Upcoming identity work from Google announcement

Tim Bray, a developer at Google who I disagreed with in a previous post has just posted on his blog that the team he is currently working in is going to shortly be announcing some of their early work and thinkings soon.

He says problems they’ve identified and they want to try and solve include:

  • The username/password dance sucks and doesn’t scale, particularly on mobile.
  • People putting up apps and sites regard identity — getting people signed up & signed in — purely as a tax; something they gotta do, but unrelated to what they care about.
  • Most developers don’t understand identity standards like OAuth, or the related crypto and signing technologies, don’t want to learn them, and shouldn’t have to.
  • If you can get new arrivals signed up quicker with less work, that’s a good thing.
  • If you can get people you know signed in quicker, ideally with one click, that’s a good thing.
  • People are paranoid and really don’t want to be in the headlines for next week’s embarrassing password leak.
  • People don’t want to think about privacy and tracking and transparency, but the risk of not doing so (just) exceeds the pain.
  • People like the notion of outsourcing the icky identity work, but are nervous about putting all their eggs in the Facebook’s or Google’s or Yahoo’s or whoever’s basket.
  • On the other hand, having a cluster of Sign in with… buttons on your landing page dilutes your brand and feels like watching NASCAR on TV.

I’m looking forward to seeing what they come up with.

Linkey Project Status Update 1

We’re now a quarter of the way through the Linkey project calendar so I’m going to try and summarise where we are at and where the project is heading.

I’ve spent a considerable amount of time working away on the OAuth PHP library which features code to build an authorisation platform, a resource server, and an abstract client class so that you can easily interact with 3rd party OAuth endpoints.

With this code almost finished and tested I’ve started designing the next generation OAuth endpoint for use here at the university. Coupled with the work we’re doing on the side for our next generation API and open data platform, as well as ICT’s own enterprise service bus and UAG development all together we’re developing a beautiful data driven environment that will allow us to go forth and build rich, personalised and secure services and applications.

My colleagues here in ICT have been testing the UAG on our development network over the past few months and they now feel comfortable to start building a production platform which we can start integrating services into. This will hopefully be ready in the next few weeks and I will be able to go into much more detail about how OAuth and UAG can work together.

The main clients for Linkey are the university library and they have already started reaping some of the benefits of a single sign on environment thanks to an installation of EZProxy which offers reverse proxy authentication to a large number of 3rd party journal and database services. Currently EZProxy is piggybacking off of our Blackboard installation for authentication which benefits students – we know from our analytics that most students access library services through Blackboard – because there are now 35 (at the time of writing) resources which they can access with one click and they won’t have to authenticate a second (or in some cases a third) time.

With a production UAG we should be able to hook up a large percentage of sites and services with relative ease. As a refresher here is the current authentication situation:

https://raw.github.com/lncd/AIM-project/master/SSOCurrentSituation.png

and here is the ideal situation which we should be able to achieve:

https://raw.github.com/lncd/AIM-project/master/SSOIdealSituation.png

Over the next 9 months there are a few other areas of access and identity which I want to cover.

At EduServ’s Federated Access Management conference last year there was a talk by Jonathon Richardson, assistant CIS director at the University of East Anglia where he discussed how students and staff can access some of his institutions’ services with their own 3rd party Internet services accounts (e.g. Facebook/Twitter/Google). I would like to look into what are the benefits and risks associated with allowing staff and students to access university resources with their own accounts instead of the brand new account which they are given by us when they start at the university.

Hopefully the OAuth 2.0 specification will also be completed very soon and I want to further investigate OAuth’s potential use cases. I have submitted a conference talk proposal to ConFoo in Montreal, Canada to discuss my findings.

We have also committed to publishing a case study and organising a workshop about OAuth (and access and identity in general) which we will work with JISC to organise and promote.

OAuth 2.0 Security: Going Beyond Bearer Tokens

The OAuth working group have released an initial security review of the OAuth 2.0 specification which looks at a number of potential threats that implementors could face and how to mitigate them.

The document can be read here http://tools.ietf.org/html/draft-tschofenig-oauth-security-00.

The abstract of the document is below:

> The OAuth working group has finished work on the OAuth 2.0 core protocol as well as the Bearer Token specification. The Bearer Tokenis a TLS-based solution for ensuring that neither the interaction with the Authorization Server (when requesting a token) nor the interaction with the Resource Server (for accessing a protected resource) leads to token leakage. There has, however, always been the desire to develop a security solution that is “better” than Bearer Tokens (or at least different) where the Client needs to show
possession of some keying material when accessing a Resource Server.

> This document tries to capture the discussion and to come up with requirements to process the work on solutions.

> This document aims to discuss threats, security requirements and desired design properties of an enhanced OAuth security mechanism.

Athens is a crappy experience for users

This afternoon I decided to join the JANET Access and Identity Management group.

I hit the join group button on the site and was then prompted to join the JANET community. Seeing that it supported UK Access Management Federation (UK AMF) sign in, I entered my university’s name and clicked continue.

I was then forwarded to a login screen on the OpenAthens site. I don’t think I have any OpenAthens credentials so I clicked “Alternative login” (but first I accidentally clicked “Forgotten password?” thanks to my haste and the tiny links).

Then I had to choose my institution (again???).

Then I was asked to click on a link to take me to my institution’s login page.

Then I was forwarded onto our current Athens sign-in endpoint where I authenticated with my University of Lincoln network credentials.

Finally I was returned to the JANET Community sign-up screen only to see that none of the form fields had been pre-filled because of course the UK AMF is anonymised.

What a waste of time and a terrible user experience.