Travis Spencer - Software Engineer

Videos from Nordic APIs

2013-04-19T09:09:48Z

Last month, I worked with my colleagues at Twobo and w/ Twobo's partner, Dopter, to organize the first every all-API-related event in the Nordics. It was great fun, and I'm really happy to play a part in the development of the API community here in Northern Europe. Thanks again to all those who attended and to the sponsors!

We had originally planned on a half-day event, but it filled up weeks ahead of time. So, we added an encore in the morning that included most of the afternoon's presentations. Besides Twobo and Dopter, we also had folks w/ us from Ping Identity, Layer 7 Technologies, Jayway, Axiomatics, Samtrafiken, and others. We've uploaded all the slides and you can find the recordings of the afternoon sessions on the Nordic APIs YouTube channel. I gave one on API security and another about secure social media integration, which I outlined a couple months ago on this blog. Here's the recordings of my talks; would love your feedback.

The events were so well received that we have arranged a handful of others over the next few months. In May, we'll be in Copenhagen, Denmark, Sundsvall, Sweden and Aarhus, Denmark. In early June, we'll go up to Norway to a city called Trondheim. These events will be free, half-day conferences like the one in Stockholm last month. We'll be joined by folks from Telenor Comoyo, BlueVia (an initiative of Telenor and Telefonica), Sogeti, and others. In the fall, we'll be joined by a number of speakers and presenters from the Nordics and elsewhere for a 2-day event in Stockholm. The format should be very personal and engaging w/ an unconference, panel discussions, demo track, concurrent talks, and, hopefully, a group dinner on the first evening.

You can read more about this new series of events on nordicapis.com, in this press release from Twbo and Dopter, on ProgrammableWeb, and on the Twobo Web site. Really hope you'll join in the conversation that's taking place on Twitter, share your thoughts in a comment below, and join us for one of these upcoming events.

Speaking at BYOD and API Events

2013-02-16T09:11:51Z

I'll be heading up to Stockholm next week where I'll be presenting on BYOD. I'll be joined by others from StjärnaFyrkant, Ping Identity, PwC, Nokia, Sony, Telia, UnboundID, and my colleagues from Twobo. (I think some of the guys from Axiomatics will be around too.) You can find the full agenda here. My session is entitled "Turning your Organization into a Platform: Securely exposing data to apps running on employees' devices." During my talk, I'll present on how social media, mobile, cloud, and big data are having a "platformification effect" on organizations, forcing them to open up data and processes in new ways. I'll give a few examples of orgs who have done this, including my favorite, Pearson. As organizations undergo this shift, it is important that the APIs which they expose take into account the identity of the user who invokes them. Coupling this w/ information about the app/client, location, device, and other context, organizations can make calculated decisions about whether or not they should return the requested resources or not. In this way, BYOD and COPE are irrelevant. What's relevant is who the user is and what they are allowed to do in a given situation. I explained this in more detail in a whitepaper that you can find on Twobo's site (in English and Swedish). I also blogged about this on Mashup.se a few weeks ago, so check there for a bit more detail. The event is February 21, and it starts at 12:00 w/ lunch. So, come in time to grab a bite and talk about how BYOD is effecting Europe and beyond. Attendance is free, and you can find directions here.

Next month, at Nordic APIs in Stockholm, I'll also be giving a very exciting presentation about some innovative new things that we're doing at Twobo with the Janrain API. During my talk, I'll show how organizations can safely and securely use this service to integrate social media into their Web site as well as to publish back to them using a single API. I'll show how Janrain's service can be used with SiteMinder from CA to ensure that only authorized users gain access to sensitive parts of a Web site. What I'll demo allows Web site operators to uniformly consume anonymous, social and more trusted identities that are unaffected by the use or implementation of any particular upstream social network. I'll also show how Web site operators can combine Janrain's social media aggregation API and our integration with SiteMinder with other third-party tools, like Google Analytics, to use social more effectively. This event will be on March 21 at Jayway's office in downtown Stockholm. We'll be joined by presenters from Dopter, Jayway, Ping Identity, and Radio Sweden. We'll start w/ lunch at 12:00 and go till at least 16:00. (We might be joined by one or two more companies, so we may go till 17:00.) The event is free, and we are almost booked up, so RSVP today! More details on the agenda, speakers, etc. can be found on the Nordic APIs Web site.

