REST/SOAP Harmonization proposal for Identity-based Web-Services

Similar documents
A RESTful Approach to Identity-based Web Services

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

Telco Working Group. Kantara Initiative Summit 2011 Trust Framework Model and IdM Summit

SAML V2.0 Profile for Token Correlation

Test Assertions for the SCA Web Service Binding Version 1.1 Specification

Deployment Profile Template Version 1.0 for WS-Reliability 1.1

OASIS - Artifact naming guidelines

OIO WS-Trust Profile. Version 1.0. IT- & Telestyrelsen October 2009

Metadata for SAML 1.0 Web Browser Profiles

Working Group Charter: Basic Profile 1.2 and 2.0

IETF TRUST. Legal Provisions Relating to IETF Documents. Approved November 6, Effective Date: November 10, 2008

Implementing a Ground Service- Oriented Architecture (SOA) March 28, 2006

API Security Management SENTINET

IETF TRUST. Legal Provisions Relating to IETF Documents. February 12, Effective Date: February 15, 2009

Joint Initiative on a PSD2 Compliant XS2A Interface NextGenPSD2 XS2A Framework Operational Rules

System Architecture Model Version 1.1 WV Tracking Number: WV-020

Federated Web Services with Mobile Devices

TestCases for the SCA Assembly Model Version 1.1

XDI Requirements and Use Cases

Working Group Charter: Web Services Basic Profile

Moving Digital Identity to the Cloud, a Fundamental Shift in rethinking the enterprise collaborative model.

Metadata for SAML 1.0 Web Browser Profiles

ETSI TS V ( )

Enhanced Client Profile (PAOS-LECP) Solution Proposal for SAML 2.0

Next-Generation SOA Infrastructure. An Oracle White Paper May 2007

Kerberos SAML Profiles

SCA-J POJO Component Implementation v1.1 TestCases Version 1.0

Network Working Group. Category: Informational April A Uniform Resource Name (URN) Namespace for the Open Geospatial Consortium (OGC)

TestCases for the SCA Web Service Binding Specification Version 1.1

Identity Federation Requirements

Security Assertions Markup Language (SAML)

SSTC Response to Security Analysis of the SAML Single Sign-on Browser/Artifact Profile

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

TestCases for the SCA POJO Component Implementation Specification Version 1.1

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006

Authentication in the Cloud. Stefan Seelmann

TCG Physical Security Interoperability Alliance IP Video Use Case 002 (PSI-UC-IPV002) Specification Version 1.0 Revision 0.2

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

StorageGRID Webscale NAS Bridge Management API Guide

Services and Identity Management Contents. A Basic Web Service. Web applications. Applications and Services

Oracle Utilities Opower Solution Extension Partner SSO

Cross-Operator Identity Services. 13. January 2012, Telekom Innovation Laboratories

TestCases for the SCA Web Service Binding Specification Version 1.1

Leveraging OpenID To connect Vehicle to the Cloud

Basic Profile 1.0. Promoting Web Services Interoperability Across Platforms, Applications and Programming Languages

OPENID CONNECT 101 WHITE PAPER

Technical Overview. Version March 2018 Author: Vittorio Bertola

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

[GSoC Proposal] Securing Airavata API

API Security Management with Sentinet SENTINET

Web Services Security XCBF Token Profile

RFC 4871 DomainKeys Identified Mail (DKIM) Signatures -- Update draft-ietf-dkim-rfc4871-errata-03-01dc

UMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group

Level of Assurance Authentication Context Profiles for SAML 2.0

Abstract Code-Signing Profile of the OASIS Digital Signature Services

ISO/IEC INTERNATIONAL STANDARD. Information technology Multimedia framework (MPEG-21) Part 21: Media Contract Ontology

Realisation of SOA using Web Services. Adomas Svirskas Vilnius University December 2005

