line":"it will perform the same steps as it would for the hyperlink of a public url,"},{"line_number":70,"context_line":"as well as set a cookie value with the IdP.  On subsequent visites, Keystone"},{"line_number":71,"context_line":"should read the value from the Cookie to determine if it should display the"},{"line_number":72,"context_line":"private URL or not."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Because Keystone will now have a visual component, it will need to be able to"},{"line_number":75,"context_line":"serve out two additional pages, one with CSS for theming, and one with"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_2f92469f","line":72,"updated":"2014-11-13 16:54:10.000000000","message":"This is not a good UX design. There should be an auth endpoint that can redirect explicitly to the \"private\" IDP (similar to how gerrit works with ubuntu one being the only option). This also opens up for the use-case where DOA has a VHOST that explicitly configures it to point to a \"known\" IDP for horizon.\n\nPlease do not do \"paste in a text box design\".","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8533,"name":"Marcos Fermín Lobo","email":"lobo@lukos.org","username":"mlobo"},"change_message_id":"3c9946782237dbd5133a00116dd1af7ac8574ada","unresolved":false,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Because Keystone will now have a visual component, it will need to be able to"},{"line_number":75,"context_line":"serve out two additional pages, one with CSS for theming, and one with"},{"line_number":76,"context_line":"Javascript for the post back to Keystone.  These will not be generated from"},{"line_number":77,"context_line":"the dynamic content, but instead will be links added on to the response if the"},{"line_number":78,"context_line":"content type is HTML."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_72228d02","line":76,"updated":"2014-11-13 08:07:47.000000000","message":"Is really necessary to use Javascript for the post back?","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"1119dec243b5292b3d125f98bdebbcdd2c6893ba","unresolved":false,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Because Keystone will now have a visual component, it will need to be able to"},{"line_number":75,"context_line":"serve out two additional pages, one with CSS for theming, and one with"},{"line_number":76,"context_line":"Javascript for the post back to Keystone.  These will not be generated from"},{"line_number":77,"context_line":"the dynamic content, but instead will be links added on to the response if the"},{"line_number":78,"context_line":"content type is HTML."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_a324410d","line":76,"in_reply_to":"5a890539_72228d02","updated":"2014-11-17 14:11:24.000000000","message":"what else can be used here?","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":75,"context_line":"serve out two additional pages, one with CSS for theming, and one with"},{"line_number":76,"context_line":"Javascript for the post back to Keystone.  These will not be generated from"},{"line_number":77,"context_line":"the dynamic content, but instead will be links added on to the response if the"},{"line_number":78,"context_line":"content type is HTML."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"THe Apache server needs to have a diffferent URL for each of the authN modules"},{"line_number":81,"context_line":"that it uses.  For example, a single Keystone server that serves Kerberos and"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_8f2dfa48","line":78,"updated":"2014-11-13 16:54:10.000000000","message":"This is not a requirement. Keystone does not need to serve out CSS for styling. Keystone could support pulling in (via config) CSS from another location.\n\nThe Javascript is likely required, but could be served out directly in the HTML [embeded]. Alternatively, apache can handle the static content for this.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":7175,"name":"Robbie Harwood","email":"rharwood@redhat.com","username":"frozencemetery"},"change_message_id":"1996fef1743b5ef26c1a918da255b648d3389927","unresolved":false,"context_lines":[{"line_number":77,"context_line":"the dynamic content, but instead will be links added on to the response if the"},{"line_number":78,"context_line":"content type is HTML."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"THe Apache server needs to have a diffferent URL for each of the authN modules"},{"line_number":81,"context_line":"that it uses.  For example, a single Keystone server that serves Kerberos and"},{"line_number":82,"context_line":"SAML will need to hand out different URLs for each.  This need to dynamically"},{"line_number":83,"context_line":"list authentication mechanisms needs to be reflected in the paste file."}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_78d39a38","line":80,"updated":"2014-11-10 17:52:42.000000000","message":"\"The\"","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8533,"name":"Marcos Fermín Lobo","email":"lobo@lukos.org","username":"mlobo"},"change_message_id":"3c9946782237dbd5133a00116dd1af7ac8574ada","unresolved":false,"context_lines":[{"line_number":77,"context_line":"the dynamic content, but instead will be links added on to the response if the"},{"line_number":78,"context_line":"content type is HTML."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"THe Apache server needs to have a diffferent URL for each of the authN modules"},{"line_number":81,"context_line":"that it uses.  For example, a single Keystone server that serves Kerberos and"},{"line_number":82,"context_line":"SAML will need to hand out different URLs for each.  This need to dynamically"},{"line_number":83,"context_line":"list authentication mechanisms needs to be reflected in the paste file."}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_526e7130","line":80,"updated":"2014-11-13 08:07:47.000000000","message":"[...]to have DIFFERENT Url[...] instead of [...]to have DIFFFERENT Url[...] (3 F\u0027s).","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":7186,"name":"Matthieu Huin","email":"mhuin@redhat.com","username":"mhu"},"change_message_id":"86e481bb95a7d4a56a564c3e0a790282df54f551","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"THe Apache server needs to have a diffferent URL for each of the authN modules"},{"line_number":81,"context_line":"that it uses.  For example, a single Keystone server that serves Kerberos and"},{"line_number":82,"context_line":"SAML will need to hand out different URLs for each.  This need to dynamically"},{"line_number":83,"context_line":"list authentication mechanisms needs to be reflected in the paste file."},{"line_number":84,"context_line":"Each authentication mechanism should have its own paste pipeline, but share a"},{"line_number":85,"context_line":"common set of filters with other mechanisms.  