Difference between revisions of "CLARIN/Security for web services"
(include images) |
(→Approaches: expand) |
||
| Line 20: | Line 20: | ||
<div style="clear:right"></div>[[Image:Approaches_oauth1.png|150px|right|OAuth 1.0 diagram]] | <div style="clear:right"></div>[[Image:Approaches_oauth1.png|150px|right|OAuth 1.0 diagram]] | ||
=== OAuth 1.0 === | === OAuth 1.0 === | ||
| + | [http://tools.ietf.org/html/rfc5849 OAuth 1] is used on the world wide web as a method to access server resources on behalf of a resource owner. It is used by [http://wiki.oauth.net/w/page/12238516/FrontPage quite] a number of big websites like [http://code.google.com/apis/accounts/docs/OAuth.html Google], [http://dev.twitter.com/pages/sign_in_with_twitter Twitter]. | ||
| + | |||
| + | OAuth 1.0 requires browser redirection and confirmation [TODO check if confirmation is optional]. This would be acceptable for the portal scenario, but not for nested service invocations (real delegation). | ||
| + | |||
<div style="clear:right"></div>[[Image:Approaches_oauth2.png|150px|right|OAuth 2.0 diagram]] | <div style="clear:right"></div>[[Image:Approaches_oauth2.png|150px|right|OAuth 2.0 diagram]] | ||
=== OAuth 2.0 === | === OAuth 2.0 === | ||
| − | + | [http://oauth.net/2/ OAuth 2] is the new version of OAuth, which supports many more scenario's. This is being adopted ([http://developers.facebook.com/docs/authentication/ Facebook] is on the wagon already). | |
<div style="clear:right"></div> | <div style="clear:right"></div> | ||
Revision as of 16:21, 23 March 2011
Approaches
Open
All services trust each other. No technical security measures (other than, possibly, blocking complete strangers); managable upto ~15 services [TODO ref needed]
Shibboleth + delegation
Shibboleth is already used for federated authentication. It has ECP support with delegation, though only through a plugin. The next major IdP release may include it though.
One cannot expect each IdP to install this plugin, or to have the latest version installed [TODO check if this is the case with Shibboleth version policies]. Therefore this option is not viable.
SAML ECP
(see Shibboleth) [TODO would there be other SAML ECP options than Shibboleth?]
OAuth 1.0
OAuth 1 is used on the world wide web as a method to access server resources on behalf of a resource owner. It is used by quite a number of big websites like Google, Twitter.
OAuth 1.0 requires browser redirection and confirmation [TODO check if confirmation is optional]. This would be acceptable for the portal scenario, but not for nested service invocations (real delegation).
OAuth 2.0
OAuth 2 is the new version of OAuth, which supports many more scenario's. This is being adopted (Facebook is on the wagon already).
Links
Standards
- User Managed Access (UMA) has some overlap with this work
- OASIS Web Services Security: WS-Security, username, X.509, SAML
- A SASL and GSS-API Mechanism for SAML, uses base64 encoded SAML request in URL
- OAuth 2.0, and with SAML assertions
Libraries
- OAuth 2 assertion profile library
- Shibboleth ECP delegation, web-service client, and configuring it.
