Saturday Sep 13, 2008

OAuth and Fine Grained User Controlled Authorization


There is a lot of buzz around OAuth. It provides a simple and secure way for users to give a third party access to their personal data without handing over their password. At the core of the protocol is a token exchange between service providers (where the personal data lives) and consumers (the entities requesting it), plus a mechanism for interacting with the user to approve the access.
Merely implementing the OAuth protocol is not sufficient for a practical deployment; two further functions have to be supplied to make it useful:
  • Policy-driven transfer of personal information, e.g. a particular picture or album, a home address, or health records between a start date and an end date. The effective policy combines service-provider-wide policy with user-controlled policy: a request is honoured only when both allow it, so a user cannot grant more than the provider permits, and the provider does not release what the user has not approved.
  • Audit logs recording the user's consent and the data actually transferred.
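As an added example (not code from this post or from OpenSSO), here is the token-signing half of that exchange in Python: the consumer signs a protected-resource request with OAuth 1.0 HMAC-SHA1, and the provider verifies it, rejecting replays and tampered parameters. The request, keys and secrets are the worked-example values from Appendix A of the OAuth Core 1.0 specification; the `Provider` class, its nonce cache and the 300-second timestamp window are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import urllib.parse


def pct(value):
    """Percent-encode per RFC 3986, leaving only the unreserved characters bare (OAuth 1.0 rule)."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """OAuth 1.0 base string: METHOD & enc(url) & enc(normalized params), params without oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())   # encode first, then sort by key, value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Consumer side: return a copy of the parameters carrying oauth_signature."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return signed


class Provider:
    """Service-provider side (assumed structure): holds secrets, remembers nonces, verifies requests."""

    def __init__(self, consumer_secrets, token_secrets, window=300):
        self.consumer_secrets = consumer_secrets   # oauth_consumer_key -> consumer secret
        self.token_secrets = token_secrets         # oauth_token -> token secret
        self.window = window                       # accepted clock skew in seconds (assumption)
        self.seen_nonces = set()

    def verify(self, method, url, params, now):
        """Return (accepted, reason). `now` is passed in so the check is deterministic."""
        p = dict(params)
        presented = p.pop("oauth_signature", None)
        if presented is None:
            return False, "missing signature"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        consumer_key = p.get("oauth_consumer_key")
        consumer_secret = self.consumer_secrets.get(consumer_key)
        if consumer_secret is None:
            return False, "unknown consumer"
        token = p.get("oauth_token")
        token_secret = self.token_secrets.get(token) if token else ""
        if token_secret is None:
            return False, "unknown token"
        try:
            timestamp = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        nonce_key = (consumer_key, p.get("oauth_nonce"), timestamp)
        if nonce_key in self.seen_nonces:
            return False, "nonce replayed"
        expected = hmac_sha1(signature_base_string(method, url, p), consumer_secret, token_secret)
        # Constant-time compare; record the nonce only after the signature checks out, so
        # unauthenticated junk cannot burn nonces that a legitimate consumer is about to use.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "bad signature"
        self.seen_nonces.add(nonce_key)
        return True, "ok"


# Request and credentials from OAuth Core 1.0, Appendix A (spec example values, not real secrets).
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = {
    "file": "vacation.jpg",
    "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
SPEC_CONSUMER_SECRET = "kd94hf93k423kf44"
SPEC_TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def demo():
    """Sign the Appendix A request, verify it, then replay it and tamper with it."""
    signed = sign_request("GET", SPEC_URL, SPEC_PARAMS, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET)
    provider = Provider({"dpf43f3p2l4k3l03": SPEC_CONSUMER_SECRET},
                        {"nnch734d00sl2jdk": SPEC_TOKEN_SECRET})
    now = 1191242100                                   # a few seconds after oauth_timestamp
    first = provider.verify("GET", SPEC_URL, signed, now)
    replay = provider.verify("GET", SPEC_URL, signed, now)                 # same nonce again
    tampered = dict(signed, file="private.jpg", oauth_nonce="k2nd")        # new nonce, old signature
    forged = provider.verify("GET", SPEC_URL, tampered, now)
    return signed["oauth_signature"], first, replay, forged
```

`demo()` returns the Appendix A signature `tR3+Ty81lMeYAr/Fid0kMTYa/WM=` followed by `(True, 'ok')`, `(False, 'nonce replayed')` and `(False, 'bad signature')`. Two points matter more than the hashing itself: the signature covers the query parameters, so swapping `file` invalidates it, and the nonce cache is what turns a captured request into a one-shot credential.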
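As an added example, and not the post's or OpenSSO's own code, the following Python sketches a policy decision point for the two functions above: a resource is released only when the provider-wide policy and the user's own grant both allow it, and every decision is written to an audit record that names the consent it rested on. The resource naming scheme (`album:`, `home_address`, `health:`), the consumer names, the provider policy table and the grants for user alice are all constructed for the illustration.

```python
import json
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """A user-controlled grant: one consumer may read resources matching a glob, within a date window."""
    consumer: str
    resource: str                  # glob such as "album:vacation/*" or "health:*"
    start: Optional[date] = None   # for dated data (health records): earliest record date released
    end: Optional[date] = None     # ... and latest

    def covers(self, consumer, resource, when):
        if consumer != self.consumer or not fnmatchcase(resource, self.resource):
            return False
        if self.start is not None and (when is None or when < self.start):
            return False
        if self.end is not None and (when is None or when > self.end):
            return False
        return True


# Constructed provider-wide policy: for each resource class, the consumers that may ever receive it.
# "*" means any registered consumer; a class that is absent is never released, whatever the user grants.
PROVIDER_POLICY = {
    "album": {"*"},
    "home_address": {"postal-service"},   # only a vetted consumer gets a postal address
    "health": {"clinic-portal"},
}


class PolicyDecisionPoint:
    """Combines provider-wide policy with the user's grants and records every decision."""

    def __init__(self, provider_policy, grants):
        self.provider_policy = provider_policy
        self.grants = grants          # user -> list of Grant
        self.audit = []               # in-memory stand-in for an append-only audit log

    def decide(self, user, consumer, resource, when=None):
        """Return True only if provider policy AND a user grant both allow the release."""
        resource_class = resource.split(":", 1)[0]
        permitted = self.provider_policy.get(resource_class, set())
        provider_ok = "*" in permitted or consumer in permitted
        matching = [g for g in self.grants.get(user, []) if g.covers(consumer, resource, when)]
        if not provider_ok:
            decision, reason = "deny", f"provider policy never releases {resource_class} to {consumer}"
        elif not matching:
            decision, reason = "deny", "no user grant covers this consumer, resource and date"
        else:
            decision, reason = "permit", "provider policy and user grant both allow"
        self.audit.append({
            "user": user,
            "consumer": consumer,
            "resource": resource,
            "record_date": when.isoformat() if when else None,
            "decision": decision,
            "reason": reason,
            # The consent the release rests on (pattern and window), never the data values themselves.
            "grant": f"{matching[0].resource} [{matching[0].start}..{matching[0].end}]" if matching else None,
        })
        return decision == "permit"

    def audit_lines(self):
        """Audit log as JSON lines, one per decision, ready for an append-only log sink."""
        return [json.dumps(entry, sort_keys=True) for entry in self.audit]


def demo():
    """Alice's grants evaluated against constructed requests from two consumers."""
    grants = {"alice": [
        Grant("photo-printer", "album:vacation/*"),
        Grant("photo-printer", "home_address"),          # user says yes, provider policy says no
        Grant("clinic-portal", "health:*", date(2008, 1, 1), date(2008, 6, 30)),
    ]}
    pdp = PolicyDecisionPoint(PROVIDER_POLICY, grants)
    results = {
        "vacation photo": pdp.decide("alice", "photo-printer", "album:vacation/img001"),
        "private photo": pdp.decide("alice", "photo-printer", "album:private/img777"),
        "home address": pdp.decide("alice", "photo-printer", "home_address"),
        "lab result, March": pdp.decide("alice", "clinic-portal", "health:lab-0314", date(2008, 3, 14)),
        "lab result, September": pdp.decide("alice", "clinic-portal", "health:lab-0902", date(2008, 9, 2)),
    }
    return results, pdp.audit_lines()
```

Only the vacation photo and the March lab result are released; the private album has no grant, the September record falls outside the user's window, and the home address is refused even though alice granted it, because the provider-wide policy does not list that consumer. The audit line for that last case still records the matching grant, which is exactly what an investigator wants to see: the user consented, the provider declined.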

    I plan to provide a deep technical dive into how OpenSSO supplies these functions in upcoming posts. Earlier incarnations of OpenSSO (Access Manager 7.x) already tackled this problem as part of the Liberty Interaction Service implementation. For people not familiar with that protocol: the Liberty Alliance Interaction Service, together with the Liberty Discovery Service, provides functionality similar to OAuth and goes a step further by taking privacy and interoperability into consideration, at the expense of some added implementation complexity.

    Hope to cover the following:
  • Basic OAuth implementation
  • Leveraging OpenSSO Policy to model admin and user controlled access control rules
  • Logging

Wednesday Nov 08, 2006

    Learn the Power of Federation in 5 days

    Sun's Training Team has put together an excellent course on federation: Federation Boot Camp. It's quite comprehensive, starting with basic concepts and going on to hands-on labs for the cool "a-ha!" experience.
    The best part is that it's not a dull protocols-and-XML exercise: it's designed around real customer use cases and actually helps you decide which of the several possible deployments is most applicable to your particular situation.
    And of course it's all based on what I do in my day job: SJS Access Manager and Federation Manager. Please feel free to request enrollment for the next session, and for more info contact fm-bootcamp AT sun dot com.
    About

    rajeev