Only extensions relevant to token"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_8b77c039","line":82,"updated":"2014-11-13 09:49:48.000000000","message":"How will this handle multiple auths ? A client can send a payload listing multiple auth methods when authenticating. Or is this irrelevant here ?","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":13949,"name":"Antonio Navarro","email":"antonio.navarro@software.dell.com","username":"anavarro"},"change_message_id":"7372d5ed41f7106c2e432c2d5febe8919c5c9c48","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"THe Apache server needs to have a diffferent URL for each of the authN modules"},{"line_number":81,"context_line":"that it uses.  For example, a single Keystone server that serves Kerberos and"},{"line_number":82,"context_line":"SAML will need to hand out different URLs for each.  This need to dynamically"},{"line_number":83,"context_line":"list authentication mechanisms needs to be reflected in the paste file."},{"line_number":84,"context_line":"Each authentication mechanism should have its own paste pipeline, but share a"},{"line_number":85,"context_line":"common set of filters with other mechanisms.  Only extensions relevant to token"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_5405390f","line":82,"updated":"2014-11-24 15:46:06.000000000","message":"We will need a different URL for each SAML IdP that Keystone is configured with (as opposed to one URL for all SAML providers)","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":86,"context_line":"creation (such as OS-FEDRATION) should be exposed in these pipelines.  No other"},{"line_number":87,"context_line":"administrative functions should be exposed by these pipelines, either.  Even"},{"line_number":88,"context_line":"the ability to validate a token is not required, and should be restricted if"},{"line_number":89,"context_line":"practical."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Alternatives"},{"line_number":92,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_2f1c0613","line":89,"updated":"2014-11-13 16:54:10.000000000","message":"This is an enhancement (the separate / common filters) not a hard requirement for this spec.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":7186,"name":"Matthieu Huin","email":"mhuin@redhat.com","username":"mhu"},"change_message_id":"86e481bb95a7d4a56a564c3e0a790282df54f551","unresolved":false,"context_lines":[{"line_number":150,"context_line":"The performance impact should be minimal.  Keystone will be serving out"},{"line_number":151,"context_line":"roughly the same amount of data as it is in during a Horizon login today, with"},{"line_number":152,"context_line":"the addition of some static files.  With proper page lifespace tuning for"},{"line_number":153,"context_line":"these pages, the impact should be nominal."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"Other Deployer Impact"},{"line_number":156,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_8baee083","line":153,"updated":"2014-11-13 09:49:48.000000000","message":"Can this be enforced or at the discretion of the deployer ?","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":158,"context_line":"* The token creation process today assumes a single `method` for tokens.  Each"},{"line_number":159,"context_line":"  of the exposed authentication mechanisms should instead allow for a separate"},{"line_number":160,"context_line":"  configured method.  To reduce duplication, this configuration will be"},{"line_number":161,"context_line":"  performed in the paste file as a filter on the auth pipeline."},{"line_number":162,"context_line":"  The Javascript and CSS files for HTML rendering will be specified as"},{"line_number":163,"context_line":"  static resources.  These should each be a list of files that are included in"},{"line_number":164,"context_line":"  the order specified.  While this can be done either in the paste file or the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_cfac62a3","line":161,"updated":"2014-11-13 16:54:10.000000000","message":"I am not convinced we need new paste pipelines for this. I think we can probably get away with doing specialty routing based upon protocols within keystone and a single new auth pipeline.\n\nThe pipeline work is actually less relevant since we *control* the routes. Why do we need a separate pipeline *per* auth mechanism and not just a separate route that can / is configured via data in keystone?\n\nPaste is convenient in some cases but in others, it really isn\u0027t. today we can\u0027t support common filters, so likely we should work with what we have today.\n\nThis also might be a bad deployer UX to need to add paste pipelines / change them for each and every mechanism they want to support.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"ee283d3e60217a3461c9f3437694592866525bda","unresolved":false,"context_lines":[{"line_number":158,"context_line":"* The token creation process today assumes a single `method` for tokens.  Each"},{"line_number":159,"context_line":"  of the exposed authentication mechanisms should instead allow for a separate"},{"line_number":160,"context_line":"  configured method.  To reduce duplication, this configuration will be"},{"line_number":161,"context_line":"  performed in the paste file as a filter on the auth pipeline."},{"line_number":162,"context_line":"  The Javascript and CSS files for HTML rendering will be specified as"},{"line_number":163,"context_line":"  static resources.  These should each be a list of files that are included in"},{"line_number":164,"context_line":"  the order specified.  While this can be done either in the paste file or the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_3f598135","line":161,"in_reply_to":"5a890539_cfac62a3","updated":"2014-12-02 21:59:25.000000000","message":"we don\u0027t this will be removed","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8533,"name":"Marcos Fermín Lobo","email":"lobo@lukos.org","username":"mlobo"},"change_message_id":"3c9946782237dbd5133a00116dd1af7ac8574ada","unresolved":false,"context_lines":[{"line_number":170,"context_line":"* These changes should not break current  continuous deployment.  In order to"},{"line_number":171,"context_line":"  test these mechanisms, CI will need a series of Federation protocol"},{"line_number":172,"context_line":"  implementations, to include X509 Client certificate support, Kerberos, SAML,"},{"line_number":173,"context_line":"  and additional protoclas as supported.  The focus should be on testing the"},{"line_number":174,"context_line":"  Integration with Horizon."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_f2c03de2","line":173,"updated":"2014-11-13 08:07:47.000000000","message":"[...]additional PROTOCOLS as[...] instead of [...]additional PROTOCLAS as[...]","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8533,"name":"Marcos Fermín Lobo","email":"lobo@lukos.org","username":"mlobo"},"change_message_id":"3c9946782237dbd5133a00116dd1af7ac8574ada","unresolved":false,"context_lines":[{"line_number":179,"context_line":"The biggest impact should be a restructuring of the paste file to reduce"},{"line_number":180,"context_line":"duplication and to better support the specific URLs for each authentication"},{"line_number":181,"context_line":"mechanism.  This will change where in the file filters are configured if those"},{"line_number":182,"context_line":"filters are common actrosss multiple pipelines."