5 OAuth Essentials for API Access Control

SAML V2.0 EAP GSS SSO Profile Version 1.0

SAML V2.0 Profile for Mandator Credentials

API Gateway. Version 7.5.1

SOA-Tag Koblenz 28. September Dr.-Ing. Christian Geuer-Pollmann European Microsoft Innovation Center Aachen, Germany

Web Services Security: XCBF Token Profile

Sentinet for BizTalk Server SENTINET

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

We are ready to serve Latest Testing Trends, Are you ready to learn? New Batch Details

Service Component Architecture Client and Implementation Model for C++ Test Cases Version 1.1

XEP-0206: XMPP Over BOSH

DECISION OF THE EUROPEAN CENTRAL BANK

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

Ecma International Policy on Submission, Inclusion and Licensing of Software

National Identity Exchange Federation. Terminology Reference. Version 1.0

Request for Comments: K. Norrman Ericsson June 2006

CDM Implementation Requirements

HTNG Web Services Product Specification. Version 2011A

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 2: Software identification tag

Cloud Access Manager Overview

Allowing the user to define the attribute release 21 May 2014

Identity as a Platform Service

ISO/IEC INTERNATIONAL STANDARD

Network Working Group Request for Comments: 3937 Category: Informational October 2004

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Lesson 3 SOAP message structure

Identity-Enabled Web Services

Enabler Release Definition for Parlay Service Access

Dell One Identity Cloud Access Manager 8.0. Overview

Lesson 13 Securing Web Services (WS-Security, SAML)

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

5 OAuth EssEntiAls for APi AccEss control layer7.com

Test Assertions for the SCA Assembly Model Version 1.1 Specification

Web Services Security SOAP Messages with Attachments (SwA) Profile 1.0 Interop 1 Scenarios

SAML-Based SSO Solution

OIX DDP. Open-IX Document Development Process draft July 2017

Interagency Advisory Board Meeting Agenda, August 25, 2009

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]

Network Working Group Internet-Draft October 27, 2007 Intended status: Experimental Expires: April 29, 2008

Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity

XEP-0399: Client Key Support

Access Control Service Oriented Architecture

Transcription:

1 2 3 4 5 6 7 8 9 REST/SOAP Harmonization proposal for Identity-based Web-Services Version: 0.4 Date: 2012-10-16 10 11 Editor: Contributors: Gaël Gourmelen, Orange 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Fulup Ar Foll, Oracle Ingo Friese, Deutsche Telekom AG Jonas Högberg, EricssonKeith Uber, Ubisecure Solutions, Inc. Status: This document is a that has been approved by the Telecommunications Identity WG/DG (see section 3.9 and 4 of the Kantara Initiative Operating Procedures) Abstract: The aim of this document is to propose a solution in order to provide an easy and consistent way for both Web Service Clients and Web Service Providers to respectively invoke or expose Identity-based APIs through both REST and SOAP flavors, taking into account both legacy aspects and growing adoption of the OAuth standard. Filename: kantara-draft-report-tiwg-rest-soap-harmonization-proposal-0.4 1

29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 Notice: This document has been prepared by Participants of Kantara Initiative. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce portions of this document for other uses must contact Kantara Initiative to determine whether an appropriate license for such use is available. Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants of and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights. This Specification is provided "AS IS," and no Participant in the Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third party intellectual property rights, and fitness for a particular purpose. Implementers of this Specification are advised to review the Kantara Initiative s website (http://) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Trustees. The content of this document is copyright of Kantara Initiative. 2012 Kantara Initiative. 2

51 52 53 54 55 56 57 58 59 60 Contents 1 INTRODUCTION... 4 2 PROPOSAL... 6 2.1 Principles...6 2.2 WS-Security OAuth Access Token profile...7 2.3 Use of the ID-WSF Basic SOAP Binding...7 3 REFERENCES... 9 3.1 Informative...10 3

