REST assured, OAuth security

I have been investigating REST-oriented workflow in a secure environment for the past couple of months. I covered OpenID a few months ago, which is perfect for allowing a kind of single sign-on (SSO) in a web 2.0 environment without giving any service your password. Signing on to services is important, but how do you get one service to talk to another service without giving either of them your password?

That is where OAuth comes in. There are a number of proprietary protocols that accomplish a secure interchange, all based on something similar to Kerberos from years back. The OAuth designers took a look at all of them and put together a best-of-breed solution, while at the same time avoiding unnecessary embellishment. Below is a role interaction diagram I drew up in order to understand the exchange, because I could not find a similar diagram in the OAuth literature; you might find it helpful.

[Figure: OAuth Role Interaction diagram]

Workflow / BPM has some special considerations when it comes to authentication, specifically because of delay. In many service-to-service scenarios the person authorizing the interchange is standing by and can be involved in the exchange if necessary. Workflow, on the other hand, operates asynchronously, after the user has logged out, and so we need to prepare for that.
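To make the role interaction concrete, here is an added example (not code from this post, nor from the OAuth project) that plays the three roles of the 2008-era OAuth 1.0a "three-legged" exchange in one process: the Consumer (a workflow engine) obtains a request token, the User approves it at the Service Provider and receives a verifier, the Consumer swaps it for an access token, and then, after the user is gone, the engine reuses the stored access token asynchronously, which is exactly the delayed case discussed above. Requests are signed with HMAC-SHA1 over the OAuth signature base string, and the service provider enforces the timestamp and nonce checks that stop a captured request from being replayed. The endpoint base `https://sp.example/oauth`, the consumer key `wf-engine`, the user `alice` and all secrets are constructed values for the example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

SP_URL = "https://sp.example/oauth"  # constructed endpoint base for the example


def pct(s):
    # OAuth 1.0 percent-encoding: only the RFC 3986 unreserved set stays bare
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    # Encode keys/values, sort, join as k=v&k=v, then encode that string once more
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Signing key is consumer secret and token secret joined by '&' (token part may be empty)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class ServiceProvider:
    """Holds the user's data and issues tokens (hypothetical in-memory provider)."""

    def __init__(self, consumers):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.request_tokens = {}     # token -> {secret, consumer, user, verifier}
        self.access_tokens = {}      # token -> {secret, consumer, user}
        self.seen_nonces = set()     # (consumer_key, nonce) pairs already accepted

    def _verify(self, method, url, params, token_secret):
        p = dict(params)
        sig = p.pop("oauth_signature")
        if abs(time.time() - int(p["oauth_timestamp"])) > 300:
            raise PermissionError("stale timestamp")
        nonce = (p["oauth_consumer_key"], p["oauth_nonce"])
        if nonce in self.seen_nonces:
            raise PermissionError("nonce replayed")
        self.seen_nonces.add(nonce)
        expected = hmac_sha1(method, url, p, self.consumers[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        return p

    def request_token(self, method, url, params):
        p = self._verify(method, url, params, "")   # no token secret yet
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": p["oauth_consumer_key"],
                                    "user": None, "verifier": None}
        return tok, sec

    def authorize(self, token, user):
        # The user, logged in at the provider, approves the request token; the verifier
        # proves to the provider later that the same user-approved session completed
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["verifier"]

    def access_token(self, method, url, params):
        rt = self.request_tokens[params["oauth_token"]]
        p = self._verify(method, url, params, rt["secret"])
        if rt["user"] is None or p["oauth_verifier"] != rt["verifier"]:
            raise PermissionError("request token not authorized")
        del self.request_tokens[p["oauth_token"]]   # request tokens are single-use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": rt["consumer"], "user": rt["user"]}
        return tok, sec

    def protected_resource(self, method, url, params):
        at = self.access_tokens[params["oauth_token"]]
        p = self._verify(method, url, params, at["secret"])
        if at["consumer"] != p["oauth_consumer_key"]:
            raise PermissionError("token belongs to another consumer")
        return f"inbox of {at['user']}"


class Consumer:
    """The workflow engine acting for the user; it never sees the user's password."""

    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, method, url, extra, token="", token_secret=""):
        p = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
             "oauth_version": "1.0", **extra}
        if token:
            p["oauth_token"] = token
        p["oauth_signature"] = hmac_sha1(method, url, p, self.secret, token_secret)
        return p


def run_flow():
    sp = ServiceProvider({"wf-engine": "kd94hf93k423kf44"})
    engine = Consumer("wf-engine", "kd94hf93k423kf44")
    u = SP_URL + "/request_token"   # leg 1: consumer -> provider, signed with consumer secret only
    rt, rts = sp.request_token("POST", u, engine.signed("POST", u, {"oauth_callback": "oob"}))
    verifier = sp.authorize(rt, "alice")   # leg 2: user approves at the provider
    u = SP_URL + "/access_token"    # leg 3: authorized request token -> access token
    at, ats = sp.access_token("POST", u, engine.signed("POST", u, {"oauth_verifier": verifier}, rt, rts))
    stored = {"token": at, "secret": ats}   # what the workflow engine persists
    # Later, with the user logged out, the engine still acts on alice's behalf
    u = SP_URL + "/inbox"
    req = engine.signed("GET", u, {}, stored["token"], stored["secret"])
    resource = sp.protected_resource("GET", u, req)
    try:                            # the same signed request presented twice is refused
        sp.protected_resource("GET", u, req)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"resource": resource, "replay_rejected": replay_rejected}
```

The access token and its secret are the only things the engine stores; the user's password never leaves the service provider, and the user can revoke that one token at the provider without touching any other consumer. Note that the nonce set in `_verify` grows without bound here; a real provider would expire entries alongside the timestamp window.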

At the WfMC member meeting this week, we had a visit from Eran Hammer-Lahav (Hueniverse), who is one of the key people behind OAuth. He ran through a number of scenarios in detail and offered the kind of insight you would expect from a consummate expert in the field. As a result, it is clear that OAuth can play a key role in REST-oriented workflow in a secure environment. It seems likely that this will make its way into the new Wf-XML-R specification due early next year.

WfMC is very thankful for Eran’s visit, and for the good work that all the contributors to OAuth are doing. We look forward to more useful things from this group.
