This picking up from where I left off in any earlier post about OAuth. To recap, this
fronts a short-lived credential service with an OAuth 2.0 interface.
This is now being integrated into Contrail described in this paper
just submitted following ISGC. There are few more design
considerations to give some thought to though for its wider deployment. As well as use for
managing delegation around entities in a cloud federation with
Contrail, we are applying this to CEDA's applications and web
services. We have a full Python implementation of both client and
server side for OAuth 2.0 which I hope to push out to PyPI soon.
We're using this to secure our CEDA OGC Web Processing Service and
and Web Map Service. Here though, I want to focus on how we might
integrate with federated identity management system for the Earth System Grid Federation (ESGF). This
is foremost given our involvement with CMIP5.
It's firstly a question of service
discovery, something that need not be addressed for Contrail. The
Contrail system consists of federation layer which abstracts a set of
underlying cloud provider interfaces. Users can manage resources
from each of these collectively through the federation's interface.
The access control system manages identity at the federation level.
A user authenticates with a single federation IdP. When it comes to
the OAuth delegation interface, there are single OAuth Authorisation server and Resource server instances associated with the IdP.
Now consider, ESGF. There are many
IdPs integrated into the federation, so how does the OAuth infrastructure map to this? Imagine,
for example a Web Processing Service hosted at CEDA. A user invokes
a process. This process will access secured data from an OPeNDAP
service. The WPS will therefore need a delegated credential. When
the user requests the process then, the WPS triggers the OAuth flow
redirecting their browser to an OAuth Server but how does the WPS
know where that service is? A simple approach would be to configure
the WPS with an endpoint in its start up settings. This server could
be:
- a global one for the whole federation – clearly this won't scale given the deployment across many organisations
- Associated with the given Service Provider – in this case CEDA
- Associated with the user's IdP
2. could work but now consider the
other steps in the flow: the user is prompted to authenticate with
the OAuth server and approve the delegation i.e. allow the WPS to get
a credential on their behalf. In a federated system, the user could
be from anywhere, they will need to sign in with their IdP. In this
case then, the user enters their OpenID at the OAuth Authorisation server.
Already, this is sounding complicated and potentially confusing for
the user: they've already been redirected away from the WPS to a
central OAuth Authorisation server at CEDA, now they will be redirected again to
their IdP probably somewhere else.
Also, consider the approval process.
Rather then having to approve the delegation every single time the user
invokes the WPS process, they would like the system to remember their approval
decision. The OAuth authorisation server could record a set of user approvals
associated with a profile stored their. However, if we manage approvals at
CEDA, this information will only be scoped within the bounds of
CEDA's services. If the user now goes to use services at another
service provider, they will need to record a fresh set of delegation
approvals. Not a smooth user experience.
Turning to 3., this could scale better.
All approval decisions would be centralised with the OAuth Authorisation server
associated with their IdP. However, there is now a service discovery
problem. Looking at the protocol flow again, the WPS does not know
the location of the user's OAuth Authorisation server endpoint. Given ESGF's already established use of OpenID,
an obvious solution is to leverage Yadis. During OpenID sign in, the Relying Party HTTP GETs the user's OpenID URL returning an XRDS document. This contains the service endpoint for the OpenID Provider. This has already been extended for ESGF to include the MyProxy and Attribute Service endpoints. I'm told that there's some debate in the community about choice of discovery technology with SWD (Simple Web Discovery) as an alternative. Given ESGF's legacy with XRD it makes logical sense to add in the address for the OAuth Authorisation server as an entry into the XRDS document returned.
<?xml version="1.0"; encoding="UTF-8"?> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/signon/1.0</Type> <URI>https://openid.provider.somewhere.ac.uk</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> <Service priority="1"> <Type>urn:esg:security:myproxy-service</Type> <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> <Service priority="10"> <Type>urn:esg:security:oauth-authorisation-server</Type> <URI>https://oauth-authorisation-server.somewhere.ac.uk</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> <Service priority="20"> <Type>urn:esg:security:attribute-service</Type> <URI>https://attributeservice.somewhere.ac.uk</URI> <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID> </Service> </XRD> </xrds:XRDS>
Bringing it together, the delegation flow would start with the Service Provider present an interface to enable the user to select their IdP. This could be by entering a full OpenID URL or preferably picking one from a list of trusted IdPs. The SP could then GET the URL and extract the OAuth Authorisation Server endpoint from the XRDS document returned. From there, the standard OAuth flow would proceed as before.