Skip to main content

Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Jump to: navigation, search

Difference between revisions of "Org.eclipse.higgins.iss"

(Overview)
(Details)
 
(19 intermediate revisions by 7 users not shown)
Line 1: Line 1:
==Overview==
+
{{#eclipseproject:technology.higgins|eclipse_custom_style.css}}
Broadly speaking the [[I-Card Selector Service]] (ISS) negotiates between relying party on the one hand and the user's identity provider(s) on the other. It attempts to discover possible options for authentication and/or other identity related exchanges between the two.
+
The [[org.eclipse.higgins.iss]] uses a policy engine to attempt to determine a matching between the Relying Party's Security Policy and one or more I-Cards that can satisfy that policy.
  
'''Understanding the relying party's policy'''
 
  
ISS is invoked by a Higgins client. Let's first look at the case of the special Higgins client called the [[Higgins Browser Extension]] (HBX). When, as controlled by the user's brower, HBX lands on a new site, HBX discovers the sites policies. Some of these policies are related to authentication, others are related to other kinds of allowable/supported identity exchanges (for which the term ''policy'' often seems a bit awkward, but we use it all the same). HBX invokes the [[I-Card Selector Service]] to attempt to satisfy the site's policy. The policy states what kind of digital exchange protocols, payloads (e.g. token types, RSS feeds), etc. that it supports as well as the required claims and/or the required claimants and/or issuers of these claims.
 
  
Analogously, a non-HBX Higgins client (e.g. an enterprise service, RCP app, etc.) may require the user to authenticate into the application. This client would invoke ISS, passing in its authentication policy and desiring/requiring some kind of digital data payload, tokens, URLs, etc. in return that satisfies the policy.
+
==Service==
 +
I-Card Selector Service is an extension of [[Registry]] which manages loading and configuration of plugins that implements IICardSelector interface.
  
'''Matching against the user's [[I-Card]]s'''
+
===Responsibilities===
 +
* Determine a matching between the Relying Party's Security Policy and one of IICardSelectors that in turn determine matching I-Cards that can satisfy that policy.
 +
* Provide convinient way to call getIdentityToken method of apropriate IICardSelector.
  
With the RP policy in hand, the ISS iterates through the cards in the [[I-Card Registry]] invoking isMatch method on each and making the RP policy available as a parameter.
+
===Dependencies===
 +
* [[I-Card Registry]]
 +
* [[Token Service]]???
  
'''Displaying the I-Card Selector'''
+
===API===
 +
// Iterate through cards in the [[I-Card Registry]], use Policy engine
 +
// to examine the supported claim of each to find one or more cards that
 +
// singly or together satisfy the policy. Invoke the [[ISS Web UI]]
 +
// if 'hbx' is true, else invoke the [[ISS Client UI]] to display all cards
 +
// highlighting matching card(s). After user selects card(s),
 +
// getDigitalIdentity from the card(s) (combining DIs if needed?)
 +
IDigitalIdentity getDigitalIdentity(RPSPolicy policy, boolean hbx)
 +
 +
// (Presuming that only one card matched, and of course that the
 +
// card was a URICard for which IdAS can connect and open a Context)
 +
// Return the Context of the selected card.
 +
IContext getContext(RPSPolicy policy)
 +
 +
// Return a URI to a network endpoint (e.g. an OpenID IdP) that the
 +
// RP will interact with directly --Higgins steps out of the flow
 +
URI getURI(RPSPolicy policy)
 +
 +
// Matching functionality is now exposed by the ISS
 +
Choices match(RPSPolicy policy) throws UnsatisfiablePolicyException
  
Depending on the results of this matching process and the I-Card's release policy, the ISS may invoke the [[ISS Web UI]] or [[ISS Client UI]] to display an I=Card Selector visual interface. Some or all of the user's I-Cards are displayed in this UI with all but the matching I-Cards greyed-out (diabled). The user can review the relying party's required claims, review the claim data that they may be about to release, etc. Unless the user cancels out of the interaction the user clicks on one of the non-greyed-out cards and thereby approves the release of the digital information.
+
===PolicyFactory Interface===
  
'''Releasing digital information'''
+
PolicyFactory: This class has one method which instantiates a class that
 +
exposes the Policy interface below for the given policy type.
  
If the user approves the release, then the information in whatever form and protocol was desired by the Higgins client (on the RP's behalf) is released to that client. For RPs involved in traditional authentication interactions, the RP will typically be requesting a [[Digital Identity]] in token form as presented over some common identity protocol. In other cases (e.g. RSS-P) the Higgins client (again, on behalf of the RP site) receives a URL of an RSS feed from which to gain the information.
+
  Policy ParsePolicy(String policy, String type) throws PolicyParseException, UnsupportedPolicyTypeException
  
==Service==
+
The factory implementation is quite simple, but it allows for
* [[ISS API]]
+
extensibility---various different policies can be registered and
* Requirement: ISS need to run in both normal and headless modes. Headless mode means that a web or rich client UI is not available, and that all (if any) matching i-cards should be returned based on a given "input" policy
+
instantiated dynamically, etc.
  
