Difference between revisions of "CLARIN/OAuth2"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 19: Line 19:
 
* Perl: [http://search.cpan.org/dist/Net-OAuth2/ Net::OAuth2] client
 
* Perl: [http://search.cpan.org/dist/Net-OAuth2/ Net::OAuth2] client
 
* R: [https://github.com/noahhl/oauth oauth]
 
* R: [https://github.com/noahhl/oauth oauth]
 +
 +
== Use-case ==
 +
A user accesses a web portal ("client" in OAuth2 terminology) for editing data. He logs in using SAML SSO. Somewhere in the process, the portal needs to access the user's data on service B. Using the existing SAML SSO login, the portal accesses service B without having to ask the user's confirmation again.
 +
Access to service B can be implemented using OAuth 2.0. There are several ways to do this. Let's see what existing implementations provide.
 +
 +
* [http://www.rediris.es/oauth2/ OAuth2lib]: client does SAML SSO login. By presenting the returned attributes to the AS, it obtains an access token for the RS.
 +
** ''':)''' AS trusts RS; signed access token by shared secret
 +
** ''':((''' AS fully trusts client to supply user attributes
 +
*** Either client could pass signed SAML statement from IdP to AS, which then can verify that.
 +
**** related to [http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer draft-ietf-oauth-saml2-bearer] (and expired [http://tools.ietf.org/html/draft-campbell-oauth-saml draft-campbell-oauth-saml]); AS would need to check that it was signed to the portal's SAML SP endpoint according to draft :/
 +
**** ''':(''' would require signatures of all IdPs at each AS (can be done using eduGAIN, but not pretty)
 +
**** ''':(''' requires patching of OAuth2lib (and maybe SimpleSAMLphp too)
 +
*** Or introduce an [http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1 authorization endpoint] that does SAML SSO login for the client
 +
**** ''':)''' returns user attributes token to client
 +
**** ''':)''' signed token so AS can check it was supplied by the authorization endpoint (shared secret)
 +
**** ''':D''' client does not need to know about SAML SSO
 +
**** ''':(''' requires development of new service endpoint

Revision as of 11:18, 10 November 2011

Documents

draft-campbell-oauth-saml draft-jones-oauth-jwt-bearer

Software

AS=Authentication Server, RS=Resource Server

Use-case

A user accesses a web portal ("client" in OAuth2 terminology) for editing data. He logs in using SAML SSO. Somewhere in the process, the portal needs to access the user's data on service B. Using the existing SAML SSO login, the portal accesses service B without having to ask the user's confirmation again. Access to service B can be implemented using OAuth 2.0. There are several ways to do this. Let's see what existing implementations provide.

  • OAuth2lib: client does SAML SSO login. By presenting the returned attributes to the AS, it obtains an access token for the RS.
    • :) AS trusts RS; signed access token by shared secret
    • :(( AS fully trusts client to supply user attributes
      • Either client could pass signed SAML statement from IdP to AS, which then can verify that.
        • related to draft-ietf-oauth-saml2-bearer (and expired draft-campbell-oauth-saml); AS would need to check that it was signed to the portal's SAML SP endpoint according to draft :/
        • :( would require signatures of all IdPs at each AS (can be done using eduGAIN, but not pretty)
        • :( requires patching of OAuth2lib (and maybe SimpleSAMLphp too)
      • Or introduce an authorization endpoint that does SAML SSO login for the client
        • :) returns user attributes token to client
        • :) signed token so AS can check it was supplied by the authorization endpoint (shared secret)
        • :D client does not need to know about SAML SSO
        • :( requires development of new service endpoint