Alternate security mechanisms
Matthew J. Graham (Caltech, NVO)
The US National Virtual Observatory
22 May 2008, IVOA Trieste: Grid & Web Services
Security review
• Users don’t care about protocols and standards – they care about a better experience with enhanced privacy and security
• User experience:
  – why is security necessary?
  – Certificates? .globus directories? WTF?
• Developer experience:
  – Buzkashi
• Community interests:
  – Decentralization
OpenID
• Single digital identity for use with any web site or service requiring authentication
• Open, free and decentralized standard
• Well supported
• 120 million OpenIDs (July 2007)
• Microsoft, Google, Yahoo (Jan 2008)
OpenID: how it works
• User registers an OpenID identity (URI or XRI) with an OpenID identity provider
• Relying party (service provider) displays single input box for OpenID identifier
• Relying party converts the OpenID identifier to a canonical URL form and discovers the identity provider’s endpoint URL from there
• Relying party and identity provider establish a shared secret, then the user is redirected to the identity provider for authentication
• User is redirected back to the relying party along with the credentials. The relying party validates, using the shared secret, that the credentials originated from the identity provider.
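As an added example (not from the slides), the association-then-validate step of the flow above in Python: the identity provider signs its positive assertion with the shared MAC key, and the relying party recomputes the HMAC, checks that the fields it relies on are actually covered by the signature, checks return_to, and rejects replayed nonces. The MAC key is a constructed constant standing in for the Diffie-Hellman association exchange, and all URLs are constructed.

```python
import base64, hashlib, hmac, os, time

# Fields an RP must insist are covered by the signature (OpenID 2.0 positive assertion)
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")

def openid_sign(mac_key, fields, signed_keys):
    # Signature base: one "key:value\n" line per signed field, "openid." prefix stripped
    base = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)
    mac = hmac.new(mac_key, base.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def idp_positive_assertion(mac_key, assoc_handle, claimed_id, return_to):
    # What the identity provider sends back (via the user's browser) after a successful login
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + os.urandom(4).hex()
    fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.op_endpoint": "https://idp.example.org/openid",   # constructed URL
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": return_to, "openid.response_nonce": nonce,
              "openid.assoc_handle": assoc_handle, "openid.signed": ",".join(REQUIRED_SIGNED)}
    fields["openid.sig"] = openid_sign(mac_key, fields, REQUIRED_SIGNED)
    return fields

class RelyingParty:
    def __init__(self, return_to):
        self.return_to, self.assocs, self.seen_nonces = return_to, {}, set()

    def associate(self, assoc_handle, mac_key):
        # Outcome of the association step: a shared MAC key, indexed by handle
        self.assocs[assoc_handle] = mac_key

    def verify(self, resp):
        # True only for an untampered, unreplayed assertion under a known association
        if resp.get("openid.mode") != "id_res":
            return False
        mac_key = self.assocs.get(resp.get("openid.assoc_handle"))
        signed = resp.get("openid.signed", "").split(",")
        if mac_key is None or not set(REQUIRED_SIGNED) <= set(signed):
            return False                       # unknown association or unsigned field
        if resp.get("openid.return_to") != self.return_to:
            return False                       # assertion was not meant for this RP
        nonce = resp.get("openid.response_nonce", "")
        if nonce in self.seen_nonces:
            return False                       # replay
        try:
            expected = openid_sign(mac_key, resp, signed)
        except KeyError:
            return False                       # a signed field is missing from the response
        if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
            return False
        self.seen_nonces.add(nonce)
        return True
```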
OpenID: issues
• NVO setting up prototype OpenID identity provider service alongside current SSO setup:
  – use attribute to strengthen
• OpenID has little provision for web services (SOAP or RESTful):
  – requires communication between user and relying party and between user and identity provider
  – checkid_immediate?
  – check_authentication?
OAuth
• An API access delegation protocol
• Well supported
• User grants access to their protected resources to a consumer using tokens generated by a service provider instead of their credentials
• Defines three endpoints:
  – Request token
  – User authentication
  – Access token
OAuth: how it works
OAuth
• All done with HTTP GET/POST and headers
• As with OpenID, requires some level of user interaction: capture credentials or request approval
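As an added example (not from the slides), the HTTP-header mechanics behind the OAuth token model described on the two OAuth slides, in Python for OAuth 1.0 with HMAC-SHA1: the consumer signs a request with its consumer secret plus the token secret and sends only the Authorization header, never the user's password, and the service provider recomputes the signature, rejects stale timestamps and replayed nonces, and maps the token back to the user who approved it. Consumer key, secrets, token and URLs are constructed values; the token table stands in for what the access-token endpoint would have issued.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

def pct(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are left bare
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # METHOD & encoded(URL) & encoded(params sorted by name and joined with '&')
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer_secret&token_secret; token_secret is empty at the request-token endpoint
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    # Consumer side: build the Authorization header; the user's password is never sent
    oauth = {"oauth_consumer_key": consumer_key, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_nonce": nonce, "oauth_version": "1.0"}
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**query, **oauth}, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def parse_auth_header(header):
    pairs = [p.strip().split("=", 1) for p in header[len("OAuth "):].split(",")]
    return {k: unquote(v.strip('"')) for k, v in pairs}

class ServiceProvider:
    def __init__(self, consumers, tokens):
        # consumers: key -> secret; tokens: access token -> {"secret", "consumer", "user"}
        self.consumers, self.tokens, self.seen = consumers, tokens, set()

    def verify(self, method, url, query, header, now):
        # Returns the user the token was issued for, or False if the request is rejected
        o = parse_auth_header(header); sig = o.pop("oauth_signature", "")
        csecret = self.consumers.get(o.get("oauth_consumer_key"))
        tok = self.tokens.get(o.get("oauth_token"))
        if csecret is None or tok is None or tok["consumer"] != o.get("oauth_consumer_key"): return False
        if abs(now - int(o.get("oauth_timestamp", "0"))) > 300: return False   # stale timestamp
        replay = (o["oauth_consumer_key"], o["oauth_timestamp"], o.get("oauth_nonce"))
        if replay in self.seen: return False                                    # nonce reused
        expected = hmac_sha1_signature(method, url, {**query, **o}, csecret, tok["secret"])
        if not hmac.compare_digest(expected, sig): return False                 # tampered or wrong secret
        self.seen.add(replay)
        return tok["user"]
```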
Summary
• Industry embracing decentralised security mechanisms:
  – “web of trust” vs hierarchical model
• Currently well-suited to web apps involving a browser but not to web services (no user)
• What is the Grid community doing?
  – Shibboleth/GridShib?