Alternatives to oAuth for DECE - Peter Davis, Research Fellow, Neustar, Inc


Page 1: Alternatives to oAuth for DECE - WikiLeaks (PDF)

Alternatives to oAuth for DECE

Peter Davis, Research Fellow
Neustar, Inc

Page 2

Current Application

• AuthN:
  • login();
• Delegation:
  • oauth token
    • Durable but unmanaged
    • Conveyed in REST API headers

Page 3

Current Issues

• login() exposes credentials to theft
• uname/pw storage causes account sync issues
• oauth suited for unknown-to-unknown interactions (thus extra step)
• Not intended for authN (requires composition with other protocols)
• Limited extensibility options
• No distributed delegation model

Page 4

Orientation to SAML

• Token format
• Extensible
• REST and SOAP profiles
• 10 years of maturity
• Potential integration with MS InfoCard
• Broad open source and mature commercial software in place
• 8 initial profiles (and counting)

Page 5

SAML / Oauth Comparison

                                Oauth 1.0a            SAML2
REST profiles                   yes                   yes
# of profiles                   1                     10+
token format                    name/value w/sig      XML w/XML dsig
authentication                  no (WRAP)             yes
authN contexts                  no                    yes
proxy profiles                  no                    yes
attribute conveyance            requires extension    native
delegation                      yes                   yes
native usage for DECE           no                    yes
sub-delegation                  no                    yes
suitable for intermediaries     no                    yes
subject ID encryption           no                    yes
private key propagation req'd   yes                   no

Page 6

Oauth Flows

[flow diagram]

Page 7

SAML Flows

[flow diagram]

Page 8

Opaque Identifiers

[Diagram: Alice, the Coordinator, Node A and Node B, with the identifiers Alice123, awhite, alicew, xyz and qrs labelling the links between them]

• Prevents collusion between nodes
• Conveyed by Coordinator Token response (accountID and UserID)
• Question: Persistence of identifiers
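The opaque-identifier idea on this slide, worked through as an added example (not code from the deck): the Coordinator derives a different but stable accountID/userID for each Node, so two Nodes cannot join their records on a shared key. The HMAC-over-a-Coordinator-secret construction, the node names and the directory values are all assumptions.

```python
"""Pairwise opaque identifiers issued by a DECE-style Coordinator (added example,
not code from the slides). A Node receives a stable identifier for Alice that
differs from every other Node's, so Nodes cannot join records on a shared key.
HMAC over a Coordinator-held secret is an assumed construction."""
import base64
import hashlib
import hmac

# Constructed secret and directory; a real Coordinator would keep the key in an
# HSM/KMS. Identifiers persist exactly as long as the secret does, so rotating
# it is the persistence question from the slide: carry a key id if you rotate.
COORDINATOR_SECRET = b"example-coordinator-key-do-not-reuse"
DIRECTORY = {"alice": {"account": "acct-1001", "user": "user-2001"}}


def opaque_id(node_id, id_type, real_id, secret=COORDINATOR_SECRET):
    """Identifier a given Node sees for a real account or user id.
    Each field is length-prefixed so ("ab","c") and ("a","bc") cannot collide."""
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in (node_id, id_type, real_id))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b32encode(digest[:15]).decode().lower()   # 24 chars, no padding


def token_response(node_id, principal):
    """The Coordinator's token response to a Node carries only identifiers that
    are opaque to that Node, never the directory values themselves."""
    rec = DIRECTORY[principal]
    return {"node": node_id,
            "accountID": opaque_id(node_id, "account", rec["account"]),
            "userID": opaque_id(node_id, "user", rec["user"])}


def resolve(node_id, id_type, presented):
    """Coordinator-side reverse lookup: recompute instead of storing a mapping
    table, so the same secret answers both directions."""
    for name, rec in DIRECTORY.items():
        if hmac.compare_digest(opaque_id(node_id, id_type, rec[id_type]), presented):
            return name
    return None


if __name__ == "__main__":
    for node in ("node-a", "node-b"):
        print(token_response(node, "alice"))
```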

Page 9

Roadmap for future (P1-3)

• Token provisioning
• Trusted module
• Linear Programming

Page 10

Device Token

• Bearer Token model
• Assertion Token provisioning into device
• (D|d)evice presentation to Relying Parties
• Potential for DRM incorporation
• Enables holder-of-key models potentially

Page 11

Coordinator Cache Policy

• Leverage HTTP cache negotiation
  • require (e.g. MUST):
    • If-Modified-Since
    • Last-Modified
    • Expires
• What is acceptable local cache policy (if coordinator unavailable)?
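The cache negotiation on this slide as an added example, not the deck's code: a Node keeps the Coordinator response together with its Last-Modified and Expires values, revalidates with If-Modified-Since once it expires, and answers the slide's open question with an assumed local grace window (MAX_STALE) for when the Coordinator cannot be reached. The fetch callable and all timestamps are constructed stand-ins.

```python
"""Node-side cache of a Coordinator response driven by HTTP cache negotiation
(added example, not code from the slides). fetch() stands in for the HTTP call
to the Coordinator; MAX_STALE is an assumed local policy for when it is down."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_STALE = timedelta(minutes=15)  # assumed grace window, not from the deck


def entry_from(headers, body):
    """Cache entry from the Last-Modified and Expires headers the Coordinator MUST send."""
    return {"body": body, "last_modified": parsedate_to_datetime(headers["Last-Modified"]),
            "expires": parsedate_to_datetime(headers["Expires"])}


def lookup(entry, now, fetch):
    """Return (body, how); fetch(headers) -> (status, headers, body) or raises ConnectionError."""
    if now < entry["expires"]:
        return entry["body"], "fresh"             # no round trip needed
    try:
        status, headers, body = fetch(
            {"If-Modified-Since": format_datetime(entry["last_modified"], usegmt=True)})
    except ConnectionError:
        if now - entry["expires"] <= MAX_STALE:
            return entry["body"], "stale"         # inside the local grace window
        raise                                     # fail closed: too stale to act on
    if status == 304:                             # unchanged: only the lifetime moves
        entry["expires"] = parsedate_to_datetime(headers["Expires"])
        return entry["body"], "revalidated"
    entry.update(entry_from(headers, body))       # 200: replace body and dates
    return entry["body"], "refreshed"


def demo():
    """Walk one entry through fresh, 304, 200 and outage cases (constructed times)."""
    t0 = datetime(2018, 1, 1, 12, 0, tzinfo=timezone.utc)
    m = lambda n: t0 + timedelta(minutes=n)
    hdr = lambda lm, exp: {"Last-Modified": format_datetime(lm, usegmt=True),
                           "Expires": format_datetime(exp, usegmt=True)}
    e = entry_from(hdr(t0, m(10)), {"accountID": "x"})
    out = [lookup(e, m(5), None)[1],
           lookup(e, m(11), lambda h: (304, hdr(t0, m(20)), None))[1],
           lookup(e, m(21), lambda h: (200, hdr(m(21), m(30)), {"accountID": "y"}))[1]]
    def down(h): raise ConnectionError("coordinator unreachable")
    out.append(lookup(e, m(40), down)[1])         # 10 min past Expires: served stale
    try:
        out.append(lookup(e, m(50), down)[1])     # 20 min past Expires: refused
    except ConnectionError:
        out.append("refused")
    return out
```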

Page 12

Appendix

Page 13

Applying SAML to DECE

• AuthN bindings and profiles
• Delegation (bearer) token use
• Comparable flows for oauth and SAML
• Trusted Module (device-led delegation)

Page 14

SAML Evolution

[Timeline: 2002, 2003, 2005]

Page 15

Present-day Uses

• Enterprise
• Federal and eGovernment
• Consumer Banking

Page 16

Conclusions

Page 17

Questions

Page 18

Ecosystem Model