extending oauth2 to join local services into a federative
play

Extending OAuth2 to Join Local Services into a Federative SOA M. - PowerPoint PPT Presentation

Oct 31, 2023 •5 likes •175 views

Extending OAuth2 to Join Local Services into a Federative SOA M. Politze IT Center RWTH Aachen University Where are we now? You are here! 20 km Source: http://www.wissenschaft.nrw.de/studium/informieren/hochschulkarte-nrw/ 3 Extending

  1. Extending OAuth2 to Join Local Services into a Federative SOA M. Politze IT Center RWTH Aachen University

  2. Where are we now? You are here! 20 km Source: http://www.wissenschaft.nrw.de/studium/informieren/hochschulkarte-nrw/ 3 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  3. Setting Support the core processes: Teaching, Learning and Research • Connect legacy systems with a single, consistent API • Develop an SOA that fits to the processes at the university  Start with eLearning  Generalize and try to apply to other fields:  Campus Management, Identity Management  Research Data Management / eScience • Security by design  Confidentiality  Integrity  Availability • Protect personal and confidential data 4 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  4. OAuth2 at Commercial Service Providers • Tightly coupled with their web services  Authorization for local scopes  Used for applications • Applications using multiple services still require multiple logins  1:1 mapping of services and logins  Hinders crossing system boundaries for process supporting application • Authentication via authorization  Use user info supplied by a service to identify the user  Leads to possible security vulnerabilities [1] [1] R. Yang, W. C. Lau, and T. Liu, Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0, in Black Hat Europe, 2016. 5 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  5. OAuth2 at RWTH Aachen University • Secure, device based Authorizations  (De)Authorizations via Webinterface  No credentials are passed to apps • OAuth2 as a service  Integrates Shibboleth as authentication  Possibility to provide a federative service (DFN, …) • Established at RWTH  RWTHApp has ~20.000 active users  Procedure scales across different applications 6 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  6. A Bit More Detail? 7 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  7. Security Implications • The token service is the authority • The token service is trusted • Users are known • Applications and web services are separated 8 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  8. Problem Statement OAuth2 Workflows allow apps to cross system boundaries • … because apps and systems are known to the OAuth2 server • … because each user is known to the OAuth2 server • … because systems trust the OAuth2 server to handle authorizations Can we always assume this? No 9 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  9. Partially Solved! University B Inf Inf Inf Inf Inf Inf OAuth Token Service OAuth Token Service Inf Inf Inf University A O RWTH Aachen 10 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  10. Long Answer • Ferderated services (SaaS)  Offered by one University  Members of other Universities may use  Likely each University has on OAuth2 server • Suppose an app is using APIs from several services  User needs to log in multiple times  Application has to decide which are the correct servers  User likely has many places to manage authorizations • Services need validate authorizations  May need to query multiple servers  Have to establish a trust relationship to all authorization servers 11 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  11. Security Implications • The token service is the authority • The token service is trusted • Users are known • Applications and web services are separated ? 12 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  12. Goals Always use the home institution • Let users manage their authorizations at their home institution • Let applications request authorizations from their home institution • Let services validate authorizations in their home institution Reuse existing technology for federated (web) applications Build a federated OAuth infrastructure 13 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  13. OAuth2 Federated Workflow 14 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  14. Establishing Authority / Trust • Local OAuth2 service remains authority {  … for apps ...  … for services "token_services" : { "https://oauth.example.com" : {  … for users "displayName" : "Example University", "namespace" : "example.com", "key" : "-----BEGIN PUBLIC KEY-----\nMIGfM...", • Discover remote OAuth2 "endpoints" : { services "authorize" : "https://oauth.example.com/authorize", "code" : "https://oauth.example.com/code", "token_info" : "https://oauth.example.com/token_info", "context" : "https://oauth.example.com/context" • Trust is established to local } OAuth2 service },  Local OAuth2 trusts remote ... } services in the federation  Hides complexity of the federation } from developers 15 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  15. Knowing the User • Transfer user information on validation  Reuse existing eduPerson sheme  Likely sufficient for many services • Use namespaces to distinguish users  Reuse existing namespaces (scopes)  Tie user IDs to the ones delivered by authentication infrastructure { "isValid" : true, "application" : "ahcndwlsajcnalfejalsd@example.com", "mail" : "max.power@example.com", "displayName" : "Max Power", "eduPersonPrincipalName" : "anpqr7d@example.com", "eduPersonScopedAffiliation" : "student@example.com" } 16 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  16. Conclusion • Rising need to share services among Universities  Highly decentralized environments  Reuse of existing techniques is mandatory • Rising demand among researchers and students  … to customize tools  … to combine existing systems • Federated OAuth2 may satisfy some demands • Currently evaluating proof-of-concept  Two OAuth instances operated at RWTH Aachen  In cooperation with Forschungszentrum Jülich 17 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  17. Thank you for your attention Vielen Dank für Ihre Aufmerksamkeit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Local Government and Reconstruction: Extending Rural Water Services and Evolving Practices 6 th

