A RESTful Approach to Identity-based Web Services

Transcription

1 A RESTful Approach to Identity-based Web Services Marc J. Hadley Hubert A. Le Van Gong Sun Microsystems, Inc. 1

2 Outline > Identity-based web services intro > RESTful ID-WSF > OAuth Extensions > Permissioned Data Sharing 2 2

3 Identity-based Web Services? 3 3

4 Identity-based Web Services? Who Identifying the parties Sender Invoker Recipient Target 3 3

5 Identity-based Web Services? Who Identifying the parties Sender Invoker Recipient Target What Resource Locating Addressing 3 3

6 Identity-based Web Services? Who Identifying the parties Sender Invoker Recipient Target What Resource Locating Addressing How Framework Transport Philosophy Security 3 3

7 Identity-based Web Services? Who Identifying the parties Sender Invoker Recipient Target What Resource Locating Addressing How Framework Transport Philosophy Security Why Agreement Policy Privacy 3 3

8 One way to look at it > You surf the web Authenticated once Seamlessly logged in to other sites Single sign-on > You purchase airline tickets & move to another country Your online calendar is updated Your magazine subscription follows Delegated Authorization 4 4

9 # my identities Evolution & Issues # online apps # online relationships 5 5

10 # my identities Evolution & Issues 1 Web browsing, search... # online apps # online relationships 5 5

11 # my identities Evolution & Issues Online banking, n 1 Web browsing, search... n # online apps # online relationships 5 5

12 Evolution & Issues # my identities y Photo sharing, blogs, IM... 3 n Online banking, Web browsing, search... n x # online apps z # online relationships 5 5

13 Evolution & Issues # my identities y Photo sharing, blogs, IM... 3 n Online banking, Web browsing, search... n x # online apps z 4 What we want!! # online relationships 5 5

14 A Continuum of Solutions > Delegated Authentication Single Sign On > Attribute Exchange WS-Federation OpenID SAML Liberty ID-WSF > Delegated Authorization Sharing of attributes OAuth WS-* Some cover it all

15 RESTful? REST is an Architectural Style Set of constraints you apply to the architecture of a distributed system to induce desirable properties RESTful Web Services Application of REST architectural style to services that utilize Web standards Key elements Resources identified by URIs Standard set of methods with well-defined semantics Resource representation format identified with media types Responses contain links that clients traverse to navigate application state Stateless communications 7 7

16 Reduced coupling 8 Why RESTful? Reach Services easily consumed by a variety of clients Alignment Services are part of the Web Services work well with existing infrastructure Bookmark-able Browser friendly Scalable Horizontal scaling Cache friendly Straightforward failover 8

17 First Foray: RESTful ID-WSF > Starting point: Liberty ID-WSF 2.0 Identity-based Web Services Framework Builds on top of Identity federation (e.g. SAML) Provides framework for Data sharing Privacy & security protection Some nice features like Data service template (DST) Interaction service People service 9 9

18 First Foray: RESTful ID-WSF Typical Scenario 10 10

19 First Foray: RESTful ID-WSF Same overall approach Service Association 1 Service Discovery 2 Service Invocation 3 But

20 RESTful Approach - Some key differences > Resource location Resource in SOAP == service endpoint + owner identity Resource in REST == represented by an endpoint (URI) > URI (a resource) MUST be cachable & bookmarkable Correlation issues that potentially require additional security mechanisms > Resource Access SOAP operations define in, say Liberty ID-WSF, overlap with HTTPʼs CRUD operations 12 12

21 RESTful ID-WSF - Service Association > A 2-steps process Registration of a service metadata to a Discovery Service 13 13

22 RESTful ID-WSF - Service Association 14 14

23 RESTful ID-WSF - Service Discovery 15 15

24 RESTful ID-WSF - Service Invocation > Classic use of HTTP CRUD operations but... Add a security token obtained at discovery time Possible use of XPATH-based queries Within the body of the message As parameters of the URI 16 16

25 First Foray: RESTful ID-WSF 17 17

26 Approaching from Another Angle: Extending OAuth OAuth in a Jiffy... HTTP-based protocol Delegated Authorization Allow a service consumer to access a resource hosted at a service provider Browser and non-browser based user authz / consent Signature mechanism to secure HTTP messages However, OAuth core does not support our use cases

27 Approaching from Another Angle: Extending OAuth What follows are ideas being worked on Conveying identity tokens Provisioning & discovering services Leveraging XRDS to describe a userʼs services VRM / Permissioned based data sharing 19 19

28 Extending OAuth - Conveying Identities Alice Hike.com (Alice) Event.com (Bob) 20 20

29 Extending OAuth - Conveying Identities Alice Hike.com (Alice) hiking friends Portable Contact Event.com (Bob) 20 20

30 Extending OAuth - Conveying Identities Alice Hike.com (Alice) hiking friends Portable Contact Event.com (Bob) 20 20

31 Extending OAuth - Conveying Identities Alice Hike.com (Alice) hiking friends Portable Contact ID token A IdP/OP (Alice) ID token A Event.com (Bob) 20 20

32 Extending OAuth - Conveying Identities Alice Hike.com (Alice) hiking friends Portable Contact ID token A IdP/OP (Alice) ID token A ID token A OpenID ID or A... Event.com (Bob) 20 20

33 Extending OAuth - Conveying Identities Alice Hike.com (Alice) hiking friends Portable Contact ID token A IdP/OP (Alice) ID token A ID token A OpenID ID or A... Event.com (Bob) membership query Is A in set for B? Portable Contact 20 20

34 Extending OAuth - Service Provisioning 21 21

35 Permissioned Data Sharing disclose site that consumes data 22 22

36 Typical Federated-Identity Solution identity provider, discovery service... authorize disclose store consumer, relying party, web service consumer... service provider, attribute authority, web service provider

37 OAuth Solution disclose store consumer authorize service provider 24 24

38 Functional Requirements > Support the notion of a "relationship management" service that an individual can access as an interface mode separate from authenticating to networked applications > Allow an individual to select policies and enforceable contract terms that govern the granting of responding-service access to requesting services > Allow an individual to conduct short-term and long-term management of access relationships, including modifying the conditions of access or terminating the relationship entirely > Allow an individual to audit and monitor various aspects of access relationships > Allow requesting services to interact directly with responding services in a fashion guided by policy while an individual is offline, reserving real-time user approval for extraordinary circumstances > Allow requesting services to interact with multiple responding services associated with the same individual 25 25

39 Relationship Manager Solution disclose store consumer contract authorize service provider relationship manager 26 26

40 Relationship Manager Solution disclose store consumer contract authorize service provider relationship manager identity provider, discovery service 26 26

41 High-Level Overview of Interactions 27 27

42 Next Steps for This Work Further use case development IIW and other venues... Protocol development in Kantara Coordinating with related communities OAuth, CX, XACML, uapprove, Mine!, Mydex, r-cards... Seeking collaboration on implementations OpenSSOʼs OAuth extension (imminently) Other open source projects 28 28

43 Useful Technologies... > Jersey ( RESTful framework for Java developers > OAuth Signature Library (both client & server) Java-based - smooth integration with Jersey (filters) RESTful implementation. > OpenSSO ( Access management, SSO etc

44 Conclusion > Still early days for this work > Lots of compelling use cases > Protocols under active developments OAuth (community & IETF), Kantara Initiative etc. XRDS

45 Marc J. Hadley Hubert A. Le Van Gong marc.hadley at Sun.Com hubert.levangong at Sun.Com