SIROPE OAuth and OAuth2 Living in SIR

16th TF-EMC2. Copenhagen, September 2010. Diego R. Lopez, RedIRIS


Page 1: SIROPE OAuth and OAuth2 Living in SIR

Diego R. Lopez, RedIRIS

Page 2: The Goals

• Explore the applicability of “classic” OAuth within the RedIRIS environment
  • User-mediated access to data held by the RedIRIS services by registered applications
• Contribute to the development of OAuth2
  • Assertion profile as a bridge to academic federations
  • Authorization use cases in RESTful environments
  • Enhanced user-mediated access in the line of Kantara’s WG-UMA

Page 3: Classic OAuth

• Service components deployed
  • Register interface
  • Server library
  • Client reference implementation

Page 4: Classic OAuth in Action

• 1-3: Control passes to the section dealing with OAuth logic
• 4-5: Client-server credential exchange
• 6-7: User redirected to the AuthN/AuthR point (federation plays here)
• 8-9: Temporary credential and token exchange
• 10-11: Resource access using the token
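The exchange above with both sides written out, as an added example that is not part of the original deck and is not SIROPE's classic-OAuth server library or client: the client signs each request the RFC 5849 way (HMAC-SHA1 over the signature base string, keyed by consumer secret and token secret) and the server recomputes the signature, refuses a replayed nonce and refuses a request whose signed URL was altered. The consumer key and secret, the server URLs and the user name are constructed; steps 1-3 (handing control to the OAuth logic) and the browser redirect of steps 6-7 are collapsed into in-process calls. The only external reference is the base string from RFC 5849 section 3.4.1.1, which `base_string` reproduces.

```python
"""Classic OAuth (RFC 5849) signing and verification for the exchange above.
Added example, not OAuth2lib or RedIRIS code; keys, secrets and URLs are constructed."""
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, quote, urlsplit

Params = list[tuple[str, str]]  # (name, value) pairs: form body plus oauth_* protocol parameters


def oauth_encode(s: str) -> str:
    # RFC 5849 section 3.6: everything except ALPHA / DIGIT / "-" / "." / "_" / "~" is percent-encoded
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params: Params) -> str:
    """Signature base string (RFC 5849 section 3.4.1): method, base URL and the
    normalized query + body + oauth_* parameters; oauth_signature itself is never signed."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and (p.scheme.lower(), p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    pairs = [(k, v) for k, v in params if k != "oauth_signature"]
    pairs += parse_qsl(p.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs))
    return "&".join((method.upper(), oauth_encode(f"{p.scheme.lower()}://{host}{p.path}"), oauth_encode(normalized)))


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # Key is "<consumer secret>&<token secret>"; the token secret is empty in steps 4-5,
    # when the client holds no token yet.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


CLIENTS = {"sirope-client": "consumer-secret-constructed"}  # registered applications (constructed)
TOKENS: dict[str, dict] = {}  # token -> {"secret", "user", "verifier"}; "user" is bound in steps 6-7
SEEN_NONCES: set[tuple] = set()  # (consumer key, timestamp, nonce) replay cache


def sign_request(method: str, url: str, body: Params, consumer: tuple, token: tuple = ("", "")) -> Params:
    """Client side: add the oauth_* parameters and sign the request."""
    params = body + [("oauth_consumer_key", consumer[0]), ("oauth_nonce", secrets.token_hex(8)),
                     ("oauth_timestamp", "1283990400"), ("oauth_signature_method", "HMAC-SHA1")]
    if token[0]:
        params.append(("oauth_token", token[0]))
    return params + [("oauth_signature", hmac_sha1(base_string(method, url, params), consumer[1], token[1]))]


def verify(method: str, url: str, params: Params) -> dict | None:
    """Server side: recompute the signature; returns the token record ({} when no token) or None."""
    o = dict(kv for kv in params if kv[0].startswith("oauth_"))
    consumer_secret = CLIENTS.get(o.get("oauth_consumer_key", ""))
    token = TOKENS.get(o["oauth_token"]) if "oauth_token" in o else {}
    replay = (o.get("oauth_consumer_key"), o.get("oauth_timestamp"), o.get("oauth_nonce"))
    if consumer_secret is None or token is None or replay in SEEN_NONCES:
        return None
    expected = hmac_sha1(base_string(method, url, params), consumer_secret, token.get("secret", ""))
    if not hmac.compare_digest(expected, o.get("oauth_signature", "")):
        return None
    SEEN_NONCES.add(replay)
    return token


def run_flow(user: str = "alice@example.org") -> dict:
    """Steps 4-11 with both sides in-process; returns what the last leg produced."""
    consumer = ("sirope-client", CLIENTS["sirope-client"])
    initiate, exchange = "https://server.example/oauth/initiate", "https://server.example/oauth/token"
    # 4-5: temporary credential request, signed with the consumer secret only
    req = sign_request("POST", initiate, [("oauth_callback", "oob")], consumer)
    if verify("POST", initiate, req) is None:
        return {"error": "temporary credential request rejected"}
    temp = (secrets.token_hex(8), secrets.token_hex(16))
    TOKENS[temp[0]] = {"secret": temp[1], "user": None, "verifier": secrets.token_hex(4)}
    # 6-7: the user authenticates and authorises at the server (the federation login sits here);
    #      the temporary credential is bound to the user and a verifier goes back via the redirect
    TOKENS[temp[0]]["user"] = user
    verifier = TOKENS[temp[0]]["verifier"]
    # 8-9: temporary credential + verifier are exchanged for the access token (single use)
    req = sign_request("POST", exchange, [("oauth_verifier", verifier)], consumer, temp)
    rec = verify("POST", exchange, req)
    sent = dict(req).get("oauth_verifier", "")
    if rec is None or rec["user"] is None or not hmac.compare_digest(rec["verifier"], sent):
        return {"error": "token exchange rejected"}
    del TOKENS[temp[0]]
    access = (secrets.token_hex(8), secrets.token_hex(16))
    TOKENS[access[0]] = {"secret": access[1], "user": user, "verifier": None}
    # 10-11: resource access signed with consumer secret + access token secret
    url = "https://server.example/api/profile?fields=mail"
    req = sign_request("GET", url, [], consumer, access)
    tampered = verify("GET", url.replace("mail", "eppn"), req)  # signed URL altered in transit
    rec = verify("GET", url, req)
    replayed = verify("GET", url, req)  # same nonce and timestamp presented again
    return {"user": rec["user"] if rec else None, "tamper_ok": tampered is not None, "replay_ok": replayed is not None}
```

`run_flow()` returns the user bound to the access token together with two booleans that a correct server leaves False; the replay cache is keyed on (consumer key, timestamp, nonce) because a nonce alone is only required to be unique per timestamp.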

Page 5: The OAuth2 Assertion Profile

Page 6: Implementing the OAuth2 AP

• OAuth2lib: components supporting the OAuth2 AP
  • Authorization Server
  • Server access control logic
  • Client interface

• The user goes to a Client Application.
• The Client App requires the user to authenticate at a federated IdP, which generates an assertion.
• The Client App sends the assertion it obtained to an Authorization Server. There, a token for a certain user, client, scope and lifetime is generated.
• The Authorization Server sends the generated token to the Client App.
• The Client App acts on behalf of the user and requests the resource from the Server. The token can be reused until it expires.
• The Server returns the resource if the token sent is valid.

Page 7: OAuth2lib AS

• Registered servers
  • Keys
  • Acceptable scopes
• Registered clients
  • Keys
• Policy
  • Clients
  • Attributes
  • Scopes
• Supports SAML and PAPI assertion formats
  • Extensible interface

Page 8: OAuth2lib Server Support

• ASes
  • Keys
• Resources
  • Calls content handlers
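The flow on the "Implementing the OAuth2 AP" slide, together with the AS data (registered servers, clients, policy, assertion parsers) and the Server data (AS keys, resources with content handlers) on the two slides after it, as one added example. It is not OAuth2lib code: the assertion and token encodings (base64url JSON with an HMAC-SHA256 tag, keyed per issuer) stand in for the SAML/PAPI formats and for whatever OAuth2lib really issues, the policy model (client, attribute, value, scope) is an assumption, and every identifier, key and scope is constructed. It shows the AS refusing a forged assertion and a scope the server did not register, the Server honouring the same token repeatedly until it expires, and the content handler acting for the token's subject.

```python
# Added example (not OAuth2lib code); encodings, keys, names, scopes and the policy model are constructed.
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def seal(key: bytes, claims: dict) -> str:
    # "<base64url json>.<hmac-sha256>" stands in for a real assertion (SAML/PAPI) or token format
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())}"


def unseal(keys: dict[str, bytes], sealed: str, issuer_field: str) -> dict | None:
    """Decode the claims, look up the issuer's key, and return the claims only if the MAC checks."""
    body, _, tag = sealed.rpartition(".")
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:
        return None
    key = keys.get(str(claims.get(issuer_field))) if isinstance(claims, dict) else None
    if key is None or not hmac.compare_digest(b64u(hmac.new(key, body.encode(), hashlib.sha256).digest()), tag):
        return None
    return claims


# Assertion parsers by format name: the AS's extensible interface. OAuth2lib's SAML and PAPI
# parsers are not reproduced; one constructed "demo" format is registered instead.
ASSERTION_PARSERS: dict[str, Callable] = {"demo": lambda raw, idp_keys: unseal(idp_keys, raw, "issuer")}


class AuthorizationServer:
    """AS data from the slide: registered servers (keys, acceptable scopes), registered clients (keys), policy."""

    def __init__(self, as_id: str, now: Callable[[], int]) -> None:
        self.id, self.now = as_id, now
        self.idp_keys: dict[str, bytes] = {}   # trusted IdPs, keyed by issuer
        self.servers: dict[str, dict] = {}     # server id -> {"key": bytes, "scopes": set}
        self.clients: dict[str, bytes] = {}
        self.policy: list[tuple[str, str, str, str]] = []  # (client, attribute, value, scope)

    def issue(self, client_id: str, client_key: bytes, fmt: str, assertion: str,
              server_id: str, scope: str, lifetime: int = 600) -> str | None:
        if not hmac.compare_digest(self.clients.get(client_id, b""), client_key):
            return None  # unregistered client or wrong client key
        parse = ASSERTION_PARSERS.get(fmt)
        claims = parse(assertion, self.idp_keys) if parse else None
        if claims is None:
            return None  # unknown format, untrusted issuer or forged assertion
        server = self.servers.get(server_id)
        if server is None or scope not in server["scopes"]:
            return None  # server not registered here, or scope not acceptable for it
        attrs = claims.get("attributes", {})
        if not any(c == client_id and s == scope and attrs.get(a) == v for c, a, v, s in self.policy):
            return None  # no policy rule grants this client this scope for a user with these attributes
        token = {"iss": self.id, "aud": server_id, "sub": claims["subject"], "client": client_id,
                 "scope": scope, "exp": self.now() + lifetime, "jti": secrets.token_hex(8)}
        return seal(server["key"], token)  # MAC key is the one registered for that server only


class ResourceServer:
    """Server support from the slide: AS keys, and resources that call content handlers."""

    def __init__(self, server_id: str, as_keys: dict[str, bytes], now: Callable[[], int]) -> None:
        self.id, self.as_keys, self.now = server_id, as_keys, now
        self.resources: dict[str, tuple[str, Callable[[dict], str]]] = {}  # path -> (scope, handler)

    def access(self, token: str | None, path: str) -> str | None:
        claims = unseal(self.as_keys, token, "iss") if token else None
        resource = self.resources.get(path)
        if claims is None or resource is None:
            return None
        if claims["aud"] != self.id or claims["exp"] <= self.now() or claims["scope"] != resource[0]:
            return None  # token for another server, expired, or lacking the resource's scope
        return resource[1](claims)  # content handler runs on behalf of the token's subject


def demo() -> dict:
    """Wire one AS, one Server and one client together and exercise the flow and its failure cases."""
    clock = [1283990400]  # controllable time so the expiry check can be shown
    idp_key, client_key, server_key = (secrets.token_bytes(32) for _ in range(3))
    aserver = AuthorizationServer("as.sir.example", lambda: clock[0])
    aserver.idp_keys["idp.uni.example"] = idp_key
    aserver.clients["sirope-web"] = client_key
    aserver.servers["sps.sir.example"] = {"key": server_key, "scopes": {"sps:list"}}
    aserver.policy.append(("sirope-web", "affiliation", "member", "sps:list"))
    rs = ResourceServer("sps.sir.example", {"as.sir.example": server_key}, lambda: clock[0])
    rs.resources["/sps"] = ("sps:list", lambda c: f"SPs available to {c['sub']}: sp1, sp2")
    # Constructed assertion from the user's federated IdP (step 2 of the flow)
    who = {"issuer": "idp.uni.example", "subject": "alice@uni.example", "attributes": {"affiliation": "member"}}
    assertion, forged = seal(idp_key, who), seal(b"not-the-idp-key", who)
    token = aserver.issue("sirope-web", client_key, "demo", assertion, "sps.sir.example", "sps:list")
    out = {"first": rs.access(token, "/sps"), "reuse": rs.access(token, "/sps"),
           "forged": aserver.issue("sirope-web", client_key, "demo", forged, "sps.sir.example", "sps:list"),
           "bad_scope": aserver.issue("sirope-web", client_key, "demo", assertion, "sps.sir.example", "sps:admin")}
    clock[0] += 601  # past the 600 s lifetime
    out["expired"] = rs.access(token, "/sps")
    return out
```

Each Server only holds the key of the AS it trusts and the AS keeps one key per registered Server, so a token minted for `sps.sir.example` verifies nowhere else; the `aud` check closes the remaining gap if two Servers were ever given the same key.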

Page 9: OAuth2lib Client Interface

• Federation data
  • How to access and process the received assertion
• OAuth2 data
  • How to access the appropriate AS and server
• Resource data
  • Forwarded to the calling application

Page 10: Deploying OAuth2 AP: SIROPE

• A web-based client offering users access to data related to their status in the SIR federation
  • Currently, available SPs
• An Authorization Server
  • Open to be used by other potential clients at the institutions
• A pilot server application
  • Available SPs for a given user/institution
  • The hub nature of SIR comes to help again

http://www.rediris.es/sir/sirope

Page 11: OAuth2lib beyond SIR

• Access to resources in the AGORA e-learning toolset
  • Fine-grained RESTful AuthR
• Evaluation of OAuth2lib in the OpenSocial environment
  • Collaboration with SURFnet
• Any others welcome

http://www.rediris.es/oauth2/