Friday 25 June 2010

Introspecting Identity with Yadis

Yadis is a powerful tool for service discovery. It answers the question: given an identity URI, what identity services can I invoke on it? The Earth System Grid security architecture has OpenID as its core identity service, but there are others: MyProxy from the Globus toolkit enables users to obtain a short-lived X.509 certificate for SSL-based authentication to secured resources. In addition, there is the SAML Attribute Service, which enables a client to query attribute information about a given subject. Locating these services is a problem, and this was illustrated in a use case recently: a trusted service in the federation would like to notify a user by e-mail. The service has their OpenID but it doesn't have access to the usual attributes available through the Attribute Exchange interface - they're not signed in. How can I query their e-mail address to contact them?

OpenID (v2.0) already supports the Yadis protocol, and its use is mandatory for ESG OpenID Providers. If I HTTP GET a user's identity URI, I get a document containing the OpenID Provider endpoint:

Extending this, I can include the corresponding MyProxy and Attribute Service URIs:


<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://openid.provider.somewhere.ac.uk</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
    <Service priority="1">
      <Type>urn:esg:security:myproxy-service</Type>
      <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
    <Service priority="20">
      <Type>urn:esg:security:attribute-service</Type>
      <URI>https://attributeservice.somewhere.ac.uk</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>

The priority attribute for each <Service/> element lets the client know which is the preferred service for authentication. The Attribute Service is of course not an authentication service but I'd argue it has a place here as it is an identity service. [17/03/11 - Note correction for this use case: each service element is in the single XRD element, not many XRD elements each with a single service element as I had before!]

Taking this a step further, I can combine it with MyProxy's provisioning functionality: the ability to provision a client with the trusted CA certificates it needs to bootstrap trust.

Given an identity URI, I can:
  1. retrieve the Yadis document
  2. parse the MyProxy server endpoint
  3. retrieve the trust roots to bootstrap trust in the identity services for this identity URI.
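
The following sketch of step 2 is an added example, not code from the original post or from ESG. It parses a Yadis document that has already been retrieved and returns the preferred MyProxy endpoint. The function names are hypothetical, the sample is a trimmed copy of the document above, and the rule that a missing priority sorts last follows the XRDS convention that lower values are preferred.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"  # default namespace used by the XRD elements
MYPROXY_TYPE = "urn:esg:security:myproxy-service"

# Trimmed copy of the Yadis document shown in the post.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://openid.provider.somewhere.ac.uk</URI>
    </Service>
    <Service priority="1">
      <Type>urn:esg:security:myproxy-service</Type>
      <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def find_services(xrds, service_type):
    """Return the URIs advertised for service_type, most preferred first."""
    # The document is fetched before any trust is established, so refuse
    # DTDs (and with them entity definitions) before handing it to the parser.
    if b"<!DOCTYPE" in xrds:
        raise ValueError("DTD not expected in an XRDS document")
    matches = []
    for svc in ET.fromstring(xrds).iter(XRD + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]
        if service_type not in types:
            continue
        priority = int(svc.get("priority", 2**31))  # absent priority sorts last
        for uri in svc.findall(XRD + "URI"):
            if uri.text:
                matches.append((priority, uri.text.strip()))
    return [uri for _, uri in sorted(matches)]  # lower value = preferred


def myproxy_endpoint(xrds):
    """Step 2: (host, port) of the preferred MyProxy server."""
    uris = find_services(xrds, MYPROXY_TYPE)
    if not uris:
        raise LookupError("no MyProxy service advertised")
    parts = urlsplit(uris[0])
    if parts.scheme != "socket" or not parts.hostname or parts.port is None:
        raise ValueError("unexpected MyProxy URI: %r" % uris[0])
    return parts.hostname, parts.port
```

The host and port returned would then be handed to a MyProxy client to fetch the trust roots (step 3), which is not shown here.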