Local Government and Reconstruction: Extending Rural Water Services and Evolving Practices 6 th

Republic of Sierra Leone Local Government and Reconstruction: Extending Rural Water Services and Evolving Practices 6 th RWSN Forum, Kampala, 29 th November 01 December 2011 Ing. Lamin Souma Ag. Chief Engineer, Water Supply Division

170 views • 13 slides
shape your local Maternity Services? We need families who have recently used these services and

shape your local Maternity Services? We need families who have recently used these services and

Would you like to help shape your local Maternity Services? We need families who have recently used these services and local maternity staff to join us, share their views and experiences, and help us co-produce our Local Maternity Services.

467 views • 5 slides
From OAuth1 to OAuth2 with Apache CXF and Hawk Sergey Beryozkin, T alend What is Apache CXF ?

From OAuth1 to OAuth2 with Apache CXF and Hawk Sergey Beryozkin, T alend What is Apache CXF ?

From OAuth1 to OAuth2 with Apache CXF and Hawk Sergey Beryozkin, T alend What is Apache CXF ? Production quality Java framework for developing REST and SOAP web services CXF 3.0.2: JAX-RS 2.0, JAX-WS 2.2 Major focus on the web

230 views • 22 slides
1 Join more than 1,000 attendees, Municipal Marketplace including local government leaders A

1 Join more than 1,000 attendees, Municipal Marketplace including local government leaders A

1 Join more than 1,000 attendees, Municipal Marketplace including local government leaders A wide variety of services and products essential from throughout the state and company to running your municipality will be exhibited at

307 views • 9 slides
1 Weve invited you to join us for this informational meeting because collaborative efforts

1 Weve invited you to join us for this informational meeting because collaborative efforts

1 Weve invited you to join us for this informational meeting because collaborative efforts involving federal, state, and local partners are ongoing in your local area to get a more holistic picture of local flood hazards, risks and mitigation

192 views • 16 slides
Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, CAS Joint work with Dong Lu, Dingkang Wang and Jie Zhou July 16-19, 2018, City University of New

571 views • 39 slides
Debugging of optimized code: Extending the lifetime of local variables and parameters Wolfgang

Debugging of optimized code: Extending the lifetime of local variables and parameters Wolfgang

Debugging of optimized code: Extending the lifetime of local variables and parameters Wolfgang Pieb October 18, 2017 Motivation Local variables and parameters (including the this pointer) are often optimized away soon after the last point

663 views • 9 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
Extending Cloud Foundry with new Services #cloudcredo #cloudfoundry 4832 Roadmap What is

Extending Cloud Foundry with new Services #cloudcredo #cloudfoundry 4832 Roadmap What is

Extending Cloud Foundry with new Services #cloudcredo #cloudfoundry 4832 Roadmap What is Cloud Foundry? Why would I want one? Your PaaS should be hackable Extending with new Services The Future 4832 Why Cloud

452 views • 27 slides
Extending INET Framework for Directional and Asymmetrical Wireless Communications Paula Uribe 2

Extending INET Framework for Directional and Asymmetrical Wireless Communications Paula Uribe 2

MASCOTTE Join Project Team INRIA-CNRS-UNSA. Sophia Antipolis. France c e n t r e d e r e c h e r c h e Extending INET Framework for Directional and Asymmetrical Wireless Communications Paula Uribe 2 Juan-Carlos Maureira 1 Olivier Dalle 1 1

688 views • 66 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
The Social Services Research Group and why you should join Social Services Research Group The

The Social Services Research Group and why you should join Social Services Research Group The

The Social Services Research Group and why you should join Social Services Research Group The network for research, information, planning and performance across social care and health services for children and adults What is SSRG? The

394 views • 8 slides
Extending the Emergency Medical Services network for out-of-hospital cardiac arrest victims An

Extending the Emergency Medical Services network for out-of-hospital cardiac arrest victims An

