Analysis of Google Account Authentication Service - part 1 (web-based application)

I read the document briefly and organized these notes with the problems first. That does not mean it has nothing good; I examined the Google authentication technology from a critical point of view.
Overall, the biggest problems are the following.
1. The user cannot control the authentication request message or the other messages.
2. There is a session token (a token that can be used freely) and a single-use token (a token that can be used once). Neither has an expiration time (at present).

The technology has four operations.
1. AuthSubRequest - issues a token. The user has to go through the authentication process. A session token or a single-use token can be selected. Secure mode is also optional.
2. AuthSubSessionToken - the issued single-use token can be exchanged for a session token when longer use is needed.
3. AuthSubRevokeToken - makes a token unusable.
4. AuthSubTokenInfo - checks whether a token is valid. For a single-use token a valid result is returned, but the token is consumed and is unusable afterwards.

Each operation is looked at in detail below. The description follows http://code.google.com/apis/accounts/AuthForWebApps.html and concentrates on the parts that are problematic.

0. Registration.
- If a site registers with Google, Google can present the site to the user as trustworthy.
- But the basic operation is possible even if the site does not register with Google; a warning message is shown. Some Google services appear to restrict full use of the service to operation in secure mode. This needs a real test.
- For the test I will soon make and register a self-signed certificate.
- An XML file has to be made when registering. What happens if the next parameter of AuthSubRequest differs from the TargetURLpath specified at registration is not mentioned in this document.

1. Token.
- With a session token, Google services can be used with the user's authentication information without a separate Google login. Moreover, the session token does not disappear when the session ends; a session seems to persist until the session token is deleted with AuthSubRevokeToken. This is convenient, but it is a security problem: the responsibility for keeping the session token safe is handed to the user or the site. If this information is intercepted or modified by a man in the middle, a problem is likely. This needs a test.
- If secure mode is chosen it is somewhat safer, since the token-related operations are signed. A timestamp field was added to prevent replay attacks.
- According to the document, the token is a random 256-byte string, generated using the parameters of the request message as the key. How Google's authentication server maps the token to the request parameters (the return page, the Google service URL, whether secure mode is used, and the token kind) is not described.
- The Google Authentication service does not manage the number of tokens. In practice it is set up so that more than 10 tokens can be issued to one user for one service. The keeping and loss of these tokens become a problem between Google and the site, with the user caught in between. What happens if the site misuses a token, or if it is stolen and used by an attacker or a man in the middle? To address this, an expiration time has to be applied to the session token. Moreover, the user should be able to directly manage the tokens issued in their name; the related function has to be added to the Google Authentication service.
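As an added illustration of the token lifecycle described in the operation list and in this section, here is a small in-memory model of an AuthSub-style token service that adds the two things the section argues for: an expiration time on every token and a cap on live session tokens per user and service. It is example code written for this page, not Google's implementation. The class and method names, the lifetimes, the limit of ten tokens and the `Session` field in the token-info result are assumptions made for the example; only the consumption of a single-use token by the info check, the exchange, the revocation and the `Target` field follow the page.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed model of an AuthSub-style token service (example only, not
# Google's code). Lifetimes and the per-scope limit are assumptions.
SINGLE_USE_TTL = 5 * 60            # single-use tokens stay exchangeable for 5 minutes
SESSION_TTL = 24 * 60 * 60         # session tokens expire after a day instead of never
MAX_SESSION_TOKENS_PER_SCOPE = 10  # assumed cap on live session tokens per user and service


@dataclass
class Token:
    user: str
    scope: str          # Google service URL the token is authorised for
    single_use: bool
    upgradable: bool    # AuthSubRequest "session" option: may be exchanged later
    issued_at: float
    expires_at: float
    revoked: bool = False


class TokenService:
    """In-memory token store; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens: dict[str, Token] = {}

    def _is_live(self, tok):
        return not tok.revoked and tok.expires_at > self.clock()

    def _live(self, token_id):
        tok = self.tokens.get(token_id)
        return tok if tok is not None and self._is_live(tok) else None

    def _issue(self, user, scope, single_use, upgradable, ttl):
        token_id = secrets.token_hex(32)   # 256 random bits, not derived from request data
        now = self.clock()
        self.tokens[token_id] = Token(user, scope, single_use, upgradable, now, now + ttl)
        return token_id

    def auth_sub_request(self, user, scope, session=False):
        """Issue a single-use token after the user has authenticated with Google."""
        return self._issue(user, scope, True, session, SINGLE_USE_TTL)

    def auth_sub_session_token(self, token_id, scope):
        """Exchange a single-use token for a session token, consuming the original."""
        tok = self._live(token_id)
        if tok is None or not tok.single_use or not tok.upgradable:
            raise PermissionError("token is not exchangeable")
        if tok.scope != scope:
            raise PermissionError("scope does not match the token")  # mismatch case the page asks about
        tok.revoked = True
        # Cap live session tokens per user and scope; revoke the oldest when exceeded.
        live = sorted(
            (t for t in self.tokens.values()
             if t.user == tok.user and t.scope == scope
             and not t.single_use and self._is_live(t)),
            key=lambda t: t.issued_at)
        while len(live) >= MAX_SESSION_TOKENS_PER_SCOPE:
            live.pop(0).revoked = True
        return self._issue(tok.user, scope, False, False, SESSION_TTL)

    def auth_sub_revoke_token(self, token_id):
        """Revoke any token; returns whether it was live before the call."""
        tok = self._live(token_id)
        if tok is None:
            return False
        tok.revoked = True
        return True

    def auth_sub_token_info(self, token_id):
        """Report a token's target scope and kind; a single-use token is consumed by the check."""
        tok = self._live(token_id)
        if tok is None:
            return None
        info = {"Target": tok.scope, "Session": not tok.single_use}
        if tok.single_use:
            tok.revoked = True
        return info

    def live_session_tokens(self, user, scope):
        """Number of usable session tokens a user holds for one scope (for the user's own overview)."""
        return sum(1 for t in self.tokens.values()
                   if t.user == user and t.scope == scope
                   and not t.single_use and self._is_live(t))
```

Because the clock is injected, the expiry paths can be exercised by advancing a fake clock; `live_session_tokens` is the kind of per-user view the section says the service should expose so that a user can see and revoke the tokens issued in their name.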

2. AuthSubRequest
- When the request message is sent in secure mode, no difference at all is seen in the response message. Of course, on the screen the user sees, the warning message will not appear; evidence that the site is trusted will be shown instead. However, it would be better if the response message carried a signature or a cryptographic operation over the token.

3. AuthSubSessionToken
- The token is exchanged for a session token, but an address is written in the data parameter. It is regarded as corresponding to the scope of AuthSubRequest. If it differs from the information the exchanged token carries, the request is presumably blocked, but the original purpose of demanding exactly the same information is suspicious. A test is required.

4. AuthSubSessionToken
- The sig parameter is the signed information for the secure token. The data part can be fabricated at will, so the question remains why the data part is needed.
- The session token and the expiration time are transmitted in the response message. However, at present the expiration time has no meaning. It is not that it is unused; it depends on the validity time of the session. Because the token is not tied to the user's connection, it can be freely abused.
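To show what the data part is for despite the objection above, here is an added example of the check a receiving server should apply to a signed secure-mode request: the data string has to describe the request actually received, its timestamp has to be recent, and its nonce must not have been accepted before. This is illustration code written for this page, not Google's implementation. AuthSub signs with the site's registered certificate key, whereas this example uses an HMAC over a shared secret so it runs with the standard library alone; the `METHOD URL timestamp nonce` layout of the data string, the function names and the skew window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration of verifying a signed secure-mode request with replay
# protection. HMAC stands in for the certificate signature AuthSub uses, and
# the data-string layout "METHOD URL timestamp nonce" is assumed for this example.
ALLOWED_SKEW = 300   # seconds; assumed tolerance between client and server clocks


def build_data(method, url, timestamp, nonce):
    """The signed string: it binds the signature to one specific request."""
    return f"{method} {url} {timestamp} {nonce}"


def sign(secret, data):
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()


def make_request(secret, method, url, clock=time.time):
    """Client side: produce the data and sig values sent with the request."""
    data = build_data(method, url, int(clock()), secrets.token_hex(8))
    return data, sign(secret, data)


class RequestVerifier:
    """Server side. `seen` holds the nonces accepted inside the skew window, so a
    captured (data, sig) pair cannot be submitted a second time."""

    def __init__(self, secret, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.seen = {}   # nonce -> timestamp it was accepted with

    def verify(self, method, url, data, sig):
        """Return (accepted, reason) for the request actually received."""
        parts = data.split(" ")
        # The data must describe this request; otherwise a signature made for one
        # request could be attached to a different one.
        if len(parts) != 4 or parts[0] != method or parts[1] != url:
            return False, "data does not describe this request"
        try:
            timestamp = int(parts[2])
        except ValueError:
            return False, "bad timestamp"
        nonce = parts[3]
        now = self.clock()
        if abs(now - timestamp) > ALLOWED_SKEW:
            return False, "timestamp outside window"
        if not hmac.compare_digest(sign(self.secret, data), sig):
            return False, "bad signature"
        # Nonces older than the window can be dropped: a replay carrying them
        # already fails the timestamp check, so the set cannot grow forever.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= ALLOWED_SKEW}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = timestamp
        return True, "ok"
```

The order of the checks matters: the cheap structural and timestamp checks run first, the signature is verified before the nonce is recorded, and only a request that passes everything is allowed to occupy a slot in the nonce table.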

5. AuthSubRevokeToken
- The session token is not deleted by itself, so it has to be terminated explicitly. This looks quite inefficient: Google's authentication server has to keep the token information for its whole lifetime, and the room for abuse of the session token remains.
- The failure case is covered and an HTTP 200 message is returned, but the case where the delete request succeeds is not mentioned.

6. AuthSubTokenInfo
- A new parameter, Target, appears in the response message. It seems to be the same as the next parameter of AuthSubRequest.


7. SSO (Single Sign-On)
The part I expected most was SSO. Halfway through reading, the thought arose that 'this is not intended to provide single sign-on'. However, I drew a scenario that extends the logic in my own way and provides an SSO service.

<source: http://code.google.com/apis/accounts/AuthForWebApps.html>


Web application A obtains the user's token by going through the steps in the figure. The user is authenticated with their Google account, and the authentication information remains in a session cookie.

Now consider the case of the user moving to another web application B. Because B does not know the user, B wants the user authenticated through Google. The user is redirected to the Google account once again. At this point Google looks at the user's session cookie and confirms that the user is already authenticated. If so, this is the typical single sign-on. The user then chooses whether or not to grant access to the information.

But look at the single sign-on that Google refers to.


If your web application supports users with multiple Google services accessed through Google Accounts, you may be looking to get a single authentication token good for all of the user's Google services. This is called 'single sign-on'. Currently, Google AuthSub does not support a single-sign-on feature for third-party web applications.
In other words, this technique has no way to issue one authentication token and use it across all Google services; that is exactly what it calls SSO. I guess it is because Google does not tolerate the part in which I ***.

It took a lot of time, and I read it critically. Because I have not actually verified the operation through a test, there may be parts I misunderstand. I will perform a test shortly and update the content.


by S_H_Kim | 2006/07/05 23:26 | ID management | Trackback | Comments (1)

Commented by S_H_Kim at 2006/07/05 23:30
I didn't have time, so I ran it through a machine translator. I'll fix the parts that make no sense ^^
