OAuth Service for Issuing Certificates to Science Gateways
This presentation by Jim Basney and Jeff Gaynor (University of Illinois) describes an OAuth service for issuing certificates to Science Gateways on behalf of TeraGrid users. The work is supported by the National Science Foundation and aims to improve security, give gateways access to individual TeraGrid accounts, and make better use of resources while avoiding exposure of user passwords to gateways. It covers the new sign-in flow, the protocol and its security properties, and the benefits, such as addressing password disclosure concerns and enabling individual-account access via gateways.
Presentation Transcript
An OAuth Service for Issuing Certificates to Science Gateways for TeraGrid Users
Jim Basney and Jeff Gaynor, {jbasney,gaynor}@illinois.edu
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
This material is based upon work supported by the National Science Foundation under grant number 0932251.
Goals
- Support use of individual TeraGrid accounts via gateways
  - Independent of support for gateway community accounts
  - For more accurate accounting, greater resource access
- Avoid disclosing TeraGrid user passwords to gateways
  - Avoid risk to long-lived credentials (i.e., user passwords)
  - Use TeraGrid passwords only on systems operated by TeraGrid
- Use standard security protocols: TLS, OAuth
  - More trustworthy
  - Ease of integration for gateway developers
http://security.ncsa.illinois.edu/teragrid-oauth/
Current Approach / New Approach (screenshots)
- Current approach: the TeraGrid User Portal "Welcome / Sign In" page ("Welcome to the TeraGrid User Portal") with User Name (jbasney) and Password fields and a Sign In button.
- New approach: the same Sign In page extended with a "Science Gateway Access" panel: "The TeraGrid Science Gateway listed below is requesting access to your TeraGrid account. If you approve, please Sign In." Name: Globus Online, URL: http://www.globusonline.org/
- Page footer: "The TeraGrid project is funded by the National Science Foundation and includes eleven resource providers."
Benefits
- Security WG concerns about password disclosure to external science gateway sites are addressed
- Science Gateways can support individual TeraGrid account access via standard protocols
- Resource Providers can support user access via gateways using existing certificate-based interfaces
- Users can access their individual TeraGrid accounts via gateways using their TeraGrid Portal login
OAuth Example (diagram)
Participants: Web User (Resource Owner), Photo Sharing Service (Server), Photo Printing Service (Client).
Labelled messages, numbered 1-6 in the diagram: 1 Request Access to Photos (Client to Resource Owner); 2 Authenticate & Grant Access to Photos (Resource Owner at the Server); Token exchanges between Client, Server and Resource Owner; Photos delivered to the Client against the Token.
Current Approach / New Approach (diagram)
- Current approach (MyProxy Server unmodified): Web Browser sends MyProxy password to Science Gateway (1); Science Gateway sends MyProxy password to MyProxy Server (2); MyProxy Server returns certificate (3); Science Gateway accesses Grid Service using certificate (4).
- New approach (9 steps): Web Browser requests access via Science Gateway; Science Gateway sends a certificate request and receives an OAuth token from the TeraGrid User Portal; Web Browser gives the MyProxy password to the TeraGrid User Portal only; TeraGrid User Portal obtains the certificate from the MyProxy Server; Science Gateway redeems the OAuth token for the certificate; Science Gateway accesses Grid Service using certificate.
Sequence diagram. Participants: User's browser, science gateway (OAuth client), TGUP (OAuth server), MyProxy server.
1. science gateway -> TGUP: initiate(certreq, consumer_key, callback, signature)
2. TGUP -> science gateway: temp_token
3. User's browser -> TGUP: authorize(temp_token)
4. User's browser <-> TGUP: authenticate and approve (MyProxy username and password given here)
5. TGUP -> MyProxy server: get(username, password, certreq)
6. MyProxy server -> TGUP: certificate
7. TGUP -> User's browser -> science gateway: callback(temp_token, verifier)
8. science gateway -> TGUP: token(consumer_key, temp_token, verifier, signature)
9. TGUP -> science gateway: access_token
10. science gateway -> TGUP: req(consumer_key, access_token, signature)
11. TGUP -> science gateway: certificate
Protocol
- RFC 5849 OAuth 1.0a
  - OAuth client: science gateway
  - OAuth server: TeraGrid User Portal
  - OAuth resource owner: TeraGrid user
- All connections use HTTPS for integrity + confidentiality
- OAuth client messages signed using RSA-SHA1
- PKCS#10 certificate request
- PEM encoded certificate
- Private key never sent over the network
- Future work: OAuth 2.0 (under IETF development)
Current Status
- Code complete
  - Java API: requestCertificate() and getCertificate() functions
- Acceptance testing with Globus Online in progress
- Next Step: Production User Portal deployment
- Code, Documentation, Specifications, etc. at: http://security.ncsa.illinois.edu/teragrid-oauth/
Design Decisions
- OAuth server independent from Liferay
  - Store all server-side state in a replicated database
  - Leverage existing User Portal load balancing, fail-over, and replication mechanisms
- No changes to TG MyProxy servers
- Initially support only password-based authentication
  - Federated authentication (InCommon/Shibboleth) a possible future enhancement
- No initial support for certificate renewal
  - Certificates valid for up to 11 days
- Explicit user approval for every certificate issuance
- Initial support for web browser use cases only
Security Considerations
- Our paper addresses each security consideration identified in RFC 5849 (15 items)
- Summary:
  - HTTPS provides message integrity + confidentiality and server authentication, and avoids HTTP proxy caching
  - RSA-SHA1 signature method: if a gateway private key is compromised, revocation is a server-side database operation
    - Only the public key needs to be stored on the server side
    - Address SHA-1 weakness in the move to OAuth 2.0
  - Requiring user authentication + approval for every certificate issuance addresses clickjacking and similar threats
Related Work
- OAuth use by Gateways
  - Open Protein Simulator (OOPS)
  - Open Life Science Gateway (OLSG)
  - Open Grid Computing Environments (OGCE)
  - Also future work for PolarGrid, QuakeSim, TG Viz Gateway
- OAuth for certificate access
  - Confusa (confusa.org) used by TERENA Certificate Service with European SAML federations
  - CILogon (cilogon.org) with US InCommon SAML federation
Possible Future Work
- OAuth 2.0 update
- General-purpose MyProxy OAuth package w/o TeraGrid dependencies
- Integrate existing TeraGrid federated authentication (InCommon/Shibboleth) with OAuth Sign In page
- Certificate renewal using OAuth refresh tokens
- Support for non-browser use cases (e.g., REST services)
Conclusion
- A new standards-based service to issue certificates to science gateways for TeraGrid users
- Available now for testing
- Eliminates need for TeraGrid users to disclose TeraGrid passwords to science gateways when accessing individual accounts
  - Independent of support for gateway community accounts
Questions? Comments? Thanks!