A Breakout Session by Dirk Hogan, Sr. Software Engineer at ForgeRock at the 2014 IRM Summit in Phoenix, Arizona.
IRM Summit 2014
ELECTRONIC DREAMS: The Rise of Machine to Machine Communication
Dirk Hogan, Sr. Software Engineer, ForgeRock
What is REST STS?
REST-based token transformation service, inspired by the Security Token Service defined in WS-Trust.
WS-Trust STS
■ Overly ambitious
■ Abstraction is lossy
■ Complexity
■ Interoperability challenges
■ SOAP / XML
REST STS: Building on WS-Trust
■ WS-Trust supports an explicit token transformation
■ WS-Trust supports an implicit token transformation
Why not make the implicit explicit?
REST STS: Why Not Simplify?
■ Instead of a single (ambiguous) abstraction set to rule them all, why not specific, explicit JSON payloads defining a token transformation, POSTed to a RESTful endpoint?

{
  "input_token_state": {
    "token_type": "OPENIDCONNECT",
    "oidc_id_token": "eyZTQxODkzM2ZlMmQifQ.eyJpc3MiOiJhDA2OTM2NTJ9.enWa7YcxO6PsXMFQZXMuPn7o8PF5Cv71PNLcIQ"
  },
  "output_token_state": {
    "token_type": "SAML2",
    "serviceProviderAssertionConsumerServiceUrl": "http://tomcat-host.dirk.internal.forgerock.com:8080/openam/Consumer/metaAlias/sp",
    "subjectConfirmation": "BEARER"
  }
}
REST STS: Built On Apache-CXF STS
■ Apache-CXF has all the elegant abstractions
Why not re-skin CXF-STS?
Why not replace SOAP/XML with REST/JSON?
Open Source Rocks!!
REST STS: Identity Meta-System
■ Heterogeneity in the identity space
■ Different services require different identity formats
■ Any combination of tokens validated and issued by OpenAM is a candidate for STS token transformation
Why Does It Matter?
Demo
(Sequence diagram, image not preserved: numbered steps 0-7 exchanged between the Demo App and OpenAM.)
Legend:
0: Publish STS Instance
1: STS instance created
2: Obtain OIDC ID Token
3: Invoke STS OIDC->SAML2
4: OIDC token validation
5: SAML2 Assertion Generation
6: Present Assertion to Service Provider
7: Un-publish REST STS instance
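The following Python is an added example, not code from the deck or from ForgeRock/OpenAM. It builds a request of the shape shown on the "Why Not Simplify?" slide (OPENIDCONNECT in, SAML2 BEARER out) and covers demo step 3, "Invoke STS OIDC->SAML2". The STS endpoint URL, the subjectConfirmation values other than BEARER, the allow-list of service-provider hosts and the https-only rule are this example's own assumptions (the demo itself used a plain-http internal host); the check function illustrates the kind of server-side constraint a deployment would want, since a bearer assertion is usable by whoever receives it.

```python
"""Added example (not from the ForgeRock deck): build, check and send a REST STS
token-transformation request. Endpoint path, non-BEARER subjectConfirmation
values and the ACS allow-list are assumptions, not OpenAM facts."""
import json
import re
import urllib.request
from urllib.parse import urlparse

# Assumed set of accepted subjectConfirmation values; only "BEARER" is on the slides,
# the other two are common SAML2 subject-confirmation methods.
SUBJECT_CONFIRMATIONS = {"BEARER", "HOLDER_OF_KEY", "SENDER_VOUCHES"}

# Compact JWS shape: header.payload.signature, each segment base64url.
_JWS_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def build_oidc_to_saml2_request(oidc_id_token: str, acs_url: str,
                                subject_confirmation: str = "BEARER") -> dict:
    """Return the JSON-serialisable payload for an OIDC -> SAML2 transformation."""
    if not _JWS_RE.match(oidc_id_token):
        raise ValueError("oidc_id_token is not a compact JWS (header.payload.signature)")
    if subject_confirmation not in SUBJECT_CONFIRMATIONS:
        raise ValueError(f"unsupported subjectConfirmation: {subject_confirmation}")
    return {
        "input_token_state": {
            "token_type": "OPENIDCONNECT",
            "oidc_id_token": oidc_id_token,
        },
        "output_token_state": {
            "token_type": "SAML2",
            # Must be a JSON string (the slide's payload left this value unquoted).
            "serviceProviderAssertionConsumerServiceUrl": acs_url,
            "subjectConfirmation": subject_confirmation,
        },
    }


def check_transformation_request(payload: dict, allowed_acs_hosts: set) -> list:
    """Server-side checks a deployment would want before issuing an assertion.
    Returns a list of problems; an empty list means the request passed."""
    problems = []
    inp = payload.get("input_token_state", {})
    out = payload.get("output_token_state", {})
    if inp.get("token_type") != "OPENIDCONNECT" or not inp.get("oidc_id_token"):
        problems.append("input_token_state must carry an OPENIDCONNECT oidc_id_token")
    if out.get("token_type") != "SAML2":
        problems.append("output_token_state.token_type must be SAML2")
    acs = out.get("serviceProviderAssertionConsumerServiceUrl")
    if not isinstance(acs, str):
        problems.append("ACS URL missing or not a string")
    else:
        parsed = urlparse(acs)
        # A bearer assertion is usable by whoever receives it, so the destination
        # should be an allow-listed SP reached over TLS, not a caller-chosen host.
        if parsed.scheme != "https":
            problems.append("ACS URL must use https")
        if parsed.hostname not in allowed_acs_hosts:
            problems.append(f"ACS host not allow-listed: {parsed.hostname}")
    if out.get("subjectConfirmation") not in SUBJECT_CONFIRMATIONS:
        problems.append("unsupported subjectConfirmation")
    return problems


def invoke_sts(sts_url: str, payload: dict, timeout: float = 10.0) -> dict:
    """POST the payload to a published REST STS instance (demo step 3) and return
    the parsed JSON response. sts_url is a placeholder supplied by the caller."""
    body = json.dumps(payload).encode()
    req = urllib.request.Request(sts_url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values: a dummy three-segment token, not a real ID token.
    sample_token = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJleGFtcGxlIn0.c2ln"
    payload = build_oidc_to_saml2_request(
        sample_token, "https://sp.example.com/openam/Consumer/metaAlias/sp")
    print(json.dumps(payload, indent=2))
    print(check_transformation_request(payload, {"sp.example.com"}))
    # invoke_sts("https://openam.example.com/<assumed-sts-path>", payload)
```

The request builder does only client-side shape checks; validating the ID token's signature, issuer and audience (demo step 4) is the STS's job, and the allow-list check stands in for the deployment-side configuration that decides which service providers may receive an assertion.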