SIROPE: OAuth and OAuth2 Living in SIR
Diego R. Lopez, RedIRIS
The Goals • Explore the applicability of “classic” OAuth within the RedIRIS environment • User-mediated access by registered applications to data held by the RedIRIS services • Contribute to the development of OAuth2 • Assertion profile as a bridge to academic federations • Authorization use cases in RESTful environments • Enhanced user-mediated access along the lines of Kantara’s WG-UMA
Classic OAuth • Service components deployed • Register interface • Server library • Client reference implementation
Classic OAuth in Action (step numbers refer to the flow diagram on the original slide, not reproduced here) • 1-3: Control passes to the section of the application dealing with the OAuth logic • 4-5: Client-server credential exchange (the client obtains temporary credentials) • 6-7: User redirected to the authentication/authorization point (this is where the federation plays) • 8-9: Temporary credentials exchanged for token credentials • 10-11: Resource access using the token
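The credential exchanges in steps 4-5 and 8-11 only work because every client request is signed and the server checks that signature. The following is an added example and not code from the deck, from OAuth2lib or from RedIRIS: it reduces "classic" OAuth (OAuth 1.0, RFC 5849) to its HMAC-SHA1 request signing on the client side and the verification a SIR service would run before honouring the request, including timestamp and nonce replay checks. All client keys, secrets, tokens and URLs are constructed sample values.

```python
"""Added example (not SIROPE/RedIRIS code): OAuth 1.0 (RFC 5849) HMAC-SHA1
request signing and server-side verification with replay protection.
Keys, tokens and URLs are constructed sample values."""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse


def pct_encode(s: str) -> str:
    # RFC 5849 section 3.6: encode everything except ALPHA, DIGIT, '-', '.', '_', '~'.
    return urllib.parse.quote(s, safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & base URI & normalized parameters.
    # base_url is scheme://host[:port]/path without the query; query and body
    # parameters travel in params together with the oauth_* parameters.
    # oauth_signature itself is never part of what gets signed.
    pairs = sorted((pct_encode(k), pct_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct_encode(base_url), pct_encode(normalized)])


def hmac_sha1_signature(base: str, client_secret: str, token_secret: str = "") -> str:
    # RFC 5849 section 3.4.2: key = client secret "&" token secret; the token
    # secret is empty when requesting temporary credentials (steps 4-5).
    key = f"{pct_encode(client_secret)}&{pct_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, client_key, client_secret,
                 token=None, token_secret="", nonce=None, timestamp=None):
    """Client side: build the oauth_* parameters (Authorization header) for one request."""
    oauth = {
        "oauth_consumer_key": client_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token is not None:
        oauth["oauth_token"] = token
    base = signature_base_string(method, base_url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, client_secret, token_secret)
    return oauth


class SignedRequestVerifier:
    """Server side: the check run before answering steps 5, 9 and 11."""

    def __init__(self, clients, tokens, window=300):
        self.clients = clients   # client key -> client secret (the register interface's data)
        self.tokens = tokens     # token -> (token secret, client key it was issued to)
        self.window = window     # accepted clock skew in seconds
        self.seen = set()        # (client, nonce, timestamp) triples already accepted

    def verify(self, method, base_url, params, now=None):
        now = int(time.time()) if now is None else now
        client_key = params.get("oauth_consumer_key")
        client_secret = self.clients.get(client_key)
        if client_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        token_secret = ""
        if "oauth_token" in params:
            entry = self.tokens.get(params["oauth_token"])
            if entry is None or entry[1] != client_key:   # token must belong to this client
                return False
            token_secret = entry[0]
        try:
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window or (client_key, nonce, ts) in self.seen:
            return False                                   # stale or replayed request
        expected = hmac_sha1_signature(signature_base_string(method, base_url, params),
                                       client_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False                                   # tampered request or wrong key
        self.seen.add((client_key, nonce, ts))
        return True
```

The nonce set is kept in memory only for the accepted skew window in a real deployment; the point to take from the verifier is the order of checks (client known, token belongs to that client, timestamp fresh, nonce unseen, then signature) and the constant-time comparison of the signature.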
Implementing the OAuth2 AP • OAuth2lib: components supporting the OAuth2 Assertion Profile (AP) • Authorization Server • Server access control logic • Client interface
The flow • The user goes to a Client Application. • The Client App requires the user to authenticate at a federated IdP, which generates an assertion. • The Client App sends the assertion to an Authorization Server, which generates a token bound to a given user, client, scope and lifetime. • The Authorization Server returns the generated token to the Client App. • The Client App, acting on behalf of the user, requests the resource from the Server; the same token can be reused until it expires. • The Server returns the resource if the token it received is valid.
OAuth2lib AS • Registered servers • Keys • Acceptable scopes • Registered clients • Keys • Policy • Clients • Attributes • Scopes • Supports SAML and PAPI assertion formats • Extensible interface
OAuth2lib Server Support • ASes • Keys • Resources • Calls content handlers
OAuth2lib Client Interface • Federation data • How to access and process the received assertion • OAuth2 data • How to access the appropriate AS and server • Resource data • Forwarded to the calling application
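The assertion-profile flow on the "Implementing the OAuth2 AP" slide and the registries listed for the OAuth2lib AS and server support (trusted IdPs, registered servers with keys and acceptable scopes, registered clients with keys and policy, ASes and their keys on the server side) fit in one small model. The following is an added example and not OAuth2lib, SIROPE or RedIRIS code: HMAC-SHA256 over canonical JSON stands in for the XML signature of a SAML or PAPI assertion and for whatever token format OAuth2lib actually issues, the AS shares a key with each registered server, and every key, name and URL is a constructed sample value.

```python
"""Added example (not OAuth2lib/SIROPE code): in-memory model of the OAuth2
assertion-profile exchange. HMAC-SHA256 blobs stand in for SAML/PAPI
assertions and for access tokens; all keys, names and URLs are constructed."""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_blob(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def peek_issuer(blob: str):
    # Reads 'iss' WITHOUT verifying; only used to pick the key to verify with.
    try:
        return json.loads(_unb64(blob.split(".")[0])).get("iss")
    except (ValueError, AttributeError):
        return None


def verify_blob(key: bytes, blob: str):
    # Returns the claims only if the HMAC checks out, None otherwise.
    try:
        body_b64, tag_b64 = blob.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(body)


class IdP:
    """Federated identity provider: authenticates the user and emits an assertion."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def assertion(self, user, attrs, audience, now, ttl=300):
        return sign_blob(self.key, {"iss": self.name, "sub": user, "attrs": attrs,
                                    "aud": audience, "exp": now + ttl})


class AuthorizationServer:
    """Registries: trusted IdP keys; servers -> (key, acceptable scopes); clients -> policy."""
    def __init__(self, name, idp_keys, servers, clients):
        self.name, self.idp_keys, self.servers, self.clients = name, idp_keys, servers, clients

    def issue_token(self, client_id, client_secret, assertion, server, scope, now, lifetime=600):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return None, "unknown client or bad client credentials"
        idp_key = self.idp_keys.get(peek_issuer(assertion))
        claims = verify_blob(idp_key, assertion) if idp_key else None
        if claims is None:
            return None, "assertion not from a trusted IdP or signature invalid"
        if claims["aud"] != self.name or claims["exp"] <= now:
            return None, "assertion not addressed to this AS or expired"
        if server not in self.servers:
            return None, "unregistered resource server"
        server_key, acceptable = self.servers[server]
        if not set(scope) <= client["scopes"] & acceptable:   # client policy AND server policy
            return None, "scope not permitted for this client/server"
        for attr, wanted in client["require_attrs"].items():  # attribute policy from the assertion
            if claims["attrs"].get(attr) != wanted:
                return None, f"attribute {attr} does not satisfy client policy"
        token = sign_blob(server_key, {"iss": self.name, "sub": claims["sub"], "client": client_id,
                                       "aud": server, "scope": sorted(scope), "exp": now + lifetime})
        return token, "ok"


class ResourceServer:
    """Knows the key of each AS it trusts and the scope each resource needs."""
    def __init__(self, name, as_keys, resources):
        self.name, self.as_keys, self.resources = name, as_keys, resources

    def serve(self, token, path, now):
        as_key = self.as_keys.get(peek_issuer(token))
        claims = verify_blob(as_key, token) if as_key else None
        if claims is None:
            return None, "token not issued by a known AS"
        if claims["aud"] != self.name:
            return None, "token issued for another server"
        if claims["exp"] <= now:
            return None, "token expired"
        if path not in self.resources:
            return None, "no such resource"
        needed_scope, handler = self.resources[path]
        if needed_scope not in claims["scope"]:
            return None, "insufficient scope"
        return handler(claims["sub"]), "ok"   # content handler runs only after every check


# Constructed sample deployment: one IdP, one AS, one resource server, one client.
IDP_KEY, SPS_KEY = b"idp-key-sample", b"sps-server-key-sample"
IDP = IdP("https://idp.example.edu", IDP_KEY)
AS = AuthorizationServer("https://as.example.org", {IDP.name: IDP_KEY},
                         {"https://sps.example.org": (SPS_KEY, {"sps:read"})},
                         {"sirope": {"secret": "sirope-secret", "scopes": {"sps:read"},
                                     "require_attrs": {"affiliation": "member"}}})
SPS = ResourceServer("https://sps.example.org", {AS.name: SPS_KEY},
                     {"/sps": ("sps:read", lambda sub: f"SPs available to {sub}")})


def run_flow(user="diego@example.edu", affiliation="member", scope=("sps:read",), now=1_000_000):
    """The whole exchange above: assertion -> token -> repeated resource access until expiry."""
    assertion = IDP.assertion(user, {"affiliation": affiliation}, AS.name, now)
    token, status = AS.issue_token("sirope", "sirope-secret", assertion, SPS.name, list(scope), now)
    if token is None:
        return status, None, None, None
    return (status, SPS.serve(token, "/sps", now), SPS.serve(token, "/sps", now + 100),
            SPS.serve(token, "/sps", now + 601))
```

Two choices worth noting: the issuer is read from the unverified blob only to select a key, never trusted on its own, and the resource server stays stateless, so a token is valid for as many calls as fit in its lifetime, exactly as the slide states, with no revocation before expiry.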
Deploying the OAuth2 AP: SIROPE • A web-based client offering users access to data related to their status in the SIR federation • Currently: the SPs available to them • An Authorization Server • Open to be used by other potential clients at the institutions • A pilot server application • Returns the SPs available for a given user/institution • The hub nature of SIR comes to help again http://www.rediris.es/sir/sirope
OAuth2lib beyond SIR • Access to resources in the AGORA e-learning toolset • Fine-grained RESTful authorization • Evaluation of OAuth2lib in the OpenSocial environment • Collaboration with SURFnet • Any others welcome http://www.rediris.es/oauth2/