

Monday, March 21, 2011

Does OAuth need more legs?

OAuth is currently being worked out at the IETF. One of the concepts that is prevalent right now in OAuth is the concept of "legs". I am glad that I am not the only one who thinks that "legs" is a bad choice for describing the number of parties involved in an exchange.

Refer to

Basically, a "leg" corresponds to one party in the exchange.

So "two-legged OAuth" involves two parties. As an example, if two endpoints agree on an exchange between themselves, without any user intervention, that is two-legged. If the endpoints trust each other, belong to the same entity, or sit within the corporate firewall, then 2-legged OAuth makes sense.

Now, if we bring the "user" into the mix, we add a "leg". That is, we have 3-legged OAuth: a user approves one service, such as a Twitter client (one leg), to get, set or otherwise operate on his account at a third service, such as Twitter itself (the other leg).
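To make the two-party versus three-party distinction concrete, here is an added, constructed example that is not part of the original post and not taken from the IETF drafts. A toy authorization server issues tokens either directly to a trusted client (two parties: client and server) or only after a named user has approved the client (three parties: user, client and the service holding the account). All client ids, secrets and user names are made up, and the token handling is deliberately minimal.

```python
"""Toy OAuth-style authorization server contrasting a two-party exchange
(client credentials, no user) with a three-party exchange (user consent,
then code-for-token). Constructed example: client ids, secrets, user names
and token formats are made up. Real deployments add TLS, expiry, redirect
URI checks and proper credential storage; only the message structure is kept."""
import hmac
import secrets


class AuthorizationServer:
    def __init__(self):
        self.clients = {}        # client_id -> client_secret (constructed)
        self.pending_codes = {}  # code -> (client_id, user, scope)
        self.tokens = {}         # access_token -> {"client", "user", "scope"}

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def _check_client(self, client_id, client_secret):
        stored = self.clients.get(client_id)
        # constant-time comparison so a bad secret does not leak via timing
        return stored is not None and hmac.compare_digest(stored, client_secret)

    # --- two parties: the client talks to the server, no user in the loop ---
    def client_credentials_grant(self, client_id, client_secret, scope):
        if not self._check_client(client_id, client_secret):
            raise PermissionError("unknown client or bad secret")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"client": client_id, "user": None, "scope": scope}
        return token

    # --- three parties: a user must approve before anything is issued ------
    def authorize(self, client_id, user, scope, user_approves):
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if not user_approves:
            return None  # the user declined; no code, no token
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (client_id, user, scope)
        return code

    def exchange_code(self, client_id, client_secret, code):
        if not self._check_client(client_id, client_secret):
            raise PermissionError("unknown client or bad secret")
        entry = self.pending_codes.pop(code, None)  # single use: replay fails
        if entry is None or entry[0] != client_id:
            raise PermissionError("code invalid, used, or issued to another client")
        _, user, scope = entry
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"client": client_id, "user": user, "scope": scope}
        return token


class ResourceServer:
    """The service holding the user's account (the 'Twitter' of the post)."""
    def __init__(self, auth_server):
        self.auth = auth_server

    def read_timeline(self, access_token, owner):
        info = self.auth.tokens.get(access_token)
        if info is None or info["scope"] != "read":
            raise PermissionError("invalid token or insufficient scope")
        if info["user"] != owner:
            # a token nobody approved for this account must not reach it
            raise PermissionError("token was not approved by this account owner")
        return f"timeline of {owner}"


def two_party_flow():
    """Backend-to-backend exchange; returns the user bound to the token (None)."""
    auth = AuthorizationServer()
    auth.register_client("reporting-job", "s3cret-A")  # constructed credentials
    token = auth.client_credentials_grant("reporting-job", "s3cret-A", "stats")
    return auth.tokens[token]["user"]


def three_party_flow(user_approves=True):
    """User 'alice' approves 'tweet-app' to read her account, or declines."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    auth.register_client("tweet-app", "s3cret-B")  # constructed credentials
    code = auth.authorize("tweet-app", "alice", "read", user_approves)
    if code is None:
        return "declined"
    token = auth.exchange_code("tweet-app", "s3cret-B", code)
    return rs.read_timeline(token, "alice")


if __name__ == "__main__":
    print("2-party token bound to user:", two_party_flow())
    print("3-party, user approves:", three_party_flow())
    print("3-party, user declines:", three_party_flow(user_approves=False))
```

The point the code makes is that in the two-party case the token is bound to no user at all, so the resource server refuses to let it touch anyone's account, whereas the three-party token carries the approving user's identity and is only minted after that approval; the single-use authorization code is what carries the consent from the user-facing step to the client-facing step.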

In my view, "party" is the right choice as it is very intuitive to have "2 party oauth", "3 party oauth".

I definitely want to hear your opinion or any corrections in my understanding of OAuth.

Friday, March 18, 2011

Book Review: OpenAM by Indira Thangaswamy

Title: OpenAM
Author: Indira Thangaswamy
Publisher: Packt Publishing (January 25, 2011)
ISBN-10: 1849510229
ISBN-13: 978-1849510226

Link on Amazon:

My Rating: Buy

General Comments
Books on security projects are quite rare. It is also quite difficult to fully document the breadth of possibilities with Open Source Software. Toward this, I commend Indira's efforts at writing a book on an open source product, OpenAM. Over the years, I have seen Indira answer user questions on the openam/opensso user forums, so he does know a lot about it. Writing books is not a joke. In the preface, Indira just hints at the pain he took in writing the book. Books take away quality family time. Kudos to Indira.

Detailed Review
Indira has done a fine job with the book. He has clearly divided the content into 3 areas. The first area, which occupies the first few chapters, is completely devoted to what OpenAM is, what problems it solves and where you get it from. The next few chapters, which make up the bulk of the book, are devoted to HOW YOU do things with OpenAM. Finally, he closes the book with Troubleshooting and Diagnostics.

The first chapter begins quite well with a description of why Identity and Access Management (IAM) is required in the industry. The short example of the FBI breach in early 2001 highlights the need for proper entitlement management. After an introduction to the benefits of IAM, Indira moves on to the history of OpenAM, starting with its roots at Sun Microsystems in 2000. This is good for obtaining a historical perspective on OpenAM. The OpenSSO architecture diagram is valuable to users who want to grasp the elements of the software packaged in OpenAM.
The section on "what kind of problems does OpenSSO solve?" describes at a high level the features OpenSSO provides: Access Management, Federation, Securing Web Services and Entitlements. I particularly liked the table at the end of this section that gives a graphical description.

In the second chapter, Indira talks about configuring OpenSSO on Tomcat. He also shows how to configure OpenSSO using the console.

The third chapter is all about administration. We see snapshots of the console as well as some CLI interactions to configure. I think the section on customizing the console with user schema needs some additional work (with examples of course).

I liked the fourth chapter, which describes the various types of authentication as well as session services. The authentication types (Module, Level, Service, etc.) have been sufficiently described. If the reader is interested further, hopefully he can get additional information from the project guides.

Chapter 7 was decent, covering integration with Salesforce and Google Apps. This chapter basically empowers the user to use SaaS-based apps with OpenAM as the IdP. The console snapshots should be sufficient for the reader to get it to work. Since I did not try it out, I am not 100% sure whether this chapter needs additional work.

Suggestions for improvement
* Indira shows how to configure things with the console as well as the command line interface. You should try to add warning boxes in the book stating which settings need the CLI.
* I am not sure whether the reader is able to obtain the LDAP schema for the various LDAP servers, or whether the OpenAM console does it for you automatically. Please clarify this in the book.
* In the administration of OpenAM, things can go wrong. There is very little information on what things need to be watched out for while administering the product. Showing console snapshots or the CLI is not sufficient to administer it. Please describe what the CLI parameters are.

Disclaimer: I am not endorsing the product OpenAM. All I am doing is reviewing a book on an open source project. I need to play around with OpenAM/OpenSSO such that Project PicketLink is interoperable with it.