extending oauth2 to join local services into a federative
play

Extending OAuth2 to Join Local Services into a Federative SOA M. - PowerPoint PPT Presentation

Oct 31, 2023 •5 likes •175 views

Extending OAuth2 to Join Local Services into a Federative SOA M. Politze IT Center RWTH Aachen University Where are we now? You are here! 20 km Source: http://www.wissenschaft.nrw.de/studium/informieren/hochschulkarte-nrw/ 3 Extending

  1. Extending OAuth2 to Join Local Services into a Federative SOA M. Politze IT Center RWTH Aachen University

  2. Where are we now? You are here! 20 km Source: http://www.wissenschaft.nrw.de/studium/informieren/hochschulkarte-nrw/ 3 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  3. Setting Support the core processes: Teaching, Learning and Research • Connect legacy systems with a single, consistent API • Develop an SOA that fits to the processes at the university  Start with eLearning  Generalize and try to apply to other fields:  Campus Management, Identity Management  Research Data Management / eScience • Security by design  Confidentiality  Integrity  Availability • Protect personal and confidential data 4 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  4. OAuth2 at Commercial Service Providers • Tightly coupled with their web services  Authorization for local scopes  Used for applications • Applications using multiple services still require multiple logins  1:1 mapping of services and logins  Hinders crossing system boundaries for process supporting application • Authentication via authorization  Use user info supplied by a service to identify the user  Leads to possible security vulnerabilities [1] [1] R. Yang, W. C. Lau, and T. Liu, Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0, in Black Hat Europe, 2016. 5 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  5. OAuth2 at RWTH Aachen University • Secure, device based Authorizations  (De)Authorizations via Webinterface  No credentials are passed to apps • OAuth2 as a service  Integrates Shibboleth as authentication  Possibility to provide a federative service (DFN, …) • Established at RWTH  RWTHApp has ~20.000 active users  Procedure scales across different applications 6 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  6. A Bit More Detail? 7 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  7. Security Implications • The token service is the authority • The token service is trusted • Users are known • Applications and web services are separated 8 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  8. Problem Statement OAuth2 Workflows allow apps to cross system boundaries • … because apps and systems are known to the OAuth2 server • … because each user is known to the OAuth2 server • … because systems trust the OAuth2 server to handle authorizations Can we always assume this? No 9 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  9. Partially Solved! University B Inf Inf Inf Inf Inf Inf OAuth Token Service OAuth Token Service Inf Inf Inf University A O RWTH Aachen 10 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  10. Long Answer • Ferderated services (SaaS)  Offered by one University  Members of other Universities may use  Likely each University has on OAuth2 server • Suppose an app is using APIs from several services  User needs to log in multiple times  Application has to decide which are the correct servers  User likely has many places to manage authorizations • Services need validate authorizations  May need to query multiple servers  Have to establish a trust relationship to all authorization servers 11 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  11. Security Implications • The token service is the authority • The token service is trusted • Users are known • Applications and web services are separated ? 12 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  12. Goals Always use the home institution • Let users manage their authorizations at their home institution • Let applications request authorizations from their home institution • Let services validate authorizations in their home institution Reuse existing technology for federated (web) applications Build a federated OAuth infrastructure 13 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  13. OAuth2 Federated Workflow 14 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  14. Establishing Authority / Trust • Local OAuth2 service remains authority {  … for apps ...  … for services "token_services" : { "https://oauth.example.com" : {  … for users "displayName" : "Example University", "namespace" : "example.com", "key" : "-----BEGIN PUBLIC KEY-----\nMIGfM...", • Discover remote OAuth2 "endpoints" : { services "authorize" : "https://oauth.example.com/authorize", "code" : "https://oauth.example.com/code", "token_info" : "https://oauth.example.com/token_info", "context" : "https://oauth.example.com/context" • Trust is established to local } OAuth2 service },  Local OAuth2 trusts remote ... } services in the federation  Hides complexity of the federation } from developers 15 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  15. Knowing the User • Transfer user information on validation  Reuse existing eduPerson sheme  Likely sufficient for many services • Use namespaces to distinguish users  Reuse existing namespaces (scopes)  Tie user IDs to the ones delivered by authentication infrastructure { "isValid" : true, "application" : "ahcndwlsajcnalfejalsd@example.com", "mail" : "max.power@example.com", "displayName" : "Max Power", "eduPersonPrincipalName" : "anpqr7d@example.com", "eduPersonScopedAffiliation" : "student@example.com" } 16 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  16. Conclusion • Rising need to share services among Universities  Highly decentralized environments  Reuse of existing techniques is mandatory • Rising demand among researchers and students  … to customize tools  … to combine existing systems • Federated OAuth2 may satisfy some demands • Currently evaluating proof-of-concept  Two OAuth instances operated at RWTH Aachen  In cooperation with Forschungszentrum Jülich 17 Extending OAuth2 to Join Local Services into a Federative SOA Marius Politze EUNIS 2017, 08.06.2017

