Re: [rtcweb] usability of IdP concepts in draft-ietf-rtcweb-security-arch-07
Max Jonas Werner <mail@makk.es> Wed, 06 November 2013 08:36 UTC
Return-Path: <mail@makk.es>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E085921E809B for <rtcweb@ietfa.amsl.com>; Wed, 6 Nov 2013 00:36:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fqvOPhzInrXZ for <rtcweb@ietfa.amsl.com>; Wed, 6 Nov 2013 00:36:03 -0800 (PST)
Received: from lupus.uberspace.de (lupus.uberspace.de [95.143.172.176]) by ietfa.amsl.com (Postfix) with SMTP id 25B0311E8194 for <rtcweb@ietf.org>; Wed, 6 Nov 2013 00:36:00 -0800 (PST)
Received: (qmail 10707 invoked from network); 6 Nov 2013 08:35:56 -0000
Received: from unknown (HELO ?141.22.28.177?) (141.22.28.177) by lupus.uberspace.de with SMTP; 6 Nov 2013 08:35:56 -0000
Message-ID: <5279FF69.5040206@makk.es>
Date: Wed, 06 Nov 2013 09:35:53 +0100
From: Max Jonas Werner <mail@makk.es>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Wolfgang Beck <wolfgang.beck01@googlemail.com>
References: <CAAJUQMgRqOggVzviMPnvpkwSzYJeEe_1S5K00chdGq-Hghq3Dg@mail.gmail.com> <52795BF0.1020207@makk.es> <CAAJUQMj2_sXtyTf=SugJWA81Ho_+G5WJN4QCfv1Z1FQdZL=Reg@mail.gmail.com>
In-Reply-To: <CAAJUQMj2_sXtyTf=SugJWA81Ho_+G5WJN4QCfv1Z1FQdZL=Reg@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="qgNEaGmXe5DkWcS51UUTeOdkUr70NQCp6"
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] usability of IdP concepts in draft-ietf-rtcweb-security-arch-07
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2013 08:36:09 -0000
Wolfgang, On 05.11.2013 23:03, Wolfgang Beck wrote: > According to the draft and the w3c doc, the Idp exchange is completely > hidden from the JS. I don't see how a web server could use the result to > verify the user without looking at the SDP. Or how the peerconnection could > reuse the result of an Idp exchange that authenticated the user towards the > server. Did I overlook something? > > Having to log in twice will only be tolerated by a small minority of > people. I propose you read the draft again since perhaps you overlooked something. Let me give you an example: You have a WebRTC application that's served from your domain example.com. Perhaps you've implemented some kind of login mechanism so the user logs in (using an HTML form perhaps) resulting in e.g. a cookie being saved in the user's browser carrying a session ID (again, this is just _one_ possibility). Your application creates a PeerConnection object and calls setIdentityProvider with the parameter "domain" set to "example.com" and the parameter "protocol" set to "proto" because you want to be your own IdP. When creating an offer the browser will then load the code from https://example.com/.well-known/idp-proxy/proto into an iframe or such and send a message to that code asking for an assertion. Since the IdP proxy code is served from the same origin it may read out the cookie value set earlier when logging the user in. This cookie value can now be used on the server side to automatically (as in without user interaction) create an assertion since the server already knows who the user is (from the cookie). This also works with using another IdP (say Facebook) with your application served from example.com. If the user is already logged into Facebook: no interaction needed. Max
- [rtcweb] usability of IdP concepts in draft-ietf-… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Martin Thomson
- Re: [rtcweb] usability of IdP concepts in draft-i… Max Jonas Werner
- Re: [rtcweb] usability of IdP concepts in draft-i… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Simon Perreault
- Re: [rtcweb] usability of IdP concepts in draft-i… Martin Thomson
- Re: [rtcweb] usability of IdP concepts in draft-i… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Martin Thomson
- Re: [rtcweb] usability of IdP concepts in draft-i… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Martin Thomson
- Re: [rtcweb] usability of IdP concepts in draft-i… Max Jonas Werner
- Re: [rtcweb] usability of IdP concepts in draft-i… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Martin Thomson
- Re: [rtcweb] usability of IdP concepts in draft-i… Wolfgang Beck
- Re: [rtcweb] usability of IdP concepts in draft-i… Martin Thomson
- Re: [rtcweb] usability of IdP concepts in draft-i… Max Jonas Werner
- Re: [rtcweb] usability of IdP concepts in draft-i… Martin Thomson