CIS 2015- User-Authorized Discovery- George Fletcher
Transcript of CIS 2015- User-Authorized Discovery- George Fletcher
Copyright © 2015 Cloud Identity Summit. All rights reserved.
Discovery Models
• Person to person
• Bluetooth discovery
• Email sharing
• NFC “tap”
User-Authorized Discovery
• Machine readable
• Location of services
• Context aware
• Under user control
• Based on a “sharable identifier”
  o e.g. [email protected]
  o QR code with embedded information
Mint-like financial aggregation site
What!!! Are you crazy?!
Security Privacy Sharing
Two standards
• Webfinger — RFC 7033: protocol for performing “relationship” discovery
• User Managed Access v1.0 (Kantara Initiative): protocol for allowing user-defined authorization for access to a resource
Webfinger example
• Query
  • resource: [email protected]
  • relationship: http://openid.net/specs/connect/1.0/issuer
• Response
  • subject: [email protected]
  • links
    § relationship: http://openid.net/specs/connect/1.0/issuer
    § href: https://oidc.provider.example.com
    § property
      ● name = http://oidc.provider.example.com/login_hint
      ● value = gffletch
User Managed Access (UMA)
UMA Defined
UMA & online sharing
• I want to share this stuff selectively
  • Among my own apps
  • With family and friends
  • With organizations
• I want to protect this stuff from being seen by everyone in the world
• I want to control access proactively, not just feel forced to consent over and over
Proposal: UMA protect webfinger
Leverage UMA to allow for security and privacy control of personal discovery information
• User control
  • Over what’s discoverable
  • Over authZ policy to access discovery information
• Privacy enhancing
  • Transparency
  • Audit capabilities
Alice & Bob Calendar Sharing
Alice’s Calendar service registers calendar endpoints and permissions with the UMA AS
Alice’s Calendar service registers calendar endpoints with her discovery service
Alice’s Discovery service registers calendar discovery information as a resource set with UMA AS
Alice defines authorization policy for Discovery requests and Calendar access
Discovery endpoint protected by UMA
[Sequence diagram. Participants: Alice, Bob, Calendar Client, Alice’s Discovery Service, Alice’s UMA AS, Calendar Service; Alice and Bob each hold a UAD Identifier. Messages shown: Calendar Client to Alice’s Discovery Service: “Where is Alice’s Calendar endpoint?”; Alice’s Discovery Service to Alice’s UMA AS: “Someone is trying to access Alice’s calendar”; Alice’s UMA AS to Alice’s Discovery Service: “Send them to me with this token”; Alice’s Discovery Service to Calendar Client: “Please visit Alice’s AS with this token. They need authZ.”]
Bob “wins” access
[Sequence diagram, same participants. Messages shown: Bob (via Calendar Client) to Alice’s UMA AS: “Hi, I’m Bob, can I please get access to Alice’s calendar info?”; Alice’s UMA AS to Alice: “Can Bob at Calendar client access your discovery service?”; Alice’s UMA AS to Bob: “Hi Bob, you have approval to access the data. Use this token.”]
Bob discovers Alice’s calendar service
[Sequence diagram, same participants. Messages shown: Calendar Client to Alice’s Discovery Service: “Where is Alice’s Calendar endpoint? Here’s my token”; Alice’s Discovery Service to Alice’s UMA AS: “Is this token valid for Alice’s calendar endpoint?”; Alice’s UMA AS: “Yes”; Alice’s Discovery Service to Calendar Client: “Alice’s calendar endpoint”.]
Bob’s Calendar Client successfully discovered calendar endpoint.
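The three flows above (ticket issued to an unauthorized client, Bob obtaining a token under Alice’s policy, and the token-validated discovery answer) modelled end to end as an added example; this is not the deck’s or any project’s code, and the calendar relation type, the token formats, the in-memory policy store and the simplified RS/AS exchanges (in place of the exact UMA 1.0 HTTP messages) are all assumptions.

```python
import secrets

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"  # relation type from the deck
CALENDAR_REL = "http://example.com/rel/calendar"  # hypothetical relation type for Alice's calendar
class UmaAuthorizationServer:  # Alice's UMA AS, reduced to her policy, permission tickets and RPTs
    def __init__(self):
        self.policy, self.tickets, self.rpts = {}, {}, {}
    def set_policy(self, resource_set, allowed_parties):
        self.policy[resource_set] = set(allowed_parties)
    def register_permission(self, resource_set):
        # RS: "Someone is trying to access Alice's calendar" -> AS: "Send them to me with this token"
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = resource_set
        return ticket
    def request_rpt(self, ticket, requesting_party):
        # Bob: "Hi, I'm Bob, can I get access?" -> Alice's policy decides; tickets are single-use
        resource_set = self.tickets.pop(ticket, None)
        if resource_set is None or requesting_party not in self.policy.get(resource_set, ()):
            return None
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = resource_set
        return rpt
    def introspect(self, rpt, resource_set):  # RS: "Is this token valid for Alice's calendar endpoint?"
        return self.rpts.get(rpt) == resource_set

class DiscoveryService:  # Alice's Webfinger endpoint acting as the UMA resource server
    def __init__(self, subject, links, authz):
        self.subject, self.links, self.authz = subject, links, authz
        self.resource_set = "discovery:" + subject  # registered with the AS as one resource set
    def webfinger(self, resource, rel, rpt=None):
        if resource != self.subject:
            return 404, None
        if rpt is None or not self.authz.introspect(rpt, self.resource_set):
            # "Please visit Alice's AS with this token, they need authZ"
            return 403, {"ticket": self.authz.register_permission(self.resource_set)}
        # JRD answer filtered to the requested relation, as in the deck's Webfinger example
        return 200, {"subject": self.subject, "links": [l for l in self.links if l["rel"] == rel]}

def discover(service, authz, requesting_party, rel):
    """Bob's calendar client: unauthenticated query, then retry with an RPT from Alice's AS."""
    status, body = service.webfinger(service.subject, rel)
    if status == 403 and (rpt := authz.request_rpt(body["ticket"], requesting_party)):
        status, body = service.webfinger(service.subject, rel, rpt)
    return body["links"][0]["href"] if status == 200 and body["links"] else None

# Constructed sample data: Alice's sharable identifier, her links, and her policy (Bob only)
AS = UmaAuthorizationServer()
ALICE_LINKS = [{"rel": OIDC_ISSUER_REL, "href": "https://oidc.provider.example.com",
                "properties": {"http://oidc.provider.example.com/login_hint": "gffletch"}},
               {"rel": CALENDAR_REL, "href": "https://calendar.example.com/alice"}]
DISCOVERY = DiscoveryService("acct:alice@example.com", ALICE_LINKS, AS)
AS.set_policy(DISCOVERY.resource_set, ["bob"])
```

A requesting party outside Alice’s policy is left holding only a permission ticket and never sees the JRD, which is the privacy property the proposal is after.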
What’s missing
● Taxonomy of relationship types
● Easy UAD identifier for users
  o [email protected]
● Mixing public and “private” discovery data
● How to register link relations as resource sets in UMA
● Optimizations to allow for returning “access tokens” from the discovery service
● Managing user authorization overload
Conclusion
• Webfinger + UMA seems viable
• Many details left to be worked out
• Pilot effort needed to prove viability
User Authorization Overload
● How to manage all the AuthZ policies
  o Discovery
  o Calendar service
  o Think about a world with IoT devices, health care, enterprise, etc.
What’s missing
• Taxonomy of relationship types
  • Domain-specific in most cases
• Easy PDS identifier for users
  • [email protected]
• Mixing public and “private” discovery data
  • Discovery for photos should allow for return of my public photography site without client authentication
• How to register link relations as resource sets in UMA
• Optimizations to allow for returning UMA RPTs from the discovery service
User Authorization Overload
• How to manage all the AuthZ policies
  • Discovery
  • Calendar service
  • Think about a world with IoT devices, health care, enterprise, etc.
Conclusion
• Webfinger + UMA seems viable
• Many details left to be worked out
• Pilot effort needed to prove viability