
Service Chaining with OAuth 2.0 Bearer Tokens


Presentation Transcript


  1. Service Chaining with OAuth 2.0 Bearer Tokens Alan H. Karp HP Labs

  2. Overview • OAuth 1.0 • OAuth 2.0 • Sabre 2.0

  3. OAuth 1.0

  4. OAuth 2.0
  • No crypto in the protocol
  • Everything over HTTPS
  • Opaque tokens represent access rights
  • No revocation
  • Most tokens expire in a short time, e.g., 10 min
  • Different patterns
    • Basic requires authentication
    • Bearer tokens

  5. OAuth 2.0 Basics
  Parties in the diagram: Resource Owner (RO), Client, Authorization Manager (AM), Resource Provider (RP)
  Flow:
  • Client → Resource Owner: Request Access
  • Resource Owner → Client: Authorization Grant (AG)
  • Client → Authorization Manager: AG
  • Authorization Manager → Client: Access Token (AT) + optionally Refresh Token (RT)
  • Client → Resource Provider: AT
  • Resource Provider → Client: Resource
  Notes:
  • AM and RO agree on AG
  • AM and RP agree on AT
  • AM decides RT format
  • All opaque to client
  • AG and AT short-lived
  • RT long-lived

  6. Web Redirection
  Parties in the diagram: Client, Resource Owner, Authorization Manager, Resource Provider
  Steps: 1. Request Access; 2. Denied; 3. Request Access; 4. AG; 5. AG; 6. AT; 7. AT; 8. (unlabelled in transcript)

  7. SABRE 1.0
  • SABRE: Semi-Automatic Business-Related Environment
  • Developed by IBM for American Airlines
  • First prototype 1960
  • In use today as Sabre Holdings, Inc. (Travelocity)
  • Long past due for an upgrade
  • HP/EDS won the contract

  8. SABRE 2.0
  • Widely known features
    • Airline/hotel reservations
  • Less well known or unknown features
    • Crew scheduling
    • Airport management

  9. Airport Management
  • 200 airlines, 10,000 employees each
  • 500 airports, 5,000 employees each
  • Federated Identity Management impractical
  • First solution: ZBAC with SOAP
  • Switched to REST
  • Proposed waterken
  • Decided on OAuth

  10. Gate Agent Scenario
  • All computers at gates are shared
  • Want employers to authenticate their people
  • Authorization decided by role and context
    • Gate agent can close gate if employer’s flight
  • TWA has contracted to use Weather, Inc.
    • TWA gate agents may request forecasts
  • Agents specify airport code
  • Weather, Inc. takes latitude/longitude
  • SABRE Convert service translates code to lat/long

  11. Sign Contracts
  Parties in the diagram: Weather, Inc. (Forecast, AuthZ Mgr); TWA (AuthN Mgr, AuthZ Mgr, Policy); Sabre 2.0 (Policy Engine, PM, AuthZ Mgr, Web Server, Convert Service)
  Terms and Conditions appear twice: between Weather, Inc. and TWA, and between TWA and Sabre 2.0

  12. Screen on Gate Display (screenshot; only the “More” control survives in the transcript)

  13. Setup
  Parties in the diagram: Alice at a Browser; Web Server; Sabre 2.0 (AuthN Mgr, AuthZ Mgr, Policy Engine, PM, Convert Service); TWA (AuthN Mgr, AuthZ Mgr); Weather Service (Forecast, AuthZ Mgr)
  Steps: 1. Sabre Front Page; 2. Login; 3. Attributes; 4. Attributes; 5. Get AGs; 6. Web page content + AGs

  14. Request Permissions
  Parties in the diagram: Alice at a Browser; Web Server; Sabre 2.0 (AuthN Mgr, AuthZ Mgr, Convert Service); TWA (AuthZ Mgr, Policy); Weather Service (Weather AuthZ Mgr)
  Steps: 7. Get forecast for ORD; 8. Get AG for W; 9. Get AG for W; 10. AG1 for W; 11. AG1 for W

  15. Prepare to Delegate
  Parties in the diagram: Alice at a Browser; Web Server; Sabre 2.0 (AuthN Mgr, AuthZ Mgr, Convert Service); TWA (AuthZ Mgr, Policy); Weather Service (Weather AuthZ Mgr)
  Steps: 12. Get AG for Convert; 13. AG2 for W

  16. Prepare to Invoke
  Parties in the diagram: Alice at a Browser; Web Server; Sabre 2.0 (AuthN Mgr, AuthZ Mgr, Convert Service); TWA (AuthZ Mgr, Policy); Weather Service (Weather AuthZ Mgr)
  Steps: 14. Exchange AG1 for AT1; 15. AT1 for CS

  17. Invoke
  Parties in the diagram: Alice at a Browser; Web Server; Sabre 2.0 (AuthN Mgr, AuthZ Mgr, Convert Service); TWA (AuthZ Mgr, Policy); Weather Service (Weather AuthZ Mgr)
  Steps: 16. Invoke with AT1 passing AG2; 17. Exchange AG2 for AT2; 18. Return AT2 for W; 19. Invoke with AT2
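The chain on slides 13 to 17, and the basic AG/AT exchange of slide 5, as an added worked example. This is illustrative code written for this transcript, not code from the deck or from Sabre 2.0. It simplifies the diagrams by folding the separate TWA, Sabre and Weather AuthZ Mgrs into one AuthorizationManager, and it adds two properties the slides do not spell out but that make bearer-token chaining safe: every AT is bound to the one service that may accept it (so AT1, issued for the Convert Service, is useless at Weather), and every AG can be exchanged exactly once. The ORD coordinates, the forecast text, the 60 s / 600 s lifetimes and all names are constructed.

```python
"""Toy service-chain simulation (added example; hypothetical code, not from the deck).

Alice's web front end obtains AG1 (exchangeable for an AT that the Convert
Service accepts) and AG2 (exchangeable for an AT that Weather accepts),
exchanges AG1 for AT1, and invokes Convert with AT1 while passing AG2 along.
Convert exchanges AG2 for AT2 and invokes Weather with AT2 (steps 14 to 19).
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Issued:
    """Rights an opaque handle (AG or AT) stands for; the client never sees these."""
    audience: str   # the one service that will accept the handle
    scope: str      # the operation the handle allows
    expires: float  # absolute time after which the handle is dead


class AuthorizationManager:
    """Single AM standing in for the deck's separate AuthZ Mgrs (simplification)."""

    def __init__(self, ag_ttl=60.0, at_ttl=600.0, clock=time.time):
        self.ag_ttl, self.at_ttl, self.clock = ag_ttl, at_ttl, clock
        self._grants = {}   # opaque AG -> Issued
        self._tokens = {}   # opaque AT -> Issued

    def issue_grant(self, audience, scope):
        """Policy has approved the request; hand the client an opaque, short-lived AG."""
        ag = "AG-" + secrets.token_urlsafe(12)
        self._grants[ag] = Issued(audience, scope, self.clock() + self.ag_ttl)
        return ag

    def exchange(self, ag):
        """Exchange an AG for an AT (steps 14 and 17). Each AG is single-use."""
        g = self._grants.pop(ag, None)
        if g is None or g.expires < self.clock():
            raise PermissionError("unknown, already used or expired grant")
        at = "AT-" + secrets.token_urlsafe(12)
        self._tokens[at] = Issued(g.audience, g.scope, self.clock() + self.at_ttl)
        return at

    def check(self, at, audience, scope):
        """A resource provider asks: is this bearer AT live, for me, and for this scope?"""
        t = self._tokens.get(at)
        return (t is not None and t.expires > self.clock()
                and t.audience == audience and t.scope == scope)


class WeatherService:
    """Weather, Inc.: takes lat/long and accepts only ATs issued for audience 'weather'."""

    def __init__(self, am):
        self.am = am

    def forecast(self, at, lat, lon):
        if not self.am.check(at, "weather", "forecast"):
            raise PermissionError("weather: bad access token")
        return f"forecast@{lat:.2f},{lon:.2f}: clear"   # constructed sample response


class ConvertService:
    """Sabre Convert Service: airport code -> lat/long, then chains to Weather."""

    AIRPORTS = {"ORD": (41.98, -87.90)}   # constructed sample data

    def __init__(self, am, weather):
        self.am, self.weather = am, weather

    def forecast_for(self, at1, ag2, code):
        # Step 16: the caller invoked us with AT1 (for us) and passed AG2 (for Weather).
        if not self.am.check(at1, "convert", "forecast_for"):
            raise PermissionError("convert: bad access token")
        lat, lon = self.AIRPORTS[code]
        at2 = self.am.exchange(ag2)                    # steps 17 and 18
        return self.weather.forecast(at2, lat, lon)    # step 19


def gate_agent_scenario(clock=time.time):
    """Run Alice's chain for ORD; returns (forecast, at1, ag2, am, convert) for checks."""
    am = AuthorizationManager(clock=clock)
    convert = ConvertService(am, WeatherService(am))
    ag1 = am.issue_grant("convert", "forecast_for")   # steps 8 to 11: AG1
    ag2 = am.issue_grant("weather", "forecast")       # steps 12 and 13: AG2 for W
    at1 = am.exchange(ag1)                            # steps 14 and 15: AT1 for CS
    forecast = convert.forecast_for(at1, ag2, "ORD")  # steps 16 to 19
    return forecast, at1, ag2, am, convert


def replay_is_rejected(clock=time.time):
    """Defender checks: AT1 is refused by Weather, and AG2 cannot be exchanged twice."""
    _, at1, ag2, am, _ = gate_agent_scenario(clock)
    at1_accepted_at_weather = am.check(at1, "weather", "forecast")
    try:
        am.exchange(ag2)
        ag2_reused = True
    except PermissionError:
        ag2_reused = False
    return at1_accepted_at_weather, ag2_reused


if __name__ == "__main__":
    print(gate_agent_scenario()[0])
    print(replay_is_rejected())
```

The design choice worth noticing is that the client holds nothing but opaque strings, exactly as slide 5 states, yet the AM can still confine each string: because AT1 carries audience "convert", a Convert Service that leaks or misuses it gains nothing at Weather, and because AG2 is consumed on exchange, the intermediary can obtain AT2 once and cannot mint further Weather tokens from the same grant. Short AT lifetimes stand in for the revocation OAuth 2.0 lacks (slide 4); the clock parameter exists so that expiry can be exercised without waiting.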

  18. Optimizations
  • Resource owner is resource provider
    • Forget about AGs, just hand out ATs
  • Skip AG2
    • Alice can tell TWA AG is for Convert service