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_126f89fe","line":182,"updated":"2014-11-13 08:07:47.000000000","message":"Should we mention here something about the developer impact in Horizon?","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8533,"name":"Marcos Fermín Lobo","email":"lobo@lukos.org","username":"mlobo"},"change_message_id":"3c9946782237dbd5133a00116dd1af7ac8574ada","unresolved":false,"context_lines":[{"line_number":207,"context_line":"* Refactor paste file to reduce duplication of common filters."},{"line_number":208,"context_line":"* Splite the v3 service APIs into separate pipelines."},{"line_number":209,"context_line":"* Remove POST /v3/auth/tokens from the remainder of the auth pipeline"},{"line_number":210,"context_line":"* split configuration of the auth plugin off the token provider and make into"},{"line_number":211,"context_line":"  a filter"},{"line_number":212,"context_line":"* Replace the json filter with a content-type filter than can render either"},{"line_number":213,"context_line":"  html or JSON based on the accepts header.  This will be used for the portions"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_d24b4185","line":210,"updated":"2014-11-13 08:07:47.000000000","message":"\"Split\" (capitalize)","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":208,"context_line":"* Splite the v3 service APIs into separate pipelines."},{"line_number":209,"context_line":"* Remove POST /v3/auth/tokens from the remainder of the auth pipeline"},{"line_number":210,"context_line":"* split configuration of the auth plugin off the token provider and make into"},{"line_number":211,"context_line":"  a filter"},{"line_number":212,"context_line":"* Replace the json filter with a content-type filter than can render either"},{"line_number":213,"context_line":"  html or JSON based on the accepts header.  This will be used for the portions"},{"line_number":214,"context_line":"  of Keytone exposed for visual web use only."}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_341c5f13","line":211,"updated":"2014-11-13 16:54:10.000000000","message":"These first 4 items are not really relevant to this spec. They can be improvements but are not really \"needed\". These should be removed from the spec.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6379466ac8b9de9e2cf5160c5f8453e57567cbc9","unresolved":false,"context_lines":[{"line_number":211,"context_line":"  a filter"},{"line_number":212,"context_line":"* Replace the json filter with a content-type filter than can render either"},{"line_number":213,"context_line":"  html or JSON based on the accepts header.  This will be used for the portions"},{"line_number":214,"context_line":"  of Keytone exposed for visual web use only."},{"line_number":215,"context_line":"* Create a simple renderer for HTML content"},{"line_number":216,"context_line":"* Extend the IDP entity to indicate whether a given IDP is public or private"},{"line_number":217,"context_line":"* Create a JSON home entity to describe what the landing page for the IDP list"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_14e843e1","line":214,"updated":"2014-11-13 16:54:10.000000000","message":"This can be handled as a one off for this spec, or can be done as a conversion to a mechanism that is much smarter (as discussed at the summit). This is again not really required for this task, but it an improvement (at best) down the line.","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":13949,"name":"Antonio Navarro","email":"antonio.navarro@software.dell.com","username":"anavarro"},"change_message_id":"7372d5ed41f7106c2e432c2d5febe8919c5c9c48","unresolved":false,"context_lines":[{"line_number":226,"context_line":"* This blueprint depends only on existing OS-FEDERATION based work."},{"line_number":227,"context_line":""},{"line_number":228,"context_line":"* Once this is implemented, Django-openstack-auth will need a configuration"},{"line_number":229,"context_line":"  option to be able to triggere the redirect and to handle the posting of the"},{"line_number":230,"context_line":"  token back from Keystone."},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"* This feature should not require any external dependencies."}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a890539_743eb58c","line":229,"updated":"2014-11-24 15:46:06.000000000","message":"sugget replace \"triggere\" with trigger:\n--- to be able to trigger the redirect ...","commit_id":"1a439b2cc9aa421691b9497ef8b71a5484b84956"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"453837a83dc0af3c082b511a0787958d42552a98","unresolved":false,"context_lines":[{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Keystone will implement a discovery page that allows the user to select from"},{"line_number":47,"context_line":"multiple forms of login. Initially these will be:"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* Username and Password"},{"line_number":50,"context_line":"* Kerberos"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_53f5bd82","line":47,"updated":"2015-01-12 22:43:09.000000000","message":"Keystone should not implement any discovery page. In fact, Keystone should not implement any webpage that user will see and type any input there. If there is anything with \u003chtml\u003e\u003c/html\u003e tags returned by Keystone it should be only because a specific web browser behaviour is enforced this way.\n\nKeystone should implement new endpoints (not matter whether via new routes or new pipelines), and one of them should be:\n\n/v3/OS-FEDERATION/websso/saml2 and /v3/OS-FEDERATION/websso/oidc (as we will support only saml2 and oidc for now).","commit_id":"346a598ad5680aa391efa01cb8cf0ab5f51f2ee9"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"453837a83dc0af3c082b511a0787958d42552a98","unresolved":false,"context_lines":[{"line_number":46,"context_line":"Keystone will implement a discovery page that allows the user to select from"},{"line_number":47,"context_line":"multiple forms of login. Initially these will be:"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* Username and Password"},{"line_number":50,"context_line":"* Kerberos"},{"line_number":51,"context_line":"* Federation via SAML"},{"line_number":52,"context_line":"* Federation via OpenID Connect"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_f3330911","line":49,"updated":"2015-01-12 22:43:09.000000000","message":"i\u0027d leave this user case as-is, or move it to another spec.","commit_id":"346a598ad5680aa391efa01cb8cf0ab5f51f2ee9"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"453837a83dc0af3c082b511a0787958d42552a98","unresolved":false,"context_lines":[{"line_number":150,"context_line":"* allow login with token"},{"line_number":151,"context_line":"* perform a validate token call"},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"`keystone`"},{"line_number":154,"context_line":"* Changes to middleware to allow for HTML in the response."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_7371d9dd","line":153,"updated":"2015-01-12 22:43:09.000000000","message":"- add a way to register trusted WebUIs where client\u0027s browser is allowed to be redirected with an unscoped token.