GSoC-08:Secure OAuth Services

This is a Google Summer of Code project proposal by Sumit Kataria.

Abstract

In today's web, people do not like to share or exchange all their stuff on one service. Today, we prefer to use Flickr for photos, YouTube for videos, Amazon for shopping, etc. In order to make integration of different web services (in order to satisfy all customer/user needs), APIs using Services API in a secure fashion are used. To provide a secure way of this type of communication, OAuth is a very good option. The current system of API keys used by Services API is a combination of user name and password, but this key is too unsafe to share around on web. Also this key cannot be unshared once it is shared or handed over to other web service. The token provided by OAuth system will will provide a much safer and risk free browsing experience to users.

Integration of OAuth 1.0 core to Drupal's Service API will provide users/administrators a pluggable authentication system such that they can choose between the current system of API keys, or OAuth token system to access desired web services. The method OAuth uses is to provide “tokens” to users instead of keys. Now for each kind of web service, OAuth issues a different kind of token to user. Also, these tokens are time bound an amount of access time to another service and then it expires automatically (could be a two hour access time).

Does this mean that OAuth is like OpenID?
The OAuth approach might be considered better than the OpenID approach as users don't have to do anything to undertstand it. They just browse normally with their existing methods but in a secure manner.

OAuth integration with Service API will rescue users, and developers, who put themselves at risk by sharing their private information.

Synopsis

By means of this project, I would like to contribute a module to the Drupal community which will make the existing Service API a pluggable authentication module such that users will be able to choose between existing API keys method or OAuth method to access other web services. Drupal's existing Services API implementation is pretty weak so integrating it with open protocol OAuth will enhance security features.

Plan

1. The main aim of project will be to put a layer of security on top of calls made Services API. Now this call from Service API will issue a token via OAuth 1.0 which will open up a separate session with remote services and then will make calls from there.
2. OAuth core 1.0 does not presently provide any support for formats like – XML-RPX, JSON, AMF, REST, SOAP, end point detection, etc. which are used by Services API. So my aim will be here to build extensions over this to provide support for these features.
3. Admin/users would be able to choose between existing API key methods or OAuth 1.0 token to access external web services.
4. Developers will be able to add services over Services API using pluggable “service” module like the way they do before, but now the way of interaction of services with Services API will be using OAuth to make it more secure over current api key method.
5. Second part of Services API the pluggable “server” module which allows support for other protocols like JSON, XML-RCP, SOAP, REST etc. will now send calls to security layer over Services API by OAuth instead of sending it directly to other web services.
6. Now here extensions made by the student (for JSON, XML-RCP, SOAP, REST, end detection, etc.) will receive these calls and will issue a specific api key (token) according to service being called by Service API.
7. The final api key or token issued will be using OAuth 1.0 core and will interact with requested web service without disclosing any potentially important information of user like passwords etc.
8. This method will be good to compatible with existing methods. Also we will try to reuse the web standards the best possible way.

Future Plans

1. Providing language support and automatically identifying this for user.
2. OpenID integration with this.
3. Make use of full range of available signing in algorithms.

Project Benefits To Drupal

1. Project completion will provide Drupal a module which will could be plugged in existing Services API such that it will make use of OAuth 1.0 core to issue tokens to access other web services over web.
2. Extensions will be build over OAuth 1.0 such that it will support features like support for XML-RCP, JSON, AMF, REST, SOAP, discovery of end point etc(calls from Services API).
3. Site users will be able to share their private resources like photos, videos, contact lists, bank account information, etc, stored on one site with another site without giving their user names and passwords to other site. So it will make our browsing secure and risk free over web.

Derivables

1. Investigation and learning : 1 weeks
2. Programming Time : 7 weeks
3. Bug Fixing and feature adding time : 3 weeks
4. Documentation : 4 Days

Project Motivation

Drupal is a widely used and highly adopted CMS with millions of users all around the globe. With completion of my project I would be able to reach those people and will be able to make their browsing experience on web secure and risk less.

Biography

Rest in my application at google ....