[foaf-protocols] wif identity SDK, nice opportunity for webid integration
kidehen at openlinksw.com
Mon Mar 7 22:52:53 CET 2011
On 3/7/11 4:39 PM, Peter Williams wrote:
> In the WIF SDK, there is sample code. A service client authenticates
> to an STS associated with the service endpoint. It consumes something
> like HTTP WebAuth headers, and signs a token. The code shows how to
> easily add a custom property or two to that token. For example, the
> WebID URI known to be associated with BasicAuth user Fred.
> Assume that said STS signs for user Fred, with the user's signing key
> (much like a client authn key). If you want, assume the STS is on the
> user Fred's host (or not, since it might be on the user's smartcard).
> The code source also has the validation callback done, so that the
> service can consume the custom signed token format (now bearing
> webid). Presumably, it can now do the VA processing steps, per the
> spec -- rather than simply test that a particular custom value exists
> (in the sample).
> Would it matter that no SSL was involved?
> Presumably not. A user signed token has been received, claiming
> (write-level) control over a resource document identified by name in
> the signed token. VA confirms this, to be true or not. It can be a
> user signed token minted by ws-trust, or SSL. It really doesn't matter.
> If that STS minting a signed XML token happened to direct it to
> another STS (e.g. the ACS cloud), this could re-sign the content using
> the SWT token -- for consumption by WIF libraries supporting WCF
> services exposing their REST bindings instead of SOAP bindings.
> Now as part of "claimsauthorization" code class customization of ACS,
> per tenant, could we imagine IT doing the foaf card callback (or it
> calling further back itself, to Kingsley's SPARQL server) -- offloading
> this duty from the RP app?
> Alternatively, perhaps Kingsley's server already exposes an STS
> endpoint directly -- and just can play the [integrated] role of ACS?
That's possible too. I just use WebID to constrain who (as in Agent with
a WebID) can do it etc.
> Since MSFT are assuming a million tenants will setup ACS accounts (to
> define their federation network), sounds like Kingsley's service could
> compete -- with a million dataspaces doing the same thing.
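The verification step Peter describes (the relying party receives a user-signed token that carries a WebID claim and, rather than only testing that the custom claim exists, confirms that the key which signed the token is the one published at that WebID) is shown below as an added example. It is not code from this thread, from the WIF SDK, or from OpenLink's server. The token format (base64url JSON claims plus a signature), the in-memory profile store that stands in for dereferencing the WebID and reading its cert:key triples, the profile URIs, and the textbook-RSA keys generated from fixed seeds are all constructed for illustration; the RSA here is the bare schoolbook operation with a SHA-256 hash and is not padded, so it demonstrates the check, not a production signature scheme.

```python
"""Relying-party check for a user-signed token bearing a WebID claim.

Constructed example: the STS signs claims with Fred's key; the service
verifies the signature against the public key published at the WebID
named in the token, instead of merely checking that the claim is present.
Keys are textbook RSA over small deterministic primes (demo only).
"""
import base64
import hashlib
import json
import random

_RNG = random.Random(1)  # deterministic so the demo keys are reproducible


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test; enough for generating demo primes."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if is_probable_prime(cand):
            return cand


def make_keypair(seed, bits=512):
    """Demo RSA keypair from a seed: returns (public (n, e), private (n, d))."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, private_key):
    """STS side: serialise the claims (including the custom 'webid' claim)
    and sign their SHA-256 with the user's private key."""
    n, d = private_key
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")  # < n (256 vs 512 bits)
    sig = pow(digest, d, n)
    return b64url_encode(payload) + "." + b64url_encode(sig.to_bytes((n.bit_length() + 7) // 8, "big"))


def verify_webid_token(token, profile_store):
    """RP side ('VA processing'): return the WebID if the token was signed by
    the key published in that WebID's profile, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        webid = json.loads(payload)["webid"]
    except (ValueError, KeyError, TypeError):
        return None
    public_key = profile_store.get(webid)  # stands in for fetching the profile's cert:key
    if public_key is None:
        return None
    n, e = public_key
    sig = int.from_bytes(b64url_decode(sig_b64), "big")
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return webid if pow(sig, e, n) == digest else None


FRED = "https://fred.example/profile#me"          # constructed WebID
MALLORY = "https://mallory.example/profile#me"    # constructed WebID


def demo():
    """Run the three cases an RP must distinguish; returns a dict of results."""
    fred_pub, fred_priv = make_keypair("fred")
    mallory_pub, mallory_priv = make_keypair("mallory")
    profiles = {FRED: fred_pub, MALLORY: mallory_pub}  # constructed profile store
    genuine = issue_token({"sub": "fred", "webid": FRED}, fred_priv)
    # Claim is present and names Fred, but Mallory's key signed it: must fail.
    forged = issue_token({"sub": "fred", "webid": FRED}, mallory_priv)
    # Fred's real signature over claims that were altered in transit: must fail.
    _, sig = genuine.split(".")
    tampered = b64url_encode(b'{"sub":"fred","webid":"https://other.example/#me"}') + "." + sig
    return {
        "genuine": verify_webid_token(genuine, profiles),
        "forged": verify_webid_token(forged, profiles),
        "tampered": verify_webid_token(tampered, profiles),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the middle case: the WIF sample's "does the custom value exist" test would accept the forged token, because the claim is there; binding the signature to the key the WebID itself publishes is what turns the claim into evidence of control over that profile document.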