\n- add new endpoints: /v3/OS-FEDERATION/websso/{saml2, oidc} (protected by mod_shib, mod_oidc respectively), handling websso request for SAML2 or OIDC. \n- add logic associating an issuer of an assertion/claim with an identity_provider object registered in Keystone\u0027s backend (via remote_id attribute).","commit_id":"346a598ad5680aa391efa01cb8cf0ab5f51f2ee9"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"352272b883aff3b18b29e9d87b16606d5baf5c85","unresolved":false,"context_lines":[{"line_number":35,"context_line":"* Keystone redirects the user to Horizon."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The Keystone server needs to enable the redirect to the IdP, and accept back"},{"line_number":38,"context_line":"the SAML assertion in order to create the token. The Keystone server can then"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_83165bf0","line":38,"updated":"2015-01-16 15:26:14.000000000","message":"this sentence died","commit_id":"ad22d370ce74a885e0e0e98eef81522da3737754"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"47217489d69de10247ad0771b5977fc5cc91c4aa","unresolved":false,"context_lines":[{"line_number":35,"context_line":"* Keystone redirects the user to Horizon."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The Keystone server needs to enable the redirect to the IdP, and accept back"},{"line_number":38,"context_line":"the SAML assertion in order to create the token. The Keystone server can then"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_59e0c9cb","line":38,"in_reply_to":"3a961159_83165bf0","updated":"2015-01-18 11:51:17.000000000","message":"amen.","commit_id":"ad22d370ce74a885e0e0e98eef81522da3737754"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"352272b883aff3b18b29e9d87b16606d5baf5c85","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preffered authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_a3e8b7df","line":43,"updated":"2015-01-16 15:26:14.000000000","message":"preferred*","commit_id":"ad22d370ce74a885e0e0e98eef81522da3737754"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"47217489d69de10247ad0771b5977fc5cc91c4aa","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preffered authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_79958530","line":43,"in_reply_to":"3a961159_a3e8b7df","updated":"2015-01-18 11:51:17.000000000","message":"hah,i knew one letter was doubled!","commit_id":"ad22d370ce74a885e0e0e98eef81522da3737754"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"1c40d0ab9815b949b549a373c5788144e040c244","unresolved":false,"context_lines":[{"line_number":38,"context_line":"the SAML assertion in order to create the token."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a961159_b8c50e40","line":41,"updated":"2015-01-19 17:19:52.000000000","message":"We need a diagram as discussed at the mid-cycle.","commit_id":"809cd939a2a1d1a77c5e2eb1ed89d02c2140c4d8"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"1c40d0ab9815b949b549a373c5788144e040c244","unresolved":false,"context_lines":[{"line_number":57,"context_line":"Javascript that performs a HTTP POST to the original webUI."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"Stretch goal, the final target URL will be validated against a list of"},{"line_number":60,"context_line":"acceptable WebUI hosts, to avoid Phishing attacks."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"Alternatives"},{"line_number":63,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3a961159_38d91e29","line":60,"updated":"2015-01-19 17:19:52.000000000","message":"Remove the stretch goal(s).","commit_id":"809cd939a2a1d1a77c5e2eb1ed89d02c2140c4d8"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"586a39f00efb03b2c7a9efae56887a59ef084afb","unresolved":false,"context_lines":[{"line_number":76,"context_line":"    +----------------------------------------------------------------+"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"The work flow is as follows::"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"    1) A User with a web browser reaches Horizon"},{"line_number":82,"context_line":"    2) Horizon issues an HTTP 301 Redirect response pointing the user to"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1a930d6b_0046b4bf","line":79,"updated":"2015-01-21 00:40:59.000000000","message":"we can drop the :: to just a single one","commit_id":"e3c3c9604b8a7bff224462ec0e3ff349e00e3fc1"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"586a39f00efb03b2c7a9efae56887a59ef084afb","unresolved":false,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"The work flow is as follows::"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"    1) A User with a web browser reaches Horizon"},{"line_number":82,"context_line":"    2) Horizon issues an HTTP 301 Redirect response pointing the user to"},{"line_number":83,"context_line":"       the Keystone endpoint."},{"line_number":84,"context_line":"    3) The browser redirects the user to a Keystone ``websso`` endpoint,"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1a930d6b_4017dca3","line":81,"updated":"2015-01-21 00:40:59.000000000","message":"untab these back","commit_id":"e3c3c9604b8a7bff224462ec0e3ff349e00e3fc1"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"586a39f00efb03b2c7a9efae56887a59ef084afb","unresolved":false,"context_lines":[{"line_number":178,"context_line":""},{"line_number":179,"context_line":"`django_openstack_auth`"},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"* Add a new WEBSSO_ENABLED option"},{"line_number":182,"context_line":"* New button that allows a user to select a federation log-in"},{"line_number":183,"context_line":"* Allow login with token"},{"line_number":184,"context_line":"* Perform a validate token call"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1a930d6b_80ed448e","line":181,"updated":"2015-01-21 00:40:59.000000000","message":"these need to be adjusted","commit_id":"e3c3c9604b8a7bff224462ec0e3ff349e00e3fc1"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"15eb624c4d2761aeaf906bb9751bd10fdec059c7","unresolved":false,"context_lines":[{"line_number":24,"context_line":"authentication mechanisms protect against this, as it leads to various"},{"line_number":25,"context_line":"Man-in-the-middle attack scenarios. If the Horizon server is compromised, it"},{"line_number":26,"context_line":"would grant the attacker access to the password for all users that log in."},{"line_number":27,"context_line":"When coupled with a corporate directory, this poses a significant risk."