[security-dev] Entitlement versus Enforcement Model

Bill Burke bburke at redhat.com
Wed Nov 7 16:19:42 EST 2012

On 11/7/2012 4:02 PM, Anil Saldhana wrote:
> On 11/07/2012 02:44 PM, Bill Burke wrote:
>> On 11/7/2012 3:28 PM, Anil Saldhana wrote:
>>> On 11/07/2012 01:21 PM, Bill Burke wrote:
>>>> I'm working on prototype/protocol that combines client-cert and signed
>>>> tokens.
>>>> Token is signed by the IDP and contains:
>>>> * user identity
>>>> * roles/permissions
>>>> * expiration/timestamp
>>> Bill,  this translates to a SAML Response from an IDP that contains
>>> Authentication Statement (who the user is, who issued the assertion,
>>> public key of the IDP etc) and attribute Statements (roles/permissions
>>> can be viewed as attributes an identity has).
>>> If we can somehow translate this entire thing into a JSON construct, it
>>> will be lightweight and cool.
>> Translating all the verbose nonsense contained in SAML documents to the
>> much simpler domain of Java EE role-based model is something you'll have
>> to do anyways.  You probably have *already* it. :)
>> What I want to see happen is ditching SAML entirely for a very tight
>> token format that is as small as possible.  If you follow this route,
>> you can include signed tokens within URLs (Will work great with OAuth2).
>>     SAML documents are just WAY too big for these types of redirection
>> protocols.
>> IMO, SAML is ridiculous.  All the metadata a service needs in an
>> authenticated request is really userid, permission metadata, and maybe a
>> URL that references the full information about that user.  If the
>> service wants information like first/last name, email, etc., it can
>> query this URL and negotiate the desired format using HTTP.
> Bill - what I am proposing is a JSON structure that is in the worst case
> the full translation of a SAML structure. SAML can be daunting because
> it tries to solve everything for everybody and your usecases may not
> warrant all the goodies that come with SAML.

I think JWT already defines much of the crucial metadata that SAML 
provides (expiration, timestamp, etc.).  As far as user metadata, see my 
URL-based approach.

> But the JWT work going on in IETF lacks in the richness of SAML
> structures, if someone desires it.

IMO, instead of defining one uber-format, define media types per use 
cases.  JWS (Json web signature) has a content-type header that allows 
you to specify the type of the encoded data.  What you could do is add a 
negotiation protocol for this or just provide a callback URL for the 
service so it can obtain a more rich token format it desires.

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list