#standards
By George Fletcher and Lovlesh Chhabra
When Yahoo and AOL came together a year ago as a part of the new Verizon subsidiary Oath, we took on the challenge of unifying their identity platforms based on current identity standards. Identity standards have been a critical part of the Internet ecosystem over the last 20+ years. From single-sign-on and identity federation with SAML; to the newer identity protocols including OpenID Connect, OAuth2, JOSE, and SCIM (to name a few); to the explorations of “self-sovereign identity” based on distributed ledger technologies; standards have played a key role in providing a secure identity layer for the Internet.
As we navigated this journey, we ran across a number of different use cases where there was either no standard or no best practice available for our varied and complicated needs. Instead of creating entirely new standards to solve our problems, we found it more productive to use existing standards in new ways.
One such use case arose when we realized that we needed to migrate the identity stored in mobile apps from the legacy identity provider to the new Oath identity platform. For most browser (mobile or desktop) use cases, this doesn’t present a huge problem: some DNS magic and HTTP redirects, and the user will sign in at the correct endpoint. Also, users accessing services via their browser expect to have to sign in now and then.
However, for mobile applications it’s a completely different story. The normal user pattern for mobile apps is for the user to sign in (via OpenID Connect or OAuth2) and for the app to then be issued long-lived tokens (well, the refresh token is long-lived), after which the user never has to sign in again on the device (entering a password on the device is NOT a good experience for the user).
So the issue is: how do we allow the mobile app to move from one identity provider to another without the user having to re-enter their credentials? The solution came from researching what standards currently exist that might address this use case (see figure “Standards Landscape” below) and finding the OAuth 2.0 Token Exchange draft specification (https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-13).
The Token Exchange draft allows for a given token to be exchanged for new tokens in a different domain. This could be used to manage the “audience” of a token that needs to be passed among a set of microservices to accomplish a task on behalf of the user, as an example. For the use case at hand, we created a specific implementation of the Token Exchange specification (a profile) to allow the refresh token from the originating Identity Provider (IDP) to be exchanged for new tokens from the consolidated IDP. By profiling this draft standard we were able to create a much better user experience for our consumers and do so without inventing proprietary mechanisms.
During this identity technical consolidation we also had to address how to support sharing signed-in users across mobile applications written by the same company (technically, signed with the same vendor signing key). Specifically, how can a user signed in to Yahoo Mail avoid having to sign in again when they start using the Yahoo Sports app? The current best practice for this is captured in OAuth 2.0 for Native Apps (RFC 8252). However, the flow described by this specification requires that the mobile device’s system browser hold the user’s authenticated sessions. This has some drawbacks, such as users clearing their cookies or using private browsing mode, or, even worse, requiring the IDPs to support multiple users signed in at the same time (not something most IDPs support).
While RFC 8252 provides a mechanism for single sign-on (SSO) across mobile apps provided by any vendor, we wanted a better solution for apps provided by Oath. So we looked at how we could enable mobile apps signed by the vendor to share the signed-in state in a more “back channel” way. One important fact is that mobile apps cryptographically signed by the same vendor can securely share data via the device keychain on iOS and Account Manager on Android.
Using this as a starting point we defined a new OAuth2 scope, device_sso, whose purpose is to require the Authorization Server (AS) to return a unique “secret” assigned to that specific device. The precedent for using a scope to define specification behaviour is OpenID Connect itself, which defines the “openid” scope as the trigger for the OpenID Provider (an OAuth2 AS) to implement the OpenID Connect specification. The device_secret is returned to a mobile app when the OAuth2 code is exchanged for tokens; the mobile app then stores it in the device keychain along with the id_token identifying the user who signed in.
At this point, a second mobile app signed by the same vendor can look in the keychain and find the id_token, ask the user if they want to use that identity with the new app, and then use a profile of the token exchange spec to obtain tokens for the second mobile app based on the id_token and the device_secret. The full sequence of steps looks like this:
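The two token-exchange profiles described above (the legacy-refresh-token migration, and the id_token plus device_secret exchange for device SSO) can be sketched as one small exchange. The following is an added example, not Oath’s code or the draft’s reference implementation. It models both the client-side request and a toy authorization server that checks each profile’s preconditions. The grant-type and token-type URNs for refresh tokens, id tokens and access tokens are the ones defined by the Token Exchange draft; the `urn:x-oath:…:device-secret` actor token type, the client identifiers, the token values and the "one-time use" handling of the legacy refresh token are assumptions made for this example, as is modelling the id_token as an opaque lookup key rather than a signed JWT that a real AS would validate by signature, issuer and expiry.

```python
"""Token-exchange profiles for identity migration and device SSO.

Constructed example (not the post's or Oath's code). Profile 1 exchanges a
legacy IDP refresh token for consolidated-IDP tokens; profile 2 exchanges an
id_token found in the shared keychain plus a device_secret (actor token) for
tokens for a second app signed by the same vendor.
"""
import secrets

# Grant and token types from the OAuth 2.0 Token Exchange draft.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
TT_REFRESH = "urn:ietf:params:oauth:token-type:refresh_token"
TT_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
TT_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
# Assumed identifier for the device_secret actor token (not on the page).
TT_DEVICE_SECRET = "urn:x-oath:params:oauth:token-type:device-secret"


def migration_request(legacy_refresh_token, client_id):
    """Profile 1 (client side): present the legacy refresh token as subject."""
    return {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "subject_token": legacy_refresh_token,
        "subject_token_type": TT_REFRESH,
        "requested_token_type": TT_REFRESH,
    }


def device_sso_request(id_token, device_secret, client_id):
    """Profile 2 (client side): id_token as subject, device_secret as actor."""
    return {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "subject_token": id_token,
        "subject_token_type": TT_ID_TOKEN,
        "actor_token": device_secret,
        "actor_token_type": TT_DEVICE_SECRET,
        "requested_token_type": TT_REFRESH,
    }


class ConsolidatedAS:
    """Toy consolidated authorization server holding the state both profiles need."""

    def __init__(self):
        self.legacy_refresh = {}     # legacy refresh token -> subject (user id)
        self.id_tokens = {}          # id_token -> {"sub", "aud", "device"}
        self.device_secrets = {}     # device_secret -> {"sub", "device"}
        self.vendor_clients = set()  # client_ids of apps signed by the same vendor
        self.issued = []             # (sub, client_id) audit trail

    def _issue(self, sub, client_id):
        """Stand-in for real token issuance; values are random placeholders."""
        self.issued.append((sub, client_id))
        return {
            "access_token": secrets.token_urlsafe(16),
            "issued_token_type": TT_ACCESS,
            "token_type": "Bearer",
            "expires_in": 3600,
            "refresh_token": secrets.token_urlsafe(24),
        }

    def token_exchange(self, form):
        """Token endpoint handler; error codes follow OAuth 2.0 conventions."""
        if form.get("grant_type") != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        subject, stype = form.get("subject_token"), form.get("subject_token_type")
        client_id = form.get("client_id")
        if not subject or not stype or not client_id:
            return {"error": "invalid_request"}

        if stype == TT_REFRESH:
            # Profile 1. The legacy token is consumed on use (assumed policy), so a
            # captured copy cannot be replayed to mint a second set of tokens.
            sub = self.legacy_refresh.pop(subject, None)
            return self._issue(sub, client_id) if sub else {"error": "invalid_grant"}

        if stype == TT_ID_TOKEN:
            # Profile 2. Only same-vendor apps may use the keychain-shared identity.
            if client_id not in self.vendor_clients:
                return {"error": "invalid_client"}
            if form.get("actor_token_type") != TT_DEVICE_SECRET:
                return {"error": "invalid_request"}
            claims = self.id_tokens.get(subject)
            binding = self.device_secrets.get(form.get("actor_token"))
            if claims is None or binding is None or claims["aud"] not in self.vendor_clients:
                return {"error": "invalid_grant"}
            # The device_secret must belong to the same user and device as the id_token.
            if claims["sub"] != binding["sub"] or claims["device"] != binding["device"]:
                return {"error": "invalid_grant"}
            return self._issue(claims["sub"], client_id)

        return {"error": "invalid_request"}


def build_demo_as():
    """Constructed state: one legacy user plus a device_sso sign-in in 'mail-app'."""
    as_ = ConsolidatedAS()
    as_.legacy_refresh["legacy-rt-1"] = "alice"
    as_.id_tokens["idt-alice-dev1"] = {"sub": "alice", "aud": "mail-app", "device": "dev1"}
    as_.device_secrets["ds-dev1"] = {"sub": "alice", "device": "dev1"}
    as_.device_secrets["ds-dev2"] = {"sub": "bob", "device": "dev2"}
    as_.vendor_clients.update({"mail-app", "sports-app"})
    return as_


if __name__ == "__main__":
    as_ = build_demo_as()
    print(as_.token_exchange(migration_request("legacy-rt-1", "mail-app")))
    print(as_.token_exchange(device_sso_request("idt-alice-dev1", "ds-dev1", "sports-app")))
```

The two checks worth noting from a defender’s view are the one-time use of the legacy refresh token, which limits the damage of a token captured during migration, and the requirement that the device_secret and the id_token agree on both user and device, which is what stops a device_secret stored by one app from being paired with an id_token belonging to a different sign-in.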
As a result of our identity consolidation work over the past year, we derived a set of principles identity architects should find useful for addressing use cases that don’t have a known specification or best practice. Moreover, these are applicable in many contexts outside of identity standards:
- Spend time researching the existing set of standards and draft standards. As the diagram shows, there are a lot of standards out there already, so understanding them is critical.
- Don’t invent something new if you can just profile or combine already existing specifications.
- Make sure you understand the spirit and intent of the existing specifications.
- For those cases where an extension is required, make sure to extend the specification based on its spirit and intent.
- Ask the community for clarity regarding any existing specification or draft.
- Contribute back to the community via blog posts, best practice documents, or a new specification.
As we learned during the consolidation of our Yahoo and AOL identity platforms, and as demonstrated in our examples, there is no need to resort to proprietary solutions for use cases that at first look do not appear to have a standards-based solution. Instead, it’s much better to follow these principles, avoid the NIH (not-invented-here) syndrome, and invest the time to build solutions on standards.
If you ask yourself “Would Gomez Addams treat me this way?” And the answer is no, move tf on from that situation.
My original Daddy crush.
Do you measure up big boy?
“This king,” said Mort, as a forest zipped beneath them, “is he good or bad?”
I NEVER CONCERN MYSELF WITH SUCH THINGS, said Death. HE’S NO WORSE THAN ANY OTHER KING, I IMAGINE.
“Does he have people put to death?” said Mort, and remembering who he was talking to added, “Saving y'honor’s presence, of course.”
SOMETIMES. THERE ARE SOME THINGS YOU HAVE TO DO, WHEN YOU’RE A KING.
Terry Pratchett, Mort
Like many people with no actual morals, Lord Downey did have standards, and Teatime repelled him.
Terry Pratchett, Hogfather
Jeitun and the transition to agriculture in Central Asia
http://bit.ly/12o9Lsp
Patterns in Stone: Mobility and the Distribution of Locally Important Lithic Material
http://bit.ly/1abUEKo
From anarchy to good practice: the evolution of standards in archaeological computing
http://bit.ly/1FYqTbf
Reference Notes to Plan and Views of Ancient Remains on the Summit of the Laws, Forfarshire.
http://bit.ly/YTOw0V
Learn more about Open Access and Archaeology at: http://bit.ly/YHuyFK
I like how both of us are misfits who don’t need to conform to other people’s standard of love.
Mae, misfits
A friend of mine from work recently passed that invisible line after a divorce that says, “You are now back in circulation.” She resisted the idea, but the problem is she’s very attractive. Men keep asking her out. She’s the veritable forty-something head cheerleader in a world of football players and gawking admirers. She says she’s not ready to do something that really ought to be confined to teenagers. “It’s too time consuming to sort out the unsuitable candidates,” she whined. She’s got a point. At our age we’re busy with careers and children. We can’t waste time with potential relationships that are doomed to go nowhere. Although I’m not in circulation and hope I never will be, I’m a big believer in helping out the needy, so I offered to develop a dating questionnaire that would weed out the ones who had no hope of ever being the guy who flips the burgers at her next backyard cook-out.
Because my friend and I are both English teachers, I thought that requiring an essay would be appropriate. “Why I Want to Date You” would have to earn at least a C on a standard college level grading rubric in order for the candidate to move to the next phase. I wanted to declare that more than three comma errors would automatically knock the candidate out of the running, but my friend thought we should go easy on the punctuation. Go figure.
After the usual questions about where do you work and where do you live, the first question is one that is so obvious it should go without asking, but it’s shocking how many men seem to forget the answer to this one: Are you married? Then I moved to what I thought were more ordinary questions like: What are your hobbies? Do you have any pets? What types of chemicals do you keep in your garage? I figure most guys who are not wanted by any law enforcement organizations could easily get through these questions.
Oh, and that was the next question: Are you wanted by any law enforcement organizations? Followed by: Have you committed any felonies (that includes the ones you didn’t get caught doing)? If so, were you wearing any women’s garments at the time? If so, were those garments visible?
Have you ever made an illegal left turn? Eaten grapes straight out of the bin in the produce aisle? If so, did you give the cashier an extra quarter to cover the cost when you checked out? Does anyone in your family operate a meth lab? Are you straight? Have you lived with your mother at any point since the age of thirty?
How high is the grass in your yard? (That’s supposed to be actual lawn grass, not the other kind. If they indicate the latter, then they’re referred back to the question about crimes.)
Do you have anything in your sock drawer besides socks? Could you allow your preacher to look in your sock drawer without embarrassment? Do you have a preacher? Did he get his license from the back of a confessional magazine?
Do small children from the end of your street call you daddy and you can’t remember why? Do you know how to turn on a washing machine? When was the last time you did? How many pieces of petrified fruit are underneath your sofa? Do any of your videos or DVDs have the words sassy, kinky, or Asian mamas in the title? Or Asian sassy boys? (If they say yes to this one, they’re instructed to go back to the earlier question about being straight.)
There are a few more questions, but you get the point. I showed this to my friend and she read it with alternating nods and confused looks. “So, how many yeses are supposed to eliminate a man from the process?”
“It’s really up to you,” I said. “I would have knocked him out at the comma thing, but I suppose there are some women who’ll let any old riff-raff sneak by.”
She gave me a dirty look as if I’d insulted her standards, which of course I had. “Oh, there’s one final assignment,” I said. “He has to write the names of all of his past sexual partners on this.” I handed her a white plastic bottle cap about the size of my eyeball. “If he can’t get them to fit then I’d call that a red flag.” She spun it on her index finger. “Clever,” she said. I think she was genuinely impressed at last.
I pointed at the cap. “And don’t let any of them cheat by trying to put initials,” I said. Boy, the things I do to look out for my friends.
When I lived in America I was a regular on Spindale public radio in North Carolina. These essays are from my collection that aired on WNCW.
Cathy Adams was recently nominated for a Pushcart Prize. Her first novel, This Is What It Smells Like, was published by New Libri Press, Washington. Her short stories have been published in Utne, A River and Sound Review, Upstreet, Portland Review, Steel Toe Review, and Cha: An Asian Literary Journal, among others. She earned her MFA in Creative Writing from Pacific Lutheran University’s Rainier Writing Workshop and now lives and writes in Xinzheng, China, with her husband, photographer, JJ Jackson.
Being Unique
This happened a while ago, but it shows how people view me in life sometimes. I went to Taco Bell to pick up something to eat and the minute I walked in this group of guys in the back started pointing at me, laughing, snickering and calling me a freak of nature for the way I looked. But the woman who served me my food pulled me off to the side and told me that I was beautiful and unique and not to let assholes dictate to me and label me as something I’m not. Sometimes people are shit, but sometimes there are those willing to stand up and support you even when people push you down. That woman at Taco Bell made my whole day, and I appreciate her for standing up for me. When you look as unique as me there will always be people to put you down, but the joke’s on them, because the way I look makes me happy; it makes me feel beautiful and handsome and attractive. And isn’t that what life’s about, trying to find your own personal happiness? Sometimes I find it difficult to even leave the house, because those asshole people exist everywhere. I can’t even remember going out in public once in the last few years without someone putting me down and laughing at me. But I know there are also good people to stand up for me. So fuck society’s version of what attractive should be; I’m attractive in my own way, and I’m not going to let a few narrow-minded people treat me like shit for it.
I’ll make my daughter watch kdramas so that she could know the true meaning of relationships and love and have high standards
Being impressed by scraps of text that he wrote and hated months ago, the grad student questions whether desperation is lowering his standards.
Sometimes even the villains have standards