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The proper sequence is"},{"line_number":30,"context_line":"* Horizon redirects the browser to Keystone"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_4ab3e409","line":27,"updated":"2015-01-26 05:54:54.000000000","message":"Great problem description!","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"15eb624c4d2761aeaf906bb9751bd10fdec059c7","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The proper sequence is"},{"line_number":30,"context_line":"* Horizon redirects the browser to Keystone"},{"line_number":31,"context_line":"* Keystone redirects to Discovery Service or default IdP"},{"line_number":32,"context_line":"* The User authenticates via an IdP specific mechanism"},{"line_number":33,"context_line":"* The IdP redirects the browser back to Keystone"},{"line_number":34,"context_line":"* Keystone generates Javascript code to POST a token back to Horizon"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_ca2d14aa","line":31,"updated":"2015-01-26 05:54:54.000000000","message":"Instead of a directory service can we support just having a single default IDP listed on the horizon page or have a list of buttons representing possible IDPs similar to what is done on https://members.oreilly.com/account/login?partner\u003d","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"15eb624c4d2761aeaf906bb9751bd10fdec059c7","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_eac3b054","line":43,"updated":"2015-01-26 05:54:54.000000000","message":"Is there a blueprint opened for the Horizon portion of this that you can reference?","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"a27cacb9cbe86c01dbaf3559f86a30e19c70befe","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_db016407","line":43,"in_reply_to":"1a930d6b_eac3b054","updated":"2015-01-26 09:03:42.000000000","message":"nothing i would be aware of. Is Horizon blueprint required for completing this spec?","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"15eb624c4d2761aeaf906bb9751bd10fdec059c7","unresolved":false,"context_lines":[{"line_number":89,"context_line":"   request."},{"line_number":90,"context_line":"5) The browser sends a \u003csaml2:Request\u003e request and authenticates with the"},{"line_number":91,"context_line":"   IdP."},{"line_number":92,"context_line":"6) Once authentication is successful, the IdP issues a SAML assertion or"},{"line_number":93,"context_line":"   OpenID Connect claim, and redirects user back to the"},{"line_number":94,"context_line":"   ``/auth/OS-FEDERATION/websso/{saml2,oidc}``."},{"line_number":95,"context_line":"7) The browser redirect the user back to Keystone again, with the SAML"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_8a794cca","line":92,"updated":"2015-01-26 05:54:54.000000000","message":"I\u0027m confused on how 6 and 7 are written. The way it reads it sounds like there are two consecutive redirects from the IDP to Keystone.  In six it says redirects back to /auth/OS-FEDERATION/websso/{saml,oidc} which to me sounds like a redirect to keystone and then 7 says redirect to keystone again. Are there really to consecutive redirects to keystone or is one and you described it in halves?","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"a27cacb9cbe86c01dbaf3559f86a30e19c70befe","unresolved":false,"context_lines":[{"line_number":89,"context_line":"   request."},{"line_number":90,"context_line":"5) The browser sends a \u003csaml2:Request\u003e request and authenticates with the"},{"line_number":91,"context_line":"   IdP."},{"line_number":92,"context_line":"6) Once authentication is successful, the IdP issues a SAML assertion or"},{"line_number":93,"context_line":"   OpenID Connect claim, and redirects user back to the"},{"line_number":94,"context_line":"   ``/auth/OS-FEDERATION/websso/{saml2,oidc}``."},{"line_number":95,"context_line":"7) The browser redirect the user back to Keystone again, with the SAML"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_bfb00344","line":92,"in_reply_to":"1a930d6b_8a794cca","updated":"2015-01-26 09:03:42.000000000","message":"in fact, it\u0027s one redirect, i just needed a way to show that it\u0027s not keystone poiting to IdP, but it always goes as a redirect and webbrowser (client in general) plays very important role in that process.\nIn fact, 2 and 3 are a one redirect, so is 4-5, 6-7 and finally 8-9. I will change the spec so we call it 2a/2b, 3a/3b.","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"15eb624c4d2761aeaf906bb9751bd10fdec059c7","unresolved":false,"context_lines":[{"line_number":94,"context_line":"   ``/auth/OS-FEDERATION/websso/{saml2,oidc}``."},{"line_number":95,"context_line":"7) The browser redirect the user back to Keystone again, with the SAML"},{"line_number":96,"context_line":"   assertion or OpenID Connect claim."},{"line_number":97,"context_line":"8) Keystone issues JavaScript code that executes upon loading by the"},{"line_number":98,"context_line":"   browser. The unscoped federated token is included in the HTML form."},{"line_number":99,"context_line":"9) The user is being redirected back to the Horizon webpage, with the"},{"line_number":100,"context_line":"   unscoped federated token in the request."}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_ca7fd4a9","line":97,"updated":"2015-01-26 05:54:54.000000000","message":"Can you provide an example of this JavasScript code would look like?","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"a27cacb9cbe86c01dbaf3559f86a30e19c70befe","unresolved":false,"context_lines":[{"line_number":94,"context_line":"   ``/auth/OS-FEDERATION/websso/{saml2,oidc}``."},{"line_number":95,"context_line":"7) The browser redirect the user back to Keystone again, with the SAML"},{"line_number":96,"context_line":"   assertion or OpenID Connect claim."},{"line_number":97,"context_line":"8) Keystone issues JavaScript code that executes upon loading by the"},{"line_number":98,"context_line":"   browser. The unscoped federated token is included in the HTML form."},{"line_number":99,"context_line":"9) The user is being redirected back to the Horizon webpage, with the"},{"line_number":100,"context_line":"   unscoped federated token in the request."}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_1b204cab","line":97,"in_reply_to":"1a930d6b_45567707","updated":"2015-01-26 09:03:42.000000000","message":"++","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"e2cc3b0bc2293ae6d3e6c99db56ff9b5d2c442a5","unresolved":false,"context_lines":[{"line_number":94,"context_line":"   ``/auth/OS-FEDERATION/websso/{saml2,oidc}``."},{"line_number":95,"context_line":"7) The browser redirect the user back to Keystone again, with the SAML"},{"line_number":96,"context_line":"   assertion or OpenID Connect claim."},{"line_number":97,"context_line":"8) Keystone issues JavaScript code that executes upon loading by the"},{"line_number":98,"context_line":"   browser. The unscoped federated token is included in the HTML form."},{"line_number":99,"context_line":"9) The user is being redirected back to the Horizon webpage, with the"},{"line_number":100,"context_line":"   unscoped federated token in the request."}],"source_content_type":"text/x-rst","patch_set":11,"id":"1a930d6b_45567707","line":97,"in_reply_to":"1a930d6b_ca7fd4a9","updated":"2015-01-26 06:05:14.000000000","message":"It\u0027s mentioned here: https://review.openstack.org/#/c/139110/1/keystone/contrib/federation/controllers.py","commit_id":"6ae209c1828ca770c1deeaa5b90c6859e99cb570"},{"author":{"_account_id":10335,"name":"Marco Fargetta","email":"marco.fargetta@ct.infn.it","username":"fmarco76"},"change_message_id":"d96f0aa8562b5b1b23ed5a06108b4eedc57904f0","unresolved":false,"context_lines":[{"line_number":56,"context_line":"It\u0027s important to mention that ``{protocol}`` variables must be registered (and"},{"line_number":57,"context_line":"tied to ``identity provider`` object issuing assertions) via the"},{"line_number":58,"context_line":"``OS-FEDERATION`` API."