[Disclosure: Twobo, my company, has a commercial relationship with Ping Identity, StjärnaFyrkant, UnboundID, Jayway, Dopter, CA, and Axiomatics; it also has an interest in both of these events.]

Upcoming Cloud Computing Events in the Netherlands

2012-09-21T12:44:10Z

This fall, I'll be presenting at IDentity.Next on behalf of my company, Twobo Technologies. At this conference, which takes place November 20th and 21st in the Hague, I'll be diving into various scenarios and use cases for the emerging provisioning standard, System for Cross-domain Identity Management (SCIM). This will be a sequel of sorts to the talk I did at the Cloud Identity Summit in July where I gave an intro to the new protocol. If you're planning on attending and want to do your prep work, have a look through this slide deck:

SCIM presentation from CIS 2012 from Twobo Technologies

Solving the provisioning problem is one thing we must do to benefit from this new IT delivery model. Next month, I'll be traveling down to Amsterdam to discuss this and other challenges with hundreds of other attendees of the Broadband Cloud Summit that's taking place as a part of this year's Broadband World Forum. From the 16th to 18th of October, I'll be joined by tens of thousands of speakers and delegates from tons of organizations who are seeking to find new ways of using digital identity, mobile computing, and the cloud to capitalize on emerging opportunities that they present to telcos and other service providers. Among these will be UnboundID, a partner of Twobo's, and hundreds of other exhibitors.

So, if you're going to be in the Netherlands over the next couple of months, drop me a line. I'd love to connect w/ you while there. If you're not, keep an eye out here, on Twobo's blog, and on Twitter w/ the hash tags #BBWF and #idn12. As a speaker at IDentity.Next and an official blogger for the Broadband World Forum, I'll certainly have more to say about these events.

(This blog post was sponsored in part by Informa, organizers of the Broadband World Forum.)

Update on SCIM

2012-04-09T11:47:57Z

The SCIM crew descended on Paris two weeks ago for the IETF 83 meeting. We kicked it off by testing the interoperability of our SCIM implementations for the second time. (IIW last fall was the first.) We paired up about a half dozen clients with roughly the same number of servers, and ran them through two dozen use cases. Participants were there from BCPSOFT, Courion, Gluu, Nexus, SailPoint, Salesforce, UnboundID, WSO2, and I was there testing Ping's new on-demand cloud identity management service, PingOne. It was a great time, and the results were very positive.

The next morning was the Birds of a Feather (BoF). Trey Drake of UnboundID and Morteza Ansari of Cisco WebEx gave an overview of SCIM 1.0, and talked through the proposed charter of an IETF Working Group (WG) that would define the next version of the protocol. I have never participated in the formation of a WG before, so the process was unfamiliar to me. I was expecting the WG to be formed on the spot, but, apparently, that's not the way it works. Instead, BoF attendees raise issues that are ironed out on the mailing list. After the issues are addressed, an IETF Area Director (AD) will decide if the WG should be formed, who should chair it, etc. This will take about 2 to 3 months, so stay tuned.

In the meantime, some of us will be chatting at EIC on a panel about SCIM, we'll be doing more interop testing at IIW 14 (or nearby), and we'll be discussing stuff on the new IETF mailing list. So, come join the growing SCIM community in Munich, San Francisco, or in cyberspace :-)

Authenticating to a WCF service with a SAML bearer token

2012-01-22T14:40:55Z

A question that has been coming up a lot lately is how does one send a SAML bearer token to downstream WCF service? In each of the recent cases, a front-end app was being presented with a token that it needed to convert to SAML before calling the back-end service. To do this, the Web app would send the incoming token or some other credential to an STS, get the SAML token back, and include it in its request to the next service as shown in the following sketch:

To create such a system using .NET requires certain config on the client and server, so I'll enumerate what's required on each. At the end of this post, you'll find links to other blog entries w/ more detail and a link to download a sample project.

Web Service Client

Get a bearer token from the STS using the credential the client has (another token, username/password, cert, etc.)
Call the service

Use the WS2007FederationHttpBinding binding and set the security mode to WSFederationHttpSecurityMode.TransportWithMessageCredential
On the binding's security object, set the Message.IssuedKeyType to SecurityKeyType.BearerKey
When creating the channel factory, call the ConfigureChannelFactory extension method from WIF
When using the factory to create the channel, call CreateChannelWithIssuedTokenand and pass it the SAML token you got from the STS

Web Service

Use the WS2007FederationHttpBinding binding w/ transport security (as in the client)
Like in the binding of the client, set the Message.IssuedKeyType to SecurityKeyType.BearerKey
Make sure it's expecting the assertion to be signed by the cert of the STS (by wiring up an IssuerNameRegistry that will check)
Configure the audience restriction to be the same one included in the SAML assertion

If you're self-hosting your WCF service on Windows 7, check out this write up from Aviad P. about using netsh to configure HTTPS. (This was the part of all this that took the longest for me. Grr!)

