Client
Client is the consumer of backend services.
Functionalities
- A simple user management system
Users can create new accounts, log in the system and log out the system. - Each user can upload her/his private key
- In above figure, the end user logins the client app as user "john". The client support accessing of three backend services. Then the user sets the binding of user id to each backend service. When the user wants to invoke backend service 1, the client app would set the user id to "mark" in the requests.
Service Provider
Functionalities of the service provider:
- A simple user management system
- Each user can bind a MyProxy account to his/her local account.
The needed information of MyProxy account includes username, password, MyProxy server host and port number.
Then the server would automatically retrieve a certificate chain from the specified MyProxy server. After parsing the certificate chain, public key of the original certificate that belongs to the user is extracted.
Note: we don't use public key included the proxy certificate. There is just one original certificate stored in the MyProxy server while many proxy certificates can be acquired. Each time a new proxy certificate is requested, a new public/private key is created and the public key is sent to MyProxy server. Usually, this process is done by system automatically. - Each service could be accessed by various client applications. Users can set which client apps are allowed to access their data.
OAuth Integration
In OAuth authorization procedure, there are three main steps:
- Get a request token
- Ask user to authorize the request
- Exchange request token with an access token
Then the access token acquired in step (3) is used to access protected resources.
Trust relationship between client app and service provider is built out of band. Two mechanisms are supported: shared secret and RSA.
In my solution, step (2) is extended with step (1) and (3) staying the same. Two additional parameters are added: user_id
and cgl_oauth_signagure
. Parameter user_id
is described here. The cgl_oauth_signature
is calculated against user_id
using the user's private key. After service provider receives the request, the corresponding public key (retrieved from MyProxy server) is used to verify the signature.
Future Work
- Revoke the authorized privileges
- Users can set an expiration time after which the access token will become invalid. Then the whole OAuth authorization process must be executed once again.
- Provides a way for user to revoke authorized privileges at any time they like.
- Trust relationship establishment.
Developers of client apps go to specified web page of the service provider to apply for development account. Then one of the following two things happens:- A shared secret would be generated automatically and copied to the corresponding client app.
- The developers of the client apps upload their certificate to backend service.
No comments:
Post a Comment