SIROPE OAuth and OAuth2 Living in SIR
Transcript of SIROPE OAuth and OAuth2 Living in SIR
16th TF-EMC2. Copenhagen, September 2010
SIROPE: OAuth and OAuth2 Living in SIR
Diego R. Lopez, RedIRIS
The Goals
• Explore the applicability of “classic” OAuth within the RedIRIS environment
  – User-mediated access to data held by the RedIRIS services by registered applications
• Contribute to the development of the OAuth2 Assertion profile as a bridge to academic federations
  – Authorization use cases in RESTful environments
  – Enhanced user-mediated access in the line of Kantara’s WG-UMA
Classic OAuth
• Service components deployed
  – Register interface
  – Server library
  – Client reference implementation
Classic OAuth in Action
• 1-3: Control passes to the section dealing with OAuth logic
• 4-5: Client-server credential exchange
• 6-7: User redirected to AuthN/AuthR point (federation plays here)
• 8-9: Temporary credential and token exchange
• 10-11: Resource access using token
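The credential-exchange (4-5) and resource-access (10-11) steps of classic OAuth rest on every request being signed by the client and re-verified by the server. The following is an added example, not code from the slides or from the RedIRIS deployment: the HMAC-SHA1 signing of OAuth 1.0a as specified in RFC 5849 (signature base string, percent-encoding, key construction), with a server-side verifier. The host, consumer key, token and secrets are constructed sample values, and stripping of default ports from the base URL is omitted.

```python
# Added example (not from the slides or the RedIRIS code): the HMAC-SHA1
# request signing behind classic OAuth 1.0a (RFC 5849, sections 3.4.1, 3.4.2
# and 3.6), which the client performs at the credential-exchange and
# resource-access steps and the server repeats to verify the request.
# Hosts, keys and secrets are constructed sample values.
import base64
import hashlib
import hmac
import urllib.parse

SAMPLE_URL = "https://sir.example/resource?user=alice"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "app-key",
    "oauth_nonce": "n1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1283000000",
    "oauth_token": "tok",
    "oauth_version": "1.0",
}


def oauth_encode(value):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay bare."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(base URL) & enc(normalized parameters).

    Query-string and oauth_* parameters are merged, percent-encoded, sorted by
    name then value and joined with '&'; oauth_signature is never included.
    Default-port stripping (":80"/":443") is omitted for brevity.
    """
    parts = urllib.parse.urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs += urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); the token secret is
    empty while the client is still obtaining its temporary credentials."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Client side: return a copy of params carrying oauth_signature."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        method, url, params, consumer_secret, token_secret)
    return signed


def verify_request(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute the signature from the server's own copy of the
    secrets and compare in constant time. Nonce/timestamp replay checks are a
    separate step not shown here."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Because the method, the base URL and every parameter enter the base string, any change to the request after signing (a different verb, an extra query parameter, a swapped token) makes the server's recomputed signature differ, which is what lets the server library decide on its own whether a request came from a registered client holding the right secrets.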
The OAuth2 Assertion Profile
Implementing the OAuth2 AP
• OAuth2lib: components supporting the OAuth2 AP
  – Authorization Server
  – Server access control logic
  – Client interface
• The user goes to a Client Application.
• The Client App requires the user to authenticate at a federated IdP, which generates an assertion.
• The Client App sends the assertion it obtained to an Authorization Server. There, a token bound to a certain user, client, scope and lifetime is generated.
• The Authorization Server sends the generated token to the Client App.
• The Client App acts on behalf of the user and requests the resource from the Server. The token can be reused until it expires.
• The Server returns the resource if the token it received is valid.
OAuth2lib AS
• Registered servers
  – Keys
  – Acceptable scopes
• Registered clients
  – Keys
• Policy
  – Clients
  – Attributes
  – Scopes
• Supports SAML and PAPI assertion formats
  – Extensible interface
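The Assertion Profile flow described above and the AS data model on this slide (registered servers and clients with keys, acceptable scopes, and a policy over clients, attributes and scopes) fit together as follows. This is an added example, not OAuth2lib code: a minimal Authorization Server that checks the client key, the assertion, the target server's acceptable scopes and the policy before minting a token bound to user, client, server, scope and lifetime, and a resource server that validates that token using the key it shares with the AS. The assertion is a constructed HMAC-signed attribute statement standing in for a SAML or PAPI assertion, the token format (base64 record plus HMAC) is an assumption made for the example, and all names, keys and attribute values are sample data.

```python
# Added example (not OAuth2lib code): an Authorization Server and a resource
# server following the OAuth2 Assertion Profile flow in the slides. The
# assertion is a constructed HMAC-signed statement (not SAML/PAPI); the token
# format (base64 JSON record + HMAC under the server's registered key) is an
# assumption of this example. All keys, names and attributes are sample values.
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-idp-key"  # key shared with the federation IdP (sample)

# OAuth2lib AS data, as sample values: servers (key shared with the AS,
# acceptable scopes), clients (keys) and a client/attribute/scope policy.
REGISTERED_SERVERS = {
    "sir-server": {"key": b"constructed-server-key", "scopes": {"sp:list", "sp:read"}},
}
REGISTERED_CLIENTS = {"sirope-web": {"key": b"constructed-client-key"}}
POLICY = [
    {"client": "sirope-web", "scope": "sp:list", "requires": {"affiliation": "member"}},
    {"client": "sirope-web", "scope": "sp:read", "requires": {"affiliation": "staff"}},
]
SAMPLE_SPS = {"alice": ["sp-a", "sp-b"]}  # constructed resource data


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_assertion(attrs, key=IDP_KEY):
    """Stand-in for the IdP step: an HMAC-signed attribute statement."""
    payload = json.dumps(attrs, sort_keys=True)
    return {"payload": payload, "sig": _mac(key, payload.encode())}


def verify_assertion(assertion, key=IDP_KEY):
    if not hmac.compare_digest(_mac(key, assertion["payload"].encode()), assertion["sig"]):
        return None
    return json.loads(assertion["payload"])


def policy_allows(client_id, scope, attrs):
    """A rule matches when client and scope agree and every required attribute is present."""
    return any(
        rule["client"] == client_id and rule["scope"] == scope
        and all(attrs.get(k) == v for k, v in rule["requires"].items())
        for rule in POLICY
    )


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised offline

    def issue_token(self, client_id, client_key, assertion, server_id, scope, lifetime=300):
        """Check client key, assertion, server/scope and policy, then mint a token
        bound to user, client, server, scope and lifetime, MACed with the server's key."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["key"], client_key):
            return None
        attrs = verify_assertion(assertion)
        if attrs is None:
            return None
        server = REGISTERED_SERVERS.get(server_id)
        if server is None or scope not in server["scopes"]:
            return None
        if not policy_allows(client_id, scope, attrs):
            return None
        record = {"user": attrs["uid"], "client": client_id, "server": server_id,
                  "scope": scope, "exp": int(self.now()) + lifetime}
        body = base64.urlsafe_b64encode(json.dumps(record, sort_keys=True).encode()).decode()
        return f"{body}.{_mac(server['key'], body.encode())}"


class ResourceServer:
    def __init__(self, server_id, as_key, now=time.time):
        self.server_id, self.as_key, self.now = server_id, as_key, now

    def check_token(self, token, scope):
        """Verify the MAC with the AS key, then the server binding, scope and expiry."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(_mac(self.as_key, body.encode()), sig):
            return None
        record = json.loads(base64.urlsafe_b64decode(body.encode()))
        if record["server"] != self.server_id or record["scope"] != scope:
            return None
        if record["exp"] <= self.now():
            return None
        return record

    def get_resource(self, token):
        """Return the user's available SPs if the token is valid for sp:list."""
        record = self.check_token(token, "sp:list")
        if record is None:
            return None
        return {"user": record["user"], "available_sps": SAMPLE_SPS.get(record["user"], [])}
```

The resource server never contacts the AS at request time: because the token carries its own binding and expiry under a key only the AS and that server hold, the server can accept the same token repeatedly until it expires and reject it for any other server or scope, which is the separation of AS logic from server access-control logic that OAuth2lib's components reflect.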
OAuth2lib Server Support
• ASes
  – Keys
• Resources
  – Calls content handlers
OAuth2lib Client Interface
• Federation data
  – How to access and process the received assertion
• OAuth2 data
  – How to access the appropriate AS and server
• Resource data
  – Forwarded to the calling application
Deploying OAuth2 AP: SIROPE
• A web-based client offering users access to data related to their status in the SIR federation
  – Currently, available SPs
• An Authorization Server
  – Open to be used by other potential clients at the institutions
• A pilot server application
  – Available SPs for a given user/institution
  – The hub nature of SIR comes to help again
http://www.rediris.es/sir/sirope
OAuth2lib beyond SIR
• Access to resources in the AGORA e-learning toolset
  – Fine-grained RESTful AuthR
• Evaluation of OAuth2lib in the OpenSocial environment
  – Collaboration with SURFnet
• Any others welcome
http://www.rediris.es/oauth2/