You all know the recent OAuth history of course, Eran Hammer, the author of popular OAuth1 specification, leaving the OAuth2 work group, with OAuth2 not getting much of a praise from Eran afterwards.
Eran has started several projects afterwards, Hawk and Oz in particular. The former is the evolution of the MAC draft Eran and others authored as part of the OAuth2 work, the latter is the alternative to OAuth2.
Now, I do like the OAuth2 model, I think it's very flexible and allows for all sort of flows, grants and tokens being supported. I think it is next to impossible to write a perfect specification where the security risks can be ignored or forgotten about as such. I'll be happy to see Oz evolving, good luck to it, I guess it will be very healthy if it also gets the momentum, but for now OAuth2 is what I'm interested in mostly.
That said, I really liked that draft. May be because I could read it without feeling like I needed to become a security pro and even implement it in a couple of days (with the major help from Sasi. M) ? IMHO the draft was the closest to the original OAuth1 text describing how the temporary request token affects the signature, the details differ, but the idea is very similar, where the request token acquisition step is replaced by AS returning a Mac key to the client who becomes the holder of the key. I thought that draft was paving a direct path for OAuth1 users migrating to OAuth2.
As it happens, the OAuth2 group has initiated a new MAC token draft effort. This is a good news in itself but it just takes a different approach toward getting the MAC mechanism supported. I think it is fair to say the text is much more involved; it is written by the top experts who I happen to learn a lot from by hanging at the OAuth2 list, but the truth is, without going into the detailed analysis, is that the CXF MacAccessToken implementing the draft written by Eran and others has become lost in the translation. The draft is abandoned, the OAuth2 MAC effort will require a completely different implementation.
Throwing the CXF MacAccessToken code away to avoid getting into the 'conflict' with the OAuth2 MAC approach has not been an option, IMHO it's still useful as a custom token mechanism and custom tokens and authentication schemes are proper OAuth2 citizens. And as I said, I do like the simplicity of the original text, as well as the fact that a distribution of the symmetric key is left unspecified, recommending TLS, etc, and what can be simpler to a key exchange over a 2-way TLS ?
So I've looked at Hawk in more detail. It is indeed the evolution of the draft. But the core of it did stay, the simplicity of it is there. So what I just did, rather than throwing the CXF MacAccessToken code away, I simply replaced 'Mac' with 'Hawk' in the class and package names and the name of the HTTP scheme they understand, this is all I did. For example, this code implements the Hawk scheme without me changing anything (well, I added one extra space to indicate the extension data is missing in the normalization function which was required by the draft) from the original CXF code.
The Hawk documentation goes at some length clarifying it is nothing to do with OAuth. I think it is a bit off-topic given that Hawk is a proper HTTP authentication scheme, and as such it is kind of immaterial which HTTP servers rely on it to secure its resources. I guess some of its extensions are better utilized as part of Oz, but I see no problems in getting a custom OAuth2 token supporting the clients authorizing via Hawk, the new HTTP scheme.
So I'm happy that the draft has not died after all and got resurrected in the form of Hawk. Please check the documentation and contribute to the Hawk project.
And in meantime we will keep an eye on the OAuth2 MAC effort too, we can have Hawk and OAuth2 Mac tokens coexisting happily.
Enjoy.
Wednesday, February 12, 2014
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment