Photo cross-post

Jul. 4th, 2025 02:49 am
andrewducker: (Default)
[personal profile] andrewducker


Got halfway to the bus stop to go to the pool and realised I didn't have my shoulder bag. Sprinted home, got it, and made it to the bus.

Got off the bus at the other end, realised Sophia's bag didn't have her swimming costume in it. Got a bus home, grabbed it, now in a taxi.

Fingers crossed that nothing else comes between me and drop-off and work!
Original is here on Pixelfed.scot.

Time marches on

Jul. 2nd, 2025 10:20 am
andrewducker: (Default)
[personal profile] andrewducker
As of this morning (2nd of July), we are now closer to 2050 than 2000.

Photo cross-post

Jul. 1st, 2025 01:58 pm
andrewducker: (Default)
[personal profile] andrewducker


"Sophia, will you pose with your brother for a photo?"

"I will, but I'm very angry about it!"
Original is here on Pixelfed.scot.

Photo cross-post

Jun. 29th, 2025 04:31 pm
andrewducker: (Default)
[personal profile] andrewducker


We had a nice day on the beach in North Berwick. A few of Sophia's old nursery friends, getting back together, with a few siblings thrown in. They got on like it wasn't mostly a year since they last saw each other, and they had a ball digging holes, wading through seaweed and climbing on rocks. The weather was just as fabulous as it looks here.
Original is here on Pixelfed.scot.

A complaint about modern life.

Jun. 28th, 2025 10:49 am
andrewducker: (lesbian tea)
[personal profile] andrewducker
When I am Emperor, anyone selling bowls, plates, etc. will have to certify whether you can microwave food in them without them getting hotter than the food.

Is microwave transparency really too much to ask?
[personal profile] mjg59
Single sign-on is a pretty vital part of modern enterprise security. You have users who need access to a bewildering array of services, and you want to be able to avoid the fallout of one of those services being compromised and your users having to change their passwords everywhere (because they're clearly going to be using the same password everywhere), or you want to be able to enforce some reasonable MFA policy without needing to configure it in 300 different places, or you want to be able to disable all user access in one place when someone leaves the company, or, well, all of the above. There's any number of providers for this, ranging from it being integrated with a more general app service platform (e.g., Microsoft or Google) or a third party vendor (Okta, Ping, any number of bizarre companies). And, in general, they'll offer a straightforward mechanism to either issue OIDC tokens or manage SAML login flows, requiring users present whatever set of authentication mechanisms you've configured.

This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.

But it works poorly for CLI-based setups. There are basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphishable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.

There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.

Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of Javascript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.

I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.

There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of Javascript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.

Someone, please, write a spec for this. Please don't make it be me.
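The second CLI option the post describes, a local server that receives the result, is the loopback redirect of an OAuth 2.0 authorization code flow. The Python below is an added example, not mjg59's code or any provider's SDK: the IdP endpoint is hypothetical, and it assumes the IdP returns a one-time code (not a token) to the loopback URI, using PKCE and a state check so that a stray or injected callback is dropped rather than exchanged.

```python
import base64, hashlib, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example/oauth2/v1/authorize"  # hypothetical IdP endpoint

def make_pkce_pair():
    """(code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_url(client_id, redirect_uri, state, challenge):
    """Authorization request; the IdP sends a one-time code, never a token, to the loopback URI."""
    params = {"response_type": "code", "client_id": client_id, "scope": "openid",
              "redirect_uri": redirect_uri, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)

def extract_code(callback_path, expected_state):
    """Code from the callback query string, or None when state is missing or does not match."""
    qs = parse_qs(urlparse(callback_path).query)
    # A mismatched state means this callback was not produced by the request we
    # started (stray, replayed or injected), so it must not be exchanged for a token.
    if not secrets.compare_digest(qs.get("state", [""])[0].encode(), expected_state.encode()):
        return None
    return qs.get("code", [None])[0]

def open_loopback():
    """Bind 127.0.0.1 on an ephemeral port *before* the browser is launched."""
    server = HTTPServer(("127.0.0.1", 0), BaseHTTPRequestHandler)
    return server, f"http://127.0.0.1:{server.server_port}/callback"

def wait_for_callback(server, expected_state, timeout=120):
    """Serve exactly one request, validate it, release the port and return the code or None."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = extract_code(self.path, expected_state)
            self.send_response(200 if result["code"] else 400)
            self.end_headers()
            self.wfile.write(b"You may close this tab." if result["code"] else b"Rejected.")
        def log_message(self, *_):  # keep the code and state out of the terminal
            pass
    server.RequestHandlerClass = Handler
    server.timeout = timeout
    server.handle_request()
    server.server_close()
    return result.get("code")
```

A CLI would call open_loopback(), build_auth_url() with a fresh secrets.token_urlsafe() state, hand the URL to the browser, then wait_for_callback() and exchange the code plus the PKCE verifier at the token endpoint.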

Photo cross-post

Jun. 22nd, 2025 06:37 am
andrewducker: (Default)
[personal profile] andrewducker


First climbing experience, and after an hour of trying different walls Sophia made it to the top!
Original is here on Pixelfed.scot.
