Meeting Notes
October 24, 2024
Overview
The Technical Discussion and Planning meeting focused on key themes related to security and identity management in software applications, starting with a decision to hold future meetings publicly for Linux Foundation members. Toby presented insights on decentralized identifiers (DIDs) and challenges around verifiable data registries, while Claude elaborated on OAuth workflows in desktop applications, highlighting security concerns regarding token storage. The team discussed the zero trust model in device authentication and the complexities of trust in desktop environments. Challenges around cross-application token sharing and plugin security were examined, with suggestions for sandboxing plugins and developing restricted access tokens. Action items were assigned, including preparations for future presentations on zero trust methodologies and various authorization experiences.
Notes
Security and Identity Discussion (00:00 - 09:30)
Meeting switched from another platform to Zoom
Discussion about making the meeting public or private
Agreed to make future meetings public for Linux Foundation members
OAuth and Decentralized Identifiers (09:30 - 20:34)
Toby presented on decentralized identifiers (DIDs) and W3C standards
Discussed challenges with verifiable data registries for DIDs
Explored the concept of verified credentials and their interoperability with DIDs
Mentioned mobile driver's license applications using verifiable credentials
OAuth Workflow and Desktop Applications (20:34 - 29:08)
Claude explained OAuth workflow in desktop products
Discussed challenges of storing sensitive information (tokens) in desktop applications
Explored the idea of using keychains to store secure information
Zero Trust and Device Authentication (29:08 - 39:29)
Discussed the concept of zero trust and its application to devices
Explored the need for authenticating both users and devices
Discussed the challenges of establishing trust in desktop environments
Mentioned potential solutions like sandboxing and containerization
Cross-Application Token Sharing (39:29 - 52:42)
Discussed the challenge of sharing authentication across multiple desktop applications
Explored RFC documentation on cross-application token sharing for mobile apps
Discussed the complexity of implementing cross-vendor workflows
Plugin Security and Trust (52:43 - 01:00:10)
Discussed challenges of establishing trust relationships with plugins in desktop applications
Explored the idea of sandboxing plugins and providing restricted access tokens
Agreed to continue discussions on authentication, authorization, and practical implementations in future meetings
Key Takeaways
The meeting covered several technical topics related to identity management, zero trust, and authentication/authorization systems. Here are the key technical takeaways:
Zero Trust and Device Authentication:
Zero trust is about establishing the rules under which systems may trust each other. It involves validating user identities and controlling access rights.
Authenticating the device, not just the user, is crucial. There was a discussion on the need for device trust and the role of managed devices in ensuring security.
OAuth Workflows:
OAuth workflows were discussed, especially in the context of desktop applications. The challenge is securely storing sensitive information like refresh tokens and managing them across different applications without requiring repeated sign-ins.
The need to separate identity and access tokens was highlighted to improve security.
Identity Standards and Decentralized Identifiers (DIDs):
There was a discussion on decentralized identifiers (DIDs) and their interoperability with verifiable credentials. DIDs aim to decentralize identity from traditional identity providers.
Verifiable credentials were seen as a potential path forward, but there are challenges related to the lack of standardization and the need for a verifiable data registry.
Cross-Application Token Sharing:
There's an interest in enabling cross-application token sharing, especially for desktop products to avoid repeated sign-ins. This is complex, especially when involving multiple vendors.
Plugin Security:
The issue of plugins in applications and how they interact with authentication and tokens was raised. Establishing trust with third-party plugins and ensuring that they do not compromise security is a concern.
Sandboxing and Application Isolation:
The potential for using sandboxing and containerization to create secure environments within desktop applications was mentioned as a way to enhance security.
Authorization vs. Authentication:
The importance of understanding the separation between authorization and authentication was noted, with a suggestion to possibly have a session to explain these concepts further.
November 7, 2024
Overview
During the Technical Discussion and Planning meeting held on November 7, 2024, participants addressed key challenges surrounding authentication and authorization, focusing on identity management and federation across organizations. The team prioritized resolving identity-related issues, inspired by a communication from Matt regarding the working group's scope. Key topics included the complexities of federating identities, ensuring unique identifiers, and the implications of trust relationships. Various authentication methods were reviewed, emphasizing the concept of zero trust and potential challenges with multi-vendor implementations. The group explored typical OAuth flows and discussed a specific use case involving OpenRV, OpenAssetIO, and OTIO, proposing a simplified workflow diagram. The meeting concluded with action items, including developing a detailed presentation on the proposed use case and scheduling the next meeting for December 5th, while planning to share preparatory materials on Slack and inviting more participants for further discussions.
Notes
Authentication and Authorization Challenges (00:46 - 12:06)
Meeting participants discussing login issues and connectivity problems
Matt's email sparked discussion on working group scope and focus
Group decided to focus on identity-related issues as low-hanging fruit
Disney Animation uses Okta for centralized identity and access management
Discussion on federation and group management challenges across organizations
Identity Management and Federation (12:06 - 23:30)
Explored the complexities of identity management across multiple organizations
Discussed the challenges of federating identities and managing group memberships
Considered the implications of trusting attributes from federated organizations
Examined the need for unique identifiers across multiple systems
Discussed the importance of scoping identifiers and managing trust relationships
Authentication Methods and Zero Trust (23:31 - 32:29)
Reviewed various authentication methods including biometrics, SSO, and API keys
Discussed the concept of zero trust and its implications for authentication
Explored the differences between authentication factors and identity providers
Considered the challenges of implementing zero trust across multiple vendors
Discussed the limitations of API keys and the benefits of OAuth refresh tokens
OAuth Flows and Device Authorization (32:29 - 42:31)
Examined typical OAuth flows, including hybrid flow and device authorization flow
Discussed the differences between SSO and zero trust authentication
Explored the potential of using device authorization for multi-application access
Considered the challenges of sharing authentication across multiple applications
Discussed the importance of client IDs and scopes in OAuth flows
Use Case Development (42:32 - 53:32)
Proposed focusing on a specific use case involving OpenRV, OpenAssetIO, and OTIO
Discussed creating a simplified workflow diagram for the proposed use case
Considered the challenges of cross-vendor authentication workflows
Explored the potential of using device-level authorization for multiple applications
Discussed the limitations of current OAuth providers in cross-vendor scenarios
Next Steps and Future Meetings (53:32 - 01:01:50)
Decided to develop a more detailed presentation on the proposed use case
Agreed to create abstract models of trust domains and flows before implementation
Scheduled the next meeting for December 5th due to conflicts and holidays
Planned to share preparatory materials in the Slack channel before the next meeting
Discussed inviting additional participants to discuss plugin-related challenges
Pain Points
Login Issues: Multiple participants experienced difficulties with their login processes, particularly with the Linux Foundation and Movie Labs email accounts. This indicates a need for a more seamless authentication experience.
Complex Authorization Flows: There is a recognition of the cumbersome nature of current authorization processes, leading to multiple logins for users across different applications, which can hinder productivity.
Trust and Security Concerns: Discussions around zero trust models highlight concerns about the security of federated identities and the need for robust trust mechanisms between different identity providers (IDPs).
Business Needs
Streamlined Authentication: There is a strong need for a unified authentication solution that minimizes the number of times users need to log in across various applications and services.
Enhanced Identity Management: The need for better group management and identity verification processes was emphasized, particularly in complex organizational structures like Disney Animation.
Federation Across Vendors: Participants expressed a desire to facilitate federated access across different vendors without compromising security or requiring multiple logins.
The meeting discussed several key technical topics related to authentication, authorization, and identity management in collaborative workflows, particularly in the context of the Academy Software Foundation (ASWF) and various industry applications. Here are the main takeaways:
Identity Management and Federation:
The discussion highlighted the use of Okta for centralized identity management at Disney Animation. The importance of unique identifiers across systems for identity federation was emphasized.
The challenge of trusting attributes from federated identity providers was discussed, especially when dealing with multiple organizations.
Authorization and Authentication Methods:
Various methods of authentication were covered, including username/password, biometric, hardware keys, license servers, and different types of single sign-on (SSO) like social and enterprise SSO.
The limitations of API keys, particularly their long-lived and static nature, were noted, with a preference for OAuth tokens due to their ability to be refreshed and revoked.
Zero Trust Architecture:
The meeting touched on the concept of zero trust, emphasizing the need for robust authentication methods that can ensure the identity of users, devices, and services.
There was a mention of the need to balance security with convenience, particularly in the context of zero trust and SSO.
OAuth Flows:
Different OAuth flows were discussed, particularly the hybrid flow and the device authorization flow. The latter was noted as potentially relevant for scenarios where the device itself has no suitable user interface for the login step.
Concerns about how client IDs are used in OAuth flows and the implications for security and interoperability were raised.
Challenges with Cross-Vendor Workflows:
The difficulty of using a single OAuth provider across different applications and vendors was acknowledged, with a need for solutions that can manage cross-vendor trust relationships.
Proposed Next Steps:
It was suggested to develop a specific use case involving open-source tools like OpenRV and OpenAssetIO to explore how zero trust could be implemented in a practical scenario.
There was a proposal to document workflows and present them in detail for further analysis in future meetings.
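As an added illustration of the device authorization flow discussed above (not code from the working group or any of the products named), the following simulates both sides of the RFC 8628 exchange in Python: the authorization server issues a device code and a user code, the user approves in a browser session, and a headless client (a render node or command-line tool with no browser of its own) polls the token endpoint, handling the authorization_pending, slow_down, access_denied and expired_token responses. The issuer URL, client id, scope and subject are constructed values, and the clock is injectable so the timing rules can be exercised without sleeping.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not working-group code. Both sides of the exchange run
in-process; VERIFICATION_URI, client ids, scopes and subjects are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # consonants only, so codes never spell words
VERIFICATION_URI = "https://idp.studio.example/device"   # constructed


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    issued_at: float
    expires_in: int = 600          # the user has 10 minutes to approve
    interval: int = 5              # minimum seconds between client polls
    approved_by: Optional[str] = None
    denied: bool = False
    last_poll: Optional[float] = None


class AuthorizationServer:
    """Server side: device-authorization endpoint, user decision, token endpoint."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.grants: Dict[str, DeviceGrant] = {}   # keyed by device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        device_code = secrets.token_urlsafe(32)     # high entropy, never shown to the user
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET)
                                     for _ in range(4)) for _ in range(2))
        g = DeviceGrant(client_id, scope, user_code, self.clock())
        self.grants[device_code] = g
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": g.expires_in, "interval": g.interval}

    def user_decides(self, user_code: str, user: str, approve: bool = True) -> bool:
        """Browser side: the signed-in user enters the user code and approves or denies."""
        for g in self.grants.values():
            if g.user_code == user_code and g.approved_by is None and not g.denied:
                if approve:
                    g.approved_by = user
                else:
                    g.denied = True
                return True
        return False

    def token(self, device_code: str, client_id: str) -> dict:
        g = self.grants.get(device_code)
        now = self.clock()
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if now - g.issued_at > g.expires_in:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if g.last_poll is not None and now - g.last_poll < g.interval:
            g.interval += 5                         # RFC 8628 §3.5: client must back off 5 s
            return {"error": "slow_down"}
        g.last_poll = now
        if g.denied:
            del self.grants[device_code]
            return {"error": "access_denied"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        del self.grants[device_code]                # device codes are single-use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": g.scope, "sub": g.approved_by}


def run_device_client(server, client_id, scope, sleep, max_wait) -> dict:
    """Headless client: display the user code, then poll respecting the interval."""
    resp = server.device_authorization(client_id, scope)
    print(f"Open {resp['verification_uri']} and enter code {resp['user_code']}")
    interval, waited = resp["interval"], 0
    while waited <= max_wait:
        sleep(interval)
        waited += interval
        tok = server.token(resp["device_code"], client_id)
        err = tok.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5
            continue
        return tok                                  # tokens, or a terminal error
    return {"error": "client_timeout"}


class FakeClock:
    """Deterministic clock for the simulation: sleep() only advances time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Full exchange: the user approves in the browser during the client's second wait."""
    clock, waits = FakeClock(), {"n": 0}
    server = AuthorizationServer(clock)

    def sleep_then_maybe_approve(seconds):
        clock.sleep(seconds)
        waits["n"] += 1
        if waits["n"] == 2:
            code = next(iter(server.grants.values())).user_code
            server.user_decides(code, "alice@studio.example")

    return run_device_client(server, "rv-desktop", "asset:read", sleep_then_maybe_approve, 60)
```

The server keeps the device code and user code separate on purpose: only the short user code crosses to the browser, while the high-entropy device code stays on the device and is invalidated on first successful use, so a leaked user code alone cannot yield a token.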
December 5, 2024
Overview
The Technical Discussion and Demo Review meeting centered on the Open Source Days presentation led by Chris and Matt, where participants highlighted login and account management challenges and noted low attendance following the Thanksgiving holiday. A demo was presented showcasing a secure workflow involving the Academy Software Foundation, emphasizing the significance of Single Sign-On (SSO) and a Zero Trust architecture, along with authentication via OAuth. Technical implementation details covered OpenTimelineIO and OpenAssetIO, delving into the intricacies of implementing Zero Trust across multiple organizations. The meeting further addressed authentication challenges across various domains, debating pre-signed URLs versus active policy checks, and evaluated the presented use case for its applicability to studio workflows, acknowledging the need for secure file access in desktop applications and modern production environments. Future directions discussed included URL-based access to digital content creation tools and the collaboration on Doug's use case for file access across organizations, leading to action items for further exploration and preparation for upcoming discussions.
Notes
Open Source Days Presentation Demo (00:32 - 09:47)
Meeting focused on Chris and Matt's Open Source Days presentation
Participants discussed challenges with login and account management
Acknowledged low attendance due to post-Thanksgiving period
Security Demo and Use Case (09:48 - 23:44)
Presented a demo for Academy Software Foundation and Open Source Days
Demonstrated a workflow involving multiple companies and secure file access
Discussed the importance of Single Sign-On (SSO) and Zero Trust architecture
Explained the use of OAuth for authentication in the demo
Technical Implementation Details (23:44 - 34:37)
Discussed the implementation of OpenTimelineIO and OpenAssetIO
Explained the proxy server setup for secure file access
Highlighted the challenges of implementing Zero Trust across multiple organizations
Authentication and Authorization Challenges (34:37 - 43:57)
Explored the complexities of user authentication across multiple domains
Discussed the importance of federation for streamlined authentication
Debated the use of pre-signed URLs vs. active policy checks for file access
Use Case Evaluation (43:57 - 54:00)
Evaluated the presented use case for its relevance to studio workflows
Discussed the challenges of secure file access for desktop applications
Considered the need for virtual file systems in modern production environments
Future Directions and Studio Needs (54:00 - 01:03:27)
Explored the potential for URL-based access to digital content creation tools
Discussed the need to address practical studio challenges in future use cases
Agreed to further explore Doug's use case for multi-organization file access
Key Insights from the Transcript
Pain Points
Complex Authentication Process: Users expressed frustration over having to log in multiple times across different systems (e.g., Movie Labs, Lab Coat Media, Effects DMZ). This indicates a lack of a seamless Single Sign-On (SSO) experience.
Security Concerns: There are significant concerns about security, particularly regarding how permissions are managed and the risk of unauthorized access to media assets.
User Experience Challenges: The current authentication and authorization processes create a cumbersome user experience, especially for artists who need to access various tools and files quickly.
Lack of Guidelines: Users noted a lack of clear guidelines for implementing security protocols like OAuth, which complicates the integration of security measures across different applications.
Business Needs
Unified Authentication System: There is a clear need for a centralized authentication system that can streamline access across multiple platforms and services.
Enhanced Security Protocols: Businesses require robust security measures that allow for dynamic permission granting and revocation without compromising user experience.
Collaboration Across Organizations: The ability to securely share assets and collaborate with multiple vendors and studios is essential for improving workflow efficiency.
Interested Features
Single Sign-On (SSO): A feature that allows users to authenticate once and gain access to multiple applications without repeated logins.
Dynamic Permission Management: The ability to grant and revoke permissions in real-time, ensuring that only authorized users can access sensitive media.
Integration with Existing Tools: Seamless integration with popular tools and platforms used in the industry (e.g., Adobe Premiere, RV) to enhance workflow.
Auditing and Compliance Features: Tools that provide visibility into user activity and access, which are crucial for maintaining security standards and compliance.
Key Technical Takeaways
Zero Trust Implementation: The meeting discussed implementing zero trust architecture for media workflows, highlighting the importance of authentication and authorization without moving media files. The demo demonstrated a workflow where permissions were dynamically granted for media review, aiming to minimize the movement of media and instead focus on secure access.
OAuth and Authentication: A significant challenge discussed was integrating OAuth into desktop applications like RV (a media playback tool), which traditionally do not handle user authentication in a networked environment. The demo required implementing custom code to handle OAuth authentication within RV.
Federation and SSO: The discussion emphasized the need for single sign-on (SSO) and identity federation across different domains and organizations to streamline user authentication and improve user experience. This involves trusting different identity providers and ensuring seamless access across multiple systems.
Service-to-Service Authentication: There was a focus on the need to avoid pre-signed URLs for media access due to security risks. Instead, using tokens and active authorization checks was recommended to ensure that access is tightly controlled and audited.
OpenAssetIO and Media Resolution: The demo leveraged OpenAssetIO to manage asset identifiers and resolve them to actual media files. This involved a proxy system to stream media directly into applications like RV without local downloads.
Policy Enforcement and Auditing: The importance of having centralized policy management to enforce who can access what media and when was highlighted. This is crucial for auditing and tracking user actions across various platforms and ensuring compliance with security policies.
Challenges with Existing DCCs: The meeting acknowledged the challenges of adapting existing digital content creation (DCC) tools to work with modern, URL-based workflows. The need for these tools to evolve to support more flexible, network-oriented access models was discussed.
Future Directions: The conversation hinted at the potential need for virtualized file systems or new interfaces for DCCs to better support cloud-based and collaborative workflows, aligning with the 2030 Vision for media production.
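To make the pre-signed URL versus active policy check debate concrete, the following is an added Python example (not the demo's code) that models both access paths in-process: a proxy that maps a bearer token to a subject, asks a central policy service on every request, writes an audit record and only then resolves the asset, beside a pre-signed URL whose signature binds the asset and an expiry but no subject. The catalogue, asset ids, subjects, session tokens and signing key are constructed values, and the dictionary lookup stands in for what the demo did through OpenAssetIO.

```python
"""Active policy check at the media proxy versus a pre-signed URL.

Added illustration, not the demo's code. CATALOGUE, SIGNING_KEY, subjects,
asset ids and session tokens are constructed for the simulation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

SIGNING_KEY = b"constructed-demo-signing-key"   # constructed; never hard-code a real key
CATALOGUE = {"shot010/plate_v3": "s3://constructed-bucket/shot010/plate_v3.exr"}


@dataclass
class Grant:
    subject: str
    asset_id: str
    action: str        # e.g. "view"
    not_after: float   # end of the review window, epoch seconds


class PolicyService:
    """Central policy plus audit trail: every decision records who, what, when and the outcome."""

    def __init__(self):
        self.grants: List[Grant] = []
        self.audit: List[dict] = []

    def grant(self, g: Grant) -> None:
        self.grants.append(g)

    def revoke(self, subject: str, asset_id: str) -> None:
        self.grants = [g for g in self.grants
                       if not (g.subject == subject and g.asset_id == asset_id)]

    def decide(self, subject: str, asset_id: str, action: str, now: float) -> bool:
        allowed = any(g.subject == subject and g.asset_id == asset_id
                      and g.action == action and now <= g.not_after for g in self.grants)
        self.audit.append({"ts": now, "sub": subject, "asset": asset_id,
                           "action": action, "allowed": allowed})
        return allowed


class AssetProxy:
    """Token -> subject, policy -> decision, then resolve; nothing is decided ahead of time."""

    def __init__(self, policy: PolicyService, sessions: Dict[str, dict]):
        self.policy = policy
        self.sessions = sessions        # bearer token -> {"sub": ..., "exp": ...}

    def fetch(self, bearer: str, asset_id: str, now: float) -> Tuple[int, str]:
        sess = self.sessions.get(bearer)
        if sess is None or now >= sess["exp"]:
            return 401, "invalid or expired token"
        if not self.policy.decide(sess["sub"], asset_id, "view", now):
            return 403, "denied by policy"
        location = CATALOGUE.get(asset_id)
        if location is None:
            return 404, "unknown asset"
        return 200, location            # the real proxy streams from here into RV


def presign(asset_id: str, expires_at: int) -> str:
    """Pre-signed URL: the signature covers the asset and expiry, but names no subject."""
    msg = f"{asset_id}|{expires_at}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"https://media.studio.example/{asset_id}?exp={expires_at}&sig={sig}"


def serve_presigned(url: str, now: float) -> Tuple[int, str]:
    """Whoever holds the URL gets the bytes until exp; a later revocation cannot reach it."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    asset_id = parsed.path.lstrip("/")
    exp = int(q["exp"][0])
    expected = hmac.new(SIGNING_KEY, f"{asset_id}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, q["sig"][0]):
        return 403, "bad signature"
    if now >= exp:
        return 403, "url expired"
    return 200, CATALOGUE.get(asset_id, "")


def compare_revocation() -> dict:
    """Grant a vendor reviewer access, revoke it mid-window, and hit both paths again."""
    policy = PolicyService()
    policy.grant(Grant("reviewer@vendor.example", "shot010/plate_v3", "view", not_after=7200))
    proxy = AssetProxy(policy, {"tok-abc": {"sub": "reviewer@vendor.example", "exp": 7200}})
    url = presign("shot010/plate_v3", expires_at=7200)
    before = (proxy.fetch("tok-abc", "shot010/plate_v3", now=100)[0],
              serve_presigned(url, now=100)[0])
    policy.revoke("reviewer@vendor.example", "shot010/plate_v3")
    after = (proxy.fetch("tok-abc", "shot010/plate_v3", now=200)[0],
             serve_presigned(url, now=200)[0])
    return {"before": before, "after": after, "audit_entries": len(policy.audit)}
```

Running compare_revocation() shows the difference the meeting cared about: before revocation both paths return 200, afterwards the proxy returns 403 while the pre-signed URL still returns 200 until its expiry, and only the proxy path leaves an audit entry that names the subject.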
January 16, 2025
Overview
In the Technical Discussion and Planning meeting held on January 16, 2025, participants provided health updates before diving into a focused discussion on authentication and zero trust principles. Daryl introduced the need for a refreshed approach to authentication, acknowledging its role as a stepping stone towards achieving true zero trust, while noting the challenge posed to artists needing distinct logins for various services. The conversation also included insights from Claude on Autodesk's challenges with cloud connectivity and licensing sign-ins, emphasizing the importance of a generic solution that could leverage existing credentials. The group explored the unique authentication challenges faced by native applications and the necessity of implementing best practices to minimize disruption for artists. Daryl presented a high-level architecture for the proposed solution, which includes a centralized login application and identity management components, and addressed token expiration mechanisms. The discussion extended to integrating with external identity providers and establishing trust between services, leading to a collaborative outlook on creating a versatile login system for multi-vendor environments. Action items were assigned to Blake to investigate AWS identity solutions, Daryl to convert and share the presentation, and Chris to update the meeting notes on the wiki for future reference.
Notes
Health Updates and Meeting Start (00:26 - 07:56)
Participants discuss recent cold experiences
Daryl mentions still recovering from a viral infection
Chris Lowell joins the meeting
Authentication and Zero Trust Discussion (07:56 - 13:33)
Daryl introduces the meeting's focus on authentication and zero trust
Goal: Refresh on current status and propose implementation ideas
Acknowledge authentication isn't true zero trust but necessary for progress
Challenge: Artists potentially needing separate logins for each service/plugin
Customer Experiences and Autodesk Perspective (13:33 - 19:55)
Claude shares Autodesk's experience with cloud connectivity and sign-in requirements
Autodesk products now require sign-in for licensing and service connectivity
Challenge: Understanding how to approach the problem for a more generic solution
Discussion on leveraging existing credentials for other services (e.g., Google)
Identity and Authentication Challenges (19:55 - 27:46)
Focus on native applications: desktop, plugins, and command-line apps
Unique challenges in the industry: multiple vendors, plugins, artist collaboration
Current reliance on OS-level authentication for local access
Goal: Implement best practices and zero trust while minimizing artist disruption
Proposed Implementation and Workflow (27:48 - 34:17)
Daryl presents a high-level architecture for the proposed solution
Key components: Login application, identity library, identity API, and storage system
Workflow: Login once per session, share identities between native applications
Discussion on token expiration and refresh mechanisms
Identity Provider Integration and Trust (34:18 - 45:59)
Claude presents current Autodesk and ShotGrid authentication workflows
Discussion on integrating with external identity providers (IDPs)
Challenges in establishing trust between different services and IDPs
Consideration of using external browsers for authentication processes
Moving Forward and Industry Collaboration (45:59 - 56:25)
Discussion on creating a more generic login system for multi-vendor environments
Exploration of token exchange processes between different services
Blake mentions AWS perspective on identity management
Action Item: Blake to explore AWS identity solutions for this use case
Agreement to potentially demo the proposed solution in a future meeting
Action items
Blake
Explore AWS identity solutions and start conversations with the service team about applying them to this use case (52:29)
Daryl
Convert the presentation into a PDF and share it on the wiki page (56:06)
Chris
Update and complete the meeting notes on the wiki (55:59)
Key Insights from the Customer Conversation
Pain Points
Complex Authentication Processes: The current requirement for multiple logins across different services is cumbersome and not tenable for users, particularly artists who need seamless access to various tools.
Lack of Unified Identity Management: There is a significant challenge in managing identities across different platforms (e.g., Autodesk, Google, Adobe), leading to frustration and inefficiencies.
Token Management Issues: Concerns were raised about the management of long-lived tokens and the need for better security practices, such as minimizing token accessibility duration and ensuring quick revocation of access.
Business Needs
Single Sign-On (SSO) Solutions: There is a strong demand for a unified authentication process that allows users to log in once and access multiple services without repeated logins.
Identity Provider Flexibility: Customers need the ability to choose their identity provider and manage access rights effectively across different platforms.
Improved Security Practices: The need for a zero-trust approach that minimizes disruption to artists while enhancing security is essential.
Seamless Integration Across Tools: The ability to connect various applications (e.g., Autodesk, Adobe) with a single identity is crucial for improving workflow efficiency.
Interested Features
Identity Token Exchange: The ability to exchange identity tokens for access tokens seamlessly across different applications is a key feature that would address current pain points.
OS Key Store Utilization: Leveraging the operating system's key store for managing identities and tokens could simplify the authentication process.
Contextual Identity Management: The ability to manage identities based on project context (e.g., different identities for different productions) is an important feature that would enhance user experience.
Support for Multiple Identity Protocols: Implementing support for protocols like OpenID Connect and SAML to facilitate broader integration with various identity providers.
Conclusion
The insights gathered from the conversation highlight significant pain points related to authentication and identity management that the customer is facing. Addressing these needs with a robust, flexible, and secure identity management solution could greatly enhance productivity and user satisfaction, making it an attractive proposition for closing the deal.
The meeting covered several key technical takeaways related to identity management and authentication for applications in the context of the media and entertainment industry:
Challenge of Identity Management: The industry faces unique challenges due to the need for multiple vendors to work together, which complicates single sign-on (SSO) and identity management. Applications often rely on OS-level authentication, and there's a need to move away from practices like using long-lived API keys.
Need for a Unified Identity Solution: A proposed solution involves having a login application that uses an identity library to authenticate users once per session and stores the identity in a secure way for native applications to access. This aims to minimize disruptions for artists while improving security.
Architectural Approach: The proposed architecture includes a login application, an identity library, and identity storage. Applications would retrieve an identity from this storage to request access tokens from network services. The approach emphasizes using existing protocols like OpenID Connect to handle identity verification.
Identity Protocols: OpenID Connect is preferred over SAML due to its ease of configuration and the fact that it provides a JWT (JSON Web Token) that can be used for identity verification. SAML, while possible, is more complex and less standardized.
Browser-based Authentication Flow: The use of external browsers for authentication is recommended to leverage their security updates. There was also discussion of using "headless" authentication, similar to methods used by TV apps, to provide flexibility in how users authenticate.
Handling Token Expiration and Refresh: The system would need to manage token expiration and refresh seamlessly, especially for long-duration processes like rendering. There is a need to ensure that tokens can be refreshed automatically without user intervention.
Interoperability and Trust: A significant challenge is enabling interoperability between different systems (e.g., Autodesk and Google services) and establishing trust between them to allow seamless identity exchange.
Potential Implementation Challenges: Storing and accessing identities securely across different operating systems and applications presents challenges, especially with varying access controls like those found in macOS and Linux.
Revocation of Access: There was a discussion on the need for mechanisms to revoke access tokens immediately in case of malicious activity, beyond just relying on token expiration.
Importance of Contextual Identity: The need for supporting multiple identities for users who work on different productions or projects was acknowledged, which requires careful management of identity contexts.
Overall, the meeting stressed the importance of a unified, secure, and artist-friendly approach to identity management in the media and entertainment industry, leveraging existing standards and protocols to address the unique challenges faced by the industry.
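As an added example of the architecture and token handling described in the January 16 takeaways (the login application, identity library and identity storage, OpenID Connect ID tokens as JWTs, automatic refresh for long renders, and immediate revocation), the following Python code is not the working group's or any vendor's implementation. It verifies an ID token the way a relying party must (algorithm, signature, issuer, audience, expiry, nonce), keeps the tokens in a keystore that stands in for the OS keychain, refreshes before expiry so a long-running process never stalls, and clears the session when the provider reports revocation. HS256 with a constructed shared key is used only so the block runs offline; a real OpenID Connect client validates RS256 or ES256 signatures against the provider's JWKS. FakeIdp, ISSUER, CLIENT_ID and the subjects are hypothetical.

```python
"""Login-once identity session: verified ID token in a keystore, refreshed before expiry.

Added example, not working-group code. HS256 with KEY is a stand-in for the
provider's asymmetric signature; FakeIdp, ISSUER and CLIENT_ID are constructed.
"""
import base64, hashlib, hmac, json
from typing import Dict, Optional

KEY = b"constructed-demo-hmac-key"
ISSUER = "https://idp.studio.example"      # constructed
CLIENT_ID = "studio-login-app"             # constructed


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenError(Exception):
    pass


def verify_id_token(token, key, issuer, audience, now, nonce=None, skew=60) -> dict:
    """The checks every OIDC relying party must make: alg, signature, iss, aud, exp, nonce."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")      # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0) + skew:
        raise TokenError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims


class FakeIdp:
    """Hypothetical provider: 1-hour ID tokens, rotating refresh tokens, honours revocation."""

    def __init__(self):
        self.refresh_tokens: Dict[str, str] = {}   # refresh token -> subject
        self.revoked = set()

    def issue(self, sub: str, now: float) -> dict:
        rt = "rt-" + _b64url(hashlib.sha256(f"{sub}{now}".encode()).digest())[:16]
        self.refresh_tokens[rt] = sub
        id_token = make_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                             "iat": now, "exp": now + 3600}, KEY)
        return {"id_token": id_token, "refresh_token": rt}

    def refresh(self, rt: str, now: float) -> Optional[dict]:
        sub = self.refresh_tokens.pop(rt, None)     # rotation: a refresh token dies on use
        if sub is None or sub in self.revoked:
            return None
        return self.issue(sub, now)


class IdentitySession:
    """The identity library role: log in once, keep tokens in the keystore (an OS keychain
    in practice), refresh before expiry so a long render never stalls, clear on revocation."""

    def __init__(self, keystore: Dict[str, str], refresh, margin: int = 300):
        self.keystore, self.refresh, self.margin = keystore, refresh, margin
        self.refresh_count = 0

    def login(self, tokens: dict, now: float) -> str:
        sub = verify_id_token(tokens["id_token"], KEY, ISSUER, CLIENT_ID, now)["sub"]
        self.keystore.update(id_token=tokens["id_token"], refresh_token=tokens["refresh_token"])
        return sub

    def current_identity(self, now: float) -> dict:
        token = self.keystore.get("id_token")
        if token is None:
            raise TokenError("not logged in")
        exp = json.loads(_b64url_decode(token.split(".")[1])).get("exp", 0)  # peek, verify below
        if exp - now < self.margin:
            fresh = self.refresh(self.keystore.get("refresh_token", ""), now)
            if fresh is None:
                self.keystore.clear()               # revoked: force a fresh browser login
                raise TokenError("session revoked")
            self.keystore.update(id_token=fresh["id_token"], refresh_token=fresh["refresh_token"])
            token, self.refresh_count = fresh["id_token"], self.refresh_count + 1
        return verify_id_token(token, KEY, ISSUER, CLIENT_ID, now)


def render_job_demo() -> dict:
    """A three-hour render checking identity every 30 min, then revocation at the provider."""
    idp = FakeIdp()
    session = IdentitySession({}, idp.refresh)
    sub = session.login(idp.issue("artist@studio.example", now=0), now=0)
    for t in range(0, 10801, 1800):
        assert session.current_identity(t)["sub"] == sub
    idp.revoked.add(sub)
    try:
        session.current_identity(14400)
        revoked = False
    except TokenError:
        revoked = True
    return {"refreshes": session.refresh_count, "revoked_detected": revoked,
            "keystore_empty": not session.keystore}
```

In render_job_demo() the session refreshes three times over the simulated three hours without any artist interaction, and the first check after the provider revokes the subject fails closed and empties the keystore. The refresh margin is the knob that trades off how close to expiry a long process may run against how often it talks to the provider.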