[aklug] Need help programming Bailiwick.. an OpenID(+OAuth) generic producer with authentication helpers.

From: Shane Spencer <shane@bogomip.com>
Date: Thu Jan 26 2012 - 10:14:11 AKST

In business scenarios virtual app images are becoming "the thing to
do" and out of the box many of them support LDAP. Great.

This basically means that the apps are responsible for the form,
basic, or digest authentication which captures password information
INSIDE THE APP and then migrates it elsewhere to be validated. It
would be stupid easy to produce an "Easy to install Drupal APP Image
of Awesome that supports that LDAP extension that is hard to use!"
that dozens, hundreds, or simply at least one company would download,
install, be happy with.. and be completely aware that it is feeding
password information to the creator somewhere else on the InterWebs.
Let's not mention unsecured LDAP and how passwords are plaintext over
the wire between the app image and the LDAP server.

You get around this by moving password authentication somewhere more
trustworthy that is easier for you to keep an eye on (central) and
focus on secure access between it and the password authorization
system.

OpenID itself is not a method to collect username and password
information but rather a method to collect information and return an
access token to OpenID compatible sites. Wonderful stuff really.
There are a LOT of implementations of OpenID in many languages, but
most fail to complement themselves with a method to collect username
and password information and use an authentication backend. An
example of a site that actually does this is http://www.MyOpenId.com/
where I am http://spencersr.MyOpenId.com/ and my information is
available without authentication, but the site acts as an
authentication system as well using a login url that is presented to
the browsing user when they attempt to log in using OpenID and that
URI.

That works well for one or two users.. but it lacks a lot of extra
attributes that an extendable implementation would offer. That's what
I'm hoping to focus on.

Above and beyond all that I'd like to implement a Hybrid OpenID+OAuth
method for this project that would help OpenID consumers and OAuth
consumers get the nitty gritty out of the way in one go and then hand
tokens around using easy to use backend solutions.

So my example for this is my company, as well as maybe the school
district, and any company that uses a lot of extra software products
that attempt to seamlessly integrate themselves into existing
corporate security infrastructure be it OpenLDAP, OpenDirectory,
ActiveDirectory, or that funky access database some former employee
made back in 1992 that you just haven't had the heart to replace (his
soul is in it man... his soul).

Scenario:
  Download OpenID/OAuth compatible app or sign up for one "in the
cloud" somewhere.
  Use http://iamwhoisayiam.intranet.mycompany.com/ as your openid
(redirect to https on request if http specified)
  Be presented a page at http://iamwhoisayiam.intranet.mycompany.com/
wherein you log in, do other things as needed, then eventually accept
the invitation to allow a token to be sent back to the app as proof of
login.
  The app says "yay" and you're logged in. It pulls down information
in the response it got from your OpenID server and pre-fills a lot of
useful information:
    First name
    Last name
    Timezone
    Country
    Telephone numbers and stuff

Extended Scenario:
  The app understands that Bailiwick was used and uses the OAuth token
it received in the response to get access to API information:
    GetAvailableGroups for instance which would return a list of UUIDs
associated with a security group in LDAP or other such stuffs which
will then have to be resolved individually through GetGroupInformation
or the like.

I'd like to think that the extended API for OAuth access to your
domains information would be filtered at an administrative level.. and
content that is queryable is filtered as well, and then further
filtered by a list of elements that are allowed to be returned for a
query.
  Example: User appears to be part of group Smelly which is part of
the AdvertisableGroups group. Results when querying all users in
group Smelly have to be part of the AdvertisableSmellyUsersGroup group
or some such nonsense.
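The filtering described above, as an added Python sketch that is not Bailiwick's own code: the OAuth token's scope is checked before any lookup, the user's groups are reduced to those listed under AdvertisableGroups, a group's members are reduced to those in its advertisable-users group, and only allow-listed attributes leave the server. The directory records, the policy layout and the groups:read scope name are constructed assumptions.

```python
# Constructed stand-in for the directory: group UUID -> record (hypothetical data).
DIRECTORY = {
    "g-smelly": {"cn": "Smelly", "members": ["alice", "bob", "carol"], "owner": "bob"},
    "g-payroll": {"cn": "Payroll", "members": ["dave"], "owner": "erin"},
    "g-advertisable": {"cn": "AdvertisableGroups", "members": ["g-smelly"]},
    "g-adv-smelly-users": {"cn": "AdvertisableSmellyUsersGroup",
                           "members": ["alice", "carol"]},
}

# Administrative policy, applied on the Bailiwick side and never in the app:
# which groups may be advertised at all, which group gates the members that may
# be returned for each advertised group, and which attributes may leave the server.
POLICY = {
    "advertisable_groups": "g-advertisable",
    "advertisable_members": {"g-smelly": "g-adv-smelly-users"},
    "allowed_attributes": {"cn", "members"},
}

def _require_scope(token, scope):
    # The OAuth token handed back with the OpenID response carries scopes
    # (assumed name "groups:read"); a token without it is refused up front.
    if scope not in token.get("scopes", ()):
        raise PermissionError("token lacks scope %s" % scope)

def _advertisable():
    return set(DIRECTORY[POLICY["advertisable_groups"]]["members"])

def get_available_groups(token, user):
    """UUIDs of the user's groups that policy allows the app to see."""
    _require_scope(token, "groups:read")
    mine = [gid for gid, rec in DIRECTORY.items() if user in rec["members"]]
    return sorted(gid for gid in mine if gid in _advertisable())

def get_group_information(token, gid):
    """Filtered record for one group; non-advertisable and unknown groups look alike."""
    _require_scope(token, "groups:read")
    if gid not in _advertisable() or gid not in DIRECTORY:
        return None
    rec = DIRECTORY[gid]
    out = {k: v for k, v in rec.items() if k in POLICY["allowed_attributes"]}
    if "members" in out:
        # Only members that also belong to the group's advertisable-users group.
        gate = POLICY["advertisable_members"].get(gid)
        visible = set(DIRECTORY[gate]["members"]) if gate else set()
        out["members"] = sorted(m for m in rec["members"] if m in visible)
    return out
```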

Anybody with Python skills wanna help out?

http://github.com/Bailiwick

- Shane