[OAUTH-WG] SSO scenario

Justin Karneges <justin@affinix.com> Fri, 26 August 2011 23:03 UTC

Return-Path: <justin@affinix.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id F280A21F8B7D for <oauth@ietfa.amsl.com>; Fri, 26 Aug 2011 16:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id y+p+9bU675xD for <oauth@ietfa.amsl.com>; Fri, 26 Aug 2011 16:03:41 -0700 (PDT)
Received: from homiemail-a38.g.dreamhost.com (caiajhbdcagg.dreamhost.com []) by ietfa.amsl.com (Postfix) with ESMTP id 438FE21F8B0B for <oauth@ietf.org>; Fri, 26 Aug 2011 16:03:41 -0700 (PDT)
Received: from homiemail-a38.g.dreamhost.com (localhost []) by homiemail-a38.g.dreamhost.com (Postfix) with ESMTP id 90F5110AFB1 for <oauth@ietf.org>; Fri, 26 Aug 2011 16:04:58 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=affinix.com; h=from:to:subject :date:mime-version:content-type:content-transfer-encoding: message-id; q=dns; s=affinix.com; b=rTHrX/y6ijzllZ+Vi/j8YpkNdR9k DwaPbDR3CVOxs/SxsfhThKM57wcnaj8nE+qOBBufsjHAwcJhhNjK4uI7jYRQV2t9 Rywts5nY0PSTBEIbTNFG3Sk6gfpArUUaLCvQoPZtD5cZ5xjzCK+kP/tYs1WnUMLJ Oiu+MEe4PiW+FF8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=affinix.com; h=from:to :subject:date:mime-version:content-type :content-transfer-encoding:message-id; s=affinix.com; bh=gVchGwH mjQMczHNb4nUKupfajV4=; b=g+Qcm1cOThMFBrmcmw8l7bpXfnfbJ8MyFT4SvwW k8NPqsZlEZLTHbuWjt3ot3ypDZx4ZSbg3D3nmamVTkS76DPxYDDhNI9UNDTHRKAL +Q1Bk//GUigeUb8u5tTw4HBSM0blMoxNuZ6Q2PPuk/iFxbsL6VkNRemu3WqtCJRN p+1E=
Received: from purelace.localnet (andross.dreamhost.com []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: justin@affinix.com) by homiemail-a38.g.dreamhost.com (Postfix) with ESMTPSA id 742AD10AFAD for <oauth@ietf.org>; Fri, 26 Aug 2011 16:04:58 -0700 (PDT)
From: Justin Karneges <justin@affinix.com>
To: oauth@ietf.org
Date: Fri, 26 Aug 2011 16:04:57 -0700
User-Agent: KMail/1.13.6 (Linux/2.6.38-11-generic; KDE/4.6.2; x86_64; ; )
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <201108261604.57643.justin@affinix.com>
Subject: [OAUTH-WG] SSO scenario
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2011 23:03:42 -0000

Hi folks,

I currently use a proprietary token approach to provide authentication to a 
browser widget, and I wonder if OAuth could be used to replace it.

Here's how the system currently works:
  - website supports authenticated users (happens via username/password form)
  - website and widget provider have a shared secret
  - the website serves a page to the browser, containing an embed of a remote 
widget as well as a token that asserts the currently logged in user.  the 
widget takes this token and performs an ajax call to the widget provider 
server.  behold, the user is now logged in to the widget.

In trying to organize this into OAuth terms and roles, here is what I come up 
  - resource owner: the user
  - resource server: widget provider (where the resource is generically "the 
ability to utilize the widget")
  - client: the webpage running in the browser
  - authorization server: the website

The website essentially serves up the client application and token in one 
shot, so the client never has to explicitly ask for a token.  However, the 
client would then take that token and use it to access a service.  The website 
and widget provider would share key material such that token validation is 
possible, but it's important to note that the two services are not owned and 
operated by the same people.

Does this seem right?  Normally when I think of OAuth, I think of a user 
giving a third-party service access to his personal stuff, but in the above flow 
I'm proposing that OAuth be used so that the user gains access to his own 
stuff.  In fact, there would be no way to access his stuff other than this 
approach, so it's not just about optional third-party access.  It's the direct 
and only access.

Would love confirmation that OAuth is appropriate for my needs, and if I have 
the roles right in that case.