New rev of Strict Transport Security (STS) Specification
Wednesday, December 23rd, 2009Details are over here..
=JeffH sez check it out 
Archive for the ‘Protocols’ Category
OAuth Protocol Flow Diagrams
Wednesday, October 22nd, 2008I found the existing protocol flow diagram in the current OAuth spec..
OAuth Core 1.0
http://oauth.net/core/1.0/
..somewhat hard to follow. So I concocted three separate new ones using the so-called “swimlane” technique that I’m used to.
I posted these to the OAuth list a while back, and a few folks reposted them to their blogs, but no one has yet piped up to say I got anything wrong. But YMMV, there might be bugs in here.
FWIW, I’ve posted them below in case others find them useful. Also, I have them in a single file..
http://identitymeme.org/doc/draft-hodges-oauth-05-figures.txt
..also featuring OpenID and SAML Web Browser SSO Profile diagrams for comparison purposes. Note that in all things protocol, definitions of terms are essential in order to be able to effectively communicate and reason about protocols, so I’ve included key definitions from the OAuth spec in the file.
NOTE: fixed-pitch font required for viewing. Also, wordpress is obviously messing up the diagrams below, and they consequently look sorta lame, here on the blog. This site presently uses an old wordpress install, maybe this will help motivate me to upgrade it. In the meantime, check out the file linked-to above for the best viewing experience 
Fig 1: out-of-band consumer setup/config
photos.example.net
+----------+
| |
| OAuth |
| service |
printer.example.com | provider |
+---------+ | |
|developer| | Sys |
| of | | Admin |
| OAuth | | |
|consumer | | |
| | | [SP] |
+----+----+ +----+-----+
| |
| obtain Consumer Key |
| and Consumer Secret |
| [details unspec'd, |
| performed out-of- |
| band.] |
|--------------------->|
|< ---------------------|
| |
| |
Fig 2: “Web-based consumer”
The "consumer" is a website or other application that accesses
the Service Provider on behalf of the wielder (user) of the user agent
(UA is typically a browser, but could be some other app).
Steps 1.n. "Obtain Unauthorized Request Token"
2.n. "User Authorizes Request Token"
3.n. "Exchange Request Token for Access token"
4.n. UA accessing protected resources at SP
photos.example.net
+----------+
| |
| OAuth |
printer.example.com | Service |
+--------+ | Provider |
| | | |
| OAuth | |[protected|
|Consumer| |resources]|
+----+ | | | |
| UA | | [RP] | | [SP] |
+-+--+ +---+----+ +----+-----+
| | |
| 1.0. User Agent inter-| |
| acts with Consumer | |
| site [optional] | |
|< --------------------->| |
| | |
| | |
| | |
| 1.1. UA informs/directs |
| Consumer to do something |
| with a resource (e.g. | |
| a photo) at SP | |
|---------------------->| |
| | |
| | |
| | |
| | 1.2. Consumer attempts
| | accessing photo at SP|
| |--------------------->|
| | |
| | |
| | 1.3. SP replies with |
| | a HTTP 401 containing|
| | a "OAuth" www-authn |
| | header field |
| |< ---------------------|
| | |
| | |
| | 1.4. Consumer replies|
| | with a request for |
| | "unauthorized Request|
| | Token" (uRT) via POST|
| | to SP's "request token
| | URL" |
| |--------------------->|
| | |
| | |
| | 1.5. SP issues uRT & |
| | token secret to |
| | Consumer. |
| |< ---------------------|
| | |
| | |
| | |
| 2.0. Consumer redirects |
| UA to SP "User Author-| |
| ization URL" including| |
| the uRT. | |
+<- - - - - - - - - - - - | |
. | (indirected via UA) | |
. | | |
+-------------------------+--------------------->|
| | |
| | |
| | |
| | |
| 2.2. User authenticates with the Service |
| Provider (optional, methods vary, realization|
| is out of scope) |
|< ============================================>|
| 2.3. User grants or declines permission |
| for the Service Provider allow Consumer |
| access to the resource (e.g. photo). |
| | |
| | |
| | |
| | |
| 2.4. If permision granted, UA redirected back|
| to Consumer's "Callback URL", conveying the |
| uRT. | |
+< - - - - - - - - - - - - - - - - - - - - - - - -|
. | (indirected via UA) | |
. | | |
. | | |
+------------------------>| |
| | |
| | |
| |3.0. Consumer requests|
| |Access token, supplies|
| |uRT. |
| |--------------------->|
| | |
| | |
| | |
| |3.1. SP grants Access |
| | Token. |
| |< ---------------------|
| | |
| | |
| |4.x. Consumer uses the|
| |Access Token, Access |
| |Token Secret, Consumer|
| |Key, and Consumer Secret
| |to make authenticated |
| |request(s) to the Service
| |Provider. |
| |=====================>|
| | . |
| | . |
| | . |
| | |
Fig 3: “desktop-based consumer”
this is case where user is wielding some app that is both a UA and a Consumer.