If after reading the above, things aren't quite clear yet, check out these blog posts for more details:

If you're still stuck, have a look at this sample (licensed under the GNU GPL), leave a comment here, and/or email me.

CallingBackendServiceWithBearerSamlToken.zip

A Manageable System for Managing Passwords

2012-01-18T14:47:52Z

Tons of passwords are an unfortunate reality. I'm working hard every day to reduce the number of passwords that we have to use around the Web. Till it gets to a management number though, we need a way to cope. Everyone has a technique -- some put their passwords in a spreadsheet, others write them on post-its stuck to their computer screen, others use the same password(s) everywhere, some use a password manager in their browser. All of tese techniques have various security implications, however. We have to manage this chaos some how though, so the security issues are often disregarded. Is there a more secure way?

A better alternative would be one that doesn't require you to write anything down, isn't locked away in a computer that you don't have ready access to, and is unique per site and per account. One such technique is to create a set of steps, an algorithm, that you follow to create a unique password for every user account on every site that requires one. To do this, start by using something from the Web site that won't change, like the name; this is your "seed" value. For instance, your algorithm could be something like this:

Capitalize the first letter of the Web site's name and make the rest lowercase.
Take the first 4 characters of this name. If it is less than four characters, add underscores to make it at least four characters long.
Add some word that contains a symbol and a number and is easy to remember (e.g., P@nda1). The result is the password to use on the site.

So, using this sample algorithm, the password for CNN would be this:

Cnn
Cnn_
Cnn_P@nda1

For Spotify, it would be this:

Spot
Spot
SpotP@nda1

The result is a strong passwords that while difficult to remember is easy to reproduce because the necessary steps are memorable. There's a problem w/ this though. If a baddie ever sees just two of your passwords, they'll have a very easy time guessing any of your others because they are so similar. So, here's an easy fix that makes things more secure

Download an app to your phone that can generate a password from an input phrase. This app should produce the same password every time it's given the same input. It should produce passwords that includes uppercase, lowercase, numbers, and symbols. This app should not have permission to access the Internet. Some of the free ones require it, so they can download ads. Who knows though? They might also be uploading your passwords. An example of a good one for Android is Password Generator Pro.

Now, when you have to sign up for a new account and create a password, use your algorithm as described above. However, don't use that as the password. Instead, use it as input to the app. This will produce a random password from a phrase that's hard to guess but associated to the site you're visiting. With the the site-specific "seed," the common algorithm, and an app that's running on your phone which generates strong passwords, you'll have a pretty easy system for managing the chaos where you don't have to write anything down, each password is unique, and they can't be guessed.

Make sure you don't let people know your algorithm though or all this security breaks down.

If you have a better way to manage this mess or if you think there are issues w/ this system, leave a comment here or drop me a line.

AT&T's use of OAuth in new API Platform

2012-01-15T00:53:51Z

Last Monday, AT&T announced that they have launched a new API platform. As I wrote about on Kin Lane's API Evangelist blog, the PaaS includes various components to help developers quickly build and launch new applications. One of these is an HTML5 SDK that simplifies what mobile Web application developers have to do to securely call the mobile network operator's new cloud services.

The carrier is securing their API with OAuth 2. They support both the authorization code and client credentials grant types defined by that spec. They also allow users to authenticate to the Authorization Server (AS) w/ a username/password, a MSISDN and a PIN, or by simply being connected to their network. Also, each of the services has a different scope. To get approval to use them, the app developer includes these when redirecting the subscriber to AT&T's AS.

The various authentication mechanisms are interesting, but what's even more intriguing to me is a Sencha Touch plug-in that is included w/ the SDK and how it works in tandem w/ a proxy. The plug-in exposes a JavaScript object model for the new cloud services that works naturally w/ this popular toolkit. Extending Sencha Touch like this allows developers who are already using that framework to quickly integrate the carrier's new services. For others that are not, it allows them to build UIs that look and feel like native apps on various mobile platforms while simultaneously simplifying the use of AT&T's API. To see how, let me explain how the Sencha Service Access Layer (SAL) works w/ the proxy.

