https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
Internet2 2016 Global Summit
AARC Draft Blueprint Architecture
May 15 – 18, Chicago
Christos Kanellopoulos, Architecture (JRA1) WP Leader, GRNET
The starting point
• The scenario:
  • There is a technical architect of a research community
  • Her community is distributed internationally
  • An increasing number of services need authentication and authorization
  • Her job is to find a solution
  • She wants to focus on research and not reinvent the wheel
  • She starts googling
• So, there are some solutions available, but…
The goals
1. Users should be able to access all the services using the credentials from their Home Organization.
2. Users should have one persistent, non-reassignable, non-targeted unique identifier.
3. Attempt to retrieve user attributes from the user’s Home Organization. If this is not possible, then an alternate process should exist.
4. Distinguish (LoA) between self-asserted attributes and the attributes provided by the Home Organization/VO.
5. Access to the various services should be granted based on the role(s) the users have within the collaboration.
6. Services should not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies.
AARC: Analysis of User Communities and e-Infrastructure Providers
Requirement areas identified:
• Non-web-browser
• Guest users
• Persistent Unique Id
• Credential translation
• Attribute Aggregation
• Attribute Release
• Levels of Assurance
• Community-based AuthZ
• Social & e-Gov IDs
• Step-up AuthN
• User Managed Information
• User Friendliness
• Incident Response
• Best Practices
• Credential Delegation
• SP Friendliness
The functional Components
User Community Requirements
aarc-project.eu
https://goo.gl/kSxENp
Why the proxy model?
• All internal Services can have one statically configured IdP
• No need to run an IdP Discovery Service on each Service
• Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes
• External IdPs only deal with a single SP (the proxy)
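The following is an added, self-contained model of what the proxy in this slide does, and of goals 2, 4 and 5 from the earlier slide: it derives one persistent, non-targeted identifier per user, maps attribute names from different IdPs onto one canonical set, tags each attribute with whether it came from the Home Organization or was self-asserted, attaches VO roles from an attribute authority, and lets services decide on roles plus a minimum assurance class instead of on raw IdP attributes. It is not code from the AARC project; the issuer names, attribute names, secret, LoA scale and role names are all constructed for the example.

```python
"""Toy IdP/SP proxy: one IdP for internal services, one SP towards external IdPs."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Two assurance classes, as in goal 4; constructed ranking, not an AARC LoA profile.
LOA_RANK = {"self-asserted": 0, "home-org": 1}

# Attribute mapping from IdP-specific names onto the proxy's canonical names (constructed).
ATTRIBUTE_MAP = {
    "mail": "email", "email": "email",
    "displayName": "name", "name": "name", "cn": "name",
    "eduPersonAffiliation": "affiliation",
    "telephoneNumber": "phone", "phone": "phone",
}


@dataclass
class Assertion:
    issuer: str       # entityID / OIDC issuer of the IdP that authenticated the user
    subject: str      # IdP-local subject identifier; never released to connected SPs
    attributes: dict  # attributes as released by that IdP
    loa: str          # assurance class the proxy assigns to this source


@dataclass
class ProxyUser:
    uid: str
    loa: str                                         # assurance of the authentication source
    attributes: dict = field(default_factory=dict)   # canonical name -> (value, loa)
    roles: frozenset = frozenset()


class IdPSPProxy:
    def __init__(self, secret: bytes, scope: str, attribute_authority):
        self._secret = secret
        self.scope = scope
        self.attribute_authority = attribute_authority  # callable: uid -> set of VO roles

    def derive_uid(self, assertion: Assertion) -> str:
        # Persistent and non-targeted: every connected SP sees the same value for this user.
        # Non-reassignable as long as the IdP never reuses (issuer, subject) for another person.
        msg = f"{assertion.issuer}!{assertion.subject}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]
        return f"{digest}@{self.scope}"

    def aggregate(self, primary: Assertion, self_asserted: dict = None) -> ProxyUser:
        """Harmonise attributes from the authenticating IdP plus optional user-entered data."""
        user = ProxyUser(uid=self.derive_uid(primary), loa=primary.loa)
        sources = [(primary.attributes, primary.loa)]
        if self_asserted:
            sources.append((self_asserted, "self-asserted"))
        for attrs, loa in sources:
            for raw_name, value in attrs.items():
                name = ATTRIBUTE_MAP.get(raw_name)
                if name is None:
                    continue  # unknown attribute: drop instead of passing it through unharmonised
                current = user.attributes.get(name)
                # The higher-assurance value wins; self-asserted data only fills gaps.
                if current is None or LOA_RANK[loa] > LOA_RANK[current[1]]:
                    user.attributes[name] = (value, loa)
        user.roles = frozenset(self.attribute_authority(user.uid))
        return user

    @staticmethod
    def authorize(user: ProxyUser, policy: dict) -> bool:
        """Services decide on a VO role and a minimum assurance class only (goal 5)."""
        if policy["role"] not in user.roles:
            return False
        return LOA_RANK[user.loa] >= LOA_RANK[policy["min_loa"]]


# --- constructed sample data ---
HOME_ORG = Assertion("https://idp.uni.example", "jdoe",
                     {"mail": "jdoe@uni.example", "displayName": "Jane Doe",
                      "eduPersonAffiliation": "staff", "unmappedAttr": "x"}, "home-org")
SOCIAL = Assertion("https://accounts.social.example", "108822",
                   {"email": "jane@mail.example", "name": "Jane"}, "self-asserted")

PROXY = IdPSPProxy(secret=b"constructed-demo-secret", scope="proxy.example.org",
                   attribute_authority=lambda uid: VO_ROLES.get(uid, set()))
# VO attribute authority keyed by the proxy's own identifier, not by IdP subjects.
VO_ROLES = {PROXY.derive_uid(HOME_ORG): {"vo-member", "data-manager"},
            PROXY.derive_uid(SOCIAL): {"vo-member"}}

TOOL_POLICY = {"role": "vo-member", "min_loa": "self-asserted"}   # guest-friendly tool
DATA_POLICY = {"role": "data-manager", "min_loa": "home-org"}      # sensitive data service


def run_demo():
    staff = PROXY.aggregate(HOME_ORG, self_asserted={"email": "personal@mail.example",
                                                     "phone": "+1 555 0100"})
    guest = PROXY.aggregate(SOCIAL)
    return staff, guest


if __name__ == "__main__":
    for user in run_demo():
        print(user.uid, user.loa, user.attributes, sorted(user.roles),
              PROXY.authorize(user, TOOL_POLICY), PROXY.authorize(user, DATA_POLICY))
```

The point to notice is where the complexity lives: each connected service configures exactly one IdP (the proxy) and evaluates one role vocabulary, while the proxy alone knows about the home-organization federation, the social IdP and the VO attribute authority.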
The Functional Components and available AAI tools
aarc-project.eu
Available AAI Components:
• Attribute Authorities
• IdPs
• Proxies
• Token Translation
• Service Provider
Analysis of User Communities and Infrastructure Providers
eduGAIN & AARC
eduGAIN and the Identity Federations: a solid foundation for federated access in R&E
AARC (Authentication and Authorization Architecture for Research Collaboration): a set of building blocks on top of eduGAIN for International Research Collaboration
A real life implementation…
[Architecture diagram; component labels: SP: VO Portal, Attribute Authority, IdP/SP Proxy, SP DS, Master Portal, IdP, SP: Tool, Federation IdP, eduGAIN, eGOV, Social IDs, Delegation Service / OpenID, AuthZ Server, MyProxy, CA, FQANs, SAML, OpenSSL Engine, OIDC, PUSP, Attribute Authority]
A real life implementation…
• IdP Discovery
• User Enrolment
• User Consent
• Support for LoA
• Attribute Aggregation
• SAML 2.0 Attribute Query, REST, LDAP
• Attribute mapping
• Support for OIDC/OAuth2
• Google, Facebook, LinkedIn, ORCID
• Support for eGov IDs
Pilots
User Community Requirements
Overview of Available AAI Components
Draft Blueprint Architecture
aarc-project.eu
https://goo.gl/kSxENp https://goo.gl/NzQA2U https://goo.gl/7dZZF4
Pilots With Communities:
• Plan
• Develop
• Test
• Include Feedback
• Input for training
• Package/release
Thank you. Any Questions?
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).