CIS 2015 - User-Authorized Discovery - George Fletcher

Transcript of CIS 2015 - User-Authorized Discovery - George Fletcher

Copyright © 2015 Cloud Identity Summit. All rights reserved.

Discovery Models

• Person to person
• Bluetooth discovery
• Email sharing
• NFC "tap"

User-Authorized Discovery

• Machine readable
• Location of services
• Context aware
• Under user control
• Based on a "sharable identifier"
  o e.g. [email protected]
  o QR code with embedded information

Social web site

Mint-like financial aggregation site

What!!! Are you crazy?!

• Security
• Privacy
• Sharing

Two standards

• Webfinger (RFC 7033): protocol for performing "relationship" discovery
• User Managed Access v1.0 (Kantara Initiative): protocol for allowing user-defined authorization for access to a resource

Webfinger example

• Query
  o resource: [email protected]
  o relationship: http://openid.net/specs/connect/1.0/issuer
• Response
  o subject: [email protected]
  o links
    § relationship: http://openid.net/specs/connect/1.0/issuer
    § href: https://oidc.provider.example.com
    § property
      ● name = http://oidc.provider.example.com/login_hint
      ● value = gffletch

User Managed Access (UMA)

UMA Defined

UMA & online sharing

• I want to share this stuff selectively
  o Among my own apps
  o With family and friends
  o With organizations
• I want to protect this stuff from being seen by everyone in the world
• I want to control access proactively, not just feel forced to consent over and over

Proposal: UMA protect webfinger

Leverage UMA to allow for security and privacy control of personal discovery information

• User control
  o Over what's discoverable
  o Over authZ policy to access discovery information
• Privacy enhancing
  o Transparency
  o Audit capabilities

Alice & Bob Calendar Sharing

• Alice's Calendar service registers calendar endpoints and permissions with the UMA AS
• Alice's Calendar service registers calendar endpoints with her discovery service
• Alice's Discovery service registers calendar discovery information as a resource set with the UMA AS
• Alice defines authorization policy for Discovery requests and Calendar access

Discovery endpoint protected by UMA

Sequence diagram recovered from the slide. Participants: Alice, Bob, Calendar Client, Alice's Discovery Service, Alice's UMA AS, Calendar Service. Bob's Calendar Client holds Alice's UAD identifier.

• Calendar Client → Alice's Discovery Service: "Where is Alice's Calendar endpoint?"
• Alice's Discovery Service → Alice's UMA AS: "Someone is trying to access Alice's calendar"
• Alice's UMA AS → Alice's Discovery Service: "Send them to me with this token"
• Alice's Discovery Service → Calendar Client: "Please visit Alice's AS with this token. They need authZ."

Bob "wins" access

• Calendar Client → Alice's UMA AS: "Hi, I'm Bob, can I please get access to Alice's calendar info?"
• Alice's UMA AS → Alice: "Can Bob at Calendar client access your discovery service?"
• Alice's UMA AS → Calendar Client: "Hi Bob, you have approval to access the data. Use this token."

Bob discovers Alice's calendar service

• Calendar Client → Alice's Discovery Service: "Where is Alice's Calendar endpoint? Here's my token"
• Alice's Discovery Service → Alice's UMA AS: "Is this token valid for Alice's calendar endpoint?"
• Alice's UMA AS → Alice's Discovery Service: "Yes"
• Alice's Discovery Service → Calendar Client: "Alice's calendar endpoint"

Bob's Calendar Client successfully discovered calendar endpoint.


Q & A

George Fletcher [email protected]


What's missing

• Taxonomy of relationship types
  o Domain-specific in most cases
• Easy PDS identifier for users
  o [email protected]
• Mixing public and "private" discovery data
  o Discovery for photos should allow for return of my public photography site without client authentication
• How to register link relations as resource sets in UMA
• Optimizations to allow for returning UMA RPTs from the discovery service
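The Alice/Bob discovery flow above and the "mixing public and private discovery data" point, modelled as an added example (not code from the talk): a Webfinger (RFC 7033) endpoint that serves public links without any token, and for non-public links runs a simplified UMA 1.0 exchange (permission ticket from the AS, Alice's policy decision, RPT introspection). The hostnames, the calendar link relation, the resource-set name and the in-memory authorization server are constructed for illustration.

```python
import itertools

# Constructed fixtures: Alice's account, her discovery links and an in-memory stand-in for her UMA AS.
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
CAL_REL = "http://example.org/rel/calendar"           # hypothetical link relation
AS_URI = "https://as.alice.example"                   # assumed location of Alice's UMA AS
RESOURCE_SET, SCOPE = "alice-discovery", "discover"   # how the discovery data is registered at the AS

# Alice's JRD links; "public" marks data served without authorization (e.g. a public photo site).
LINKS = [
    {"rel": ISSUER_REL, "href": "https://oidc.provider.example.com", "public": True,
     "properties": {"http://oidc.provider.example.com/login_hint": "gffletch"}},
    {"rel": CAL_REL, "href": "https://calendar.alice.example/alice", "public": False},
]
TICKETS, RPTS = {}, {}          # simulated AS state: outstanding permission tickets, issued RPTs
_ids = itertools.count(1)

def register_permission(resource_set, scope):
    """Discovery service tells the AS 'someone is trying to access Alice's data'; gets a ticket back."""
    ticket = f"ticket-{next(_ids)}"
    TICKETS[ticket] = (resource_set, scope)
    return ticket

def request_rpt(ticket, requester, policy):
    """Client redeems the ticket at the AS; `policy` maps resource set -> requesters Alice allows."""
    grant = TICKETS.pop(ticket, None)
    if grant is None or requester not in policy.get(grant[0], set()):
        return None                                   # unknown ticket, or Alice's policy says no
    rpt = f"rpt-{requester}-{next(_ids)}"
    RPTS[rpt] = {"resource_set": grant[0], "scopes": {grant[1]}}
    return rpt

def introspect(rpt, resource_set, scope):
    """Discovery service asks the AS: is this token valid for this resource set and scope?"""
    g = RPTS.get(rpt)
    return bool(g and g["resource_set"] == resource_set and scope in g["scopes"])

def webfinger(resource, rel=None, rpt=None):
    """Handle GET /.well-known/webfinger?resource=...&rel=...; returns (status, headers, body)."""
    if resource != "acct:alice@example.com":
        return 404, {}, None
    wanted = [l for l in LINKS if rel is None or l["rel"] == rel]
    if any(not l["public"] for l in wanted) and not introspect(rpt, RESOURCE_SET, SCOPE):
        # Missing or insufficient RPT: UMA 1.0 style 401 pointing the client at the AS with a ticket
        ticket = register_permission(RESOURCE_SET, SCOPE)
        return 401, {"WWW-Authenticate": f'UMA realm="alice", as_uri="{AS_URI}"'}, {"ticket": ticket}
    jrd = {"subject": resource,
           "links": [{k: v for k, v in l.items() if k != "public"} for l in wanted]}
    return 200, {"Content-Type": "application/jrd+json"}, jrd
```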

User Authorization Overload

• How to manage all the AuthZ policies
  o Discovery
  o Calendar service
• Think about a world with IoT devices, health care, enterprise, etc.

Conclusion

• Webfinger + UMA seems viable
• Many details left to be worked out
• Pilot effort needed to prove viability