As shown in the following figure, all requests to the AT&T cloud go through an intermediary. This proxy is hosted by the same developer as the HTML5 app. The first time a user invokes the application, it will call the proxy which will find that it doesn't have an OAuth Access Token (AT) or Refresh Token (RT). For this reason, it will return an error rather than calling the carrier's cloud service. The Sencha plug-in will catch this and pop up an IFRAME displaying AT&T's OAuth AS. (The samples don't display the address, but I would.) The user will authenticate as described above, and the AS will redirect the IFRAME to the callback handler which is hosted on the same server as the proxy. It will exchange the Access Code (AC) provided on the query string for an AT and RT. These will be persisted in a session. Subsequently, when methods are called on the plug-in, a request will be made to the proxy, the session will be used to find the AT, and the proxy will tack it onto the request that it forwards to AT&T.

This new API and its SDK provide an innovative way of using OAuth that simplifies the work that mobile Web application must do. The docs were great, the samples were very helpful, and I quickly figured out how to use the toolkit. I also found it interesting that a helper was used here to aid in securely consuming services from mobile apps as I've talked about doing for other use cases.

If you have questions or thoughts about this or the other blog post I wrote about this new API, please feel free to lave a comment here or drop me a note.

Cryptographic operations are required but token has no keys

2012-01-07T09:32:19Z

Here's the scenario: You're creating a .NET app that uses active federation to get a token from an STS and submit it to a downstream service. That other service might be another STS or it might be a Web service written in .NET or some other language (doesn't matter). The token that you're getting from the STS is a bearer token. You have some code like this:

private static void CallWebService(SecurityToken token)
{
    var factory = GetServiceChannelFactory();
    var channel = factory.CreateChannelWithIssuedToken(token);

    var order = channel.DoFoo();
}

When the call to DooFoo is made, you get an error like this:

The signing token Generic XML token:
   validFrom: 01/07/2012 09:33:36
   validTo: 01/07/2012 10:03:36
   InternalTokenReference: Saml2AssertionKeyIdentifierClause( Id = 'U8ovpOcJlJFu7udUreVI_4I69vj' )
   Token Element: (Assertion, urn:oasis:names:tc:SAML:2.0:assertion)
has no keys. The security token is used in a context that requires it to perform cryptographic operations, but the token contains no cryptographic keys. Either the token type does not support cryptographic operations, or the particular token instance does not contain cryptographic keys. Check your configuration to ensure that cryptographically disabled token types (for example, UserNameSecurityToken) are not specified in a context that requires cryptographic operations (for example, an endorsing supporting token).

To fix this, do two things:

Make sure the binding you're using for the service (not the STS, that doesn't matter) is WS2007FederationHttpBinding not WS2007HttpBinding or WSHttpBinding.
On that binding, set Security.Message.IssuedKeyType to SecurityKeyType.BearerKey.

Error goes away and now you can fix the next problem ;-)

So, what was the deal? The token you had in hand was a bearer token, meaning there is no requirement on the presenter when submitting the token to prove that it was indeed the entity that got the token from the STS; however, in its default configuration, WCF is trying to do just that. Because the token doesn't have a proof key in it (the cryptographic key the error is talking about), WCF can't compute the digital signature it thinks it should send along.

Alternatively, if you really do want to prove to the RP Web service that you were the one who got the token from the STS, ask for a Holder of Key (HoK) assertion. You can do this by changing the TokenType in the RST, but your STS will have to support this.

If you have questions on this, leave a comment below or shoot me a mail.

Calling One OAuth-protected API from Another

2011-10-28T20:06:25Z

I got an email the other day from Pedro Félix, asking for my thoughts on an OAuth scenario that he was wondering about and discussing with Howard Dierking. As Pedro and I talked, I learned that he had a really interesting problem on his hands. Basically, he wanted to create an OAuth 2.0 protected service that called an OAuth 1.0a protected service (e.g., Twitter). So, what he had on his hands was a bunch of clients, tokens, services, and two different protocols that do things similarly but w/ slightly different names. Very confusing stuff.

