Difference between revisions of "CLARIN/Security for web services"

From PDP/Grid Wiki
Jump to navigationJump to search
(more clarity in lay-out)
 
(73 intermediate revisions by 2 users not shown)
Line 1: Line 1:
* [http://www.isocat.org/ ISOcat] registry
+
{{CLARIN}}
* [http://www.clarin.eu/cmdi CMDI], component metadata infrastructure
+
'''This page has been superseded by a [[Media:Clarin-security_for_web_services-research-report010.pdf|report]].''' <br />
 +
A conclusion was to look into [[CLARIN/OAuth2|OAuth2]], which is being looked at [[CLARIN/OAuth2|here]].
  
 +
----
  
== Approaches ==
+
Notes after the report was finished:
 
+
* [https://forge.switch.ch/redmine/projects/sts/wiki/Wiki EMI STS] is a new contender, but uses SAML ECP, which not many IdPs support
<div style="clear:right"></div>[[Image:Approaches_open.png|150px|right|Open diagram]]
 
=== Open ===
 
All services trust each other. No technical security measures (other than, possibly, blocking complete strangers); managable upto ~15 services [TODO ref needed]
 
 
 
<div style="clear:right"></div>
 
=== Shibboleth + delegation ===
 
[http://shibboleth.internet2.edu/ Shibboleth] is already used for federated authentication. It has [https://spaces.internet2.edu/display/SHIB2/ECP#ECP-Directvs.DelegatedAuthentication ECP] support with [https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal delegation], though only through a plugin. The next major IdP release [https://spaces.internet2.edu/display/SHIB2/ECP#ECP-CodeAvailability may] include it though.
 
 
 
One cannot expect each IdP to install this plugin, or to have the latest version installed [TODO check if this is the case with Shibboleth version policies]. Therefore this option is not viable.
 
 
 
=== SAML ECP ===
 
(see Shibboleth) [TODO would there be other SAML ECP options than Shibboleth?]
 
 
 
<div style="clear:right"></div>[[Image:Approaches_oauth1.png|150px|right|OAuth 1.0 diagram]]
 
=== OAuth 1.0 ===
 
[http://tools.ietf.org/html/rfc5849 OAuth 1] is used on the world wide web as a method to access server resources on behalf of a resource owner. It is used by [http://wiki.oauth.net/w/page/12238516/FrontPage quite] a number of big websites like [http://code.google.com/apis/accounts/docs/OAuth.html Google], [http://dev.twitter.com/pages/sign_in_with_twitter Twitter].
 
 
 
OAuth 1.0 requires browser redirection and confirmation [TODO check if confirmation is optional]. This might be acceptable for the portal scenario, but not for nested service invocations (real delegation).
 
 
 
 
 
<div style="clear:right"></div>[[Image:Approaches_oauth2.png|150px|right|OAuth 2.0 diagram]]
 
=== OAuth 2.0 ===
 
[http://oauth.net/2/ OAuth 2] is the new version of OAuth, which supports many more scenario's. This is being adopted ([http://developers.facebook.com/docs/authentication/ Facebook] is on the wagon already). RedIRIS has already made this work with Shibboleth in [http://www.rediris.es/oauth2/ OAuth2lib].
 
 
 
<div style="clear:right"></div>
 
  
 
== Links ==
 
== Links ==
 
=== Standards ===
 
=== Standards ===
* [http://kantarainitiative.org/confluence/display/uma/UMA+Explained User Managed Access] (UMA) has some overlap with this work
+
* [http://kantarainitiative.org/confluence/display/uma/UMA+Explained User Managed Access] (UMA) has some overlap with this work; [http://www.ietf.org/mail-archive/web/oauth/current/msg08556.html seems to be] useful for person-to-person sharing
 
* [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss OASIS Web Services Security]: [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.pdf WS-Security], [http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf username], [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-x509TokenProfile.pdf X.509], [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SAMLTokenProfile.pdf SAML]
 
* [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss OASIS Web Services Security]: [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.pdf WS-Security], [http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf username], [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-x509TokenProfile.pdf X.509], [http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SAMLTokenProfile.pdf SAML]
 
* [https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml/ A SASL and GSS-API Mechanism for SAML], uses base64 encoded SAML request in URL
 
* [https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml/ A SASL and GSS-API Mechanism for SAML], uses base64 encoded SAML request in URL
 +
* [http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security4.html ways to use SAML] (and [http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/XWS-SecuritySamples7.html#wp580431 SAML interop scenarios])
 
* [http://tools.ietf.org/html/draft-ietf-oauth-v2-10 OAuth 2.0], and [http://iiw.idcommons.net/SAML_Profiles_for_OAuth with SAML assertions]
 
* [http://tools.ietf.org/html/draft-ietf-oauth-v2-10 OAuth 2.0], and [http://iiw.idcommons.net/SAML_Profiles_for_OAuth with SAML assertions]
  
 
=== Libraries ===
 
=== Libraries ===
 
* [http://www.rediris.es/oauth2/ OAuth 2 assertion profile library]
 
* [http://www.rediris.es/oauth2/ OAuth 2 assertion profile library]
* Shibboleth [https://spaces.internet2.edu/display/SHIB2/ECP#ECP-Directvs.DelegatedAuthentication ECP] [https://spaces.internet2.edu/display/ShibuPortal/IdPDelegationExtension delegation], [https://forge.switch.ch/redmine/projects/idwsfecp/wiki web-service client], and [https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal configuring it].
+
* Shibboleth [https://wiki.shibboleth.net/confluence/display/SHIB2/ECP ECP] [https://spaces.internet2.edu/display/ShibuPortal/IdPDelegationExtension IdPdelegation], [https://forge.switch.ch/redmine/projects/idwsfecp/wiki web-service client], and [https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal configuring it].
  
 
=== Federations ===
 
=== Federations ===
 
* [http://www.geant.net/Services/EndUserApplicationServices/Pages/eduGAIN.aspx eduGAIN]
 
* [http://www.geant.net/Services/EndUserApplicationServices/Pages/eduGAIN.aspx eduGAIN]
 
* [http://code.google.com/apis/opensocial/ OpenSocial]
 
* [http://code.google.com/apis/opensocial/ OpenSocial]
* [http://www.surfnet.nl/nl/Thema/SURFfederatie/diensten/Pages/ SURFfederatie diensten]
+
* [http://www.surfnet.nl/nl/Thema/SURFfederatie/diensten/ SURFfederatie diensten]
  
 
=== Other ===
 
=== Other ===
 
* [http://saml.xml.org/forum/n-tier-usage-of-saml-in-the-backend N-tier usage of SAML in backend]
 
* [http://saml.xml.org/forum/n-tier-usage-of-saml-in-the-backend N-tier usage of SAML in backend]
 +
* [http://www.omg.org/news/meetings/workshops/Web_Services_USA_Manual/02-3_K_Smith.pdf Similar project] in US' department of defense
 +
* [http://portabilitypolicy.org/ Data portability], and [http://dataportability.org/ blog]
 +
* OAuth 2 uses bearer tokens and misses signatures, which [http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/ may become a problem].
 +
* Nice [http://davidlyness.com/post/twitter-oauth OAuth 1] and [http://www.independentid.com/2011/03/oauth-flows-extended.html OAuth 2] diagrams
 +
* [http://profsandhu.com/zhang/pub/sacmat11-xdauth.pdf xDAuth]
 +
* [http://contentdm.lib.byu.edu/ETD/image/etd2515.pdf SimpleAuth]: adaptation of OpenID to support delegation (though this might be something entirely different)
 +
* [http://ndg-security.ceda.ac.uk/wiki/MashMyData MashMyData security model]

Latest revision as of 11:28, 26 February 2013

<sidebar>

</sidebar> This page has been superseded by a report.
A conclusion was to look into OAuth2, which is being looked at here.


Notes after the report was finished:

  • EMI STS is a new contender, but uses SAML ECP, which not many IdPs support

Links

Standards

Libraries

Federations

Other