
Service Chaining with OAuth 2.0 Bearer Tokens Alan H. Karp HP Labs.

Presentation on theme: "Service Chaining with OAuth 2.0 Bearer Tokens Alan H. Karp HP Labs."— Presentation transcript:


2 Service Chaining with OAuth 2.0 Bearer Tokens Alan H. Karp HP Labs

3 Overview
– OAuth 1.0
– OAuth 2.0
– Sabre 2.0

4 OAuth 1.0

5 OAuth 2.0
No crypto in the protocol
– Everything over HTTPS
Opaque tokens represent access rights
No revocation
– Most tokens expire in a short time, e.g., 10 min
Different patterns
– Basic requires authentication
– Bearer tokens

6 OAuth 2.0 Basics
Diagram participants: Resource Owner, Resource Provider, Client, Authorization Manager
Diagram messages: Request Access; Authorization Grant (AG); AG; Access Token (AT) + optionally Refresh Token (RT); AT; Resource
AM and RO agree on AG
AM and RP agree on AT
AM decides RT format
All opaque to client
AG and AT short-lived
RT long-lived

7 Web Redirection
Diagram participants: Resource Owner, Resource Provider, Client, Authorization Manager
Steps: 1. Request Access; 2. Denied; 3. Request Access; 4. AG; 5. AG; 6. AT; 7. AT; 8

8 SABRE 1.0
SABRE – Semi-Automatic Business-Related Environment
Developed by IBM for American Airlines
– First prototype 1960
– In use today as Sabre Holdings, Inc. (Travelocity)
Long past due for an upgrade
– HP/EDS won the contract

9 SABRE 2.0
Widely known features
– Airline/hotel reservations
Less well known or unknown features
– Crew scheduling
– Airport management

10 Airport Management
200 airlines
– 10,000 employees each
500 airports
– 5,000 employees each
Federated Identity Management impractical
First solution ZBAC with SOAP
Switched to REST
– Proposed waterken
– Decided on OAuth

11 Gate Agent Scenario
All computers at gates are shared
Want employers to authenticate their people
Authorization decided by role and context
– Gate agent can close gate if employer's flight
TWA has contracted to use Weather, Inc.
TWA gate agents may request forecasts
– Agents specify airport code
– Weather, Inc. takes latitude/longitude
– SABRE Convert service translates code to lat/long

12 Sign Contracts
Diagram boxes: Sabre 2.0 (Web Server, AuthZ Mgr, Policy Engine, Convert Service, PM); TWA (AuthN Mgr, AuthZ Mgr, TWA Policy); Weather, Inc. (Forecast, AuthZ Mgr); Terms and Conditions

13 Screen on Gate Display More

14 Setup
Diagram participants: Alice at a Browser; TWA (AuthN Mgr, AuthZ Mgr); Weather Service (Forecast, AuthZ Mgr); Sabre 2.0 (Web Server, AuthZ Mgr, Convert Service, PM, Policy Engine)
Steps: 1. Sabre Front Page; 2. Login; 3. Attributes; 4. Attributes; 5. Get AGs; 6. Web page content + AGs

15 Request Permissions
Diagram participants: Alice at a Browser; Sabre 2.0 (Web Server, AuthZ Mgr, Convert Service); TWA (AuthN Mgr, AuthZ Mgr, TWA Policy); Weather Service (Weather AuthZ Mgr)
Steps: 7. Get forecast for ORD; 8. Get AG for W; 9. Get AG for W; 10. AG1 for W; 11. AG1 for W

16 Prepare to Delegate
Diagram participants as in slide 15
Steps: 12. Get AG for Convert; 13. AG2 for W

17 Prepare to Invoke
Diagram participants as in slide 15
Steps: 14. Exchange AG1 for AT1; 15. AT1 for CS

18 Invoke
Diagram participants as in slide 15
Steps: 16. Invoke with AT1 passing AG2; 17. Exchange AG2 for AT2; 18. Return AT2 for W; 19. Invoke with AT2
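The chained exchange of slides 15 to 18, as an added example that is not part of Karp's talk or of Sabre's code: a toy in-memory authorization manager issues opaque, single-use, short-lived grants; Alice exchanges AG1 for AT1 to call the Convert service and hands AG2 along; Convert redeems AG2 for AT2 and calls Weather with it. The class and function names, the AIRPORTS table, and the reading that AG1 targets Convert while AG2 is the grant delegated to Convert for Weather (taken from slide 18) are my assumptions.

```python
import secrets
import time
class AuthorizationManager:
    """Toy AM (hypothetical, not Sabre's). Tokens are opaque random strings
    with no crypto; only this table gives them meaning, hence HTTPS-only."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}   # AG -> (who may redeem it, resource, expiry)
        self.tokens = {}   # AT -> (resource, expiry)

    def issue_grant(self, audience, resource, ttl=600):
        ag = secrets.token_urlsafe(16)
        self.grants[ag] = (audience, resource, self.clock() + ttl)
        return ag

    def exchange(self, ag, presenter, ttl=600):
        """Single-use: the AG is burned whether or not the exchange succeeds."""
        audience, resource, expiry = self.grants.pop(ag, (None, None, 0))
        if audience != presenter or self.clock() >= expiry:
            return None
        at = secrets.token_urlsafe(16)
        self.tokens[at] = (resource, self.clock() + ttl)
        return at

    def check(self, at, resource):
        res, expiry = self.tokens.get(at, (None, 0))
        return res == resource and self.clock() < expiry
AIRPORTS = {"ORD": (41.98, -87.90)}  # constructed sample of the Convert table

def weather_service(am, at, lat_long):
    if not am.check(at, "weather"):
        return ("error", "weather rejected AT")
    return ("forecast", lat_long)

def convert_service(am, at1, ag2, airport_code):
    """Steps 16-19: accept AT1, redeem delegated AG2 for AT2, call Weather."""
    if not am.check(at1, "convert"):
        return ("error", "convert rejected AT1")
    at2 = am.exchange(ag2, presenter="convert")      # steps 17-18
    if at2 is None:
        return ("error", "AG2 not redeemable by convert")
    return weather_service(am, at2, AIRPORTS[airport_code])  # step 19

def gate_agent_request(am, airport_code):
    """Alice's side (steps 12-16): AG1 for Convert, AG2 delegated to Convert."""
    ag1 = am.issue_grant("alice", "convert")
    ag2 = am.issue_grant("convert", "weather")
    at1 = am.exchange(ag1, presenter="alice")
    return convert_service(am, at1, ag2, airport_code)
```

Because the tokens are bearer strings, the only controls the AM has are the ones shown: binding each AG to the party allowed to redeem it, consuming it on first use, and the short expiry the slides mention.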

19 Optimizations
Resource owner is resource provider
– Forget about AGs, just hand out ATs
Skip AG2
– Alice can tell TWA AG is for Convert service

