Gluu Blog

Follow us:
Back to Blog

Juju OAuth2 Application Security Design Proposal

Mike S. February 14, 2014

We don’t need SSO, we need trust elevation

There is no point in designing a solution that provides just SSO. Today, people are using an array of devices (think IOT). Applications need to understand how (and how long ago) a person has been authenticated, and based on the context of the situation, whether they need to re-authenticate a person. There is no way to efficiently address the complexities of trust elevation without the ability to centrally define policies. Authentication alone is not flexible enough.

Integration Point: The Application

As a green field design, it makes sense for Juju to adopt the most advanced application security technology available. Only an OAuth2 based authentication and authorization solution has the potential to address the the newest requirements that domains face to secure API’s, web and native applications. Lessons learned from SAML and OAuth 1 have taught us that developer usability is the key to adoption. OAuth2 offers two relatively painless integration options for web developers:

oauth2_application_options

Inter-Domain Trust Management

SSO would be easy if you could figure out which domains you want to trust, and what information about people you want to share with them. Luckily, SAML provides and excellent example of how to manage trust in an ecosystem of partners: multi-party federations. See InCommon for a good example of a multi-party federation. In this model, a host organization defines the rules that partners in the ecosystem will abide, and the protocols and schema that members will use to exchange data.

Although no standards yet exist for multi-party federations in OAuth2, the same idea can be borrowed from SAML. A trusted central authority publishes the “metadata”, which contains the participants in the federation, their public certificates, and information about the services they offer. The metadata can be used by the applications for discovery. The federation also provides the legal Agreements. For example, if you want to join InCommon, you can read the Participation Agreement here. Federations can be very formal or very informal, depending on the participants and their business goals. The federation is also a good place for domains to collaborate on threat detection and other inter-domain security issues.

If you already have a SAML federation, you are one step ahead. New protocols bring new jargon and business considerations. For example, the UMA OAuth2 profile defines “client”, “authorization server”, “resource server” and scopes. OpenID Connect also has its own jargon. Likely, the federation will also have to reference an OAuth2 multiparty federation standard, like the one Gluu proposed in the Emerging Work section of the OpenID Foundation Wiki. As the considerations for federation extend beyond OpenID Connect, the IETF may be a good place for this standard, for example perhaps as an OAuth2 working group. Note: protocol translation alone from SAML to OAuth2 will not work because OAuth2 brings new capabilities. But there is no reason why SAML and OAuth2 support at the federation needs to be mutually exclusive.

oauth2_meshed_federation

 

Be sure to subscibe to
our RSS Feed

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summity (now "Identiverse") and many other security conferences around the world.