Difference between revisions of "CLARIN/OAuth2 use case"
(→Client) |
|||
Line 21: | Line 21: | ||
=== Use-case: ISOcat === | === Use-case: ISOcat === | ||
− | In our use-case, [http://www.isocat.org/ ISOcat] is the resource server. It uses servlet filters for security, with [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig mod_shib] for single sign-on. Options would be: | + | In our use-case, [http://www.isocat.org/ ISOcat] is the resource server. It uses servlet filters for security, with [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig mod_shib] for single sign-on, with [http://httpd.apache.org/docs/2.2/mod/mod_proxy.html mod_proxy]. Options would be: |
* ''servlet-filter'' | * ''servlet-filter'' |
Revision as of 13:08, 20 September 2012
<sidebar>
- CLARIN web service security
- CLARIN/Security_for_web_services|Analysis
- CLARIN/OAuth2|OAuth2
- CLARIN/OAuth2 use case|OAuth2 use-case
- CLARIN/OAuth2_real_world_usage|OAuth2 elsewhere
- resources
</sidebar> While in the end n-tier delegation is needed withing CLARIN, for the current use-case it is enough to do without real delegation. Plain OAuth2 is sufficient, just to get some experience with it. Delegation can be added later by using a delegation endpoint, or using certificate delegation.
So the goal now is to create a straightforward OAuth2 setup with client, authentication server, and resource server.
Client
There are many OAuth2 clients for various programming languages. Documentation of the settings needed is most important. It would be useful to have a number of examples to use with the most important programming languages (at least Java and PHP). Finally, a way to configure a client with Apache configuration without touching its code, would be a bonus, supplying user and token information in environment variables.
Use-case: CMDI catalog
The CMDI catalog is Java-based using mod_jk. It uses servlet security, with mod_shib for single sign-on. There are different approaches to integrate with the existing service.
Authorization server
The OAuth2 AS (authorization server) is the most complex component of the three, which handles user authentication using SAML SSO, consent, possibly some authorization, and token management. There is not that much choice between existing OAuth2 server implementations currently, and their maturity varies.
Resource server
The resource server needs to verify the access token supplied by the client, and perhaps needs to retrieve user information to base an authorization decision on (since one of the requirements is that resources can make the final decision). This is no more than a simple REST call to a check-token or user-information endpoint on the authentication server.
To make this easy for service developers, at least clear documentation is needed on how to do this. It would be useful to have code samples in a number of programming languages.
To complete it, a way to run the service directly on Apache, with just some extra configuration for doing the check and returning information in (environment) variables, would be great. This may include running a reverse proxy that does the authorization, and passing the request on to the real service upon success.
Use-case: ISOcat
In our use-case, ISOcat is the resource server. It uses servlet filters for security, with mod_shib for single sign-on, with mod_proxy. Options would be:
- servlet-filter
- RESThub example
- Protecting resources with OAuth filters for JAX-RS, a RESTful Java API
- spring-security-oauth
- proxy that checks the OAuth2 token, optionally fetches user info, and fetches the real application