**MACE Call 9-May-2011**
**Attending**
RL "Bob" Morgan, U. Washington (chair)
Ken Klingenstein, Internet2
Renee Shuey, Penn State U.
Scott Cantor, The Ohio State U.
Von Welch, Indiana U.
Tom Barton, U. Chicago
Nick Roy, U. Iowa
Steven Carmody, Brown U.
Michael Gettes, CMU
Jim Jokl, U. Virginia
David Wasley, independent
Nate Klingenstein, Internet2
Jim Fox, U. Washington
Leif Johansson, SUNET/NORDUnet
Keith Hazelton, U. Wisc - Madison
Neal McBurnett, Internet2
Steve Olshansky, Internet2 (scribe)
NEXT CALL: 23-May-2011
Theme Call: OAuth
* brief intro about what OAuth is and its history
https://secure.wikimedia.org/wikipedia/en/wiki/OAuth
OAuth began as a reconciliation of several different SocialID services. It has been termed a "valet protocol."
Attending to hacked accounts, due primarily to bad password practices, is a major resource drain... Thus there is substantial motivation among SPs to support a method to accept external identities.
For reference:
http://wiki.oauth.net/w/page/12238516/FrontPage
https://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
https://code.google.com/apis/accounts/docs/OAuth.html
https://code.google.com/apis/accounts/docs/OAuth2.html
http://arstechnica.com/open-source/guides/2010/01/oauth-and-oauth-wrap-defeating-the-password-anti-pattern.ars
Note that OAuth2 in its current draft form looks quite different from OAuth1, or earlier versions of OAuth2. All of the Authn pieces have been factored out (many into separate drafts), and now it is primarily focused on Authz...
The spec has turned into something that looks like SAML in terms of factoring, and is reusing some pieces from HTTP.
Q: How to get permissions or tokens into the Authz svr?
A: Undefined...
Q: How "real" is this, or will it be? What is its trajectory? Why should higher-ed care?
A: OAuth1 is being used commercially, e.g. by Twitter (in lieu of password access by clients). Higher-ed may want to implement some of the valet protocol flows, and implement some of the architecture, which also may turn up in commercial SW. Also, there will be Authn support for process-to-process communication, platform independent. Mobile apps as well will be using OAuth.
Q: Should OAuth1 be the main focus, or OAuth2?
A: TBD. Note that many implementations of OAuth2 specify which version of the draft is supported.
Q: Since OAuth has been through many transformations, is token encryption still optional?
A: Yes, this is the essence of the token split.
Q: Who are the main participants working on the core, and is higher-ed represented?
A: Microsoft is heavily invested, and many traditional SW vendors are getting interested. Cloud-outsourcing may also drive this...
It was noted that one of the appeals to developers is that they don't need to rely on platforms or infrastructure. Abstracting Authn and user objects out of the app, and relying on the infrastructure, has been a focus of IAM in recent years. Will OAuth2 persuade developers to embed this back into the apps?
Q: Is there work on dynamic provisioning, akin to the SAML onboarding process for SPs?
A: OAuth doesn't transport information, it is strictly layered alongside an app protocol to do work.
Q: Are developers at any R&E institutions building apps using OAuth now?
A: Not that anyone on the call is aware of, yet. Some big-science VOs are moving in that direction however, at the app-developer level.
Q: Can anything be said about what OpenID ABC Artifact Binding adds or changes?
A: Not clear...
Q: What are the prospects for settling out interfaces for apps to support, whether internally or outsourced?
A: This will be a long-term coalescence of a number of proprietary specs into one framework. Its future is still unclear, and to a large degree up to the big players.
Q: Is there an implementation effort working on plugging into Tomcat?
A: There is support in some Apache project, building on the user-managed access work in Kantara. See e.g. http://wiki.apache.org/incubator/RaveProposal
+++
* IETF spec status of OAuth 2
http://datatracker.ietf.org/wg/oauth/
* observations from IIW etc. about industry uptake
* intersections with SAML
* use in OpenID next-gen
http://openid.net/2011/04/29/a-map-for-openid-abc/
* potential uses in R&HE scenarios; who's already using it for what
* speculation about enterprise support services
* speculation about things for our community to do