oidc-deploy - oidc/oauth references in fim4rv2

Subject: OIDC Deployment Working Group


oidc/oauth references in fim4rv2


  • From: Nathan Dors <>
  • Subject: oidc/oauth references in fim4rv2
  • Date: Tue, 17 Jul 2018 07:46:51 -0700

I did a quick keyword search of fim4rv2:

https://doi.org/10.5281/zenodo.1296031

keywords: OIDC, OAuth, OpenID, JSON

Here are the matches, without context or commentary.

p.5, on evolution of FIM: Additional federating technologies such as OAuth2/OIDC [9] and Moonshot [10] began to be used to address use cases ill-suited to many SAML implementations. And the sheer scale of FIM has begun to bog down the means by which R&E federation operators have been managing their members’ SAML metadata, prompting a shift in this fundamental process a step in the direction of how it’s proposed to be done for OIDC.

pp. 8-9, table 2, tech usage by user community; authn/authz columns include current use and future intentions to use OIDC/OAuth. Here's a summary.

AuthN technologies (now):
OAuth2 (DARIAH, SKA, NIH/NIAID (Cirrus Identity))
OIDC (ELIXIR)
OpenID 2.0 (ESGF)

AuthN Technologies (future):
OIDC (DARIAH, WLCG, Photon and Neutron, ESA/EOP, gw-astronomy, KAGRA, LIGO, Virgo, Nuclear Physics, EISCAT / EISCAT 3D)
OAuth2 (ESGF, Virtual Atomic and Molecular Data Centre (ORCID proxy))

AuthZ (now):
OAuth2 (DARIAH, ELIXIR)

AuthZ (future):
OAuth2 (WLCG, ESA/EOP)

p.26, B.2 Climate Science, Alongside this federated capability, for CMIP5 there was also the requirement for access control, to ensure users agree to terms of use for the data, to provide metrics to stakeholders and sponsoring organisations and in order to keep in contact with the user community to inform them of changes to the data. At the time, there was no federated infrastructure for identity management that could fully bridge international boundaries and meet the requirements for the programme. Consequently, participating organisations in ESGF developed and deployed a system based on standards and tools available at the time including OpenID 2.0, PKI for single sign-on and SAML 2.0.

p.27, B.2 Climate Science, OAuth 2.0 is being used for ESGF and with JASMIN to support user delegation access scenarios. Both use an approach similar to CILogon, securing certificate issuing service with OAuth 2.0 thus providing a means to bridge to legacy services dependent on X.509-based user credentials. It is hoped to migrate towards OpenID Connect for SSO provision.

p.31, B.7 High Energy Physics, As infrastructure services move towards authorisation schemes, such as OAuth2 and JWT, federation support for standard tokens beyond SAML will aid interoperability. An Authorization Working Group has been established in WLCG to follow the impact of these changes.

p.35, B.10 Life Sciences, Scientific service providers relying on ELIXIR AAI benefit from a centralised user identity and access management services. The growth rate for number of users and relying scientific services is rapid. Supported protocols are SAML2, OpenIDConnect.

p.36, B.11 Linguistics, Although attempts have been made to leverage the CLARIN SPF [Service Provider Federation] also in providing access to web services using OAUTH2 but this has until now not resulted in a ready to use service.

p.39, B.13 Radio Astronomy, An evolutionary prototype for the Authentication and Authorization system covering several aspects of the user interaction has been implemented. It includes authenticated users using external identities, both for visualization and access to SKA [Square Kilometre Array] resources as well as for deep computation and management of the cloud infrastructures. The basic idea is to provide the users with the major authentication mechanisms (federation prone protocols like SAML or OAuth2, certificates, Kerberos tickets etc) at their choice.

p.40, B.13 Radio Astronomy, The authorisation sharing of information is protected via a trusted connection between the data centers. The strategy currently adopted for the trusted connection is to use the credential delegation protocol (a proxy certificate encapsulating a user certificate). A good choice could be to include more than one solution, so for example include also the Kerberos tickets and the exchange of private-public keys or a JSON array with the user attributes.



Archive powered by MHonArc 2.6.19.