<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
> Date: Thu, 3 Jun 2010 07:41:25 -0600<br>
> From: stpeter@stpeter.im<br>
> To: jdev@jabber.org<br>
> Subject: Re: [jdev] Claims-based Authentication<br>
> <br>
> 1. Is there a compelling use case for this?
<div><br></div>
<div>I have seen a few devs approach the mailing list with this problem. It most often appears in the form "How to use OAuth".</div>
<div><br>
> <br>
> 2. Why wouldn't the WS-* folks define a new SASL mechanism?</div>
<div><br></div>
<div>The problem is the XML - WSF uses XML to do the exchange, so base64-ing it wouldn't be the best (as per the requirement in the SASL RFC). If that lands up being the route taken they would probably only need to reserve a namespace.</div>
<div><br></div>
<div>This would probably land up being an XMPP-specific thing that would indicate how to do authentication exchanges using XML-based protocols (like WSF); but that is a big hunch on my part.</div>
<div><br>
> <br>
> On 5/31/10 8:18 AM, Jonathan Dickinson wrote:<br>
> > Hi All,<br>
> > <br>
> > I have been doing some research lately on claims-based authentication<br>
> > [CBA] (Microsoft implementation - AFAIK based on WS-Federation/WS-Trust<br>
> > &lt;http://en.wikipedia.org/wiki/WS-Federation&gt;). The previous discussions<br>
> > about OAuth and its limitations came to mind immediately - CBA seems to<br>
> > resolve the issues that we discussed (it is not tied to the web).<br>
> > <br>
> > For those who are not familiar with it; it basically is an identity that<br>
> > consists of one or more claims. For example a Jabber claim might look<br>
> > like this:<br>
> > <br>
> > JID: jonathand@jabber.org<br>
> > UPN: jonathand@jabber.org<br>
> > Name: Jonathan Dickinson /from VCard/<br>
> > etc.<br>
> > <br>
> > In this scenario jabber.org is the sole /issuer/. This identity (and<br>
> > its claims) can be passed to other issuers so that they can fill in the<br>
> > blanks. For instance, if I were to start off with an X509 claim:<br>
> > <br>
> > Thumbprint: BCF189...<br>
> > Name: CN=jonathand...<br>
> > <br>
> > I could send it to my internal JID issuer and land up with the following:<br>
> > <br>
> > Thumbprint: BCF189...<br>
> > Name: CN=jonathand...<br>
> > JID: jonathand@jabber.org<br>
> > UPN: jonathand@jabber.org<br>
> > <br>
> > The idea of a claim is that you can use that claim to authenticate with<br>
> > SSO capabilities (this works particularly well with the Microsoft<br>
> > implementation of it). I could authenticate against a server using<br>
> > SQL-orientated credentials (e.g. PLAIN) - with appropriate translation<br>
> > components in place I could pick up my SAP creds, Windows creds and HTTP<br>
> > creds without the user having to enter them in. The whole exchange<br>
> > occurs using XML (primarily SAML).<br>
> > <br>
> > The XML is where the problem lies - SASL dictates that the contents be<br>
> > base64-encoded. While this is perfectly valid it just feels plain wrong.<br>
> > After thinking about it (less than I should - but here goes):<br>
> > <br>
> > &lt;stream:features&gt;<br>
> > &lt;starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'&gt;<br>
> > &lt;required/&gt;<br>
> > &lt;/starttls&gt;<br>
> > &lt;federation xmlns='http://schemas.xmlsoap.org/ws/2006/12/federation' /&gt;<br>
> > &lt;mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'&gt;<br>
> > &lt;mechanism&gt;DIGEST-MD5&lt;/mechanism&gt;<br>
> > &lt;mechanism&gt;PLAIN&lt;/mechanism&gt;<br>
> > &lt;/mechanisms&gt;<br>
> > &lt;/stream:features&gt;<br>
> > <br>
> > The WS-Federation SignOn exchange could then be done via &lt;federation&gt;<br>
> > tags. Obviously one would need to be careful around namespace prefix<br>
> > conflicts etc. - but nothing too hairy.<br>
> > <br>
> > Ideas/thoughts?<br>
> > <br>
> > -- <br>
> > Jonathan Dickinson<br>
> > <br>
> <br>
<div><br style="text-indent: 0in !important; ">-- Jonathan Dickinson<br style="text-indent: 0in !important; "></div></div>
</body>
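<div>As an added example (not code from this thread or from any XMPP library), the Python sketch below parses the &lt;stream:features&gt; proposed above, decides whether a client may start the federation exchange (a claim set is a credential, so only once STARTTLS has completed), and shows the alternative the thread finds ugly: the XML token base64-encoded inside a SASL &lt;auth&gt; element. The stream namespace declaration and the mechanism name X-WS-FEDERATION are assumptions for the sample, not anything the thread specifies.</div>

```python
import base64
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"  # assumed: standard XMPP stream ns
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_FED = "http://schemas.xmlsoap.org/ws/2006/12/federation"  # from the post

# Constructed sample: the <stream:features> proposed in the post, with the
# stream prefix declared so a standalone parser accepts it.
SAMPLE_FEATURES = f"""<stream:features xmlns:stream='{NS_STREAM}'>
  <starttls xmlns='{NS_TLS}'><required/></starttls>
  <federation xmlns='{NS_FED}'/>
  <mechanisms xmlns='{NS_SASL}'>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""


def parse_features(xml_text):
    """Return (tls_required, federation_offered, [sasl mechanisms])."""
    root = ET.fromstring(xml_text.strip())
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    tls_required = (starttls is not None
                    and starttls.find(f"{{{NS_TLS}}}required") is not None)
    federation = root.find(f"{{{NS_FED}}}federation") is not None
    mechs = [m.text for m in
             root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")]
    return tls_required, federation, mechs


def choose_route(xml_text, tls_established):
    """Next client step. A claim set (SAML token) is a credential, so the
    federation exchange is only started once the stream is TLS-protected."""
    tls_required, federation, mechs = parse_features(xml_text)
    if tls_required and not tls_established:
        return "starttls"
    if federation:
        return "federation" if tls_established else "starttls"
    return f"sasl:{mechs[0]}" if mechs else "abort"


def wrap_token_for_sasl(mechanism, xml_token):
    """The route the thread dislikes: the XML token goes into a SASL <auth>
    element base64-encoded, as the XMPP SASL profile requires. The mechanism
    name is a placeholder chosen for this sample."""
    payload = base64.b64encode(xml_token.encode("utf-8")).decode("ascii")
    return f"<auth xmlns='{NS_SASL}' mechanism='{mechanism}'>{payload}</auth>"
```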
</html>