[jdev] Claims-based Authentication

Jonathan Dickinson jonathan at dickinsons.co.za
Thu Jun 3 08:48:29 CDT 2010


> Date: Thu, 3 Jun 2010 07:41:25 -0600
> From: stpeter at stpeter.im
> To: jdev at jabber.org
> Subject: Re: [jdev] Claims-based Authentication
> 
> 1. Is there a compelling use case for this?
I have seen a few devs approach the mailing list with this problem. It most often appears in the form "How to use OAuth".
> 
> 2. Why wouldn't the WS-* folks define a new SASL mechanism?
The problem is the XML - WSF uses XML to do the exchange, to base64-ing it wouldn't be the best (as per requirement from the SASL RFC). If that lands up being the route taken they would probably only need to reserve a namespace.
This would probably land up being an XMPP-specific thing that would indicate how to do authentication exchanges using XML-based protocols (like WSF); but that is a big hunch on my part.
> 
> On 5/31/10 8:18 AM, Jonathan Dickinson wrote:
> > Hi All,
> >  
> > I have been doing some research lately on claims-based authentication
> > [CBA] (Microsoft implementation - AFAIK based on WS-Federation/WS-Trust
> > <http://en.wikipedia.org/wiki/WS-Federation>). The previous discussions
> > about OAuth and its limitations came to mind immediately - CBA seems to
> > resolve the issues that we discussed (it is not tied to the web).
> >  
> > For those who are not familiar with it; it basically is an identity that
> > consists of one or more claims. For example a Jabber claim might look
> > like this:
> >  
> > JID: jonathand at jabber.org
> > UPN: jonathand at jabber.org
> > Name: Jonathan Dickinson /from VCard/
> > etc.
> >  
> > In this scenario jabber.org is the sole /issuer/. This identity (and
> > it's claims) can be passed to other issuers so that they can fill in the
> > blanks. For instance, if I were to start off with a X509 claim:
> >  
> > Thumbprint: BCF189...
> > Name: CN=jonathand...
> >  
> > I could send it to my internal JID issuer and land up with the following:
> >  
> > Thumbprint: BCF189...
> > Name: CN=jonathand...
> > JID: jonathand at jabber.org
> > UPN: jonathand at jabber.org
> >  
> > The idea of a claim is that you can use that claim to authenticate with
> > SSO capabilities (this works particularly well with the Microsoft
> > implementation of it). I could authenticate against a server using
> > SQL-orientated credentials (e.g. PLAIN) - with appropriate translation
> > components in place I could pick up my SAP creds, Windows creds and HTTP
> > creds without the user having to enter them in. The whole exchange
> > occurs using XML (primarily SAML).
> >  
> > The XML is where the problem lies - SASL dictates that the contents be
> > base64-encoded. While this is perfectly valid it just feels plain wrong.
> > After thinking about it (less than I should - but here goes):
> >  
> > <stream:features>
> >      <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
> >        <required/>
> >      </starttls>
> >      <federation xmlns='http://schemas.xmlsoap.org/ws/2006/12/federation' />
> >      <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
> >        <mechanism>DIGEST-MD5</mechanism>
> >        <mechanism>PLAIN</mechanism>
> >      </mechanisms>
> >    </stream:features>
> >  
> > The WS-Federation SignOn exchange could then be done via <federation>
> > tags. Obviously one would need to be careful around namespace prefix
> > conflicts etc. - but nothing too hairy.
> >  
> > Ideas/thoughts?
> >  
> > -- 
> > Jonathan Dickinson
> > 
> 
-- Jonathan Dickinson 		 	   		  
_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20100603/7b73835d/attachment.htm>


More information about the JDev mailing list