OAuth: Does it replace federation?

Today I received a question about OAuth and whether it replaces existing federation deployments. Would OAuth, WS-Trust, and SAML work together? The answer is no. In fact, OAuth is built to use any authentication system, local or federated.

Note: Coincidentally, Paul Madsen, also posted an interesting graphic that gives a swim lane view of OAuth's flow with an IDP. 

I discussed some of this in my earlier post "OAuth: Does it authenticate?" Instead of prescribing what authentication is possible with OAuth, the OAuth specification simply assumes that there is some form of authentication mechanism in place that is acceptable to the service provider. It could be local authentication (e.g. as seen on Facebook, etc), or federation from SAML, OpenID, etc.

Here are a couple of diagrams (click to enlarge) showing the use of OAuth with a federated IDP. In Figure 1, the client application "ClientApp" of an employee of "IndependentId Enterprise" wants to access a cloud application service hosted by cloudsvc.org. In step 1, ClientApp sends an authorize request to the cloud service via the smartphone browser to the endpoint:

https://cloudsvc.org/authorize/cloudService/independentid

The authorization service determines if the browser already has an authenticated Web SSO session with the user. If not, the authorization point determines the user's home IDP by looking at the original authorize URL. In this case, it indicates the authorization was for IndependentId.com. The user's browser is redirected to IndependentId's SAML IDP where the user authenticates and a SAML Assertion is returned (step 2).

Figure 1

In Figure 2, the Cloud Service Provider having received the users SAML Assertion and authenticating the user, determines by policy that all IndependentId users automatically grant access to the "CloudApp Service". In step 3, the authorization service then redirects the users browser back to:

clientApp://independentid&code=i1WsRn1uB1&

The phone switches to ClientApp and passes it the redirect URL which contains the authorization code. In step 4, ClientApp then uses the code, along with its own client_id and client credentials (e.g. client_secret) and obtains an access token. Finally, in step 5, the client app is able to access the CloudApp Service. Note that the ClientApp can continue accessing the service for as long as the access token is valid which may be minutes, hours, days, or permenantly depending on the security requirements.

Figure 2

There are lots more variations on this. For example, during the authorization request, the IDP endpoint may not be known. In that case a NASCAR style authentication process could take place. Also, in step 4, the token server could elect to return a refresh token. This allows the ClientApp to maintain a longer session with the service without having to re-authenticate the user. Meanwhile, access tokens still maintain a shorter lifetime forcing the ClientApp to silently re-authenticate and provide a refresh token to continue to validate the clients access over time.

OAuth: Does it Authorize? Yes, but much more

My previous post asked the question "Does OAuth do authentication"? In this post, I explore OAuth2 and its support of authorization.

When most people ask the question about whether OAuth2 supports authorization, you might be thinking in terms of today's authorization/access management/policy systems. But, as mentioned in my previous post, authorization here is within the terms of how HTTP defines it. A fairly low-level distinction that convolves authentication and authorization. To really answer the question we must look at how HTTP defines authorization. Then we can begin to look at the larger implications of how OAuth2 impacts authorization in a more modern, higher level view.

What is HTTP Authorization?

Consider authorization from the standpoint of HTTP/1.1 (RFC2616). Section 14.8 defines authorization as a user-agent providing an authorization request-header field with its HTTP request(often after receiving a 401 response). The value of the authorization field consists of

"credentials containing the authentication information of the user agent for the realm of the realm of the resource being requested."

It seems that the authorization header specified in RFC2616 is not really an authorization, but rather an authentication credential. But consider the time frame when RFC2616 was authored. In that timeframe, authorization was rather simplistic. Do you have an account? If so, you are 'authorized'. Note: I may be over-simplifying the specifications here, but I think it you'll see more clearly where this is going.

So what does OAuth2 do for authorization?

Classic web access management (e.g. Oracle Access Manager) support users who use browsers accessing protected web sites. Over time, the control exerted over what users could do has become increasingly fine-grained such is the vision with XACML. Yet, typically these systems involve end-users requesting web resources rendered in browsers, or distinctly there may be separate "service" managers (such as Oracle Web Services Manager) supporting WS-* based services over SOAP.

OAuth2 supports a range of new use case scenarios. Many do not directly involve a user or a browser, but rather define a client application acting on behalf of a resource owner's (e.g. the user) behalf using only HTTP to access REST based services in a lightweight fashion. From an authorization perspective, OAuth2 use cases introduce the new capability that client applications, each with their own identity, act on behalf of a users that own resources and can perform service calls with a specified "scope". In its simplest form, OAuth2 provides a means to identify and perform authorization of two security credentials: that of the user that owns a resource, and that of an application.

What credential relationships are supported?

