[OpenID] jaas and openid, web services world

Peter Williams pwilliams at rapattoni.com
Wed Jul 22 16:33:19 UTC 2009


I'm about to get back to Andrew's OpenID/OAuth hybrid demo for .NET, but just before I leave the world of Java, I've started to wonder about RP(x)/RP-like interactions (much as we were discussing OP(x)/OP-type interactions in the Google "secure signed and delivered" discovery world).

Has anyone made the openid4j RP module a JAAS authentication module?

I can see two styles of integration:

1. A Java web services framework has the RP's handler chain for a given endpoint pass local control to JAAS, which talks to the authentication module REMOTELY. That is, the underlying CallbackHandler and Callback interfaces are re-implemented not as the traditional local call but as an RPC call (which can pass full object references for callback classes instantiated in the remote auth module). The cloud hoster of "RP(x)" is obviously hosting the auth module. The RP really knows NOTHING about OpenID.

2. Alternatively, several local JAAS auth modules are implemented locally within the RP process farm using the openid4j library, where different auth modules => different bundles of OpenID extensions (both endorsed and vendor-specific). The sequence of auth modules would execute the likes of Google discovery, and/or YADIS, and/or a particular MySpace association handler, or a particular SSL ciphersuite, or a particular PKI trust point, or run a custom transaction over an identity-less transaction for an existing and current association, etc. The particular profile of OpenID core and extension services to be used would be configured by the RP, "per application", using JAAS per-application specifications, and would aim to retain a measure of non-tying to the cloud-service provider. Similarly, particular callback classes would be used between RP(x) and RP to learn per-RP discovery information: its realm, endpoints, (signed) XRD file, etc.

I just went through the exercise of having a Java web service delegate to several JAAS auth modules, which took apart a username token, with nonces, timestamps, control signals, and credential values, and delegated to the auth modules responsibility for enforcement, maintaining nonce caches, interacting with network servers (for the Kerberos "password"), etc. Don't see why we could not "offload" responsibility for performing the RP-side of the OpenID auth protocol and extension protocols to a sequence of JAAS auth modules, similarly.
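The shape of the exercise described in the last paragraph, as an added example that is not code from the original post, from openid4j, or from any of the projects named above: one JAAS LoginModule that owns a single slice of username-token enforcement (timestamp freshness and single use of the nonce), wired in through the per-application JAAS configuration the second option above relies on. Everything here is constructed for illustration: the class name NonceReplayLoginModule, the custom TokenCallback that the RP's handler chain would fill from the parsed token, the "skewSeconds" option name, and the sample nonce. Other modules in the same stack would handle the credential itself; this one only decides whether the token is fresh and unreplayed, which is exactly the kind of responsibility the post proposes offloading to a module.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS module: enforces timestamp freshness and nonce single-use for a username token. */
public class NonceReplayLoginModule implements LoginModule {

    /** Constructed custom callback: the RP's handler chain fills in what it parsed from the token. */
    public static final class TokenCallback implements Callback {
        public String nonce;
        public Instant created;
    }

    // Nonce cache shared by every instance in this JVM; value = when the entry may be forgotten.
    private static final ConcurrentHashMap<String, Instant> SEEN = new ConcurrentHashMap<>();

    private CallbackHandler handler;
    private Duration skew;   // accepted clock skew, configured per application via JAAS options
    private boolean ok;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        String s = (String) options.get("skewSeconds");   // hypothetical option name
        this.skew = Duration.ofSeconds(s == null ? 300 : Long.parseLong(s));
    }

    @Override
    public boolean login() throws LoginException {
        TokenCallback tc = new TokenCallback();
        try {
            handler.handle(new Callback[] { tc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain token fields: " + e);
        }
        if (tc.nonce == null || tc.created == null)
            throw new FailedLoginException("token lacks nonce or timestamp");
        Instant now = Instant.now();
        // 1. Freshness: reject anything outside [now - skew, now + skew].
        if (tc.created.isBefore(now.minus(skew)) || tc.created.isAfter(now.plus(skew)))
            throw new FailedLoginException("timestamp outside accepted window");
        // 2. Drop cache entries that can no longer pass the freshness check anyway.
        SEEN.entrySet().removeIf(e -> e.getValue().isBefore(now));
        // 3. Single use: putIfAbsent is atomic, so two concurrent replays cannot both pass.
        //    Keep the nonce for 2*skew, which outlives any moment the token could still look fresh.
        Instant forgetAt = now.plus(skew).plus(skew);
        if (SEEN.putIfAbsent(tc.nonce, forgetAt) != null)
            throw new FailedLoginException("nonce already used");
        ok = true;
        return true;
    }

    @Override public boolean commit() { return ok; }
    @Override public boolean abort()  { ok = false; return true; }
    @Override public boolean logout() { ok = false; return true; }

    /** Demo: the same token is presented twice; the second presentation must be rejected. */
    public static void main(String[] args) throws Exception {
        // Programmatic stand-in for a per-application jaas.conf entry.
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(NonceReplayLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Map.of("skewSeconds", "300"))
                };
            }
        };
        // Constructed token fields, standing in for what the handler chain parsed from the request.
        String nonce = "constructed-nonce-0001";
        Instant created = Instant.now();
        CallbackHandler ch = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof TokenCallback) {
                    ((TokenCallback) c).nonce = nonce;
                    ((TokenCallback) c).created = created;
                } else {
                    throw new UnsupportedCallbackException(c);
                }
            }
        };
        new LoginContext("demo-app", new Subject(), ch, cfg).login();
        System.out.println("first presentation accepted");
        try {
            new LoginContext("demo-app", new Subject(), ch, cfg).login();
            System.out.println("BUG: replay accepted");
        } catch (LoginException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it as a single file with `java NonceReplayLoginModule.java` on Java 11 or later. Two design points carry over to a real stack: the nonce cache must be shared across the whole RP process farm (a per-JVM map only protects one node, so a replay aimed at a different node would succeed), and the cache retention has to be tied to the freshness window, otherwise either the cache grows without bound or a nonce is forgotten while its token could still be accepted.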



More information about the general mailing list