To begin making sense of all this, it's helpful to list out what we know:

Pedro wants to call the Twitter API from his own API.
The Twitter service is an OAuth 1.0a Resource Server (RS).
Twitter has an OAuth 1.0a Authorization Server (AS).
The Twitter service naturally only trusts it's own AS.
Pedro's service is an OAuth 2 RS and an OAuth 1.0a Twitter client.
Pedro has an OAuth 2 AS.
Pedro's service naturally only trusts his own AS.
The Web app that calls Pedro's service is an OAuth 2.0 client and must submit Access Tokens (ATs) emitted by his own AS (not Twitter's) when calling his service.
The Resource Owner (RO) is a Twitter user and will authorize Pedro's service to call the Twitter API to modify their data.
The RO authenticates to Pedro's AS using Twitter's OAuth 1.0a AS.
Pedro's AS asks the RO to authorize the third-party client to access his service which in turn will access Twitter's.

With these basics in mind, have a look the the following picture that presents an overview of the actors involved:

Now, to get an idea of how Pedro's service would call Twitter's, flip through animations in the following slide deck.

See how one OAuth protected resource can call another? Pretty cool stuff! It's also cool that if instead Pedro wanted to call the Facebook graph API which uses OAuth 2, it would work almost the exact same way. As if that we're cool enough though, what's even cooler is that this isn't just theory. I was able to implement this in PingFederate in about half the time it took me to write this blog post! If I have some time over the weekend when I'm not celebrating my little one's second birthday, I'll try to post a screencast.

Anyway, thanks Pedro and Howard for inviting me into your conversation. If you or anyone else has questions about this or other OAuth matters, please feel free to post a comment here or send me a mail.

Implementing new OAuth Technique on Android

2011-10-25T13:35:11Z

The other day I wrote about a way to use OAuth w/ mobile apps that was not susceptible to phishing and does not use the password anti-pattern. I just had to code it up and make sure it worked. What better time then 4 AM when the house is quite? Ah, jet leg ;-)

Using Lars Vogel's tutorial on C2DM, PingFederate's new OAuth server, and a little Python Web app running on CherryPy, I found that it does actually work! Here's the high-level points to be aware of if you want to implement this:

The C2DM API is in beta, and you'll need to sign up for access using a Google account. Developer accounts have a limited quota.
You need to provide the email address you sign up w/ and a password to the Google ClientLogin service to get an OAuth-like Access Token (AT). You don't have to use your own password though; you can create one specifically for this purpose (which you'll have to do if you're using 2FA w/ your account like I am).
These tokens need to be renewed every so often, so, in your Web app, keep an eye out for errors. (It's not indicated by the HTTP status code but the contents of the body IIRC.)
PingFederate's OAuth token endpoint is configured w/ a self-signed SSL cert by default, so you'll need to work around that during development.
There can be a bit of leg between the time you publish the OAuth Access Code (AC) and the time your app gets the message. Meanwhile, your user will be looking at a blank white browser window. To avoid this second or so delay, you can register a customer scheme in your app. Then, in the helper Web app, return a 302 to that as soon as you send the AC to the Google C2DM service. This will cause the app to come to the foreground immediately. Alternatively, put a little spinner in the Web page.

That's basically it. If you follow Lars' tutorial and keep these things in mind, I'm sure you'll be up and running in no time -- especially if you've woken up before anyone else and it's really quite out ;-) Here's a little demo of it running that will hopefully motivate you to get it coded up too. If you get stuck, drop me a note.

Integrating OAuth with Mobile Apps

2011-09-02T11:22:07Z

When creating a native mobile app, it is often necessary to call RESTful Web services securely using OAuth. To do this, the native app needs an Access Token (AT). There are various ways for the app to get such a token, each presenting certain pros and cons. Around the Web, you will find two primary suggestions on how to do this:

From the native app, pop open a browser to the Authorization Server (AS) where the user will authenticate and authorize the native app to access their resources. Return the AT to the native app via a scheme registered with the mobile OS.
Embed a Web browser control in the native app that renders the AS's Web pages inside it and get the AT as it goes by.

The problem with the first is that multiple applications can register for the same scheme, opening up the native app to phishing. The latter is a problem because the native app can see everything that goes by including the Resource Owner's (RO's) credentials. This is OK if you trust the app not to do that, but that isn't always the case and is reminiscent of the password anti-pattern that OAuth was designed to fix. For more details on these attacks, see this whitepaper (PDF).