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"The algorithm for identifying ``mapping`` to be used:"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"::"}],"source_content_type":"text/x-rst","patch_set":13,"id":"1a930d6b_9907df17","line":59,"updated":"2015-01-26 11:49:09.000000000","message":"Could be possible to move the selection of the authentication method in keystone? In this way there is not need to modify horizon when a new protocol is added. User could always go in ``/v3/OS-FEDERATION/websso/login`` and then you could (provide username and password or) select the protocol to use","commit_id":"7ddb081a1d3a15ab30455315418bca4f2d6ccd8f"},{"author":{"_account_id":9576,"name":"Thai Tran","email":"tqtran@us.ibm.com","username":"tqtran"},"change_message_id":"6103055cdd47cf0fcad72856a81192c59ab335aa","unresolved":false,"context_lines":[{"line_number":23,"context_line":"the shared secret between the user and Keystone. Cryptographically secure"},{"line_number":24,"context_line":"authentication mechanisms protect against this, as it leads to various"},{"line_number":25,"context_line":"Man-in-the-middle attack scenarios. If the Horizon server is compromised, it"},{"line_number":26,"context_line":"would grant the attacker access to the password for all users that log in."},{"line_number":27,"context_line":"When coupled with a corporate directory, this poses a significant risk."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The proper sequence is"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_bae55add","line":26,"updated":"2015-01-26 18:17:53.000000000","message":"I don\u0027t believe Horizon stores the password anywhere. It\u0027s forwarded to keystone in exchange for a token. If the server is compromised, any number of damage is possible (much like if the keystone server is compromised).","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"37017fe36c715b0016fb5321ca2490e1c4c56c74","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The proper sequence is"},{"line_number":30,"context_line":"* Horizon redirects the browser to Keystone"},{"line_number":31,"context_line":"* Keystone redirects to Discovery Service or default IdP"},{"line_number":32,"context_line":"* The User authenticates via an IdP specific mechanism"},{"line_number":33,"context_line":"* The IdP redirects the browser back to Keystone"},{"line_number":34,"context_line":"* Keystone generates Javascript code to POST a token back to Horizon"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_4471f942","line":31,"updated":"2015-01-26 21:34:05.000000000","message":"leftover from patch set 11: Instead of a directory service can we support just having a single default IDP listed on the horizon page or have a list of buttons representing possible IDPs similar to what is done on https://members.oreilly.com/account/login?partner\u003d\n\nOr is the answer what we do in keystone is isolated from such issues?","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"39b73a01f91cb5ddcf8354dc8a99731fa8764498","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The proper sequence is"},{"line_number":30,"context_line":"* Horizon redirects the browser to Keystone"},{"line_number":31,"context_line":"* Keystone redirects to Discovery Service or default IdP"},{"line_number":32,"context_line":"* The User authenticates via an IdP specific mechanism"},{"line_number":33,"context_line":"* The IdP redirects the browser back to Keystone"},{"line_number":34,"context_line":"* Keystone generates Javascript code to POST a token back to Horizon"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_c6fb1f45","line":31,"in_reply_to":"1a930d6b_4471f942","updated":"2015-01-27 06:42:23.000000000","message":"i don\u0027t think so, keystone *really* doesn\u0027t want to own code that generates that, and horizon doesn\u0027t have the ability to figure out what buttons to have.\n\nthe single default IDP can be listed/shown, and maybe another option to go to a directory service (WHICH may have all those buttons and links and widgets you describe).\n\nwe mentioned at the mid-cycle that this could be a stackforge project, but definitely NOT owned by either team, since most orgs will have a discovery service set up, like CERN did.","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"aa1cecb896ccf783401c84d3c961c19e750aaab3","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The proper sequence is"},{"line_number":30,"context_line":"* Horizon redirects the browser to Keystone"},{"line_number":31,"context_line":"* Keystone redirects to Discovery Service or default IdP"},{"line_number":32,"context_line":"* The User authenticates via an IdP specific mechanism"},{"line_number":33,"context_line":"* The IdP redirects the browser back to Keystone"},{"line_number":34,"context_line":"* Keystone generates Javascript code to POST a token back to Horizon"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_41b479f1","line":31,"in_reply_to":"1a930d6b_c6fb1f45","updated":"2015-01-27 07:05:23.000000000","message":"K. Thats fine. Single default IDP in Horizon would be a great start","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"37017fe36c715b0016fb5321ca2490e1c4c56c74","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_1fef38ea","line":43,"updated":"2015-01-26 21:34:05.000000000","message":"This needs a blueprint in Horizon but that should not block this spec. I have asked Thai Tran to add the corresponding Horizon blueprint (or reuse one if one exists). Once we get that we should reference it in here","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"9d619272b3bffb5fc572dca5d0b954e0e4311605","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_c176a905","line":43,"in_reply_to":"1a930d6b_067d27e8","updated":"2015-01-27 07:20:11.000000000","message":"Done","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"39b73a01f91cb5ddcf8354dc8a99731fa8764498","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Proposed Change"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_067d27e8","line":43,"in_reply_to":"1a930d6b_1fef38ea","updated":"2015-01-27 06:42:23.000000000","message":"it\u0027s got a horizon blueprint now! https://blueprints.launchpad.net/horizon/+spec/federated-identity we should mention this somewhere.","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"37017fe36c715b0016fb5321ca2490e1c4c56c74","unresolved":false,"context_lines":[{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"},{"line_number":47,"context_line":"forms of login. Initially these will be:"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_3f9a346e","line":44,"updated":"2015-01-26 21:34:05.000000000","message":"typo \"a\" between to and different","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"9d619272b3bffb5fc572dca5d0b954e0e4311605","unresolved":false,"context_lines":[{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Horizon would implement a way to choose preferred authentication method."},{"line_number":44,"context_line":"Technically, user would be redirected to different route at the Keystone"},{"line_number":45,"context_line":"server."