An OpenID Scenario for NMCDSP/GSCF
OpenID is a single sign-on method for authentication. OpenIDs are issued by providers: anyone with a Google, Yahoo, or Facebook account already has an OpenID, and there are many other providers.
The exact protocol is described on these pages.
Below, a scenario is described in which a user accesses both the GSCF and the NMCDSP through a single sign-on. OpenID is used to achieve a single sign-on session for both systems.
The scenario is depicted below.
The user wants to access the NMC DSP and opts to sign in with his Google account. The OpenID module of the NMC DSP then contacts Google, and the user is redirected to the Google login site. Google sends some information to the NMC DSP prior to this redirection (not shown in the picture). The user logs in at Google and Google notifies the NMC DSP. The user is then granted access by the NMC DSP and can continue working.
Next, when the user wants to use the GSCF, the steps are equivalent to those described above. But since the user is already logged in at his Google account, there is no need to redirect to the Google logon page. This feature should be tested.
See also here.
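What makes the redirect flow above safe is the set of checks the relying party (the NMC DSP, and later the GSCF) performs on the assertion the provider sends back: it must be addressed to this site, come from the provider that was discovered, be signed under the association shared with that provider, and not be a replay of an earlier response. The following is an added example written for this page, not code from the NMC DSP, the GSCF or any Grails plugin. It follows the OpenID Authentication 2.0 key-value signing scheme (HMAC over "name:value" lines of the fields listed in openid.signed), but the MAC key, association handle, URLs, identities and the simulated provider that stands in for Google are all constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed values for this example. In a deployment the MAC key comes from
# the association the relying party (RP) established with the OpenID Provider
# (OP), and the URLs are the real OP endpoint and RP return_to URL.
OP_ENDPOINT = "https://op.example.com/openid"           # placeholder OP URL
RP_RETURN_TO = "https://dsp.example.org/openid/return"  # placeholder RP URL
ASSOC_HANDLE = "example-assoc-1"                        # placeholder handle
MAC_KEY = bytes(range(32))                              # constructed 256-bit MAC key
SIGNED_LIST = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def key_value_form(fields, signed_list):
    """Key-value form of the fields named in openid.signed: one 'name:value'
    line per field, names without the 'openid.' prefix (OpenID 2.0, sec. 6.1)."""
    lines = []
    for name in signed_list.split(","):
        value = fields.get("openid." + name)
        if value is None:
            raise ValueError(f"signed field missing: {name}")
        lines.append(f"{name}:{value}\n")
    return "".join(lines)


def sign_assertion(fields, signed_list, mac_key):
    """HMAC-SHA256 over the key-value form, base64 encoded."""
    mac = hmac.new(mac_key, key_value_form(fields, signed_list).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_positive_assertion(claimed_id, nonce, mac_key=MAC_KEY):
    """Constructed OP side: the fields an OP redirects back to the RP after login."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": SIGNED_LIST,
    }
    fields["openid.sig"] = sign_assertion(fields, SIGNED_LIST, mac_key)
    return fields


class RelyingParty:
    """The checks an RP such as the NMC DSP performs on a returned assertion."""

    REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    MAX_SKEW = timedelta(minutes=5)

    def __init__(self, op_endpoint, return_to, assoc_handle, mac_key):
        self.op_endpoint, self.return_to = op_endpoint, return_to
        self.assoc_handle, self.mac_key = assoc_handle, mac_key
        self.seen_nonces = set()  # replay protection; persist this in a real RP

    def verify(self, fields, now):
        if fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        # The assertion must be for this RP, from the discovered OP, under our association.
        if fields.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch"
        if fields.get("openid.op_endpoint") != self.op_endpoint:
            return False, "op_endpoint mismatch"
        if fields.get("openid.assoc_handle") != self.assoc_handle:
            return False, "unknown association handle"
        signed_list = fields.get("openid.signed", "")
        if not self.REQUIRED_SIGNED.issubset(signed_list.split(",")):
            return False, "required fields not covered by signature"
        try:
            expected = sign_assertion(fields, signed_list, self.mac_key)
        except ValueError as exc:
            return False, str(exc)
        if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
            return False, "bad signature"
        # The nonce starts with a UTC timestamp: it must be fresh and never seen before.
        nonce = fields["openid.response_nonce"]
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - issued) > self.MAX_SKEW:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "replayed assertion"
        self.seen_nonces.add(nonce)
        return True, fields["openid.claimed_id"]


def demo():
    """A fresh assertion is accepted; its replay and a tampered copy are rejected."""
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    rp = RelyingParty(OP_ENDPOINT, RP_RETURN_TO, ASSOC_HANDLE, MAC_KEY)
    assertion = make_positive_assertion("https://op.example.com/id/alice", "2024-01-01T12:00:00Zabc123")
    fresh = rp.verify(assertion, now)
    replay = rp.verify(assertion, now)
    tampered = dict(assertion, **{"openid.claimed_id": "https://op.example.com/id/admin"})
    return fresh, replay, rp.verify(tampered, now)


if __name__ == "__main__":
    for label, result in zip(("fresh", "replay", "forged"), demo()):
        print(label, result)
```

The same checks apply when the user reaches the GSCF second: the provider may skip its login page because the user already has a Google session, but the GSCF still receives and must verify its own assertion, with its own return_to, association and nonce store.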
A potential problem is that the NMC DSP will make calls to the GSCF which include user information. In fact, this can be seen as a form of delegation, where the NMC DSP makes requests to the GSCF on behalf of the user.
One way of circumventing this is that the DSP sends the user id along with the call (over HTTPS). The GSCF trusts the identity of the user (it trusts the DSP for having authenticated the user) and checks the authorization of the user for the requested information.
Another possibility is that when logging on to the DSP, the user also automatically signs in at the GSCF. Most likely the DSP is then still not able to request information on behalf of the user; in other words, delegation is still not possible. In that case, the DSP and GSCF somehow have to agree that the user is authenticated and that it is safe to trust the id of the user in communication between the two systems.
By default, all OpenID accounts can be given access to both systems. The systems then check only the user's authorizations, which are zero for unknown users.
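For the first option above (the DSP passes the user id along with the call), HTTPS only protects the channel: the GSCF must also be able to tell that the call really comes from the DSP, otherwise any client that can reach the GSCF could claim to be any user. The following added example shows one way to achieve that trust and then apply the "zero authorizations for unknown users" rule: the DSP signs a short-lived assertion naming the authenticated user with a key it shares with the GSCF, the GSCF verifies signature, validity window and single use, and only then consults its own authorization table. This is example code written for this page, not the project's design or the API of any Grails plugin; the shared secret, issuer name, user ids and resource names are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example; a deployment would provision a
# key out of band between the DSP and the GSCF (or use mutual TLS instead).
DSP_GSCF_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TOKEN_TTL = 300  # seconds a delegation assertion stays valid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_delegation_token(user_id, now, nonce, secret=DSP_GSCF_SECRET):
    """DSP side: assert which authenticated user this call is made for, signed with the shared key."""
    claims = {"iss": "nmcdsp", "sub": user_id, "iat": now, "exp": now + TOKEN_TTL, "jti": nonce}
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class Gscf:
    """GSCF side: accept the DSP's assertion only if it is genuine, fresh and unused,
    then apply the GSCF's own authorization table."""

    def __init__(self, secret, permissions):
        self.secret = secret
        self.permissions = permissions  # OpenID claimed id -> set of resources
        self.used_jti = set()           # single-use check; persist this in a real service

    def authenticate_caller(self, token, now):
        try:
            body, tag = token.split(".")
        except ValueError:
            return None, "malformed token"
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad signature"
        claims = json.loads(_unb64url(body))
        if claims.get("iss") != "nmcdsp":
            return None, "unexpected issuer"
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return None, "expired or not yet valid"
        if claims["jti"] in self.used_jti:
            return None, "replayed token"
        self.used_jti.add(claims["jti"])
        return claims["sub"], "ok"

    def handle_request(self, token, resource, now):
        user, reason = self.authenticate_caller(token, now)
        if user is None:
            return False, reason
        # Unknown OpenID accounts authenticate fine but hold no authorizations.
        if resource in self.permissions.get(user, set()):
            return True, f"{user} authorized for {resource}"
        return False, f"{user} authenticated but not authorized for {resource}"


def demo():
    now = 1_700_000_000  # constructed epoch time
    gscf = Gscf(DSP_GSCF_SECRET, {"https://op.example.com/id/alice": {"study-42"}})
    alice = issue_delegation_token("https://op.example.com/id/alice", now, "n1")
    bob = issue_delegation_token("https://op.example.com/id/bob", now, "n2")
    ok = gscf.handle_request(alice, "study-42", now + 10)
    unknown = gscf.handle_request(bob, "study-42", now + 10)
    replay = gscf.handle_request(alice, "study-42", now + 20)
    forged = gscf.handle_request(alice[:-1] + ("0" if alice[-1] != "0" else "1"), "study-42", now)
    late = issue_delegation_token("https://op.example.com/id/alice", now, "n3")
    expired = gscf.handle_request(late, "study-42", now + TOKEN_TTL + 1)
    return ok, unknown, replay, forged, expired


if __name__ == "__main__":
    for label, result in zip(("ok", "unknown", "replay", "forged", "expired"), demo()):
        print(label, result)
```

The authorization table stands in for whatever the GSCF keeps; the point is that authentication (the assertion is genuine and from the DSP) and authorization (what this user may see) stay separate checks, and that a user both systems accept at sign-on can still have no rights at all.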
OpenID is well supported. The Shiro and Nimble plugins should both be able to handle it well. There is also a Grails OpenID plugin.
The following actions have to be taken.
- Set up OpenId support for NMC DSP and GSCF
- Test the above scenario with a Google account
- Test whether a user who has already signed in with Google is automatically accepted by both systems
- See how the DSP and GSCF can perform authorization of the user
- See how DSP and GSCF can communicate about an authenticated user
GUI tips from Google User Experiences for UI.