At IIW this week, Personal's CTO, Tarik Kurspahic, organized a session to talk about how best to get OAuth tokens into native apps. In it, he, Scotty Logan of Stanford University, myself, and the other participants came up with the following alternative to the popular suggestions above which does not allow the installed app to see the RO's credentials and is not susceptible to phishing.

Here's a diagram showing what we came up w/.

This is basically traditional 3-legged OAuth w/ a twist, but it's involved. So let me explain:

The native app pops open the mobile phone's browser to a Web page that is developed and hosted by the same org that owns the native app. On the URL of this request is the registration ID of the app. This ID is unique to the app on a particular device and is provided by the Google or Apple notification service (see below).
This Web page redirects the RO's Web browser to the AS. In the 302, it stores the registration ID in a cookie.
The RO authenticates to the AS and grants the native app access their resources.
The AS redirects the RO back to the helper page which is registered as the callback. On the query string of this request in the Access Code (AC) and the cookie w/ the registration ID is also sent.
Rather than resolving this code for an AT as in a traditional Web server flow, it sends the AC as the payload to either Google's or Apple's notification service. To do this, the helper app needs to use an app-specific credential to authenticate to the notification service. By authenticating the call w/ this app-specific key and by providing the saved registration ID, only the right app on the right device will receive the AC.
The notification service sends the message to the appropriate app on the appropriate mobile device.
The app then sends the AC to the AS to get an AT.
It can then use the AT to securely call the API.

After the session, I ran this by Paul Madsen, Brian Campbell, and others. No one found any issues w/ it, but, like some in the session, they wondered why such a complicated arrangement was needed. Till the folks on the Android team and at Apple provide secure IPC in their mobile OSes, I don't see any alternative unless you can make certain assumptions or are comfortable w/ the risks associated w/ the common alternatives. If you know a better way or see any security issues w/ this, please leave a comment below or drop me a line.

Thanks all for a great IIW and see ya in the spring!

Update on OpenID and OAuth

2011-05-09T07:30:56Z

OpenID and OAuth are undergoing a lot of work ATM, and it can be confusing to those that aren't in the thick of it to keep up w/ where things stand. Based on what I heard last week at IIW, where a lot of this work happens, I thought I'd put together an update in hopes that it helps.

After OpenID 2.0 was around for a while, Google and IINM Facebook proposed a new version of the standard called OpenID Connect. This version of the protocol uses OAuth on the front-channel to securely access an API on the back-channel to get user attributes. Around the same time, a need in Japan to provide higher levels of assurance (LOA) and secure interaction w/ Web APIs from mobile applications resulted in the creation of another derivative of the protocol called OpenID Artifact Binding (AB). Last fall at IIW, the authors of each of these vNext protocols started working to align their efforts. The combined spec was commonly referred to by the authors and other insiders as OpenID ABC (as in Artifact Binding + Connect). This harmonization was tricky though because OAuth 2, which they each depend on, wasn't done and the timeframes of the initial customer needing OpenID AB and funding its development might not allow for the work to wait till OAuth was ready.

As of last week, it looks like the stars are aligning and these two updates of OpenID will be merged. This result will be called OpenID Connect rather than OpenID 3.0, OpenID AB, or OpenID ABC. It also looks like OAuth will finish in time for OpenID Connect to normatively reference it, something that isn't allowed by the IETF (which governs that emerging standard) unless the spec has been officially ratified. If OpenID Connect finishes before OAuth 2, it will have to reference the latest draft (which hopefully won't happen). A draft of OpenID Connect is on tap for Julyish.

OAuth was conceived of and developed in an open community where it became increasingly popular. Because of concerns about intellectual property rights (IPR), however, many large organizations couldn't or wouldn't adopt it. For this reason, it was submitted to the IETF and an IPR regime was put in place to alleviate such concerns. Soon after, a security issue was found, and the community rallied to fix it. This update was also contributed to the IETF. Not long after, Microsoft created a RESTful token issuance protocol which they called OAuth WRAP. This protocol wasn't compatible w/ OAuth in anyway, but, to the chagrin of some in the OAuth community, used its brand. Unlike OAuth proper, WRAP didn't support signatures; it relied solely on transport security and didn't define a way to do security at the message level. Signatures were purported to be the Achilles' Heel of OAuth which tripped up many developers, so this change would make implementation simpler and adoption greater (its proponents said). As a result, it too was contributed to the IETF and formed the basis of OAuth 2.

