Page 1: SIROPE: OAuth and OAuth2 Living in SIR

Diego R. Lopez, RedIRIS

16th TF-EMC2, Copenhagen, September 2010

Page 2: The Goals

• Explore the applicability of "classic" OAuth within the RedIRIS environment
  - User-mediated access to data held by the RedIRIS services by registered applications
• Contribute to the development of OAuth2
  - Assertion profile as a bridge to academic federations
  - Authorization use cases in RESTful environments
  - Enhanced user-mediated access in the line of Kantara's WG-UMA

Page 3: Classic OAuth

• Service components deployed
  - Register interface
  - Server library
  - Client reference implementation

Page 4: Classic OAuth in Action

(Step numbers refer to the exchange shown in the figure on the slide.)

• 1-3: Control passes to the section dealing with OAuth logic
• 4-5: Client-server credential exchange
• 6-7: User redirected to AuthN/AuthR point (federation plays here)
• 8-9: Temporary credential and token exchange
• 10-11: Resource access using token
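The exchange summarised above, as an added example that is not part of the original deck and not the RedIRIS server library or client reference implementation: a three-legged "classic" OAuth 1.0a (RFC 5849) run with HMAC-SHA1 signing on the client side and signature, timestamp-window and nonce-replay checks on the server side. The consumer key and secret, endpoint URLs, callback and user are made up, the server is an in-memory stand-in, and the federated login of steps 6-7 is reduced to the server recording which user approved the temporary credential.

```python
# Three-legged "classic" OAuth (1.0a, RFC 5849) with HMAC-SHA1 signatures: an added illustration
# with an in-memory client and server. Consumer key/secret, URLs, callback and user are made up.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlparse

def pct(s):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay as they are."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & base URL & normalized parameters, each percent-encoded."""
    u = urlparse(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"   # the query string is not part of it
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())    # encode first, then sort
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Client:
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, method, url, params, token=None, token_secret=""):
        """Add the oauth_* protocol parameters and the signature to a request's parameters."""
        p = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
             "oauth_version": "1.0", **params}
        if token:
            p["oauth_token"] = token
        p["oauth_signature"] = sign(method, url, p, self.secret, token_secret)
        return p

class Server:
    def __init__(self):
        self.consumers, self.temp, self.tokens, self.seen = {}, {}, {}, set()

    def _verify(self, method, url, params, token_secret="", window=300):
        """Signature, timestamp window and nonce replay check for one incoming request."""
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        key = (p.get("oauth_consumer_key"), str(p.get("oauth_timestamp", "")), p.get("oauth_nonce"))
        if secret is None or sig is None or key in self.seen or not key[1].isdigit(): return False
        if abs(time.time() - int(key[1])) > window: return False   # stale or far-future timestamp
        if not hmac.compare_digest(sign(method, url, p, secret, token_secret), sig): return False
        self.seen.add(key)   # accepted: this consumer/timestamp/nonce triple may not be replayed
        return True

    def initiate(self, url, params):
        """Steps 4-5: temporary credentials for a client that signed with its consumer secret."""
        if "oauth_callback" not in params or not self._verify("POST", url, params): return None
        t, s = secrets.token_hex(8), secrets.token_hex(16)
        self.temp[t] = {"consumer": params["oauth_consumer_key"], "secret": s,
                        "callback": params["oauth_callback"], "verifier": None, "user": None}
        return {"oauth_token": t, "oauth_token_secret": s, "oauth_callback_confirmed": "true"}

    def authorize(self, temp_token, user):
        """Steps 6-7: user logged in (federation) and approved; the verifier goes back via the callback."""
        v = secrets.token_hex(8)
        self.temp[temp_token].update(verifier=v, user=user)
        return v

    def token(self, url, params):
        """Steps 8-9: swap temporary credential plus verifier for token credentials (single use)."""
        t = self.temp.get(params.get("oauth_token"))
        if not t or t["verifier"] is None or not self._verify("POST", url, params, t["secret"]): return None
        if t["consumer"] != params["oauth_consumer_key"]: return None
        if not hmac.compare_digest(t["verifier"], str(params.get("oauth_verifier", ""))): return None
        del self.temp[params["oauth_token"]]
        a, s = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[a] = {"consumer": t["consumer"], "secret": s, "user": t["user"]}
        return {"oauth_token": a, "oauth_token_secret": s}

    def resource(self, url, params):
        """Steps 10-11: serve the resource if the token-signed request verifies."""
        t = self.tokens.get(params.get("oauth_token"))
        if not t or not self._verify("GET", url, params, t["secret"]): return None
        if t["consumer"] != params["oauth_consumer_key"]: return None   # token bound to its client
        return {"owner": t["user"], "file": params.get("file")}

INIT, TOKEN, PHOTOS = (f"https://photos.example.net/{p}" for p in ("initiate", "token", "photos"))

def run_flow():
    """Run the whole exchange; returns (server, client, token credentials, resource)."""
    srv, cli = Server(), Client("dpf43f3p2l4k3l03", "kd94hf93k423kf44")
    srv.consumers[cli.key] = cli.secret                      # client registration (register interface)
    tmp = srv.initiate(INIT, cli.signed("POST", INIT, {"oauth_callback": "http://printer.example.com/ready"}))
    verifier = srv.authorize(tmp["oauth_token"], "jane@example.org")   # user approves after federated login
    tok = srv.token(TOKEN, cli.signed("POST", TOKEN, {"oauth_verifier": verifier},
                                      tmp["oauth_token"], tmp["oauth_token_secret"]))
    res = srv.resource(PHOTOS, cli.signed("GET", PHOTOS, {"file": "vacation.jpg"},
                                          tok["oauth_token"], tok["oauth_token_secret"]))
    return srv, cli, tok, res
```

Two points the flow makes visible: the temporary credential is deleted once exchanged, so a captured `oauth_token` from step 8 cannot be exchanged twice, and the server remembers accepted (consumer, timestamp, nonce) triples, so a captured signed request from step 10 cannot be replayed even though the signature itself is still valid.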

Page 5: The OAuth2 Assertion Profile

Page 6: Implementing the OAuth2 AP

• OAuth2lib: components supporting the OAuth2 AP
  - Authorization Server
  - Server access control logic
  - Client interface
• The user goes to a Client Application.
• The Client App requires the user to authenticate at a federated IdP, which generates an assertion.
• The Client App sends the assertion obtained to an Authorization Server. There, a token for a certain user, client, scope and lifetime is generated.
• The Authorization Server sends the generated token to the Client App.
• The Client App acts on behalf of the user and requests the resource from the Server. The token can be reused until it expires.
• The Server returns the resource if the token sent is valid.

Page 7: OAuth2lib AS

• Registered servers
  - Keys
  - Acceptable scopes
• Registered clients
  - Keys
• Policy
  - Clients
  - Attributes
  - Scopes
• Supports SAML and PAPI assertion formats
  - Extensible interface

Page 8: OAuth2lib Server Support

• ASes
  - Keys
• Resources
  - Calls content handlers

Page 9: OAuth2lib Client Interface

• Federation data: how to access and process the received assertion
• OAuth2 data: how to access the appropriate AS and server
• Resource data: forwarded to the calling application
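The exchange on the "Implementing the OAuth2 AP" slide, together with the AS, server and client data of the three slides after it, as one added example; this is not OAuth2lib code. A MAC-signed JSON object stands in for the SAML or PAPI assertion and for the issued token (the deck does not give OAuth2lib's actual formats), and the issuer URL, the client id "sirope-web", the server id "sir-sps", the keys, attributes and scopes are all made up. The authorization server authenticates the client by its registered key, verifies the assertion only with the key of a registered issuer, checks the requested scope against the target server's acceptable scopes and the (client, attribute, scope) policy, and issues a token bound to user, client, server, scope and a lifetime no longer than the assertion's; the resource server checks AS key, expiry, audience and scope before calling the content handler.

```python
# OAuth2 assertion-profile exchange modelled on the OAuth2lib slides: an added example, not OAuth2lib
# code. A MAC-signed JSON object stands in for the SAML/PAPI assertion and for the issued token;
# issuer, client id, server id, keys, attributes and scopes are made up.
import base64, hashlib, hmac, json, time

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def seal(payload, key):
    """base64url(JSON) '.' base64url(HMAC-SHA256): stand-in for an XML-DSig or JWS signature."""
    body = b64u(json.dumps(payload, sort_keys=True).encode())
    return body + "." + b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())

def unseal(obj, key, now=None):
    """The payload if the MAC verifies under `key` and 'exp' lies in the future, else None."""
    try:
        body, mac = obj.split(".")
        good = hmac.compare_digest(b64u(hmac.new(key, body.encode(), hashlib.sha256).digest()), mac)
        payload = json.loads(unb64u(body))
        return payload if good and payload["exp"] > (now or time.time()) else None
    except (ValueError, TypeError, KeyError):
        return None

def issuer_of(assertion):
    """Unverified look at 'iss', only used to select which registered IdP key to verify with."""
    try:
        return json.loads(unb64u(assertion.split(".")[0]))["iss"]
    except (ValueError, TypeError, KeyError):
        return None

class IdP:
    """Federated identity provider (stand-in for the SAML or PAPI IdP of the user's institution)."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def assertion(self, user, attrs, ttl=300):
        return seal({"iss": self.name, "sub": user, "attrs": attrs, "exp": time.time() + ttl}, self.key)

class AuthorizationServer:
    def __init__(self):
        self.idps = {}      # issuer -> key that verifies its assertions (SAML/PAPI in OAuth2lib)
        self.clients = {}   # registered clients: client id -> client key
        self.servers = {}   # registered servers: server id -> (key shared with it, acceptable scopes)
        self.policy = []    # grant rules: (client id, attribute, required value, scope)

    def token(self, client_id, client_key, assertion, server_id, scope, ttl=600):
        """Exchange a verified assertion for a token bound to user, client, server, scope and lifetime."""
        reg_key = self.clients.get(client_id)
        if reg_key is None or not hmac.compare_digest(reg_key, client_key): return None
        idp_key = self.idps.get(issuer_of(assertion))
        a = unseal(assertion, idp_key) if idp_key else None    # never verify against a missing key
        srv = self.servers.get(server_id)
        if a is None or srv is None or scope not in srv[1]: return None
        if not any(c == client_id and s == scope and v in a.get("attrs", {}).get(attr, [])
                   for c, attr, v, s in self.policy): return None   # no policy rule grants it
        return seal({"sub": a["sub"], "client": client_id, "aud": server_id, "scope": scope,
                     "exp": min(time.time() + ttl, a["exp"])}, srv[0])  # outlives neither ttl nor assertion

class ResourceServer:
    def __init__(self, server_id, as_key):
        self.id, self.as_key = server_id, as_key
        self.handlers = {}  # resource name -> (required scope, content handler)

    def get(self, resource, token):
        """Validate the token (AS key, expiry, audience, scope), then call the content handler."""
        need, handler = self.handlers.get(resource, (None, None))
        t = unseal(token, self.as_key) if handler else None
        if t is None or t.get("aud") != self.id or t.get("scope") != need: return None
        return handler(t["sub"], t["client"])

def demo():
    """The steps of the 'Implementing the OAuth2 AP' slide with a SIROPE-like setup."""
    idp_key, client_key, shared = b"idp-signing-key", b"sirope-web-key", b"as-to-server-key"
    idp = IdP("https://idp.uni.example/saml", idp_key)
    as_ = AuthorizationServer()
    as_.idps[idp.name] = idp_key
    as_.clients["sirope-web"] = client_key
    as_.servers["sir-sps"] = (shared, {"sps:read", "sps:admin"})
    as_.policy.append(("sirope-web", "eduPersonAffiliation", "member", "sps:read"))
    rs = ResourceServer("sir-sps", shared)
    rs.handlers["available-sps"] = ("sps:read", lambda user, client: {"user": user, "via": client, "sps": ["sp-a", "sp-b"]})
    assertion = idp.assertion("jane@uni.example", {"eduPersonAffiliation": ["member", "student"]})  # user logs in at IdP
    tok = as_.token("sirope-web", client_key, assertion, "sir-sps", "sps:read")   # client sends assertion, gets token
    return as_, rs, idp, tok, rs.get("available-sps", tok)                       # client uses token at the server
```

The issuer is read from the assertion before verification only to pick the registered key; an assertion from an issuer the AS does not know is rejected without any MAC computation, which is the check that matters when several IdP formats and keys are configured. The token carries an audience, so a token minted for one registered server is useless at another server that happens to share the same AS.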

Page 10: Deploying OAuth2 AP: SIROPE

• A web-based client offering users access to data related to their status in the SIR federation
  - Currently, available SPs
• An Authorization Server
  - Open to be used by other potential clients at the institutions
• A pilot server application
  - Available SPs for a given user/institution
  - The hub nature of SIR comes to help again

http://www.rediris.es/sir/sirope

Page 11: OAuth2lib beyond SIR

• Access to resources in the AGORA e-learning toolset
  - Fine-grained RESTful AuthR
• Evaluation of OAuth2lib in the OpenSocial environment
  - Collaboration with SURFnet
• Any others welcome

http://www.rediris.es/oauth2/