
A Trio of Auth Sources for simpleSAMLphp

TF-EMC2, Tuesday, February 15th, 2011. Brook Schofield, Project Development Officer, brook@terena.org, www.terena.org.


Presentation Transcript


  1. A Trio of Auth Sources for simpleSAMLphp
     TF-EMC2, Tuesday, February 15th, 2011
     Brook Schofield, Project Development Officer
     brook@terena.org
     www.terena.org

  2. Spend 3 days over Christmas on Auth Sources for simpleSAMLphp…
     • LinkedIn
       • Business/Professional Contact Directory
       • OAuth
     • MySpace
       • 2nd Place to Facebook
       • OAuth
     • Windows Live ID (Messenger Connect)
       • Big User Base (Hotmail, MSN)
       • Tried OpenID (then stopped)
       • Uses OAuth-WRAP (prelude to OAuth 2.0)

  3. Plan was easy!
     • I’ve previously patched Twitter + Facebook
     • Copy + Paste Andreas’ authtwitter module
       • …but Twitter is sloppy!
       • OAuth handling is very lax
       • authtwitter is a bad example :-(
       • Shared Data Structure came back to bite me.
     • LinkedIn is very strict!
     • Two main components for an authsource
       • lib/source/AuthSource.php
         • authenticate() and finalStep()
       • linkback.php
         • Calls finalStep()

  4. MySpace
     • 2nd big Social Networking Platform.
     • Just opened an Australian office.
     • Wasn’t for Sale.

  5. MySpace
     • Very good dev tools + REST web client.

  6. LinkedIn
     • OAuth
     • …but very strict
     • Required POST rather than GET + HEADERS

  7. LinkedIn

  8. LinkedIn
     • https://api.linkedin.com/uas/oauth/requestToken
       • POST (current code uses a GET)
       • Callback should be here!
     • https://www.linkedin.com/uas/oauth/authenticate?oauth_token=94ab03c4-ae2c-45e4-8732-0e6c4899db63
       • REDIRECT
       • Twitter puts the Callback here :-(
     • https://api.linkedin.com/uas/oauth/accessToken
       • POST (current code uses a GET)
     • https://api.linkedin.com/v1/people/~
       • GET (API to return user data)
       • Set Header: x-li-format: json for JSON response
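The LinkedIn exchange on slide 8, and the requestToken/accessToken calls an authsource's authenticate() and finalStep() (slide 3) have to make, as an added example that is not part of this talk or of simpleSAMLphp: a Python sketch (Python rather than PHP so it runs stand-alone) of the OAuth 1.0a HMAC-SHA1 signing LinkedIn insists on, with the callback signed into the requestToken POST rather than tacked onto the authenticate redirect. The endpoint URLs are the slide's; the consumer key and secret, tokens, verifier and the simpleSAMLphp-style callback URL are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

# Endpoint URLs are the ones from slide 8; every key, secret, token and callback passed
# to this code is a constructed placeholder, not a real LinkedIn credential.
REQUEST_TOKEN_URL = "https://api.linkedin.com/uas/oauth/requestToken"
ACCESS_TOKEN_URL = "https://api.linkedin.com/uas/oauth/accessToken"
def enc(s):
    # OAuth percent-encoding (RFC 5849 s3.6): only RFC 3986 unreserved characters stay bare.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # RFC 5849 s3.4.1: METHOD & base URL (no query, no default port) & every query,
    # body and oauth_* parameter sorted by encoded key then value (oauth_signature excluded).
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    host = u.hostname if u.port in (None, default) else f"{u.hostname}:{u.port}"
    query = parse_qsl(u.query, keep_blank_values=True)
    pairs = sorted((enc(k), enc(v)) for k, v in query + list(params))
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(f"{u.scheme.lower()}://{host}{u.path}"), enc(norm)])

def sign(method, url, oauth_params, consumer_secret, token_secret="", body=()):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret" (token secret is empty at step 1).
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    bs = base_string(method, url, list(oauth_params.items()) + list(body)).encode()
    return base64.b64encode(hmac.new(key, bs, hashlib.sha1).digest()).decode()

def auth_header(method, url, consumer_key, consumer_secret, extra,
                token_secret="", body=(), nonce=None, timestamp=None):
    # The signed Authorization: OAuth header LinkedIn requires on a POST (not query params).
    # 'extra' is oauth_callback at step 1, or oauth_token + oauth_verifier at step 3.
    p = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce or secrets.token_hex(8),
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
         "oauth_timestamp": str(timestamp or int(time.time())), **extra}
    p["oauth_signature"] = sign(method, url, p, consumer_secret, token_secret, body)
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(p.items()))

def linkedin_request_token_header(consumer_key, consumer_secret, callback, **kw):
    # Step 1 (OAuth 1.0a): the callback is signed into the requestToken POST, so the
    # provider binds it to the token before the user is redirected to authenticate.
    return auth_header("POST", REQUEST_TOKEN_URL, consumer_key, consumer_secret,
                       {"oauth_callback": callback}, **kw)

def linkedin_access_token_header(consumer_key, consumer_secret, token, token_secret,
                                 verifier, **kw):
    # Step 3: trade request token + oauth_verifier (delivered to linkback.php) for an access token.
    return auth_header("POST", ACCESS_TOKEN_URL, consumer_key, consumer_secret,
                       {"oauth_token": token, "oauth_verifier": verifier}, token_secret, **kw)
```

The header goes into the Authorization field of the POST; the `oauth_verifier` returned to linkback.php is what finalStep() must present at the accessToken step.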

  9. Windows Live ID
     • AKA Messenger Connect

  10. Windows Live ID

  11. Windows Live ID
      • 50k PHP Library from Microsoft – but replaced it with…

        // Build the OAuth-WRAP consent URL; wrap_client_state carries the
        // simpleSAMLphp state id so linkback.php can resume the right login.
        $authorizeURL = 'https://consent.live.com/Connect.aspx'
            . '?wrap_client_id=' . $this->key
            . '&wrap_callback=' . urlencode(SimpleSAML_Module::getModuleUrl('authwindowslive') . '/linkback.php')
            . '&wrap_client_state=' . urlencode($stateID)
            . '&wrap_scope=WL_Profiles.View,Messenger.SignIn'
            ;
        // The token endpoint answers form-encoded; parse it into $response.
        parse_str($result, $response);

  12. Attributes

  13. Use on the TERENA SPProxy…
      • Not unless it’s in simpleSAMLphp
      • TERENA Policy?
      • Dyonisius Policy?
      • Encourages Collaboration!
      • If it’s good enough for TERENA it should be good enough for the community!
      • Dyonisius will tell you later today how it works.

  14. …future & TODO
      • Why no Generic OAuth?
        • Data APIs too specific
      • OpenID 3.0 Connect
        • OpenID 2.0 isn’t really there either.
      • OAuth 2.0
        • Facebook Graph API

  15. It’s all in simpleSAML now!

  16. brook@terena.org
      +31651553991
      sip:schofield@terena.org
      skype://brookschofield
      @BrookSchofield
      facebook.com/brook.schofield
      linkedin.com/in/brookschofield
      Questions?
      “I’m not advocating it! I just wrote the code.” Kristof Bajnok
