UserCentric Identity based Service Invocation



From XTech 2008 conference in Dublin

Published in: Technology, Business
  • With the growing acceptance of OpenID across the web as a simple and easy way to exchange online identities, now is the time to look at how the new OAuth protocol enables identity-based service invocation for building useful Web 2.0 applications (including widgets and gadgets for social networks), all under the user’s control. This session introduces the OAuth protocol and how it can be used in various use cases. Along the way we cover how it fits into existing deployments with OpenID and, possibly, other authentication protocols as well. We also discuss how OAuth fits into the two most common models, where user identity and services are managed either by the same provider or by different providers. This of course opens up a lot of questions about how OAuth and OpenID would work with each other and how the user’s permissions are managed. Finally, we look at how easy it is to add OAuth support to an existing service, using AOL’s WebAIM service as an example.

    1. ‘User-Centric Identity’ based Service Invocation
       America Online LLC
       Praveen Alavilli
       XTech 2008 (Dublin)
    2. Mashups, Gadgets, Widgets, Social Networks, Social Graphs, …
       • no longer just about
         - presenting content/feeds from multiple places
         - the user and his/her friends
       • it’s also about
         - how users can use multiple services together
         - the global mapping of everybody and how they are related
       • Opening up a lot of questions about Data Portability.
    3. Service Invocation
       • Actions that a client/user-agent performs to use a Web Service / API
       • Several definitions when it’s related to a user
         - ‘Deputization’ of services
         - ‘Delegation’ of actions (act on behalf of a user)
    4. Identity still at the ‘core’
       • So the users can
         - control the flow of their data/information
         - authorize access to their information
         - personalize applications/data
         - communicate
         - publish content online
       • Call it User-Centric or User-Centered :-)
    5. User-Centric Identity
       • Open, community-driven and standards-based
         - OpenID
           + No support for Service Invocation
         - InfoCard (CardSpace)
           + No direct support for Service Invocation (although you can define a security token as another claim)
         - SAML
         - Liberty ID-WSF
         - WS-*
           + Too heavy for browser-based apps and designed mainly for XML-based Web Services (SOAP)
           + Complex message formats and protocols for developers and browser-based apps
    6. Proprietary Protocols
       • AOL OpenAuth
       • Yahoo! BBAuth
       • Google Account Auth API (AuthSub)
       • Windows Live ID
       • All support service invocation with the user’s consent (authorization) across all their Open Services, but …
         - Different ways to obtain user consent/permission
         - Different user experience
         - Different protocols, message formats and parameter names
           + Each defines its own URL format, parameter naming convention, response specification and status codes
         - Lack of a consistent model for rich clients (like Flash/Flex apps, desktop clients) and browser-based apps
    7. AOL Open Services
    8. AOL OpenAuth and Open Services
       [sequence diagram, recovered text] Actors: Untrusted Site (ex. …), User (Browser), AIM Service. Steps:
         1. Access protected content
         2. Redirect to OpenAuth
         3. login
         4. Login page
         5. sn/pwd
         6. Redirect to site w/ token
         7. Redirect to site w/ token
         8. Get buddylist w/ token
         9. Validate token
        10. Return buddy list
        11. Return personalized content
    9. AOL OpenAuth and Open Services
    10. AOL OpenAuth and Open Services
    11. Yahoo! Open APIs/Services
    12. Yahoo! BBAuth
    13. Yahoo! BBAuth
    14. Yahoo! BBAuth
    15. Google Open APIs/Services (GData) http://code.google.com/more/
    16. Google AuthSub
    17. Google AuthSub
    18. And the list goes on… Source:
    19. What do we need?
        • An open standard for Service Invocation that is
          - authentication-method agnostic
          - easy for users to understand
          - provides security and privacy wherever appropriate
          - consistent and easy to implement for developers
          - backed by open source code libraries
          - an open and community-driven specification
    20. OAuth (Oh! Auth)
        • An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.
    21. What it’s not
        • A user authentication protocol
        • A token specification
        • A Web/Client SSO protocol
        • Part of the OpenID spec, nor an extension of it
        • A Consumer Key (developer key) and Secret provisioning protocol
    22. What it really provides
        • A simple and easy way to request the user’s authorization, and a consistent way to access services on behalf of the user (service invocation).
        • Analogous to the AOL/Yahoo/Google/… Open Service protocols, but authentication is intentionally left out of scope!
    23. OAuth protocol
        • Defines 3 request URLs:
          - Request Token URL
            + to obtain an unauthorized token
          - User Authorization URL
            + to obtain user authorization for consumer access
          - Access Token URL
            + to exchange the user-authorized token for an access token
        • + an easy-to-extend framework (guidelines) to suit your needs
    24. OAuth Parameters
        • oauth_consumer_key
        • oauth_consumer_secret
        • oauth_token
        • oauth_token_secret
        • oauth_signature
        • oauth_signature_method
        • oauth_timestamp
        • oauth_nonce
        • oauth_version
        • oauth_callback
        • **Service Providers can add additional request parameters as per their needs, but they MUST NOT begin with “oauth_”**
    25. Where are they passed?
        • URL query parameters
        • HTTP POST request body (as form params)
        • HTTP Authorization header (most preferred way)
    26. Request Signing
        • All token requests and protected resource requests MUST be signed to prevent token misuse.
        • OAuth does not mandate a particular signature method (HMAC-SHA1, RSA-SHA1, etc.), but it does define how you construct the Signature Base String.
        • Signature Base String = HTTP Request Method + ‘&’ + request URL + ‘&’ + Normalized Request Parameters
        • Signing Key = oauth_consumer_secret + “&” + oauth_token_secret
    27. Various use-cases still being worked on!
        • Auto-discovery of OAuth endpoints and auto-provisioning
        • User - Gadget - Container - Service Provider interactions (for Gadget/Widget containers like Netvibes, iGoogle, etc.)
        • Consumer using a Service Provider that provides multiple resources
        • Consumer using multiple Service Providers that share the same IDP
        • Consumer using a Service Provider that outsources identity to some other IDP using OpenID/InfoCard/etc.
        • Consumer - Service Provider transactions with no user (two-legged scenario)
        • Security related: session extension, additional/expired authorizations, token revocation, etc.
        • Out-of-band authorization
    28. Extensions in draft mode
        • Error Reporting Extension
        • RSA Key Rotation Extension
        • Gadgets Extension
        • Session Extension
        • Language Preference Extension
        • Consumer Request Extension for two-legged scenarios
        • Multi-Resource Authorization Extension
    29. OAuth Discovery Extension
        • Provides a way of discovering Service Providers using an XRDS document
          - to indicate where its endpoints are, and
          - how to obtain the required configuration data
    30. Sample XRDS Document
        <!-- Request Token -->
        <Service>
          <Type></Type>
          <Type></Type>
          <Type></Type>
          <Type></Type>
          <Type></Type>
          <URI></URI>
        </Service>
        <!-- User Authorization -->
        …
        <!-- Access Token -->
        …
        <!-- Protected Resources -->
        <Service>
          <Type></Type>
          <Type></Type>
          <Type></Type>
          <Type></Type>
          <Type></Type>
        </Service>
        <!-- Consumer Identity -->
        <!-- Manual Consumer Identity Allocation -->
        <Service>
          <Type></Type>
          <URI></URI>
        </Service>
    31. How does OAuth fit in your existing deployments?
    32. Deployment Models
        • SP has a central IDP
          - OAuth endpoints handled by the IDP
          - OAuth endpoints handled by the SP
        • SP is the IDP
          - OAuth endpoints handled by the SP
        • SP with no IDP
          - Using OpenID or InfoCard or any other protocol
    33. Central IDP Model - 1
        • OAuth endpoints handled by the IDP.
        • The SP’s OAuth Discovery document returns the endpoints as IDP URLs.
    34. Central IDP Model - 2
        • OAuth endpoints handled by the SP.
        • Example: a simple OAuth proxy servlet that routes all requests to the IDP internally.
    35. SP is IDP
        • OAuth endpoints handled by the SP.
    36. SP with no IDP
        • OAuth endpoints handled by the SP, but authentication handled by OpenID (or InfoCard, or any other mechanism).
    37. Supporting OAuth in existing Services
        • Sample WebAIM call: (URL not preserved in the slide)
          - …f=xml&events=myinfo,presence,buddylist&a=<token>&k=co1dDRMvlgZJXvWK
        • OAuth enabled:
          - …<token>&oauth_signature_method=HMAC-SHA1&oauth_signature=<signature>&oauth_nonce=<nonce>&oauth_timestamp=1191232096&f=xml&events=myinfo,presence,buddylist
          - (OR)
          - …,presence,buddylist
            + HTTP header: Authorization: OAuth realm="…",
                oauth_consumer_key="co1dDRMvlgZJXvWK",
                oauth_token="<token>",
                oauth_signature_method="HMAC-SHA1",
                oauth_signature="<signature>",
                oauth_timestamp="1191232096",
                oauth_nonce="<nonce>",
                oauth_version="1.0"
    38. If you are still wondering ‘why is it useful?’ …
        • For end users
        • Security
          - All requests are signed
          - Nonce & timestamp for stopping replay attacks
          - User login credentials are not exposed
          - Tokens can be revoked (if supported by the IDP) to stop a malicious Consumer from having continuous access to protected resources
        • Privacy
          - Consumer authorization under the user’s control
          - User information not shared with Consumers
        • User Experience
          - Consistent login experience
          - Easy-to-understand authorization process
          - Control over information/data access
    39. For Developers and Service Providers
        • Developers
          - Consistent APIs across different Service Providers for passing identity information
          - No need to worry about managing identities and authentication
          - Platform/OS independent
          - Simple protocol and message format
        • Service Providers
          - Easy way to increase adoption of their services
          - Provides security and privacy for their users
          - One consistent and simple API to maintain for both rich clients and browser-based apps.
    40. Questions/Comments
        • Reference Sites:
          - OAuth:
          - OAuth Group: http://groups.google.com/group/oauth
          - OAuth Extensions:
          - OAuth Code: http://oauth.net/code/
          - AOL OpenAuth:
        • Contact Info:
          - Praveen Alavilli
          - AlavilliPraveen
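Slides 26, 37 and 38 together describe how a Consumer signs a request and why the nonce and timestamp stop replays. The following Python is an added example (not code from the deck, from AOL's WebAIM service or from any OAuth library): it builds the Signature Base String and HMAC-SHA1 signature as slide 26 defines them, then performs the Service Provider's checks on a request like the one on slide 37. The endpoint URL, token, nonce and secrets are constructed placeholders; the consumer key, timestamp and f/events query parameters are the ones the deck shows.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

def pct(s):
    # OAuth 1.0 percent-encoding: only A-Za-z0-9 and "-._~" stay literal, hex is upper-case
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Signature Base String = METHOD & enc(scheme://host/path) & enc(sorted "k=v" pairs, oauth_signature excluded)
    u = urlsplit(url)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(f"{u.scheme}://{u.netloc}{u.path}"), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Signing key = consumer_secret & token_secret (empty token secret for two-legged calls)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Provider:
    """Service Provider side: known key and token, fresh timestamp, unused nonce, valid MAC."""
    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens, self.window = consumers, tokens, window
        self.seen = set()  # (consumer_key, timestamp, nonce) triples already accepted
    def verify(self, method, url, p, now):
        ck, tok = p.get("oauth_consumer_key"), p.get("oauth_token", "")
        if ck not in self.consumers or tok not in self.tokens: return False
        ts, nonce = int(p.get("oauth_timestamp", 0)), p.get("oauth_nonce")
        if abs(now - ts) > self.window or (ck, ts, nonce) in self.seen: return False  # stale or replayed
        expected = sign(method, url, p, self.consumers[ck], self.tokens[tok])
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False  # tampered parameters or wrong secret
        self.seen.add((ck, ts, nonce))
        return True

# Constructed sample: URL, token, nonce and secrets are placeholders; consumer key, timestamp
# and the f/events query parameters are those shown in the deck's WebAIM example (slide 37).
URL = "https://sp.example/webaim/fetchEvents"
CONSUMERS = {"co1dDRMvlgZJXvWK": "consumer-secret-placeholder"}
TOKENS = {"tok-placeholder": "token-secret-placeholder"}
REQUEST = {"f": "xml", "events": "myinfo,presence,buddylist", "oauth_version": "1.0",
           "oauth_consumer_key": "co1dDRMvlgZJXvWK", "oauth_token": "tok-placeholder",
           "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191232096", "oauth_nonce": "n1"}

def demo(now=1191232100):
    req, sp = dict(REQUEST), Provider(CONSUMERS, TOKENS)
    req["oauth_signature"] = sign("GET", URL, req, CONSUMERS[req["oauth_consumer_key"]], TOKENS[req["oauth_token"]])
    first = sp.verify("GET", URL, req, now)                        # genuine request: accepted
    replay = sp.verify("GET", URL, req, now)                       # same nonce again: rejected
    forged = sp.verify("GET", URL, dict(req, events="buddylist", oauth_nonce="n2"), now)
    return first, replay, forged                                  # (True, False, False)
```

The forged request keeps the original signature while changing `events`, so it fails the MAC check rather than the nonce check; swap HMAC-SHA1 for RSA-SHA1 by replacing only `sign`, since the base string construction is the same for every method.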