• Guide Services Links Forum
  • OSGi
    • Guide
    • Quick Start Tutorial
    • Overview
    • Building Service Oriented Systems
    • Base Tutorial
    • Principles
    • Service Catalog
    • Where to Find Stuff
  • Prev Next

    osgi.enroute.authentication.api

    Authenticator Service Collaboration Overview

    Introduction

    It goes without saying that automated systems that are networked are highly vulnerable to external attacks. Malicious people are continuously scanning ports of every accessible IP number. One of the first line of defense is to prevent unauthorized users to access the system in the first place. To decide the authorization, it is first needed to establish the identity of the user (or its role). As usual, there are many ways to skin a cat and authentication is trying to prove that point. There are hundreds if not thousands of types of authentication; from the humble password verification, the iris scan, all the way to the multi-factor authentication mechanisms.

    It is unlikely that a single API can handle this myriad of mechanisms, however, let’s have a try. This service API assumes the credentials are collected remotely, usually a browser. Credentials are the information tokens that allow users to prove that they are who they say they are. Simple credentials are user id and a password. Since the password is only known to the user (hopefully) we can assume that the remote side is indeed manned by the proper principal.

    Modern authentication systems use a delegation model to minimize the need to keep credentials. For example, Mozilla’s Persona uses a more complicated scheme to reduce the number of places where a user has to use a password. This scheme works as follows:

    • The application Javascript requests a login token
    • The user is providing its user Id and password to Mozilla’s server over a protected connection
    • The Mozilla server returns a unique token
    • The application Javascript receives the token and ships it to its own server
    • The application server contacts the Mozilla server, which returns the user id

    In this model the user does not have to entrust its password with every site while still providing proper authentication. Schemes like OAuth extend this model further allowing the user to give limited access to its profile data to the visited site. The beauty of the scheme is that the user can always withdraw that authorization without talking to the specific site.

    So, assuming we have these kind of schemes we need a mechanism to allow the remote party to provide some credentials to an authenticator module that knows what to do with these credentials. This authenticator should then provide us with a system wide unique id for that user. Well, unique within our system. In general this should be an id that can be used, for example, with the User Admin service.

    Prev Next