Since then, support for signatures has been added and other ideas from OAuth proper have been fused together w/ WRAP. As the emerging standard grew, it was decided to break it apart into a core specification and other supporting ones. Some of supporting standards are JSON Web Tokens (JWT) which defines a way of representing security token in JSON (think WS-Security w/ curly braces). There are also specs for defining specific types of tokens, namely bearer and signed tokens. A supplementary profile defined by my colleague Brian Campbell specifies how a client should send a SAML assertion to an OAuth Authorization Server (AS) when it wants an access token in exchange. Currently, it is expected that the main specifications will be finalized in Julyish around the same time the draft of OpenID Connect will surface.

Tony Nadalon, who has been much more involved in this process than I have will be giving his update tomorrow at EIC, If you're here in Munich, don't miss that. (If he says anything contradictory to what I've written, I'll update this post.) In the meantime, if you read something that isn't accurate here, you have details to add, or if you have questions/comments, please let me know.

Calling On-prem Web Services from the Cloud

2011-04-25T10:56:40Z

As organizations begin using and deploying cloud applications, some of their services are left on-premises (for various reasons), resulting in a hybrid architecture. In such deployments, the on-prem services sometimes need to be invoked securely from the cloud. When doing so, an STS can be used to broker trust from the cloud into the organization. Unfortunately, the token issued by the IdP when authenticating end users isn't always available to the cloud-based caller due to restrictions/limitations of the cloud platform. In such cases, the on-prem STS can't be given a token asserted by a trusted issuer that it can validate and transform. As a result, the on-prem services do not have all the data needed to make authorization decisions, enforce licensing agreements, etc. One possible solution to this problem is to allow the cloud-based caller to specify in the message sent to the STS certain end-user-related data that should be put in the token that is minted. This will then be passed along to the on-prem services in a token asserted by the local STS. This idea is shown in the following figure:

At first, this may seem odd since the STS is the asserting party and it is being told what to assert. In cases where there is a trusted subsystem in place between the STS and the cloud app, however, it is safe IMO. Consider the alternative where the cloud app doesn't have the original security token. Since the interface of an STS is restricted to security tokens (by design), the client must create one using the identity attributes provided to it by the PaaS environment in which it's running. In other words, if the token asserted by the IdP isn't available, the cloud app has to cook one up. In this case, it is the asserter, resulting in the same sort of situation where it's the authority not the STS. The nice thing about passing the end user data in the message is that the caller needn't create a security token. There are tradeoffs w/ this approach, but there always are ;-)

The WS-Trust specification allows any XML to be included in the RST that the client sends to the STS. Ping Identity has used this extensibility point in the protocol to allow callers to include name/value pairs that PingFederate should include when minting security tokens. As a result, it is very easy using that STS to implement the sort of architecture described above. To do so, you would configure the STS w/ the attribute names that can be passed in the request, stipulate what to do if they are not (fault or do nothing), and include them in the RST. Totally simple.

To make this even simpler though, I extended WIF's RequestSecurityToken and WSTrustRequestSerializer classes to make the client-side programming model natural and easier for .NET developers. Using these, a cloud-based STS client could pass the end user's identity info in the request rather than having to create a security token. The result would look something like this:

private static RequestSecurityTokenResponse RequestSecurityToken(
 UserData userData)
{
 // Send a request parameter in the RST sent to the PingFederate 
 // STS. These should be included in the security token that it 
 // mints and sends back in the RSTR.
 var factory = GetChannelFactory();
 var requestParams = new RequestParameters("ShoeSize", 
   userData.ShoeSize, "HairColor", userData.HairColor);
 var rst = new TravisSpencer.IdentityModel.Protocols.
  WSTrust.RequestSecurityToken
 {
   RequestParameters = requestParams,
   RequestType = WSTrust13Constants.RequestTypes.Issue,
   AppliesTo = new EndpointAddress(appliesTo), 
 };
 RequestSecurityTokenResponse rstr;
 var channel = factory.CreateChannel() as WSTrustChannel;
 var token = channel.Issue(rst, out rstr);

 return rstr;
}

If you have questions about this or if you have this sort of problem and would like to talk, please let me know.

