
SIROPE OAuth and OAuth2 Living in SIR


Presentation Transcript


  1. SIROPE: OAuth and OAuth2 Living in SIR. Diego R. Lopez, RedIRIS

  2. The Goals
     • Explore the applicability of “classic” OAuth within the RedIRIS environment
       • User-mediated access to data held by the RedIRIS services by registered applications
     • Contribute to the development of OAuth2
       • Assertion profile as a bridge to academic federations
       • Authorization use cases in RESTful environments
       • Enhanced user-mediated access in the line of Kantara’s WG-UMA

  3. Classic OAuth
     • Service components deployed
       • Register interface
       • Server library
       • Client reference implementation

  4. Classic OAuth in Action (step numbers refer to the flow diagram on the slide)
     • 1-3: Control passes to the section dealing with OAuth logic
     • 4-5: Client-server credential exchange
     • 6-7: User redirected to AuthN/AuthR point (federation plays here)
     • 8-9: Temporary credential and token exchange
     • 10-11: Resource access using token
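To make the numbered steps concrete, here is an added example (not RedIRIS's server library or client reference implementation) of the three-legged "classic" OAuth flow from RFC 5849, with the HMAC-SHA1 request signing that every step relies on. Both sides are simulated in one process: steps 4-5 are `Server.initiate`, 6-7 `Server.authorize` (where a federated login would happen), 8-9 `Server.token`, and 10-11 `Server.resource`. The client key, secret, URLs and the returned resource are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Constructed client registration (consumer key -> shared secret); not real credentials.
CLIENTS = {"sirope-app": "constructed-client-secret"}


def pct(value):
    """RFC 5849 section 3.6 percent-encoding (only unreserved characters stay as-is)."""
    return urllib.parse.quote(str(value), safe="~")


def normalize(params):
    """Section 3.4.1.3.2: encode names and values, sort by name then value, join with & and =."""
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))


def base_string(method, url, params):
    """Section 3.4.1: METHOD & encoded base URL & encoded normalized parameters.
    The URL is assumed to be already normalized (lowercase scheme/host, no default port)."""
    return "&".join([method.upper(), pct(url), pct(normalize(params))])


def hmac_sha1(method, url, params, client_secret, token_secret=""):
    """Section 3.4.2: key = encoded client secret '&' encoded token secret; base64 output."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()).decode()


class Client:
    """Client side: builds the oauth_* protocol parameters and signs each request."""
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def request(self, method, url, token=None, token_secret="", extra=None):
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                  "oauth_version": "1.0", **(extra or {})}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1(method, url, params, self.secret, token_secret)
        return params


class Server:
    """Server side: the two credential endpoints plus the protected resource."""
    def __init__(self, clients):
        self.clients, self.temp, self.tokens, self.nonces = clients, {}, {}, set()

    def _verify(self, method, url, params, token_secret=""):
        params = dict(params)
        sig = params.pop("oauth_signature", "")          # signature is never part of the base string
        secret = self.clients.get(params.get("oauth_consumer_key"))
        if secret is None:
            raise PermissionError("unknown client")
        nonce = (params.get("oauth_consumer_key"), params.get("oauth_nonce"))
        if nonce in self.nonces:                          # replay protection (simplified: nonce per client)
            raise PermissionError("replayed nonce")
        if not hmac.compare_digest(sig, hmac_sha1(method, url, params, secret, token_secret)):
            raise PermissionError("bad signature")
        self.nonces.add(nonce)
        return params

    def initiate(self, method, url, params):              # steps 4-5: temporary credentials
        p = self._verify(method, url, params)
        if "oauth_callback" not in p:
            raise PermissionError("oauth_callback required")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.temp[tok] = {"secret": sec, "client": p["oauth_consumer_key"], "user": None}
        return tok, sec

    def authorize(self, temp_token, user):                # steps 6-7: AuthN/AuthR point
        if temp_token not in self.temp:
            raise PermissionError("unknown temporary credential")
        verifier = secrets.token_hex(8)                   # user authenticated (e.g. via federation) and consented
        self.temp[temp_token].update(user=user, verifier=verifier)
        return verifier

    def token(self, method, url, params):                 # steps 8-9: token exchange
        temp = self.temp.get(params.get("oauth_token"))
        if temp is None or temp["user"] is None:
            raise PermissionError("unknown or unauthorized temporary credential")
        p = self._verify(method, url, params, temp["secret"])
        if p["oauth_consumer_key"] != temp["client"] or \
                not hmac.compare_digest(p.get("oauth_verifier", ""), temp["verifier"]):
            raise PermissionError("verifier or client mismatch")
        del self.temp[params["oauth_token"]]              # temporary credential is single-use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "client": temp["client"], "user": temp["user"]}
        return tok, sec

    def resource(self, method, url, params):              # steps 10-11: resource access
        tk = self.tokens.get(params.get("oauth_token"))
        if tk is None:
            raise PermissionError("unknown token")
        p = self._verify(method, url, params, tk["secret"])
        if p["oauth_consumer_key"] != tk["client"]:
            raise PermissionError("token belongs to another client")
        return {"user": tk["user"], "sir_status": "registered"}   # constructed resource


def run_flow(base="https://sir.example.org/oauth"):
    """Drive the whole flow once; returns the resource plus the objects for further calls."""
    server, client = Server(CLIENTS), Client("sirope-app", CLIENTS["sirope-app"])
    u = base + "/initiate"
    tmp, tmp_sec = server.initiate("POST", u, client.request("POST", u, extra={"oauth_callback": "https://app.example.org/cb"}))
    verifier = server.authorize(tmp, "alice")
    u = base + "/token"
    tok, tok_sec = server.token("POST", u, client.request("POST", u, tmp, tmp_sec, {"oauth_verifier": verifier}))
    u = base + "/me"
    return {"resource": server.resource("GET", u, client.request("GET", u, tok, tok_sec)),
            "server": server, "client": client, "token": (tok, tok_sec)}


if __name__ == "__main__":
    print(run_flow()["resource"])
```

The base-string construction is the part most often got wrong in real deployments: a server that signs over a differently normalized URL or parameter set will reject every client, and a server that accepts the signature without a nonce check accepts replays, which is why `_verify` records nonces.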

  5. The OAuth2 Assertion Profile

  6. Implementing the OAuth2 AP
     • OAuth2lib: components supporting the OAuth2 AP
       • Authorization Server
       • Server access control logic
       • Client interface
     • The user goes to a Client Application.
     • The Client App requires the user to authenticate at a federated IdP, which generates an assertion.
     • The Client App sends the assertion obtained to an Authorization Server. There, a token for a certain user, client, scope and lifetime is generated.
     • The Authorization Server sends the generated token to the Client App.
     • The Client App acts on behalf of the user and requests the resource from the Server. The token can be reused until it expires.
     • The Server returns the resource if the token sent is valid.

  7. OAuth2lib AS
     • Registered servers
       • Keys
       • Acceptable scopes
     • Registered clients
       • Keys
     • Policy
       • Clients
       • Attributes
       • Scopes
     • Supports SAML and PAPI assertion formats
     • Extensible interface

  8. OAuth2lib Server Support
     • ASes
       • Keys
     • Resources
       • Calls content handlers

  9. OAuth2lib Client Interface
     • Federation data
       • How to access and process the received assertion
     • OAuth2 data
       • How to access the appropriate AS and server
     • Resource data
       • Forwarded to the calling application
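The assertion-profile flow of slide 6 and the registrations the AS, server and client hold (slides 7 to 9) are shown below in an added, self-contained model that is not OAuth2lib's own code. Assertions and tokens are HMAC-signed JSON here, a stand-in for the SAML/PAPI assertions and for whatever token format OAuth2lib uses; the IdP, AS, client and server names, keys and scopes are constructed. The point it demonstrates is what each party must check: the AS verifies the client credential, the assertion's signature, audience and lifetime, and the client's allowed scopes before minting a token bound to one server, and that server then validates the token locally (signature, audience, expiry, scope) on every reuse.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys for the toy federation (not real credentials).
IDP_KEY = b"idp-signing-key"        # IdP <-> AS trust (federation metadata stand-in)
CLIENT_KEY = b"client-app-secret"   # client registered at the AS
SERVER_KEY = b"as-server-shared"    # AS <-> resource server trust


def _sign(payload, key):
    """Serialise claims and append an HMAC-SHA256 tag (stand-in for an XML/JWS signature)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def _verify(blob, key):
    """Constant-time check of the tag, then return the claims."""
    body, tag = blob.rsplit(".", 1)
    if not hmac.compare_digest(tag, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        raise PermissionError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


class IdentityProvider:
    """Federated IdP: authenticates the user and issues a short-lived assertion addressed to the AS."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def assertion(self, subject, audience, now, ttl=300):
        return _sign({"iss": self.name, "sub": subject, "aud": audience, "exp": now + ttl}, self.key)


class AuthorizationServer:
    """Holds IdP keys, registered clients (key + allowed scopes) and registered servers (key)."""
    def __init__(self, name, idp_keys, clients, servers):
        self.name, self.idp_keys, self.clients, self.servers = name, idp_keys, clients, servers

    def issue_token(self, client_id, client_key, assertion, server_id, scope, now, ttl=600):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["key"], client_key):
            raise PermissionError("unknown client or wrong client key")
        if scope not in client["scopes"]:
            raise PermissionError("scope not allowed for this client")
        if server_id not in self.servers:
            raise PermissionError("unknown resource server")
        # The unverified issuer claim only selects which IdP key to try; the signature
        # check that follows is what binds the assertion to that IdP.
        issuer = json.loads(base64.urlsafe_b64decode(assertion.rsplit(".", 1)[0])).get("iss")
        if issuer not in self.idp_keys:
            raise PermissionError("assertion from an unknown IdP")
        claims = _verify(assertion, self.idp_keys[issuer])
        if claims["aud"] != self.name or claims["exp"] <= now:
            raise PermissionError("assertion not addressed to this AS or expired")
        token = {"sub": claims["sub"], "client": client_id, "scope": scope, "aud": server_id, "exp": now + ttl}
        return _sign(token, self.servers[server_id])   # server-specific key: server validates locally


class ResourceServer:
    """Resource server: knows its AS key and the scope each resource requires."""
    def __init__(self, name, as_key, resources):
        self.name, self.as_key, self.resources = name, as_key, resources   # path -> (scope, data)

    def get(self, token, path, now):
        claims = _verify(token, self.as_key)
        if claims["aud"] != self.name:
            raise PermissionError("token issued for another server")
        if claims["exp"] <= now:
            raise PermissionError("token expired")
        required_scope, data = self.resources[path]
        if claims["scope"] != required_scope:
            raise PermissionError("insufficient scope")
        return data


def build_federation():
    """One IdP, one AS and one resource server with constructed registrations."""
    idp = IdentityProvider("idp.example.edu", IDP_KEY)
    auth = AuthorizationServer("as.example.org", idp_keys={idp.name: IDP_KEY},
                               clients={"sirope-web": {"key": CLIENT_KEY, "scopes": {"sps:read"}}},
                               servers={"sir.example.org": SERVER_KEY})
    server = ResourceServer("sir.example.org", SERVER_KEY,
                            {"/sps": ("sps:read", ["sp1.example.edu", "sp2.example.edu"]),
                             "/admin": ("sps:admin", "constructed admin data")})
    return idp, auth, server


def run_flow(now=None, token_ttl=600):
    """Slide 6 steps: user at IdP -> assertion -> AS token -> resource requested twice with one token."""
    now = time.time() if now is None else now
    idp, auth, server = build_federation()
    assertion = idp.assertion("alice@example.edu", "as.example.org", now)
    token = auth.issue_token("sirope-web", CLIENT_KEY, assertion, "sir.example.org", "sps:read", now, token_ttl)
    first = server.get(token, "/sps", now)
    second = server.get(token, "/sps", now + token_ttl - 1)   # reusable until it expires
    return first, second, token


if __name__ == "__main__":
    first, second, _ = run_flow(now=1_700_000_000)
    print(first, second == first)
```

Because the token is signed with the key shared between the AS and that particular server, the server never has to call back to the AS, which is what lets a token be reused for its whole lifetime; the price is that revocation before expiry is not possible in this model, so lifetimes should be short.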

  10. Deploying OAuth2 AP: SIROPE
     • A web-based client offering users access to data related to their status in the SIR federation
       • Currently, available SPs
     • An Authorization Server
       • Open to be used by other potential clients at the institutions
     • A pilot server application
       • Available SPs for a given user/institution
       • The hub nature of SIR comes to help again
     http://www.rediris.es/sir/sirope

  11. OAuth2lib beyond SIR
     • Access to resources in the AGORA e-learning toolset
       • Fine-grained RESTful AuthR
     • Evaluation of OAuth2lib in the OpenSocial environment
       • Collaboration with SURFnet
     • Any others welcome
     http://www.rediris.es/oauth2/
