Jérôme Gasperi
Single Sign On with OAuth and OpenID
WGISS-36
ESA/ESRIN - Frascati, Italy - September 19th, 2013
Slide 2
OpenID is an open standard for authentication.
The model is based on trust relationships between Service
Providers (relying parties) and Authentication Providers (i.e. OpenID
providers) to achieve Single Sign On authentication.
Slide 3
OAuth is an open standard for authorization.
It provides a method for clients to access server
resources on behalf of a resource owner, without the
resource owner sharing its credentials with the client.
Slide 5
Experiment
Filter access to Kalideos (i.e. SPOT) data
through a secured WMS server using OpenID
Connect (i.e. an identity layer on top of OAuth 2.0)
Slide 6
Sequence diagram. Participants: Kalideos Server, Identity Server, LDAP, WMS Server. Steps, in order:
1. Ask for authentication
2. Redirect to Identity Server
3. Authentication with OAuth (OpenID Connect)
4. Return OAuth token
5. Send OAuth token
6. Get user information using OAuth token
7. Return user information
8. Send OAuth token
9. Send OAuth token for validation and get user information
10. Return user information
11. Ask for user rights
12. Get user rights
13. Create user session
14. Ask for WMS feed
15. Return WMS feed
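The 15-step exchange of the diagram, modelled end to end as an added example (illustration code written for this page, not the Kalideos or Theia implementation): an in-process Identity Server that plays the /authorize, /token and /userinfo endpoints, the Kalideos portal acting as OpenID Connect relying party, and a WMS server that validates the forwarded bearer token at the Identity Server (step 9) and consults a stand-in for the LDAP directory (steps 11-12) before serving a layer. The client id and secret, redirect URI, user records, rights table and every token value are assumptions. The checks a relying party needs, which the diagram leaves implicit, are included: the registered redirect_uri is enforced, the authorization code is single-use and bound to the client that requested it, the callback's state must match the one the portal generated, and the WMS server rejects missing, forged and expired tokens before it looks up any rights.

```python
"""
Toy, in-process model of the Kalideos flow: the Identity Server (OpenID Connect
provider) issues an access token after an authorization-code login, the portal
calls UserInfo with it, then forwards it to the WMS server, which validates it
at the same endpoint and looks up rights.  All names, credentials, users and
rights below are constructed for illustration.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID, CLIENT_SECRET = "kalideos-portal", "s3cret"  # assumed RP credentials
REDIRECT_URI = "https://kalideos.example.org/callback"  # assumed, registered at the IdP
DIRECTORY = {                                           # stand-in for the LDAP directory
    "alice": {"email": "alice@example.org", "rights": {"SPOT_L1A"}},
    "bob":   {"email": "bob@example.org",   "rights": set()},
}


class IdentityServer:
    """Minimal OpenID provider: /authorize, /token and /userinfo, kept in memory."""

    def __init__(self, now):
        self.now = now      # injectable clock so expiry can be exercised
        self.codes = {}     # code -> (sub, client_id, redirect_uri)
        self.tokens = {}    # access_token -> (sub, exp)

    def authorize(self, query, authenticated_user):
        """Step 3: after login, redirect back with a one-time code and the RP's state."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unknown client or unregistered redirect_uri")
        if "openid" not in q.get("scope", "").split():
            raise ValueError("scope must include openid for an OpenID Connect login")
        if authenticated_user not in DIRECTORY:
            raise ValueError("unknown user")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (authenticated_user, CLIENT_ID, REDIRECT_URI)
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code, client_id, client_secret, redirect_uri, ttl=300):
        """Step 4: exchange the code (single use, client-authenticated) for an access token."""
        entry = self.codes.pop(code, None)              # pop: a code is redeemable exactly once
        if entry is None or (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
            raise ValueError("invalid code or client credentials")
        if entry[1:] != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client or redirect_uri")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (entry[0], self.now + ttl)
        return tok

    def userinfo(self, bearer):
        """Steps 6 and 9: validate a bearer token and return the subject's claims."""
        sub, exp = self.tokens.get(bearer, (None, 0))
        if sub is None or self.now >= exp:
            raise PermissionError("invalid or expired token")
        return {"sub": sub, "email": DIRECTORY[sub]["email"]}


class WmsServer:
    """Steps 8-15: trusts nothing in the request except what the IdP confirms."""

    def __init__(self, idp):
        self.idp = idp

    def get_map(self, headers, layer):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        try:
            info = self.idp.userinfo(auth[len("Bearer "):])             # steps 9-10
        except PermissionError as e:
            return 401, str(e)
        rights = DIRECTORY.get(info["sub"], {}).get("rights", set())  # steps 11-12 (LDAP)
        if layer not in rights:
            return 403, f"{info['sub']} has no right on {layer}"
        return 200, f"<WMS feed {layer} for {info['sub']}>"           # step 15


def kalideos_login(idp, username):
    """Steps 1-7 and 13 from the portal's side; returns (session, access_token)."""
    state = secrets.token_urlsafe(16)                     # bound to the browser session
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "scope": "openid email", "redirect_uri": REDIRECT_URI,
                       "state": state})                   # step 2: redirect to the IdP
    callback = idp.authorize(query, username)             # step 3: user logs in at the IdP
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if cb.get("state") != state:                          # CSRF / login-injection check
        raise ValueError("state mismatch: callback was not started by this session")
    tok = idp.token(cb["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)  # steps 4-5
    info = idp.userinfo(tok)                              # steps 6-7
    return {"user": info["sub"], "email": info["email"]}, tok            # step 13


def run_flow(username="alice", layer="SPOT_L1A", now=None):
    """Whole exchange; returns (portal session, (WMS status, WMS body))."""
    idp = IdentityServer(now if now is not None else int(time.time()))
    session, tok = kalideos_login(idp, username)
    wms = WmsServer(idp)
    return session, wms.get_map({"Authorization": f"Bearer {tok}"}, layer)  # steps 8, 14-15
```

Against a real provider the calls in steps 6 and 9 are HTTPS requests to the UserInfo endpoint (or RFC 7662 token introspection), and an ID token, when one is issued, is verified against the provider's published signing keys instead of being looked up in memory; the control flow and the order of the checks stay the same.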
Slide 22
OpenID Connect is planned to be used in Theia
(the French Land Surface Thematic Center).