Service Chaining with OAuth 2.0 Bearer Tokens
Alan H. Karp
HP Labs
Overview
• OAuth 1.0
• OAuth 2.0
• Sabre 2.0
OAuth 1.0
OAuth 2.0
• No crypto in the protocol
– Everything over HTTPS
• Opaque tokens represent access rights
• No revocation
– Most tokens expire in a short time, e.g., 10 min
• Different patterns
– Basic requires authentication
– Bearer tokens
OAuth 2.0 Basics
AM and RO agree on AG
AM and RP agree on AT
AM decides RT format
All opaque to client
[Diagram: basic OAuth 2.0 flow between Resource Owner, Authorization Manager, Client and Resource Provider. The Client requests access from the Resource Owner and receives an Authorization Grant (AG); it presents the AG to the Authorization Manager and receives an Access Token (AT), optionally with a Refresh Token (RT); it then presents the AT to the Resource Provider to reach the Resource.]
AG and AT short-lived
RT long-lived
Web Redirection
[Diagram: web-redirection variant of the same flow with the same four parties; the labelled steps visible in the transcript are 5. AG (to the Client) and 6. AT (to the Client).]
SABRE 1.0
• SABRE
– Semi-Automatic Business-Related Environment
• Developed by IBM for American Airlines
– First prototype 1960
– In use today as Sabre Holdings, Inc. (Travelocity)
• Long past due for an upgrade
– HP/EDS won the contract
SABRE 2.0
• Widely known features
– Airline/hotel reservations
• Less well known or unknown features
– Crew scheduling
– Airport management
Airport Management
• 200 airlines
– 10,000 employees each
• 500 airports
– 5,000 employees each
• Federated Identity Management impractical
• First solution ZBAC with SOAP
• Switched to REST
– Proposed waterken
– Decided on OAuth
Gate Agent Scenario
• All computers at gates are shared
• Want employers to authenticate their people
• Authorization decided by role and context
– Gate agent can close gate if employer’s flight
• TWA has contracted to use Weather, Inc.
• TWA gate agents may request forecasts
– Agents specify airport code
– Weather, Inc. takes latitude/longitude
– SABRE Convert service translates code to lat/long
Sign Contracts
[Diagram: the contracting parties and their components. Weather, Inc. (Forecast service), TWA and Sabre 2.0 (Convert Service), each with its own AuthZ Mgr; also shown: AuthN Mgr, Policy Engine, Web Server, PM.]
Screen on Gate Display
Setup
[Diagram: Alice at a Browser, TWA (Web Server, AuthZ Mgr, PM), Weather Service (Forecast, AuthN Mgr, AuthZ Mgr) and Sabre 2.0 (Policy Engine, AuthZ Mgr, Convert Service).]
Request Permissions
[Diagram: same parties as the Setup slide (Alice at a Browser, TWA Web Server and Policy, TWA AuthZ Mgr, Weather Service with AuthN/AuthZ Mgr, Sabre 2.0 AuthZ Mgr and Convert Service). Labelled step visible in the transcript: 7. Get forecast for ORD.]
Prepare to Delegate
[Diagram: same parties as the previous slide; no step labels survive in the transcript.]
Prepare to Invoke
[Diagram: same parties as the previous slide. Labelled steps visible in the transcript: 14. Exchange AG1 for AT1; 15. AT1 for CS (the Convert Service).]
Invoke
[Diagram: same parties as the previous slide; no step labels survive in the transcript.]
Optimizations
• Resource owner is resource provider
– Forget about AGs, just hand out ATs
• Skip AG2
– Alice can tell TWA AG is for Convert service
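The token mechanics behind the chaining slides (AG1 exchanged for AT1, AT1 valid only for the Convert Service, short expiry instead of revocation), as an added example that is not part of the deck or of Sabre 2.0. It is a hypothetical in-memory model: one AuthorizationManager stands in for the separate TWA and Sabre AuthZ managers, and the AIRPORTS table and the "alice@twa" identity are constructed sample data.

```python
import secrets
import time

TTL = 600  # AG and AT are short-lived (deck: e.g. 10 min); there is no revocation, expiry does that job
AIRPORTS = {"ORD": (41.98, -87.90)}  # constructed sample: airport code -> latitude/longitude

class AuthorizationManager:
    """Hypothetical AM: mints opaque AGs and ATs and remembers what each one stands for."""

    def __init__(self, now=time.time):
        self.now = now
        self.grants = {}  # AG -> (subject, audience, expiry); single use
        self.tokens = {}  # AT -> (subject, audience, expiry)

    def issue_grant(self, subject, audience):
        ag = secrets.token_urlsafe(16)  # opaque to the client: a random key into self.grants
        self.grants[ag] = (subject, audience, self.now() + TTL)
        return ag

    def exchange(self, ag):
        """Step 14: swap an AG for an AT bound to the same audience; replayed or stale AGs fail."""
        subject, audience, exp = self.grants.pop(ag, (None, None, 0))
        if subject is None or self.now() > exp:
            raise PermissionError("unknown, already used or expired grant")
        at = secrets.token_urlsafe(16)
        self.tokens[at] = (subject, audience, self.now() + TTL)
        return at

    def subject_for(self, at, audience):
        """Resource-provider check: AT known, unexpired and minted for this audience, else None."""
        rec = self.tokens.get(at)
        if rec is None or rec[1] != audience or self.now() > rec[2]:
            return None
        return rec[0]

def convert_service(am, at, code):
    """Sabre Convert service: honours only ATs minted for it, then maps code -> lat/long."""
    if am.subject_for(at, "convert-service") is None:
        return None
    return AIRPORTS.get(code)

def forecast_request(am, agent, code):
    """TWA web server acting for gate agent `agent` (step 7): get AG1 for the Convert service,
    exchange it for AT1 (steps 14-15) and invoke Convert with the bearer token."""
    ag1 = am.issue_grant(agent, audience="convert-service")  # TWA AuthZ says the AG is for CS
    at1 = am.exchange(ag1)
    return at1, convert_service(am, at1, code)
```

The audience stored against each opaque token is what stops AT1, minted for the Convert Service, from being replayed at the Weather service; the Weather hop would need its own grant and token from its own AuthZ manager.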