Using OpenID/OAuth to access



Similar documents
Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Authenticate and authorize API with Apigility. by Enrico Zimuel Software Engineer Apigility and ZF2 Team

Enabling SSO for native applications

Onegini Token server / Web API Platform

Flexible Identity Federation

OAuth 2.0 andinternet Standard. Torsten Lodderstedt Deutsche Telekom AG

Mobile Security. Policies, Standards, Frameworks, Guidelines

IBM WebSphere Application Server

Building Secure Applications. James Tedrick

OAuth 2.0: Theory and Practice. Daniel Correia Pedro Félix

ACR Connect Authentication Service Developers Guide

SAML and OAUTH comparison

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

SECURING MOBILE APPLICATIONS

OAuth 2.0. Weina Ma

Public Auditing & Automatic Protocol Blocking with 3-D Password Authentication for Secure Cloud Storage

Integrating Single Sign-on Across the Cloud By David Strom

Web 2.0 Lecture 9: OAuth and OpenID

HOL9449 Access Management: Secure web, mobile and cloud access

AdRadionet to IBM Bluemix Connectivity Quickstart User Guide

Enterprise Access Control Patterns For REST and Web APIs

Traitware Authentication Service Integration Document

OpenLogin: PTA, SAML, and OAuth/OpenID

The Role of Identity Enabled Web Services in Cloud Computing

Transport Layer Security Protocols

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

Cloud Elements! Marketing Hub Provisioning and Usage Guide!

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

OAuth: Where are we going?

The Future of Cloud Identity Security. Michael Schwartz Founder / CEO Gluu

An Oracle White Paper Dec Oracle Access Management OAuth Service

Cisco Unified Communications Manager 7.1 SIP Configuration Guide

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

OIX IDAP Alpha Project - Technical Findings

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

#07 Web Security CLIENT/SERVER COMPUTING AND WEB TECHNOLOGIES

CA CloudMinder. Getting Started with SSO 1.5

Introduction to IBM Worklight Mobile Platform

Globus Auth. Steve Tuecke. The University of Chicago

Axway API Gateway. Version 7.4.1

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

The Security Behind Sticky Password

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Single Sign On. SSO & ID Management for Web and Mobile Applications

PingFederate. Identity Menu Builder. User Guide. Version 1.0

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

W3C Web Payment IG. Payment Service Providers. Alibaba Zephyr Tuan

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

SETTING UP YOUR JAVA DEVELOPER ENVIRONMENT

Google Cloud Print Administrator Configuration Guide

Kerberos and Single Sign-On with HTTP

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

Copyright Pivotal Software Inc, of 10

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Outlook Data File navigate to the PST file that you want to open, select it and choose OK. The file will now appear as a folder in Outlook.

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

SINGLE & SAME SIGN-ON ASPECTS

SECUREAUTH IDP AND OFFICE 365

Dictamus Manual. Dictamus is a professional dictation app for iphone, ipod touch and ipad. This manual describes setup and use of Dictamus version 10.

Identity Implementation Guide

Security Whitepaper. NetTec NSI Philosophy. Best Practices

Cloud Tools Reference Guide. Version: GA

MiraCosta College now offers two ways to access your student virtual desktop.

Release Notes for Websense Web Endpoint (32- and 64-bit OS)

Information Security Group Active-client based identity management

Criteria for web application security check. Version

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

BM482E Introduction to Computer Security

Configuration Guide. BES12 Cloud

Manual for Android 1.5

Kerberos and Single Sign On with HTTP

A Survey on Cloud Security Issues and Techniques

Digital Signatures on iqmis User Access Request Form

Login with Amazon. Developer Guide for Websites

Token User Guide. Version 1.0/ July 2013

Denodo Data Virtualization Security Architecture & Protocols

EHR OAuth 2.0 Security

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec

Introduction to FileWave

Qlik REST Connector Installation and User Guide

Lecture 11 Web Application Security (part 1)

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Three attacks in SSL protocol and their solutions

Transcription:

Using OpenID/OAuth to access Federated d Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP 2011 10 May 2011

CMIP3 Pydap server: http://esgcet.llnl.gov/dap/ipcc4/?thredds g p p THREDDS catalog OpenDAP service points Basic Authentication Cloud-accessible with basic authentication pass-through i.e. llnl controlled user/password access to analysis done in the cloud with CMIP3 data

Sample CMIP3 access

CMIP3 is cloud accessible e Example Canadian PhD student used this IRI data library interface to do EOF, correlation and other analysis on CMIP3 model runs as well as other climate data Now leading Climate and Agriculture group in Pakistan Accessiblity makes a difference!

Mashup Authentication A simple data mashup: difference between two variables from two different datasets If both datasets are access-restricted under different security realms (different userid/password), then the difference cannot be authenticated ti t (Basic/Digest Authentication only has one set of authentication info)

OpenID OpenID separates user identification from resource access authorization, so a federation of servers can have users with the same id, yet decide separately who gets access to their resources. It also means resource providers can get out of the user authentication business. This is half of the solution to the mashup problem.

Man-in-the-Middle Middle Modern authentication schemes (i.e. other than Basic) defend against man-in-the-middle attacks, i.e. defend against a third-party sitting in the middle of the browser and dthe authenticating ti ti server conversation and relaying requests while copying for nefarious reasons. This also eliminates third-parties for good reasons. So we need to separate the good third parties from the bad ones. More than likely, this means one must explicitly authenticate third-parties (cloud applications) as well as users.

OAuth Mechanism to authenticate third-parties Used by third-party apps to access Google and Facebook data, for example Not a perfect match to our problem: built for large data provider, tiny app limit, i.e. most apps build for one data source. Currently missing the refusal part of the standard, but that could be part of Oauth 2.0, at which point it becomes Token Authorization (refusal does not distinguish between 2 nd and 3 rd parties, only the process for getting a token differs).

OAuth is token-based Bearer Token possession of token is sufficient for access MAC Token has associated secret, i.e. token can be used over an unsecure channel

The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again. OAuth 1.0 initial access

The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again. OAuth 1.0 subsequent access

OAuth App must OAuth Protocol Identify user Remember authorized tokens by y( (user,data server) Probably will have pre-registered with data source authentication service

OAuth 2.0 Authorization protocol in parallel with Basic and Digest Authentication, i.e. the Unauthorized response gives the information needed to get authorization Will probably be called Token or Bearer or MAC (i.e kinds of tokens) in WWW-Authenticate ti t which h will provide two endpoints for authorization Authorization-uri: endpoint for user to identify with token-uri: endpoint for app to identify with

The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again. OAuth 2.0 Web App Flow(*)

Federated Security for Federated Data Authentication Service split between user identifier and data protector Data Apps need to identify users and associated valid tokens Data Providers need to validate both users and data apps Need to avoid breaking anonymous/cached access Could create a bit of a mess when are the results of a data analysis finally released from the use-constraints t of the data that went into it?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information