- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Wed, 11 Jan 2012 08:55:16 -0500
- To: public-xg-webid@w3.org
- Message-ID: <4F0D94C4.9010202@openlinksw.com>
On 1/11/12 3:11 AM, Peter Williams wrote:

> I deployed an authorization guard at my idweb site. If an OAUTH token
> is sent to the webid endpoint, it's evaluated using webid validation
> logic, assuming it contains a cert in the OAUTH claims. If I gave out
> the key, I don't see why an OAUTH v1 token could not be formulated
> directly, rather than doing what is now described.
>
> The scenario fits one of our products, that is a thick client (using
> web services, including rest-based web services). How would I make it
> apply the webid world (since it's not a browser)?

You should be able to simulate a non-browser UA using cURL re. RESTful interaction patterns. Then we get into pem, .p12, and local keystore API bindings on the client side re. WebID.

> The UA has the user's signing key, shared with the browser - since they
> are on the same windows machine typically. All apps on windows share
> keys (given security rules). A demo UA signs a SAML2 token targeting
> my webid profile resource, which the resource STS in the cloud
> converts into an OAUTH v1 token (signed using an hmac known between it
> and the profile's guard). This is returned to the UA, which installs
> the OAUTH token into the www-auth header accompanying the web request,
> which thereby forwards the name and the cert (as signed by the cloud).
> This only happens if the cloud has verified the certificate and SAML
> assertion's signature classically (with no webid rules). The guard
> receiving the www-auth header then evaluates the additional webid
> rules (with no PKI rules), since it has a cert (much like SSL delivers
> a cert). Failed or happy verification returns an exception (403 or 200).

Yes. This is just more inter-protocol plumbing.

> Anyways, got some kind of validator up in the cloud, using the cloud
> STS to do the heavy validation, leaving to the webid validator
> handling of the one particular extension (and modulus/exp) webid cares
> about. This allows the edge devices (i.e. the cloud STS) to be
> shielding mere resource servers from DOS - and enforcing proper cert
> handling, cert chain discovery etc.
>
> Not going anywhere, but it's fun to see how webid will surely evolve -
> and work with all the other security technology families. Seems to have
> a nice fit, once divorced from SSL.
>
> Ok. Tomorrow, can try again at SSL. Let's finally see what Azure does
> with client certs, since there is a load balancer in the way.

Okay.

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Wednesday, 11 January 2012 13:55:53 UTC
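The split Peter describes, where the cloud STS does the classical certificate checking and forwards the name plus the cert under an HMAC it shares with the guard, and the guard then applies only the WebID rules (the subjectAltName URI and the modulus/exponent against the profile), as an added example. This is not code from the thread or from either party's product: the token layout (base64 name, base64 DER cert, HMAC-SHA256 tag), the shared secret, the self-signed test certificate and the in-memory stand-in for the fetched WebID profile are all constructed here; a real guard would dereference the WebID and read cert:modulus / cert:exponent from the RDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Profile stands in for the WebID profile document the guard would fetch
// and parse (cert:modulus / cert:exponent). Constructed for this example.
type Profile struct {
	Modulus  *big.Int
	Exponent int
}

// selfSignedWebIDCert builds a client certificate whose subjectAltName URI
// is the WebID, the one extension the guard cares about. Constructed test data.
func selfSignedWebIDCert(webid string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	u, err := url.Parse(webid)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Alice"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u}, // SAN URI = WebID
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// stsToken mimics the cloud STS: it has already checked the certificate and
// SAML signature classically and now forwards name + DER cert, authenticated
// with the HMAC key it shares with the guard (token format is an assumption).
func stsToken(key []byte, name string, certDER []byte) string {
	payload := b64([]byte(name)) + "." + b64(certDER)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "." + b64(mac.Sum(nil))
}

// guard applies only the WebID rules: verify the HMAC, pull the cert out of
// the claims, then match SAN URI and modulus/exponent against the profile.
// Like the guard in the thread it answers with 200 or 403.
func guard(key []byte, token string, lookup func(webid string) (*Profile, bool)) int {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 403
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return 403 // forged or tampered token: never trust the embedded cert
	}
	certDER, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return 403
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return 403
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 403
	}
	for _, u := range cert.URIs { // each SAN URI is a candidate WebID
		if p, found := lookup(u.String()); found &&
			p.Modulus.Cmp(pub.N) == 0 && p.Exponent == pub.E {
			return 200
		}
	}
	return 403
}

// scenario runs three cases: happy path, token under the wrong HMAC key,
// and a profile whose key material no longer matches the cert.
func scenario() (int, int, int, error) {
	key, der, err := selfSignedWebIDCert("https://example.org/alice#me")
	if err != nil {
		return 0, 0, 0, err
	}
	hmacKey := []byte("constructed-shared-secret")
	profiles := map[string]*Profile{
		"https://example.org/alice#me": {Modulus: key.PublicKey.N, Exponent: key.PublicKey.E},
	}
	lookup := func(w string) (*Profile, bool) { p, ok := profiles[w]; return p, ok }
	tok := stsToken(hmacKey, "Alice", der)
	happy := guard(hmacKey, tok, lookup)
	tampered := guard(hmacKey, stsToken([]byte("wrong-key"), "Alice", der), lookup)
	profiles["https://example.org/alice#me"].Exponent = 3 // profile drifts from the cert
	mismatch := guard(hmacKey, tok, lookup)
	return happy, tampered, mismatch, nil
}

func main() {
	h, t, m, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("happy:", h, "tampered:", t, "mismatch:", m)
}
```

The order of checks is the point: the HMAC is verified before the certificate is even parsed, so an unauthenticated request never reaches the X.509 parser or the profile lookup, which is exactly the DoS-shielding role Peter assigns to the STS at the edge.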