Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using OpenID/OAuth to access Federated Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP 2011 10 May 2011.

Published byGerard Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "Using OpenID/OAuth to access Federated Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP 2011 10 May 2011."— Presentation transcript:

1 Using OpenID/OAuth to access Federated Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP 2011 10 May 2011

2 CMIP3 Pydap server: http://esgcet.llnl.gov/dap/ipcc4/?threddshttp://esgcet.llnl.gov/dap/ipcc4/?thredds THREDDS catalog OpenDAP service points Basic Authentication Cloud-accessible with basic authentication pass-through i.e. llnl controlled user/password access to analysis done in the cloud with CMIP3 data

3 Sample CMIP3 access

4 Mashup Authentication A simple data mashup: difference between two variables from two different datasets If both datasets are access-restricted under different security realms (different userid/password), then the difference cannot be authenticated (Basic/Digest Authentication only has one userid)

5 OpenID OpenID separates user identification from resource access authorization, so a federation of servers can have users with the same id, yet decide separately who gets access to their resources. It also means resource providers can get out of the user authentication business. This is half of the solution to the mashup problem.

6 Man-in-the-Middle Modern authentication schemes (i.e. other than Basic) defend against man-in-the-middle attacks, i.e. defend against a third-party sitting in the middle of the browser and the authenticating server conversation and relaying requests while copying for nefarious reasons. This also eliminates third-parties for good reasons. So we need to separate the good third parties from the bad ones. More than likely, this means one must explicitly authenticate third-parties (cloud applications) as well as users.

7 OAuth Mechanism to authenticate third-parties Used by third-party apps to access Google and Facebook data, for example Currently missing the “refusal” part of the standard, but that will be part of Oauth 2.0, at which point it becomes “Token” Authorization (refusal does not distinguish between 2 nd and 3 rd parties, only the process for getting a token differs).

8 OAuth 1.0

9 OAuth 1.0 subsequent

10 OAuth App must OAuth Protocol Identify user Remember authorized tokens by (user,data server) Probably will have pre-registered

11 OAuth 2.0 Authorization protocol in parallel with Basic and Digest Authentication, i.e. the Unauthorized response gives the information needed to get authorization Will probably be called “Token” or “Bearer” or “MAC” (i.e kinds of tokens) in WWW-Authenticate which will provide two endpoints for authorization Authorization-uri: endpoint for user to identify with token-uri: endpoint for app to identify with

12 OAuth 2.0 Web App Flow(*)(*)

Download ppt "Using OpenID/OAuth to access Federated Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP 2011 10 May 2011."

Similar presentations

22 May 2008IVOA Trieste: Grid & Web Services1 Alternate security mechanisms Matthew J. Graham (Caltech, NVO) T HE US N ATIONAL V IRTUAL O BSERVATORY.

22 May 2008IVOA Trieste: Grid & Web Services1 Alternate security mechanisms Matthew J. Graham (Caltech, NVO) T HE US N ATIONAL V IRTUAL O BSERVATORY.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
QGis Browser / VGL Frontend VGL Backend 3 rd Party WPS Services eScript Underworld AEM Inversion Proprietary Protocol Proprietary Protocol Proprietary.

QGis Browser / VGL Frontend VGL Backend 3 rd Party WPS Services eScript Underworld AEM Inversion Proprietary Protocol Proprietary Protocol Proprietary.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
1 Authentication and Authorization in Web Systems Zhenhua Guo Jun-30-2009.

1 Authentication and Authorization in Web Systems Zhenhua Guo Jun
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
 Kim Cameron Distinguished Engineer Microsoft Corporation BB11.

 Kim Cameron Distinguished Engineer Microsoft Corporation BB11.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes.

INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes.
SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.

SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.
Authenticate user AuthenticationContext aCtx = new AuthenticationContext(“https://sts.contoso100.com/adfs); AuthenticationResult.

Authenticate user AuthenticationContext aCtx = new AuthenticationContext(“ AuthenticationResult.
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,

Similar presentations

Ads by Google