OAuth2 enables most combinations of relationships and in theory allows for extensions define new ones. Currently defined are:

• A client app, who also has the resource owner credentials, acting on behalf of a resource owner (see Resource Owner Password flow).
• A client app obtaining user/owner authorization (see Authorization Code flow).
• An unidentified client (typically javascript in a browser) acting on behalf of a resource owner (see Implicit Grant flow).
• A client app acting using its own authority (see Client Credential flow).
• A relationship defined using an extension (see Extensions flow). For example, a client app using an externally generated SAML2 Bearer assertion. The SAML assertion defining what Identity and/or what rights are being expressed.

What about OAuth2 authorization goes beyond security credentials?

RFC 2616 together with sister specification RFC2617 (Basic Authentication) define a rather simple notion of "authorization" as simple rights corresponding to a single user account. In OAuth2, we have the possibility of 2 entities: a client app acting on behalf of a resource owner.

But, to further narrow the focus from specifically what a specific client can do can do in a particular credential relationship, OAuth2 introduces the notion of scope. Scope defines capabilities of a client application performed on behalf of the resource owner. These capabilities may be thought of as roles or entitlements within the resource API. Typical examples are of the style: readProfile, updateProfile, readStatus, updateStatus, readBalances, payBills, executeTrades and so on. OAuth2 says almost nothing about what the possible values of scope can be - it is entirely up to the site being protected to determine meaning. In theory then, it is possible to set very specific scope such as the right to access a very specific URL. But in practice, it seems the use of scope is usually defined by the underlying web service API as enabling simple "capabilities".

For a more in depth discussion on capabilities, check out Hal Lockhart's recent post on "The Property-Capability Spectrum of Attributes".

What forms of authorization can be supported by OAuth2?

OAuth2 systems can support any number of authorization systems so the types of authorization that can be supported are unlimited. However, because the end-result of an OAuth2 authorization flow is always an authorization token (aka access token) to be used in a subsequent operation, the types of authorizations that can be handled are limited to those decisions that can be calculated in advance. At the time of authorization in OAuth, remember that that actual resource has yet to be accessed, so no transaction is occurring.

As an example, consider that OAuth2 systems can clearly handle [actors and scopable actions bolded for emphasis]:

"CheckPayer may writeChecks for Phil"

vs. a contextual or transactional authorization decision of

"CheckPayer may write a check on behalf of Phil for $50 payable to Nishant now".

The latter decision will still have to be decided by a policy system within the context of the transaction rather then within the context of an OAuth2 authorization. The reality is the likely OAuth2 products will define a mix of "capability" style authorizations together with access management systems. Thus if, the first statement was known as "philCheckToken" embodies the right of a client to write checks for "Phil", then the transactional statement might be:

"philCheckToken writes check for $50 payable to Nishant"

We know that the client (identified by philCheckToken) is allowed to writeChecks for Phil. Now the transaction policy simply checks to see if Nishant is a valid recipient and if the amount is within policy (and potentially whether Phil has $50). In OAuth2, these authorization systems will work together to make in-advance "capability" assertions, together with applying fine-grained decisions in the context of actual transactions.

OAuth: Does it authenticate? Well...Yes and No. And that's a good thing!

I'm not kidding. OAuth itself doesn't seemed to be defined. It's not an acronym just a name. In fact the specification draft simply says:

The OAuth 2.0 Authorization Protocol

"OAuth" itself isn't spelled out in most places. Wikipedia says its "Open Authorization". But who knows. I can't tell you how many times this question comes up. But if you ask me, it doesn't matter and that is a good thing. Let's dive into the question of authentication...

Does OAuth authenticate users?

No. The answer here is clearly no. Not only does OAuth not authenticate users, but it doesn't have anything to say about user authentication. But hang on, see the next question...

Does OAuth accomplish user authentication?

Yes. The answer here is yes, but the method is indirect. If you read my post on OAuth flows, you will know that OAuth has an "authorization" step that requires users to authorize clients to act on their behalf. For OAuth, authentication then is a logical conclusion of authorization.

In order to authorize a client to act on behalf of a user, the user must be known.

For a user to be known, the user must be authenticated.

Therefore, if a user has authorized a client, they must have authenticated.

This logic flow is at the heart of OAuth's power. Because authentication of participants is a necessary requirement of authorization, OAuth doesn't have to say how authentication is accomplished. Because of this, OAuth can be integrated with all sorts of authentication systems and protocols such as: LDAP, OpenID, SAML, WS-Trust, WebSSO, etc - placing OAuth at the crossroads of identity.

Ok, so does OAuth authorize?

Now you're jumping ahead. That's the subject for the next blog post. Stay tuned.