==See Also==
+
===Policy Interface===
* [[ISS Web UI]]
+
 
* [[ISS Client UI]]
+
  // contains the parser for the policy string
* [[I-Card Registry]]
+
  new(String policy) throws PolicyParseException
* [[Core Components]]
+
 
 +
  // matches the policy and returns a list of lists indicating the user choices
 +
  // can return an empty Choices structure if no choices are needed
 +
  Choices match(Icard Registry) throws UnsatisfiablePolicyException
 +
 
 +
  // makes a token which satisfies this policy using the Selection of credentials
 +
  DigitalIdentity getDigitalIdentity(Selection) throws InvalidSelectionException
 +
 
 +
 
 +
 
 +
===The Cardspace Policy Class===
 +
The cardspace policy class implementation of _new_ would parse the policy.
 +
The _match_ method would subsume the role of the ISS as it is currently described.  In particular, it would
 +
iterate through the list of cards retrieved from the registry,  call
 +
isMatch on each one, and return a list of those which matched.
 +
 
 +
The getDigitalIdentity would simply call the similar function of the underlying I-card.
 +
 
 +
===Idemix Policy Class===
 +
An Idemix policy class implementation would have the flexibility to do
 +
more complicated matching, and more complicated processing to get the
 +
token.
 +
 
 +
Given these two classes, the RP protocol support class would then handle
 +
the details of marshalling/unmarshalling, formatting parameters and
 +
inputs, and making the right calls to the PolicyFactory and resulting
 +
Policy class.
 +
 
 +
This architecture allows for many more interop  possibilities.  Anyone
 +
who can implement a policy language for _requesting_ such credentials
 +
can plug into this.
 +
 
 +
==Links==
 +
* [http://www.eclipse.org/higgins Higgins Home]
 +
[[Category:Higgins Components]]

Latest revision as of 23:40, 10 July 2009

{{#eclipseproject:technology.higgins|eclipse_custom_style.css}} The org.eclipse.higgins.iss uses a policy engine to attempt to determine a matching between the Relying Party's Security Policy and one or more I-Cards that can satisfy that policy.


Service

I-Card Selector Service is an extension of Registry which manages loading and configuration of plugins that implements IICardSelector interface.

Responsibilities

  • Determine a matching between the Relying Party's Security Policy and one of IICardSelectors that in turn determine matching I-Cards that can satisfy that policy.
  • Provide convinient way to call getIdentityToken method of apropriate IICardSelector.

Dependencies

API

// Iterate through cards in the I-Card Registry, use Policy engine
// to examine the supported claim of each to find one or more cards that 
// singly or together satisfy the policy. Invoke the ISS Web UI 
// if 'hbx' is true, else invoke the ISS Client UI to display all cards
// highlighting matching card(s). After user selects card(s), 
// getDigitalIdentity from the card(s) (combining DIs if needed?)
IDigitalIdentity getDigitalIdentity(RPSPolicy policy, boolean hbx)

// (Presuming that only one card matched, and of course that the
// card was a URICard for which IdAS can connect and open a Context)
// Return the Context of the selected card.
IContext getContext(RPSPolicy policy)

// Return a URI to a network endpoint (e.g. an OpenID IdP) that the
// RP will interact with directly --Higgins steps out of the flow
URI getURI(RPSPolicy policy)

// Matching functionality is now exposed by the ISS
Choices match(RPSPolicy policy) throws UnsatisfiablePolicyException

PolicyFactory Interface

PolicyFactory: This class has one method which instantiates a class that exposes the Policy interface below for the given policy type. 

 Policy ParsePolicy(String policy, String type) throws PolicyParseException, UnsupportedPolicyTypeException

The factory implementation is quite simple, but it allows for extensibility---various different policies can be registered and instantiated dynamically, etc.

Policy Interface

 // contains the parser for the policy string
 new(String policy) throws PolicyParseException
 
 // matches the policy and returns a list of lists indicating the user choices
 // can return an empty Choices structure if no choices are needed
 Choices match(Icard Registry) throws UnsatisfiablePolicyException
 
 // makes a token which satisfies this policy using the Selection of credentials
 DigitalIdentity getDigitalIdentity(Selection) throws InvalidSelectionException


The Cardspace Policy Class

The cardspace policy class implementation of _new_ would parse the policy. The _match_ method would subsume the role of the ISS as it is currently described. In particular, it would iterate through the list of cards retrieved from the registry, call isMatch on each one, and return a list of those which matched.

The getDigitalIdentity would simply call the similar function of the underlying I-card.

Idemix Policy Class

An Idemix policy class implementation would have the flexibility to do more complicated matching, and more complicated processing to get the token.

Given these two classes, the RP protocol support class would then handle the details of marshalling/unmarshalling, formatting parameters and inputs, and making the right calls to the PolicyFactory and resulting Policy class.

This architecture allows for many more interop possibilities. Anyone who can implement a policy language for _requesting_ such credentials can plug into this.

Links

Retrieved from "https://wiki.eclipse.org/index.php?title=Org.eclipse.higgins.iss&oldid=163247"

This page was last modified 23:40, 10 July 2009 by Paul Trevithick. Based on work by Valery Kokhan, Anna Gorb and Alexandra S and others.

Back to the top