},{"line_number":46,"context_line":"Keystone will implement additional routes/endpoints that allow for different"},{"line_number":47,"context_line":"forms of login. Initially these will be:"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_e171e50c","line":44,"in_reply_to":"1a930d6b_3f9a346e","updated":"2015-01-27 07:20:11.000000000","message":"Done","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"37017fe36c715b0016fb5321ca2490e1c4c56c74","unresolved":false,"context_lines":[{"line_number":50,"context_line":"* Federation via OpenID Connect"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"For SAML and OpenID Connect, the Horizon (or compatible WebUI)  will redirect"},{"line_number":53,"context_line":"to appropriate protected Keystone URL (depending on the implementation, either"},{"line_number":54,"context_line":"``/v3/OS-FEDERATION/websso/{protocol}?origin\u003dhttps%3A//horizon.example.com`` or"},{"line_number":55,"context_line":"``/v3/auth/websso/{protocol}?origin\u003dhttps%3A//horizon.example.com``)."},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_7fbd9cb6","line":53,"updated":"2015-01-26 21:34:05.000000000","message":"typo, put a \"the\" between  \"to\" and \"appropriate\"","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"9d619272b3bffb5fc572dca5d0b954e0e4311605","unresolved":false,"context_lines":[{"line_number":50,"context_line":"* Federation via OpenID Connect"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"For SAML and OpenID Connect, the Horizon (or compatible WebUI)  will redirect"},{"line_number":53,"context_line":"to appropriate protected Keystone URL (depending on the implementation, either"},{"line_number":54,"context_line":"``/v3/OS-FEDERATION/websso/{protocol}?origin\u003dhttps%3A//horizon.example.com`` or"},{"line_number":55,"context_line":"``/v3/auth/websso/{protocol}?origin\u003dhttps%3A//horizon.example.com``)."},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_81574157","line":53,"in_reply_to":"1a930d6b_7fbd9cb6","updated":"2015-01-27 07:20:11.000000000","message":"Done","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"ca2eff9e98714d5397b9d4ebaabceda6219fcd30","unresolved":false,"context_lines":[{"line_number":70,"context_line":"    4) Fetch mapping id identified by identity_provider and protocol"},{"line_number":71,"context_line":"    ids."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"JavaScript that performs a HTTP POST to the original webUI. The URL that"},{"line_number":74,"context_line":"Keystone will POST user back will be stored in the initial URL."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"The proposed work flow is depicted on an ASCII diagram below."}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_f6c0d651","line":73,"updated":"2015-01-26 22:23:16.000000000","message":"Don\u0027t think this would not work.  POST-ing to Horizon from another site, Django would reject the request with CSRF error.","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"9d619272b3bffb5fc572dca5d0b954e0e4311605","unresolved":false,"context_lines":[{"line_number":70,"context_line":"    4) Fetch mapping id identified by identity_provider and protocol"},{"line_number":71,"context_line":"    ids."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"JavaScript that performs a HTTP POST to the original webUI. The URL that"},{"line_number":74,"context_line":"Keystone will POST user back will be stored in the initial URL."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"The proposed work flow is depicted on an ASCII diagram below."}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_81058147","line":73,"in_reply_to":"1a930d6b_2d120962","updated":"2015-01-27 07:20:11.000000000","message":"I mentioned this in PS 15","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"d95d3eaa7ce9d83ceef9a4315a1bf64f7c7a5377","unresolved":false,"context_lines":[{"line_number":70,"context_line":"    4) Fetch mapping id identified by identity_provider and protocol"},{"line_number":71,"context_line":"    ids."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"JavaScript that performs a HTTP POST to the original webUI. The URL that"},{"line_number":74,"context_line":"Keystone will POST user back will be stored in the initial URL."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"The proposed work flow is depicted on an ASCII diagram below."}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_2d120962","line":73,"in_reply_to":"1a930d6b_f6c0d651","updated":"2015-01-27 01:00:50.000000000","message":"we could put a @csrf_exempt on the function that handles that bit in django, would that be enough for you?","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"37017fe36c715b0016fb5321ca2490e1c4c56c74","unresolved":false,"context_lines":[{"line_number":95,"context_line":"The work flow is as follows:"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"::"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    1) A User with a web browser reaches Horizon"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"    2a) Horizon issues an HTTP 301 Redirect response pointing the user to"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_1f91f8f0","line":98,"updated":"2015-01-26 21:34:05.000000000","message":"Wow! I like this description a lot better. It is much clearer to me","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"ca2eff9e98714d5397b9d4ebaabceda6219fcd30","unresolved":false,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"::"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    1) A User with a web browser reaches Horizon"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"    2a) Horizon issues an HTTP 301 Redirect response pointing the user to"},{"line_number":102,"context_line":"    the Keystone endpoint."}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_36297e37","line":99,"updated":"2015-01-26 22:23:16.000000000","message":"After the user reach Horizon, would the user be redirected automatically or would be given a chance to choose preferred authentication method?","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"d95d3eaa7ce9d83ceef9a4315a1bf64f7c7a5377","unresolved":false,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"::"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    1) A User with a web browser reaches Horizon"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"    2a) Horizon issues an HTTP 301 Redirect response pointing the user to"},{"line_number":102,"context_line":"    the Keystone endpoint."}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_ed3481fd","line":99,"in_reply_to":"1a930d6b_36297e37","updated":"2015-01-27 01:00:50.000000000","message":"I\u0027m picturing it as... \n\nif WEB_SSO_ENABLED is set then an extra log login field appears, and the user may select that button to be taken to their default / preferred IdP (or discovery service).\n\nThe usual login box for service accounts and admin accounts won\u0027t change.","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"ca2eff9e98714d5397b9d4ebaabceda6219fcd30","unresolved":false,"context_lines":[{"line_number":99,"context_line":"    1) A User with a web browser reaches Horizon"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"    2a) Horizon issues an HTTP 301 Redirect response pointing the user to"},{"line_number":102,"context_line":"    the Keystone endpoint."