61 62 63 64 65 66 67 68 69 70 71 72 73 1 INTRODUCTION REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) are two different approaches for the implementation of Web Services. REST is Resource-oriented whereas SOAP is Activity-oriented. The type of application and the service it offers determines if REST or SOAP is more suitable ; though one can still argue that we can use SOAP or REST indifferently for these two kinds of services (with a bit of tweaking). To acknowledge the fact that both approaches can still make sense, here are some criteria that clearly distinguish in which case REST or SOAP is still more appropriate: REST may be appropriate when The Web Services are completely stateless. A caching infrastructure can be leveraged for performance, and the service is to a large extent static. The interface can be exposed through standard CRUD operations (Create, Read, Update, and Delete). The Web Service Client and the Web Service Provider have a mutual understanding of the context and content being passed along. Client applications are browser-based implementations (e.g. based on AJAX). SOAP may be appropriate when The Web Services are stateful and dynamic. A formal contract must be established to describe the interface that the Web Service offers (WSDL). Advanced security patterns (including but not limited to end-to-end messagelevel security) are required. The architecture must address complex nonfunctional requirements such as Transaction, Security, Addressing, Trust, Coordination and so on. With REST, developers must build this plumbing into the application layer themselves. Operations (actions) are specific to the service and go beyond basic CRUD operations. The architecture needs to handle asynchronous processing and invocation. Even if REST is more and more used mainly as it is simpler to implement, the characteristics of SOAP (extreme definition and data type declaration with XML Schemas type, value ranges, etc) correspond to what we are used to in telecom 4

74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 standards (e.g.: OMA Parlay X APIs, OMA SUPM, 3GPP GUP, ). That explains why some Telco APIs are still specified in either or both flavors. Legacy aspects will also lead to situations where telecommunication operators will expose both REST and SOAP APIs (e.g.: some Orange APIs opened to partners such as Billing are still SOAP APIs whereas others such as User Profile are REST APIs). In the case of Identity-based Web Services, the support of both REST and SOAP APIs brings however more complexity for both Web Service Providers and Web Service Clients if they need to support different Identity-based Web Services frameworks to handle common functions related to identity management, security, authorization... These functions are required to ensure that the access to the exposed resources is wellauthorized for the requesting Web Service Client, acting on behalf of an end-user. In the SOAP area, frameworks such as Liberty ID-WSF provide protocols and core components (ID-WSF Discovery Service and Interaction Service notably) to handle all these aspects in conjunction with a Federation Framework. In the REST area, the OAuth specifications handle these aspects through the delivery of an Access Token delivered to an authenticated Web Service Client upon approval by the end-user. As OAuth is today more and more adopted in the REST area 1 (more than ID-WSF in the SOAP area), the aim of this document is to describe how it can also be used to secure the access to SOAP APIs and thus providing an easy and consistent way for both Web Service Clients and Web Service Providers to respectively invoke or expose Identitybased APIs through both REST and SOAP flavors. 1 Important actors like Facebook, Google, Microsoft, Twitter, and Yahoo already deployed OAuthcompliant APIs. 5

99 100 101 102 103 104 105 106 107 108 109 110 111 2 PROPOSAL 2.1 Principles The proposal is here to rely on OAuth mechanisms to allow the user to control the access to his/her exposed resources and grant authorizations to requesting services (Web Service Clients) in both REST and SOAP contexts 2. Concretely, a WS Consumer/Client has to implement the protocol flows defined in [OAuth2] (or [OpenIDConnect] or [OAuth2Saml2]) to obtain an «OAuth Access Token». These tokens represent an authorization issued to the WS Consumer/Client with specific scopes (potentially multiple APIs exposed by the telecommunication operator in our context) and durations of access, granted by the resource owner (user), and enforced by the resource server and authorization server. 112 2 Note that a proposal also exists to extend the usage of the OAuth framework for non-http-based protocols: http://tools.ietf.org/id/draft-mills-kitten-sasl-oauth-04.txt. This can be seen as complementary to the approach proposed in our document for REST and SOAP APIs in order to provide even further harmonization between HTTP-based and non-http-based protocols. 6