  17. Thank you for your attention Vielen Dank für Ihre Aufmerksamkeit

Recommend

Local Government and Reconstruction: Extending Rural Water Services and Evolving Practices 6 th

Local Government and Reconstruction: Extending Rural Water Services and Evolving Practices 6 th

Republic of Sierra Leone Local Government and Reconstruction: Extending Rural Water Services and Evolving Practices 6 th RWSN Forum, Kampala, 29 th November 01 December 2011 Ing. Lamin Souma Ag. Chief Engineer, Water Supply Division

170 views • 13 slides
shape your local Maternity Services? We need families who have recently used these services and

shape your local Maternity Services? We need families who have recently used these services and

Would you like to help shape your local Maternity Services? We need families who have recently used these services and local maternity staff to join us, share their views and experiences, and help us co-produce our Local Maternity Services.

467 views • 5 slides
From OAuth1 to OAuth2 with Apache CXF and Hawk Sergey Beryozkin, T alend What is Apache CXF ?

From OAuth1 to OAuth2 with Apache CXF and Hawk Sergey Beryozkin, T alend What is Apache CXF ?

From OAuth1 to OAuth2 with Apache CXF and Hawk Sergey Beryozkin, T alend What is Apache CXF ? Production quality Java framework for developing REST and SOAP web services CXF 3.0.2: JAX-RS 2.0, JAX-WS 2.2 Major focus on the web

230 views • 22 slides
1 Join more than 1,000 attendees, Municipal Marketplace including local government leaders A

1 Join more than 1,000 attendees, Municipal Marketplace including local government leaders A

1 Join more than 1,000 attendees, Municipal Marketplace including local government leaders A wide variety of services and products essential from throughout the state and company to running your municipality will be exhibited at

307 views • 9 slides
1 Weve invited you to join us for this informational meeting because collaborative efforts

1 Weve invited you to join us for this informational meeting because collaborative efforts

1 Weve invited you to join us for this informational meeting because collaborative efforts involving federal, state, and local partners are ongoing in your local area to get a more holistic picture of local flood hazards, risks and mitigation

192 views • 16 slides
Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, CAS Joint work with Dong Lu, Dingkang Wang and Jie Zhou July 16-19, 2018, City University of New

571 views • 39 slides
Debugging of optimized code: Extending the lifetime of local variables and parameters Wolfgang

Debugging of optimized code: Extending the lifetime of local variables and parameters Wolfgang

Debugging of optimized code: Extending the lifetime of local variables and parameters Wolfgang Pieb October 18, 2017 Motivation Local variables and parameters (including the this pointer) are often optimized away soon after the last point

663 views • 9 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
Extending Cloud Foundry with new Services #cloudcredo #cloudfoundry 4832 Roadmap What is

Extending Cloud Foundry with new Services #cloudcredo #cloudfoundry 4832 Roadmap What is

Extending Cloud Foundry with new Services #cloudcredo #cloudfoundry 4832 Roadmap What is Cloud Foundry? Why would I want one? Your PaaS should be hackable Extending with new Services The Future 4832 Why Cloud

452 views • 27 slides
Extending INET Framework for Directional and Asymmetrical Wireless Communications Paula Uribe 2

Extending INET Framework for Directional and Asymmetrical Wireless Communications Paula Uribe 2

MASCOTTE Join Project Team INRIA-CNRS-UNSA. Sophia Antipolis. France c e n t r e d e r e c h e r c h e Extending INET Framework for Directional and Asymmetrical Wireless Communications Paula Uribe 2 Juan-Carlos Maureira 1 Olivier Dalle 1 1

688 views • 66 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
The Social Services Research Group and why you should join Social Services Research Group The

