Sorry, meant to say "server-less client applications". The OP is trying to 
create a client-side JS application that communicates directly to an OS 
endpoint (specifically trystack). I believe his problem is same origin policy, 
not authentication.

On Apr 23, 2012, at 12:33 PM, Adam Young wrote:

> On 04/23/2012 01:13 PM, Tres Henry wrote:
>> Adam, in what way should the OS API support server-less clients? AFAIK the 
>> options are CORS or JSONP, no?
> 
> I am not quite sure what you mean by serverless clients, but I think the 
> answer to this is getting a real Single Sign On solution, which is based on:
> 
> 1. Kerberos,
> 2. X509
> 
> Kerberos is likely a non starter for Web applications due to some current 
> issues with handling multiple TGTs and also cross firewalls (Kerberos tickets 
> must get served out on port 88 without jumping through considerable hoops.)
> 
> I've written up about X509 support here:
> http://wiki.openstack.org/PKI
> 
> I think that X509 Client Authentication is the right long-term approach for 
> what we are doing. Specifically, short term X509 certificates replacing the 
> Keystone tokens as the mechanism for SSO.
> 
> 
>> 
>> On Apr 23, 2012, at 5:50 AM, Adam Young wrote:
>> 
>>> I see this as a feature, not a drawback. The inability to access 
>>> portions of the HTTP protocol is there to defend against attacks such as 
>>> cross site request forgeries.  If we suppress that mechanism, we open up a 
>>> lot of security holes.
>>> 
>>> 
>>> On 04/23/2012 06:09 AM, Adrian Smith wrote:
>>>> The authentication request returns X-Storage-Url and X-Auth-Token
>>>> headers. For the JS client to see them they need to be referenced in
>>>> Access-Control-Expose-Headers. As of the last time checked, both these
>>>> headers were being stripped from the response before being presented
>>>> to JS.
>>>> 
>>>> Adrian
>>>> 
>>>> 
>>>> On 23 April 2012 10:35, Nick Lothian <nick.loth...@gmail.com> wrote:
>>>>> Hi Adrian,
>>>>> 
>>>>> Good to know this is a known issue.
>>>>> 
>>>>> Why does the client need to see custom headers from the server anyway?
>>>>> I know the client needs to pass the authorisation header to the server,
>>>>> but I haven't seen any of the APIs yet that return custom headers. (It's
>>>>> likely I'm missing them though)
>>>>> 
>>>>> Nick
>>>>> 
>>>>> On Apr 23, 2012 5:40 PM, "Adrian Smith" <adr...@17od.com> wrote:
>>>>>> Hi Nick,
>>>>>> 
>>>>>> I did some work with CORS a few months back [1].
>>>>>> 
>>>>>> At the time I couldn't get any browser to work properly with CORS so I
>>>>>> just parked the code. The problem was lack of support for the
>>>>>> Access-Control-Expose-Headers header.
>>>>>> 
>>>>>> According to the Chrome bug report [2] this issue may well be fixed
>>>>>> now so I need to retest.
>>>>>> 
>>>>>> Adrian
>>>>>> 
>>>>>> [1]
>>>>>> http://www.mail-archive.com/openstack@lists.launchpad.net/msg07219.html
>>>>>> [2] http://code.google.com/p/chromium/issues/detail?id=87338
>>>>>> 
>>>>>> 
>>>>>> On 23 April 2012 06:19, Nick Lothian <nick.loth...@gmail.com> wrote:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> I've been playing with the Nova APIs from Javascript, and I've run into
>>>>>>> a problem.
>>>>>>> 
>>>>>>> The very first thing one needs to do to use the APIs is to get a token.
>>>>>>> 
>>>>>>> That requires a POST to the API endpoint. Using curl & trystack that
>>>>>>> looks like this:
>>>>>>> 
>>>>>>> $ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens \
>>>>>>>     -d '{"auth":{"passwordCredentials":{"username": "<username>", "password":"<password>"}}}' \
>>>>>>>     -H 'Content-type: application/json'
>>>>>>> 
>>>>>>> 
>>>>>>> The Javascript equivalent (using JQuery) is:
>>>>>>> 
>>>>>>>     $.ajax({
>>>>>>>         url: "https://nova-api.trystack.org:5443/v2.0/tokens",
>>>>>>>         type: 'POST',
>>>>>>>         headers: {"Content-Type": "application/json"},
>>>>>>>         // Serialize the body as JSON; a plain object would be form-encoded.
>>>>>>>         data: JSON.stringify({"auth":{"passwordCredentials":{"username":"<username>",
>>>>>>>             "password":"<password>"}}}),
>>>>>>>         success: function(data) { alert(data); }
>>>>>>>     });
>>>>>>> 
>>>>>>> That fails because the call is cross-domain, and Nova doesn't support
>>>>>>> CORS (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing).
>>>>>>> <script>-based cross-domain requests only support GET requests, so that
>>>>>>> doesn't work either.
>>>>>>> 
>>>>>>> I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but
>>>>>>> I'm really hoping someone can point out something obvious I'm missing here.
>>>>>>> 
>>>>>>> Regards
>>>>>>>   Nick Lothian
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Mailing list: https://launchpad.net/~openstack
>>>>>>> Post to     : openstack@lists.launchpad.net
>>>>>>> Unsubscribe : https://launchpad.net/~openstack
>>>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>>>> 
> 
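
The CORS pieces this thread discusses (a preflight for the JSON POST, and Access-Control-Expose-Headers for X-Auth-Token and X-Storage-Url), shown as server-side header logic; this is an added example, not part of the original messages and not OpenStack code. The allowed origin, the function name corsHeaders and the result fields are assumptions; origins are matched against an allowlist rather than answered with "*".

```javascript
// Added example, not OpenStack code. Origins and names below are assumptions.
const ALLOWED_ORIGINS = new Set(["https://dashboard.example.org"]); // constructed
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_REQUEST_HEADERS = ["content-type", "x-auth-token"];
// Response headers a script may read; without this list the browser hides them.
const EXPOSED_HEADERS = ["X-Auth-Token", "X-Storage-Url"];

// reqHeaders: request headers with lower-cased names.
// Returns { corsGranted, preflight, headers }; headers are added to the response.
function corsHeaders(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  // No Origin header (curl, same-origin page) or an unlisted origin: emit no
  // CORS headers; a cross-origin script then cannot read the response.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { corsGranted: false, preflight: false, headers: {} };
  }
  // Echo the single matched origin, never "*", and tell caches it varies.
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const wantMethod = reqHeaders["access-control-request-method"];
  if (method === "OPTIONS" && wantMethod !== undefined) {
    // Preflight: sent before a POST with Content-Type: application/json.
    const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every((h) => ALLOWED_REQUEST_HEADERS.includes(h));
    if (!ok) return { corsGranted: false, preflight: true, headers: { "Vary": "Origin" } };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS.join(", ");
    return { corsGranted: true, preflight: true, headers };
  }
  // Actual request: let the script read the token and storage URL headers.
  headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
  return { corsGranted: true, preflight: false, headers };
}

// Constructed sample requests: the preflight and POST a browser would send.
const samplePreflight = corsHeaders("OPTIONS", {
  "origin": "https://dashboard.example.org",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type",
});
const samplePost = corsHeaders("POST", { "origin": "https://dashboard.example.org" });
console.log(samplePreflight, samplePost);
```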

