SIROPE
OAuth and OAuth2 Living in SIR
Diego R. Lopez, RedIRIS
16th TF-EMC2. Copenhagen, September 2010
The Goals
• Explore the applicability of “classic” OAuth within the RedIRIS environment
  – User-mediated access to data held by the RedIRIS services by registered applications
• Contribute to the development of OAuth2
  – Assertion profile as a bridge to academic federations
  – Authorization use cases in RESTful environments
  – Enhanced user-mediated access along the lines of Kantara’s WG-UMA
Classic OAuth
• Service components deployed
  – Register interface
  – Server library
  – Client reference implementation
Classic OAuth in Action
• 1-3: Control passes to the section dealing with OAuth logic
• 4-5: Client-server credential exchange
• 6-7: User redirected to AuthN/AuthR point (federation plays here)
• 8-9: Temporary credential and token exchange
• 10-11: Resource access using token
The OAuth2 Assertion Profile
Implementing the OAuth2 AP
• OAuth2lib: Components supporting the OAuth2 AP
  – Authorization Server
  – Server access control logic
  – Client interface
• 1: The user goes to a Client Application.
• 2: The Client App requires the user to authenticate at a federated IdP, which generates an assertion.
• 3: The Client App sends the obtained assertion to an Authorization Server. There, a token for a certain user, client, scope and lifetime is generated.
• 4: The Authorization Server sends the generated token to the Client App.
• 5: The Client App acts on behalf of the user and requests the resource from the Server. The token can be reused until it expires.
• 6: The Server returns the resource if the token sent is valid.
OAuth2lib AS
• Registered servers
  – Keys
  – Acceptable scopes
• Registered clients
  – Keys
• Policy
  – Clients
  – Attributes
  – Scopes
• Supports SAML and PAPI assertion formats
  – Extensible interface
OAuth2lib Server Support
• ASes
  – Keys
• Resources
  – Calls content handlers
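An illustration added here of the six-step flow and of the AS and Server data described on the previous slides; it is example code written for this page, not OAuth2lib's. The assertion is taken as already parsed by the format-specific (SAML/PAPI) layer, HMAC-SHA256 with a key shared between AS and server stands in for the real signatures, and the server, client, scope and attribute names are constructed.

```python
import base64, hashlib, hmac, json

# Constructed sample data (not OAuth2lib configuration; names and keys are hypothetical),
# laid out like the AS slide: registered servers (key, acceptable scopes),
# registered clients, and a policy of client -> required attributes and scopes.
SERVERS = {"sps-pilot": {"key": b"as-server-shared-key", "scopes": {"sps:list"}}}
CLIENTS = {"sirope-web"}
POLICY = {"sirope-web": {"attributes": {"affiliation": {"member", "staff"}},
                         "scopes": {"sps:list"}}}
LIFETIME = 300  # seconds an issued token stays valid

def _sig(key, data):
    # HMAC-SHA256 stands in for the real assertion/token signature scheme
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_token(client_id, assertion, scope, server_id, now):
    """AS step (3): turn an already-parsed federation assertion into a token
    for (user, client, scope, lifetime); None if client, scope or policy reject it."""
    server, rule = SERVERS.get(server_id), POLICY.get(client_id)
    if client_id not in CLIENTS or server is None or rule is None:
        return None
    if scope not in server["scopes"] or scope not in rule["scopes"]:
        return None
    # attribute policy: every required attribute must carry an accepted value
    for attr, accepted in rule["attributes"].items():
        if not accepted & set(assertion["attributes"].get(attr, ())):
            return None
    claims = {"user": assertion["user"], "client": client_id, "scope": scope,
              "aud": server_id, "exp": now + LIFETIME}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sig(server["key"], payload)

def check_token(token, as_key, server_id, scope, now):
    """Server step (6): accept only a token signed with the registered AS key,
    addressed to this server, covering the requested scope and not yet expired.
    Returns the user on success, None otherwise."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sig(as_key, payload)):
        return None
    claims = json.loads(payload)
    if claims["aud"] != server_id or claims["scope"] != scope or claims["exp"] <= now:
        return None
    return claims["user"]
```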
OAuth2lib Client Interface
• Federation data
  – How to access and process the received assertion
• OAuth2 data
  – How to access the appropriate AS and server
• Resource data
  – Forwarded to the calling application
Deploying OAuth2 AP: SIROPE
• A web-based client offering users access to data related to their status in the SIR federation
  – Currently, the available SPs
• An Authorization Server
  – Open to be used by other potential clients at the institutions
• A pilot server application
  – Available SPs for a given user/institution
  – The hub nature of SIR helps here again
http://www.rediris.es/sir/sirope
OAuth2lib beyond SIR
• Access to resources in the AGORA e-learning toolset
  – Fine-grained RESTful AuthR
• Evaluation of OAuth2lib in the OpenSocial environment
  – Collaboration with SURFnet
• Any others welcome
http://www.rediris.es/oauth2/