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"    2b) The browser redirects the user to a Keystone ``websso`` endpoint,"},{"line_number":105,"context_line":"    ``/auth/OS-FEDERATION/websso/{saml2/oidc}`` which is protected by"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_76522668","line":102,"updated":"2015-01-26 22:23:16.000000000","message":"I assume this is Keystone public endpoint?","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"d95d3eaa7ce9d83ceef9a4315a1bf64f7c7a5377","unresolved":false,"context_lines":[{"line_number":99,"context_line":"    1) A User with a web browser reaches Horizon"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"    2a) Horizon issues an HTTP 301 Redirect response pointing the user to"},{"line_number":102,"context_line":"    the Keystone endpoint."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"    2b) The browser redirects the user to a Keystone ``websso`` endpoint,"},{"line_number":105,"context_line":"    ``/auth/OS-FEDERATION/websso/{saml2/oidc}`` which is protected by"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_2d6da904","line":102,"in_reply_to":"1a930d6b_76522668","updated":"2015-01-27 01:00:50.000000000","message":"yep","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"37017fe36c715b0016fb5321ca2490e1c4c56c74","unresolved":false,"context_lines":[{"line_number":106,"context_line":"    saml2 and openid connect Apache plugins respectively."},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"    3a) Since the user doesn\u0027t have an active session, the user will be"},{"line_number":109,"context_line":"    redirected to their default IdP or Discover Service where an appropriate"},{"line_number":110,"context_line":"    IdP can be chosen. Keystone will produce an appropriate \u003csaml2:Request\u003e"},{"line_number":111,"context_line":"    request."},{"line_number":112,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_3f015406","line":109,"updated":"2015-01-26 21:34:05.000000000","message":"Have you tested the double redirect. Does that work without any issue?","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"ca2eff9e98714d5397b9d4ebaabceda6219fcd30","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"    4a) Once authentication is successful, the IdP issues a SAML assertion or"},{"line_number":118,"context_line":"    OpenID Connect claim, and redirects user back to the"},{"line_number":119,"context_line":"    ``/auth/OS-FEDERATION/websso/{protocol}``."},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"    4b) The browser redirect the user back to Keystone again, with the SAML"},{"line_number":122,"context_line":"    assertion or OpenID Connect claim."}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_96fb1246","line":119,"updated":"2015-01-26 22:23:16.000000000","message":"How would IdP know how to post back the SAML assertion to Keystone? Is that based from the information in the SAML request?","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"d95d3eaa7ce9d83ceef9a4315a1bf64f7c7a5377","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"    4a) Once authentication is successful, the IdP issues a SAML assertion or"},{"line_number":118,"context_line":"    OpenID Connect claim, and redirects user back to the"},{"line_number":119,"context_line":"    ``/auth/OS-FEDERATION/websso/{protocol}``."},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"    4b) The browser redirect the user back to Keystone again, with the SAML"},{"line_number":122,"context_line":"    assertion or OpenID Connect claim."}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_0d6aaded","line":119,"in_reply_to":"1a930d6b_96fb1246","updated":"2015-01-27 01:00:50.000000000","message":"this detail is handled by the apache plugins","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"39b73a01f91cb5ddcf8354dc8a99731fa8764498","unresolved":false,"context_lines":[{"line_number":196,"context_line":"Other contributors:"},{"line_number":197,"context_line":""},{"line_number":198,"context_line":"* stevemar (Steve Martinelli \u003cstevemar@ca.ibm.com\u003e)"},{"line_number":199,"context_line":"* marek-denis(Marek Denis \u003cmarek.denis@cern.ch\u003e)"},{"line_number":200,"context_line":"* jose-castro-leon (Jose Castro Leon \u003cjose.castro.leon@cern.ch\u003e)"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Work Items"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_66ea6bad","line":199,"updated":"2015-01-27 06:42:23.000000000","message":"if you are tossing up another patch here, add a space between your irc name and the bracket","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"9d619272b3bffb5fc572dca5d0b954e0e4311605","unresolved":false,"context_lines":[{"line_number":196,"context_line":"Other contributors:"},{"line_number":197,"context_line":""},{"line_number":198,"context_line":"* stevemar (Steve Martinelli \u003cstevemar@ca.ibm.com\u003e)"},{"line_number":199,"context_line":"* marek-denis(Marek Denis \u003cmarek.denis@cern.ch\u003e)"},{"line_number":200,"context_line":"* jose-castro-leon (Jose Castro Leon \u003cjose.castro.leon@cern.ch\u003e)"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Work Items"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_a187ddb3","line":199,"in_reply_to":"1a930d6b_66ea6bad","updated":"2015-01-27 07:20:11.000000000","message":"Done","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"39b73a01f91cb5ddcf8354dc8a99731fa8764498","unresolved":false,"context_lines":[{"line_number":198,"context_line":"* stevemar (Steve Martinelli \u003cstevemar@ca.ibm.com\u003e)"},{"line_number":199,"context_line":"* marek-denis(Marek Denis \u003cmarek.denis@cern.ch\u003e)"},{"line_number":200,"context_line":"* jose-castro-leon (Jose Castro Leon \u003cjose.castro.leon@cern.ch\u003e)"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Work Items"},{"line_number":203,"context_line":"----------"},{"line_number":204,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_e6ec9bbd","line":201,"updated":"2015-01-27 06:42:23.000000000","message":"also, can you add:\n\n  * tqtran (Thai Tran \u003ctqtran@us.ibm.com\u003e)\n\nas he is lined up to do some of the djanjo work for us, and a newly minted horizon core :)","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"9d619272b3bffb5fc572dca5d0b954e0e4311605","unresolved":false,"context_lines":[{"line_number":198,"context_line":"* stevemar (Steve Martinelli \u003cstevemar@ca.ibm.com\u003e)"},{"line_number":199,"context_line":"* marek-denis(Marek Denis \u003cmarek.denis@cern.ch\u003e)"},{"line_number":200,"context_line":"* jose-castro-leon (Jose Castro Leon \u003cjose.castro.leon@cern.ch\u003e)"},{"line_number":201,"context_line":""},{"line_number":202,"context_line":"Work Items"},{"line_number":203,"context_line":"----------"},{"line_number":204,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"1a930d6b_c19229f5","line":201,"in_reply_to":"1a930d6b_e6ec9bbd","updated":"2015-01-27 07:20:11.000000000","message":"Done","commit_id":"f5b0987b21233f6b1bda3b71be82015bb420694e"}]}