113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 This token is then conveyed in both REST (as specified in [OAuth2]) and SOAP calls. For SOAP calls, the proposal is to convey the OAuth Access token in a <wsse:security> SOAP header as profiled in the following chapter (only OAuth2 Bearer Access tokens are considered at this stage). This would be the minimal step in order to be able to reuse standard XML Signature mechanisms to securely bind the OAuth Access Token to the SOAP message. A further step would be to support the ID-WSF Basic SOAP Binding [LIB-Basic-SOAP] to benefit from additional messaging-specific features. 2.2 WS-Security OAuth Access Token profile The <wsse:binarysecuritytoken> element is introduced in the WSS: SOAP Message Security [WSS] document as a way of conveying any encoded binary security token in a <wsse:security> SOAP header. The use of this element to convey OAuth Bearer Access tokens mainly requires the definition of a new value ("#OAuth2-Bearer" standard value and associated namespace to be defined in relevant standard organization, for example OASIS) for its ValueType attribute in order to clearly distinguish OAuth Bearer Access tokens from other types of binary tokens. <wsse:security mustunderstand="1"> <wsu:timestamp wsu:id="ts"> <wsu:created>2011-05-17t04:49:17z</wsu:created > </wsu:timestamp> <wsse:binarysecuritytoken ValueType="#OAuth2-Bearer" EncodingType="wsse:Base64Binary">7Fjfp0ZBr1KtDRbnfVdmIw</wss e:binarysecuritytoken> </wsse:security> Depending on agreements between Web Service Client and Web Service Provider, the exchanged SOAP messages can be integrity protected by implementing the signature mechanisms defined in [WSS]. 2.3 Use of the ID-WSF Basic SOAP Binding The ID-WSF Basic SOAP Binding [LIB-Basic-SOAP] provides a profile that is intended to be a basic, scaled-down version of the Liberty ID-WSF 2.0 SOAP Binding Specification and Security Mechanisms 2.0. As specified in [LIB-Basic-SOAP], the following header blocks MUST be included in the SOAP header: 7

142 143 144 145 146 147 148 149 150 151 <wsa:messageid> <wsa:relatesto> (mandatory on response) <wsa:action> <sbf:framework> <wsse:security> The following headers MAY be included in the SOAP header: <wsa:to> [LIB-Basic-SOAP] can be used as a basis to define Identity-based SOAP Web Services except that, in our context, it MUST also support the WS-Security OAuth Access Token profile defined above. 8

152 153 154 155 156 157 158 3 CONCLUSION This document proposes a simple solution in order to provide an easy and consistent way for both Web Service Clients and Web Service Providers to respectively invoke or expose Identity-based APIs through both REST and SOAP flavors. It enables APIs providers to rely on OAuth to secure the access to their APIs in a uniform way with minimal impacts on existing SOAP APIs (legacy aspects). 9

159 160 161 162 163 4 REFERENCES 4.1 Informative [OAuth2] Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth 2.0 Authorization Protocol", draft-ietf-oauth-v2-23 (work in progress), January 2012. [OpenIDConnect] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, OpenID Connect Standard 1.0, December 2011. [OAuth2Saml2] Mortimore, C., "SAML 2.0 Bearer Assertion Profiles for OAuth 2.0", draft-ietf-oauth-saml2-bearer-08 (work in progress), August 2011. [WSS] Web Services Security: SOAP Message Security 1.1, OASIS Standard, 1 February 2006. [LIB-Basic-SOAP] Liberty ID-WSF Basic SOAP Binding Specification, version 1.0, Liberty Alliance Project 10

164 165 166 167 168 169 170 171 172 173 174 175 176 Revision History 0.1 Initial draft 0.2 Integration of comments received from the Kantara Initiative Telecommunication Identity Work Group 0.3 Additional comments from the Kantara Initiative Telecommunication Identity Work Group 0.4 Approval by the Kantara Initiative Telecommunication Identity Work Group 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback