Difference between revisions of "CLARIN/OAuth2 use case"
(41 intermediate revisions by 2 users not shown)
Latest revision as of 15:39, 28 August 2013
While in the end n-tier delegation is needed within CLARIN, for the current use-case it is enough to do without real delegation. Plain OAuth2 is sufficient, just to get some experience with it. Delegation can be added later by using a delegation endpoint, or using certificate delegation.
So the goal now is to create a straightforward OAuth2 setup with client, authentication server, and resource server.
This 1-step delegation project has been finalized, resulting in a working demonstrator (https://github.com/wvengen/oauth2-demo) and an implementation by MPI described in the associated report (Media:Clarin-security_for_web_services_inplementation.pdf).
This page contains mostly background information. To get started with the demonstration, please visit the Github repository (https://github.com/wvengen/oauth2-demo).
Client
There are many existing OAuth2 clients for various programming languages. Documentation of the settings needed is most important. It would be useful to have a number of examples to use with the most important programming languages (at least Java and PHP). Finally, a way to configure a client through Apache configuration without touching its code would be a bonus, supplying user and token information in environment variables.
Use-case: CMDI catalog
The CMDI catalog (http://catalog.clarin.eu/) is Java-based using mod_jk (http://tomcat.apache.org/connectors-doc-archive/jk2/jk/aphowto.html). It uses servlet security, with mod_shib (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig) for single sign-on. Options:
- client library: a Java client library to integrate within the portal for obtaining a token
  - portal needs to be web-based, because obtaining a token requires the user's web browser
- reverse proxy/servlet that always requests an access token after logging into the portal
  - pro: portal doesn't need to change much / con: token not always needed
The former is cleaner, since it only fetches a token when it is needed. It is probably also easier to implement, and there are quite a number of existing client-side OAuth 2 libraries.
- google-oauth-java-client (http://code.google.com/p/google-oauth-java-client/wiki/OAuth2)
- spring-security-oauth (https://github.com/SpringSource/spring-security-oauth/wiki/oAuth2)
- Apache Amber (https://cwiki.apache.org/confluence/display/AMBER/OAuth+2.0+Client)
- perhaps at some point it would be convenient to write a spring-social (http://www.springsource.org/spring-social) provider
Result
This has been achieved using spring-security-oauth.
Authorization server
The OAuth2 AS (authorization server) is the most complex component of the three, which handles user authentication using SAML SSO, consent, possibly some authorization, and token management. It does not need to integrate directly with an existing application (unlike the client or RS). There is not that much choice between existing OAuth2 server implementations currently, and their maturity varies. Options:
- OpenAM (http://openam.forgerock.org/) OAuth 2 module (http://openam.forgerock.org/doc/admin-guide/index.html#oauth2-module-conf-hints)
- Songkick's OAuth2 provider (https://github.com/songkick/oauth2-provider)
  - easy to set up
  - no split AS/RS (no check_token endpoint)
- ndg_oauth_server
  - split AS/RS possible, check_token endpoint present
    - check_token only returns decision, not user identity
  - uses client certificates for client authentication (instead of HTTP basic auth)
- CloudFoundry User Account and Authentication Server (https://github.com/cloudfoundry/uaa)
  - split AS/RS (with check_token endpoint)
  - seems pretty complete
Result
This is currently working with ndg_oauth_server. Open questions or issues:
- Need to implement a resource registry
  - would be nice to specify which attributes are allowed to be returned per resource
- tokens are currently not bound to a specific resource (= no audience restriction)
- check_token endpoint does not return a user identifier, so we don't know what resource to serve!
Resource server
The resource server needs to verify the access token supplied by the client, and perhaps needs to retrieve user information to base an authorization decision on (since one of the requirements is that resources can make the final decision). This is no more than a simple REST call to a check-token or user-information endpoint on the authentication server.
To make this easy for service developers, at least clear documentation is needed on how to do this. It would be useful to have code samples in a number of programming languages.
To complete it, a way to run the service directly on Apache, with just some extra configuration for doing the check and returning information in (environment) variables, would be great. This may include running a reverse proxy that does the authorization, and passing the request on to the real service upon success.
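The following is an added example, not code from the CLARIN demonstrator, ndg_oauth_server or CloudFoundry UAA. It models in-process the split AS/RS arrangement described above (the resource server's "simple REST call to a check-token endpoint") and shows the two open issues from the authorization-server result list handled: the check_token reply carries the user identity the RS needs in order to know what to serve, and each token is bound to one audience so a token minted for another resource is refused. Class names, the token store, the resource-server credential registry and the JSON-like reply shape are all assumptions chosen for illustration.

```python
"""Constructed model of an authorization server (AS) answering check_token
calls from a resource server (RS). Added example; names and data shapes
are assumptions, not any project's API."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedToken:
    user_id: str        # who authorized the client
    client_id: str      # which client obtained the token
    audience: str       # resource the token is valid for (assumed field)
    scope: frozenset
    expires_at: float


class AuthorizationServer:
    """Holds issued tokens and answers check_token for registered resources."""

    def __init__(self, rs_credentials):
        # {resource_id: shared_secret}: a constructed stand-in for the
        # resource registry the page says still needs to be implemented.
        self._rs_credentials = rs_credentials
        self._tokens = {}

    def issue(self, user_id, client_id, audience, scope, ttl=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = IssuedToken(user_id, client_id, audience,
                                          frozenset(scope), time.time() + ttl)
        return token

    def check_token(self, resource_id, resource_secret, token):
        """Decision plus identity and audience, not a bare yes/no."""
        expected = self._rs_credentials.get(resource_id)
        if expected is None or not hmac.compare_digest(expected, resource_secret):
            raise PermissionError("unknown or unauthenticated resource server")
        t = self._tokens.get(token)
        if t is None or t.expires_at <= time.time():
            return {"active": False}
        return {"active": True, "user_name": t.user_id, "client_id": t.client_id,
                "aud": t.audience, "scope": sorted(t.scope)}


class ResourceServer:
    def __init__(self, resource_id, secret, authz_server):
        self.resource_id = resource_id
        self._secret = secret
        self._as = authz_server

    def authorize(self, token, required_scope):
        """Returns the user to serve, or None if the request must be refused."""
        info = self._as.check_token(self.resource_id, self._secret, token)
        if not info.get("active"):
            return None
        # Audience restriction: the AS vouches for the token, but it was not
        # issued for this resource, so it is refused here.
        if info.get("aud") != self.resource_id:
            return None
        if required_scope not in info.get("scope", []):
            return None
        return info["user_name"]


def demo():
    """Constructed walk-through: identity comes back, audience is enforced."""
    authz = AuthorizationServer({"isocat": "isocat-secret", "other-rs": "other-secret"})
    isocat = ResourceServer("isocat", "isocat-secret", authz)
    for_isocat = authz.issue("alice", "cmdi-catalog", audience="isocat", scope={"read"})
    for_other = authz.issue("alice", "cmdi-catalog", audience="other-rs", scope={"read"})
    return (isocat.authorize(for_isocat, "read"),   # "alice"
            isocat.authorize(for_other, "read"),    # None: wrong audience
            isocat.authorize("not-a-token", "read"))  # None: unknown token


if __name__ == "__main__":
    print(demo())
```

The resource server authenticates itself to check_token with a shared secret here; the page notes ndg_oauth_server uses client certificates for this instead, which would replace only the credential check in `check_token`.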
Use-case: ISOcat
In our use-case, ISOcat (http://www.isocat.org/) is the resource server. While many services use servlet filters for security combined with mod_shib (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig) for single sign-on and mod_proxy (http://httpd.apache.org/docs/2.2/mod/mod_proxy.html), ISOcat uses Netkernel (http://www.netkernel.org/). Options would be:
- using a library
  - Apache Amber RS (https://cwiki.apache.org/confluence/display/AMBER/OAuth+2.0+Resource+Server)
- servlet-filter (after migration to servlets)
  - RESThub example (http://resthub.org/refdoc/java/oauth2.html#secured-your-resource-servers)
  - Protecting resources with OAuth filters (http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters) for JAX-RS (http://cxf.apache.org/docs/jax-rs.html), a RESTful Java API
  - spring-security-oauth (https://github.com/SpringSource/spring-security-oauth/wiki; also https://github.com/SpringSource/spring-security-oauth/wiki/oauth2)
- reverse proxy that checks the OAuth2 token, optionally fetches user info, and hands it over to the real application
  - Reverse proxy with remote user authorization (http://blog.rot13.org/2009/06/reverse-proxy-with-remote-user-authorization.html) (mod_perl based)
  - Passing REMOTE_USER from Apache as a reverse proxy to web application servers (http://www.allgoodbits.org/articles/view/28)
- apache module or option that does the same as the proxy directly
  - an apache module does not exist, and would be quite some work (not a new idea: http://code.google.com/p/mod-auth-oauth/wiki/mod_auth_oauth)
  - if there is a config option to do authentication or set headers from a script, this may be a possibility (something like WSGIAccessScript, http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms#Host_Access_Controls, or another way of running a script plus mod_setenvif, http://httpd.apache.org/docs/2.2/howto/access.html#env)
The use of a reverse proxy would be the most flexible. If it also integrates well with servlets (which often do use a reverse proxy already), then this would be a fit solution.
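As an added example of the reverse-proxy option (not code from ISOcat, Netkernel or any project on this page), the middleware below sits in front of the real application, checks the Bearer token on the way in, asks an injected check function (the REST call to the AS's check_token endpoint, abstracted away so the example runs offline) and hands the user identity to the application in REMOTE_USER, the same variable mod_shib or an Apache proxy would set. A request with no token, an unknown token, or a token issued for another audience is stopped at the proxy with a 401. The class name, the check-function contract and the token table are assumptions.

```python
"""Added example: WSGI middleware acting as the token-checking reverse proxy.
The check function and the reply shape are assumptions."""
import json
from wsgiref.util import setup_testing_defaults


class OAuth2BearerMiddleware:
    def __init__(self, app, check_token, resource_id):
        self.app = app
        # check_token(token) -> {"active": bool, "user_name": ..., "aud": ..., "scope": [...]}
        self.check_token = check_token
        self.resource_id = resource_id

    def __call__(self, environ, start_response):
        # Never trust an identity that arrived with the request; the proxy sets it.
        environ.pop("REMOTE_USER", None)
        token = self._bearer_token(environ.get("HTTP_AUTHORIZATION", ""))
        info = self.check_token(token) if token else {"active": False}
        if not info.get("active") or info.get("aud") != self.resource_id:
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Bearer realm="%s"' % self.resource_id),
                            ("Content-Type", "text/plain")])
            return [b"invalid or missing token\n"]
        environ["REMOTE_USER"] = info["user_name"]      # handed to the real app
        environ["oauth2.scope"] = info.get("scope", [])  # extra info, if wanted
        return self.app(environ, start_response)

    @staticmethod
    def _bearer_token(header):
        parts = header.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "bearer":
            return parts[1].strip()
        return None


def protected_app(environ, start_response):
    """The 'real' application: only sees requests the proxy let through."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"user": environ["REMOTE_USER"]}).encode()]


def run_request(app, authorization=None):
    """Drive the WSGI stack without a network; returns (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


# Constructed token table standing in for the AS's check_token endpoint.
TOKENS = {
    "tok-alice": {"active": True, "user_name": "alice", "aud": "isocat", "scope": ["read"]},
    "tok-bob": {"active": True, "user_name": "bob", "aud": "other-service", "scope": ["read"]},
}


def fake_check_token(token):
    return TOKENS.get(token, {"active": False})


app = OAuth2BearerMiddleware(protected_app, fake_check_token, "isocat")

if __name__ == "__main__":
    print(run_request(app, "Bearer tok-alice"))
    print(run_request(app))
```

Plugging the same class in front of a servlet container or Netkernel would mean replacing `fake_check_token` with the HTTP call to the AS and carrying REMOTE_USER across the proxy hop as a request header, which is exactly the step the two reverse-proxy links above describe.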
Result
This is working using Spring Security with an adaptation of CloudFoundry's RemoteTokenServices (https://github.com/cloudfoundry/uaa/blob/master/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/RemoteTokenServices.java).
Links
- OAuth with Spring Security (http://www.javacodegeeks.com/2012/02/oauth-with-spring-security.html)
- To seek out new life and ... (http://www.lordofthejars.com/2011/05/to-seek-out-new-life-and-new.html)
- Spring Security OAuth2 (https://github.com/SpringSource/spring-security-oauth/wiki/oauth2)
- Integrating OAuth with AppFuse and its REST API (http://raibledesigns.com/rd/entry/integrating_oauth_with_appfuse_and)
- OAuth2 without Spring MVC (http://forum.springsource.org/showthread.php?117377-OAuth-2-without-Spring-MVC/page2) (Spring Forum)
- Installed (desktop) applications
  - at Google (https://developers.google.com/accounts/docs/OAuth2#installed)