CLARIN/Security for web services

<sidebar>

• CLARIN web service security
  • CLARIN/Security_for_web_services|Analysis
  • CLARIN/OAuth2|OAuth2
  • CLARIN/OAuth2 use case|OAuth2 use-case
  • CLARIN/OAuth2_real_world_usage|OAuth2 elsewhere
• resources
  • https://mailman.nikhef.nl/mailman/listinfo/biggrid-clarin-security-discuss%7Cmailing list
  • http://agenda.nikhef.nl/conferenceDisplay.py?confId=993%7Cworkshop 2010
  • http://www.clarin.eu/%7CCLARIN
  • http://www.biggrid.nl/%7CBiG Grid

</sidebar> This page has been superseded by a report.
A conclusion was to look into OAuth2, which is being looked at here.

---

Notes after the report was finished:

• EMI STS is a new contender, but uses SAML ECP, which not many IdPs support

Links

Standards

• User Managed Access (UMA) has some overlap with this work; seems to be useful for person-to-person sharing
• OASIS Web Services Security: WS-Security, username, X.509, SAML
• A SASL and GSS-API Mechanism for SAML, uses base64 encoded SAML request in URL
• ways to use SAML (and SAML interop scenarios)
• OAuth 2.0, and with SAML assertions

Libraries

• OAuth 2 assertion profile library
• Shibboleth ECP IdPdelegation, web-service client, and configuring it.

Federations

• eduGAIN
• OpenSocial
• SURFfederatie diensten

Other

• N-tier usage of SAML in backend
• Similar project in US' department of defense
• Data portability, and blog
• OAuth 2 uses bearer tokens and misses signatures, which may become a problem.
• Nice OAuth 1 and OAuth 2 diagrams
• xDAuth
• SimpleAuth: adaptation of OpenID to support delegation (though this might be something entirely different)
• MashMyData security model