Federation, Entitlement Management, and the Cloud

2011-04-15T10:44:23Z

Now that I'm w/ Ping Identity in Sweden, it was only a matter of time before I bumped into the guys at Axiomatics. When I was in Stockholm the other day, we had fika and talked about federation, entitlement management, financial services, and the upcoming EIC conference. While we sipped our coffee, we discussed what it would look like to put our products, PingFederate and Axiomatics Policy Server (APS), together to form a best-of-breed solution that provides organizations like financial institutions with the ability to easily get prospects into the customer corridor by leveraging identities that they already have while simultaneously removing authentication and authorization from their line of business (LOB) applications.

Before our bullar were done, we had come up w/ an architecture that used PingFederate's Cloud Identity Connectors to reduce the number of steps prospective retail banking customers have to perform when deciding whether or not to do business with a particular financial institution. Using these, prospects can connect with Facebook, Google, Twitter, or other social networks to easily provide basic information about themselves (e.g., the country they live in). With this, a bank can show the prospect personalized and targeted information such as local contact phone numbers, state- or country-specific terms of service, local market news (e.g., exchange rates for the Krona if in Sweden or USD if in the States), and locations of nearby branches and ATMs. Using existing identities, organizations can provide Web surfers with more relevant information, helping them find what they need to decide to begin doing business with the provider.

In the banking scenario that we were chatting about as well as in many others, security in critical. In such cases, social sign-on, though helpful in reducing friction and increasing conversion rates, cannot provide a high enough level of assurance (LoA) that a person really is who they say they are. To overcome this, after someone signs up for an account, a bank would verify their physical identity and then provide them w/ a new digital identity. Using the new one and not a social network identity, the customer could gain access to higher value assets like online banking. This account would be stored in a directory maintained by the financial institution. Even with this and the support for all the different protocols used by the various social networks, our architecture was simple because PingFederate supports so many types of identity providers. The overall scheme we cooked up is shown in the following sketch:

When a prospect or customer accesses the banking Web site, they are given the opportunity to use a social login or an identity provided by the bank. Regardless, information about the requested page and how the user authenticated is sent to APS in a XACML message which renders a decision about whether or not access should be granted or denied. As a result, if a prospect has authenticated using a social networking account, APS will not allow them to access sensitive area of the Web site; instead it will redirect them back to the login page where they can login using a more trustworthy identity. If APS decides that access should be allowed to the page, which buttons, tabs, bank accounts, and other elements should be render will also be determined using claims asserted by PingFederate.

With an architecture like this, the application doesn't have to understand the numerous federation protocols and security tokens used by the various social networks. It also doesn't have to interface directly with the identity store where customers are kept which could be an LDAP directory, a RDBMS, a mainframe, and/or something else. The LOB application handles identities as claims asserted by PingFederate, giving it one normalized representation of the customer or prospect. Authorization rules that governs access to resources are also maintained outside of the application. Policies can be stored centrally and updated without recompiling or redeploying the application.

After finishing our coffee, we couldn't help ourselves; it seemed so simple, we had to try to implement it. Before I had to catch my train home, we had the basics working. It didn't require any custom coding whatsoever. (The only coding needed was for the online banking application because neither of us had one of those.)

Given that we are both going to be at EIC, we thought we might show it off there. Stay tuned on that. In the meantime, if you have questions or thoughts about this, please drop me a line.

Upcoming Conferences

2011-04-14T06:48:26Z

Connecting w/ you all here, on Twitter, and elsewhere around the intertubes is great, but it is no substitute for meeting face to face. In hopes that I can do so w/ as many of you as possible, I wanted to let you know that I'll be at a number of upcoming events. If you're attending any of these, please drop me a line, so we can hookup. Here's the specifics:

I'll be presenting on the fundamentals of Identity and Access Management (IdM) at the University of Surrey outside of London next Tuesday at 14:00. (Ping me right away if you'd like to attend.)
I'll be on a panel at the Cloud Security Alliance (CSA) Summit in London next Thursday talking about information risk management w/ folks from Symantec, Qualys, and others.
I'll be in Portland, Oregon from April 30 to May 1 to graduate from GFU w/ my MBA :-)
Off to San Francisco after that for the Internet Identity Workshop (IIW) from May 2 to 5.
Then, I'll be presenting and participating in some panel discussions at the European Identity Conference (EIC) in Munich, Germany from May 10 to 13.
July 18 to 21, I'll be attending and presenting at the Cloud Identity Summit in Keystone (which is in the Rockies outside of Denver, Colorado).

I may also attend Catalyst in San Diego at the end of July. If you're going to be at that or any of the others, please let me know. I'd love to get together for a coffee.