+----------+
| |
| OAuth |
| service |
+--------+ | provider |
| | | |
|Desktop-| |[protected|
|based | |resources]|
|Consumer| | |
| | | |
| UA | | [SP] |
+-+------+ +----+-----+
| |
| 1. Consumer requests "unauthorized Request |
| Token (uRT)" with POST to SP's "request token"
| URL. |
|--------------------------------------------->|
| |
| |
| 1.1. SP issues uRT and Token Secret to |
| consumer. |
|< ---------------------------------------------|
| |
| |
| |
| 1.2. User authenticates with the Service |
| Provider (optional, methods vary, realization|
| is out of scope) |
|<============================================>|
| 3. User grants or declines permission |
| for the Service Provider to issue Access |
| Token. |
| |
| |
| |
| |
| 4. Service Provider authorizes the uRT to be |
| exchanged for an Access Token and secret. |
|< ---------------------------------------------|
| |
| |
| |
| 5. Consumer exchanges the uRT and secret |
| for an Access Token and Secret. |
|--------------------------------------------->|
|< ---------------------------------------------|
| |
| |
| |
| 6. Consumer uses the Access Token, Access |
| Secret, Consumer Key, and Consumer Secret |
| to make authenticated request(s) to the Service
| Provider |
|<============================================>|
| . |
| . |
| . |
| . |
| . |
| . |
| |
New version of OpenID SAML comparison document
Monday, January 21st, 2008I’ve done a modest editorial and copy editing update to the OpenID SAML technical comparison document announced earlier. Going forward, the latest rev will be available via this URL:
http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html
(Draft) Technical Comparison: OpenID and SAML
Monday, December 17th, 2007Over the past couple of years quite a few folks have asked me, and I’m sure others, “what’s the salient differences between OpenID and SAML?” So earlier this year I began hacking together a technical comparison of the two. It’s an interesting exercise comparing two Web SSO protocols, even one as ostensibly simple, and straightforwardly specified, as OpenID. It turns out to be a fairly complex task given all the different facets inherent in authentication protocols in general, and in web-, i.e. HTTP-based, protocols (and profiles thereof) in particular. And also given the various audiences affected by such protocols: implementors, deployers, end users, and protocol designers.
The resultant comparison paper, “Technical Comparison: OpenID and SAML - Draft 05″ seems to me to be at a stage where it can be shared widely (i.e. on the web ), here it is..
http://identitymeme.org/doc/draft-hodges-saml-openid-compare-05.html
..For many readers, sections 1, 2, and perhaps 3 ought to cover things. For those necessarily interested in gory, really geeky details, parts or all of section 4 will be of interest. Note that this is still a “draft“–there are various items, especially in section 4, that are not as yet evaluated as thoroughly as I’d like, or at all (as yet).
I’ve tried as much as possible to provide an objective comparison. It’s admittedly difficult given I’ve been intimately involved in SAML’s gestation since essentially the very beginning. It’s also a technically difficult comparison because of the differing design centers of OpenID and SAML, as well as differing specification styles, and thus the difficulty in presenting the comparison to the reader, not to mention attempting to be “balanced“.
So, I hope this paper will prove at least somewhat enlightening and useful to the multifaceted “identity” community out there, and to those shepherding websites who are wondering what these two oft-mentioned beasts are, how’re they’re different/similar/alike, and also nominally how they work.
=JeffH sez check it out.