Extending the Emergency Medical Services network for out-of-hospital cardiac arrest victims An explorative study for the province of Drenthe Tef Jansma Master thesis University of Groningen supervisors: Dr. ir. Durk-Jouke van der Zee

439 views • 17 slides
Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++ Debugging 2 ns Directory Structure ns-allinone Tcl8.3 TK8.3 OTcl tclcl ns-2 nam-1 ... tcl C+ + code ex test mcast ... lib examples

965 views • 52 slides
Welcome to tonight's webinar. It will start at 7:30 pm AEST. Join a local Veteran-Focussed Mental

Welcome to tonight's webinar. It will start at 7:30 pm AEST. Join a local Veteran-Focussed Mental

29/05/2018 Welcome to tonight's webinar. It will start at 7:30 pm AEST. Join a local Veteran-Focussed Mental Health Professionals Network: Networks are currently located in the following areas: Brisbane Townsville Perth

346 views • 15 slides
Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2 and OpenID Connect to Science Gateways https://tools.ietf.org/html/rfc6749 Three Layers of Science Gateway Cyberinfrastructure Tenants Resources

813 views • 43 slides
F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services Matthew Burnside and

F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services Matthew Burnside and

F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services Matthew Burnside and Angelos D. Keromytis Department of Computer Science Columbia University { mb, angelos } @cs.columbia.edu ISC 2009 Motivation Identity-related

831 views • 33 slides
Yegge on SOA Doug Woos Logistics notes Lab 3a due Wednesday - Other lab deadlines pushed back

Yegge on SOA Doug Woos Logistics notes Lab 3a due Wednesday - Other lab deadlines pushed back

Yegge on SOA Doug Woos Logistics notes Lab 3a due Wednesday - Other lab deadlines pushed back two days Next few lectures all have associated readings Today Yegge essay - Summary - Small-group discussion - Whole-class discussion (Will this

428 views • 16 slides
What SOA can do for Software Dependability Karl M. Gschka Karl.Goeschka@tuwien.ac.at Vienna

What SOA can do for Software Dependability Karl M. Gschka Karl.Goeschka@tuwien.ac.at Vienna

What SOA can do for Software Dependability Karl M. Gschka Karl.Goeschka@tuwien.ac.at Vienna University of Technology Overview Dependability challenges Control loop: Adaptivity and evolution The SOA potential Challenges of

627 views • 38 slides
How I make slides in L A T EX Dennis Chao Department of Computer Science University of New

How I make slides in L A T EX Dennis Chao Department of Computer Science University of New

How I make slides in L A T EX Dennis Chao Department of Computer Science University of New Mexico dlchao@cs.unm.edu August 2003 Outline Introduction Using the foils package Conclusions 1 Introduction Why I make slides in L A T

768 views • 8 slides
SOA and ESB Mark Jeynes IBM Software, Asia Pacific jeynesm@au1.ibm.com Agenda Service

SOA and ESB Mark Jeynes IBM Software, Asia Pacific jeynesm@au1.ibm.com Agenda Service

SOA and ESB Mark Jeynes IBM Software, Asia Pacific jeynesm@au1.ibm.com Agenda Service Orientation SCA / SDO Process Choreography WS-BPEL Enterprise Service Bus Demonstration WebSphere Integration Developer

593 views • 20 slides
Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N. McDonough Archivist and Library Manager at the Kettering Foundation Owned by one cat Crash and Burn One fails toward success.

434 views • 7 slides
A Touch of Calculus: Shaking Up the Pre-Requisite Structure of College Mathematics Rick Cleary,

A Touch of Calculus: Shaking Up the Pre-Requisite Structure of College Mathematics Rick Cleary,

A Touch of Calculus: Shaking Up the Pre-Requisite Structure of College Mathematics Rick Cleary, Babson College Electronic Seminar on Math Education September 15, 2020 Thanks! To Haynes Miller and Tara Holm for the invitation. To

810 views • 48 slides
Towards Scalable SoC Security Validation Sujit Kumar Muduli Indian Institute of Technology,

Towards Scalable SoC Security Validation Sujit Kumar Muduli Indian Institute of Technology,

Towards Scalable SoC Security Validation Sujit Kumar Muduli Indian Institute of Technology, Kanpur Objective Proving confidentiality and integrity show execution traces are indistinguishable to untrusted entity Instance 1 Instance 2 AES

176 views • 3 slides

More recommend