The Social Services Research Group and why you should join Social Services Research Group The

The Social Services Research Group and why you should join Social Services Research Group The network for research, information, planning and performance across social care and health services for children and adults What is SSRG? The

394 views • 8 slides
Extending the Emergency Medical Services network for out-of-hospital cardiac arrest victims An

Extending the Emergency Medical Services network for out-of-hospital cardiac arrest victims An

Extending the Emergency Medical Services network for out-of-hospital cardiac arrest victims An explorative study for the province of Drenthe Tef Jansma Master thesis University of Groningen supervisors: Dr. ir. Durk-Jouke van der Zee

439 views • 17 slides
Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++ Debugging 2 ns Directory Structure ns-allinone Tcl8.3 TK8.3 OTcl tclcl ns-2 nam-1 ... tcl C+ + code ex test mcast ... lib examples

965 views • 52 slides
Welcome to tonight's webinar. It will start at 7:30 pm AEST. Join a local Veteran-Focussed Mental

Welcome to tonight's webinar. It will start at 7:30 pm AEST. Join a local Veteran-Focussed Mental

29/05/2018 Welcome to tonight's webinar. It will start at 7:30 pm AEST. Join a local Veteran-Focussed Mental Health Professionals Network: Networks are currently located in the following areas: Brisbane Townsville Perth

346 views • 15 slides
Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2 and OpenID Connect to Science Gateways https://tools.ietf.org/html/rfc6749 Three Layers of Science Gateway Cyberinfrastructure Tenants Resources

813 views • 43 slides
Java: Learning to Program with Robots Chapter 02: Extending Classes with Services Chapter

Java: Learning to Program with Robots Chapter 02: Extending Classes with Services Chapter

Java: Learning to Program with Robots Chapter 02: Extending Classes with Services Chapter Objectives After studying this chapter, you should be able to: Extend an existing class with new commands. Explain how a message sent to an object

921 views • 47 slides
When to Optimize Enumerating all possible plans Selection Pushdown Join Conversion Join

When to Optimize Enumerating all possible plans Selection Pushdown Join Conversion Join

When to Optimize Enumerating all possible plans Selection Pushdown Join Conversion Join Reordering Pick a Join Algo Which Plan is the Best? Always push down selections Always convert joins Which join order??? Which join algo? What makes a

363 views • 3 slides
in a Cooperative Scenario Marius Politze, Bernd Decker IT Center RWTH Aachen University Setting

in a Cooperative Scenario Marius Politze, Bernd Decker IT Center RWTH Aachen University Setting

Extending the OAuth2 Workflow to Audit Data Usage for Users and Service Providers in a Cooperative Scenario Marius Politze, Bernd Decker IT Center RWTH Aachen University Setting Support the core processes: Teaching, Learning and Research

821 views • 17 slides
Extending Tina With Secure On-line Accoun7ng

Extending Tina With Secure On-line Accoun7ng

Extending Tina With Secure On-line Accoun7ng Services Fernando Rocha Bara7eri (09138013) Flavio Kruger BiEencourt (10104029) Giovani

600 views • 56 slides
Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability 01 Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability 02 Testing for availability Many languages for message-passing concurrency allow programs to test

541 views • 19 slides
Demand for services is going up the money to pay for them is going down 450 Another

Demand for services is going up the money to pay for them is going down 450 Another

A new deal for Bradford District The future of local services The Council is talking to local people about the need to cut back or stop some services focus on what activities make the biggest difference to the District look

107 views • 9 slides
Better Local Services: Improving Local Government Delivery Through Innovation and Partnerships:

Better Local Services: Improving Local Government Delivery Through Innovation and Partnerships:

Better Local Services: Improving Local Government Delivery Through Innovation and Partnerships: Lessons from the New Zealand Experience A Presentation to the Commonwealth Local Government Forum Asia-Pacific Regional

234 views • 21 slides
Extending the enterprise to close the performance gap in the built environment Seb Cox M.Eng.

Extending the enterprise to close the performance gap in the built environment Seb Cox M.Eng.

Extending the enterprise to close the performance gap in the built environment Seb Cox M.Eng. M.Sc. MCIOB PMP Nermeen Mahmoud M.Sc. EIT EllisDon Construction Services Inc September 27, 2018 Seb Cox - Background 8 yrs Defense Aerospace

754 views • 56 slides

More recommend