[Dev] Extend Tizen account module to support SSO

Jae-Hwa Shin jaehwa.shin at samsung.com
Tue Dec 10 15:42:52 GMT 2013

Hello all,

In this mail, I want to give you a brief introduction of Tizen Account.
And discuss about extending it to support SSO(except plugin API). 
The design described in the latter half are an initial draft and can be changed during reviewing and pilot implementation.
(And the new APIs are used just to help understaning the work-flow more easily.)

1. Introduction of Tizen Account

1.1 Terminology

* Account
  a. A collection of the information representing the user of a specific service provider
  b. Properties
     1. Username
     2. Extended data
  c. Tizen::Social::Account

* Account Provider
  a. A collection of the information representing the specific service provider or protocol that provides the user accounts
  b. Properties
     1. Display name
     2. Icon path
     3. Multiplicity (whether there can be multiple account or not. Some account provider allows single account on the device)
     4. Capabilities (contact or calendar etc.)
  c. Tizen::Social::AccountProvider

* Account Manager
  a. Provides methods for managing accounts
     1. Add an account
     2. Update an account
     3. Delete an account
  b. Tizen::Social::AccountManager

*. Account Accessor
  a. Provides methods for accessing accounts and account providers
     1. Retrieve accounts
     2. Retrieve account providers
     3. Monitoring account db changes
  b. Tizen::Social::AccountAccessor

1.2 Account Provider
Account provider is a type of an account(google account, facebook account etc.) and each account has association with a specific account provider.
An application cannot specify the account provider when it creates a new account. Instead account manager
sets proper one according to the application instead which means that an application has association with an account provider
and can only create accounts of the account provider. If an application is not associated with an account provider, it cannot
create an account. Therefore if an application want to manage its own accounts, the application should have its own account provider on the device.

* Registering account provider
 There is no API for registering an account provider. An account provider needs to be defined in package manifest.xml file and is registered during installation
 by package installer. Here is an example.
	<AccountProvider MultipleAccountsSupport="False" >
			<Icon Section="Account">my_service_icon.png</Icon>
			<Icon Section="AccountSmall">my_service_icon_small.png</Icon>
			<DisplayName Locale="eng-GB">MyService</DisplayName>

 The applications in the same package package with the application declared its account provider in its manifest file have association with the account provider.
 And only the applications are allowed to manage(create/update/remove) accounts of the account provider.

1.3 Account Manager
Account manager provides essential methods for managing accounts - add/update/remove (retrieving accounts is provided by account accessor).
Account manager assigns the proper account provider to a new account and prevents the account of an account provider from being updated or removed by applications that are not
associated with the account provider.

* AccountManager class has the following methods
  a. result AddAccount(Account& account)
  b. result RemoveAccount(AccountId accountId)
  c. result UpdateAccount(const Account& account)

1.4 Account Provider UI
Setting application allows a user to add or update(change preference of) accounts in the device.
However, as mentioned above, setting application cannot add or update the accounts directly because only the applications contained in the same package with the application
declared its account provider can manage accounts of the account provider. When adding or updating an account of an account provider is requested by a user, setting application delegates it to the proper application which is associated with the account provider. The application will show 'adding account form' or 'account configuration form'  - account provider ui - according to the user's request.
If an application declares its own account provider, it must provide its account provider ui (two user interfaces for adding and updating account). There is no common UI component or guide line for account provider ui.

1.5 Adding accounts
There are two common scenarios about adding account

* From setting application
    Setting -> select an account provider(e.g google) -> setting application launches the application provides the account provider ui -> the application shows UI for adding an account
* From application
    User launches an application(e.g google mail client) -> the application shows UI for adding an account(if the application finds that there is no account)

2. Single Sign-On with Account
Several service provides support single sign-on(SSO) with their accounts. To do SSO it is necessary to share credentials associated with an account among applications.
Tizen account API will be extended to support SSO and use gSSO as the underlying SSO framework.

2.1 Terminology
* Access token
  a. A temporal key to access a service.
  b. Depends on each service's authentication SSO mechanism.
  c. A set of key(String)-value(key specific)

* Trusted applications (of an account)
  a. A group of applications that are granted to access the credentials of specific account.

* gSSO
  a. GLib-based SSO framework(https://01.org/gsso)

2.2 Features
* Creating an account with SSO information
* Getting an access token for an account

2.3 Extending Account Provider
An account provider represent general characteristic of the accounts of a service provide like service provider's name and icon.
We will add some properties related with SSO to account manager.
 * Properties for SSO
   a. whether the service supports SSO or not(SsoSupport).
   b. what authentication mechanism does the service provider use(SsoAuthMethod).

E.g) If a service provider supports SSO its manifest.xml could be

	<AccountProvider MultipleAccountsSupport="False" SsoSupport="true">
			<Icon Section="Account">my_service_icon.png</Icon>
			<Icon Section="AccountSmall">my_service_icon_small.png</Icon>
			<DisplayName Locale="eng-GB">MyService</DisplayName>

tells that 'my service' supports SSO and uses oauth1 as its authentication mechanism.

2.4 Extending Account Manager
To do SSO with an account of a service using gSSO, there should be a gSSO identity for the account. But native application developer cannot create an identity for an account
directly since we do not provide the native gSSO client library wrapper. Instead account manager creates an identity on behalf of applications during creating new account if the account provider of the account
support SSO. There are several information needed to create an identity. some of it is taken from account provider's properties(such as auth method) but some of it(such as trusted application list) is given by application and 

The following AccountManger API to create an account with SSO information is added:
   a. result AddAccountWithSsoInfo(Account& account, const HashMap* pSsoInfo)
      1. predefined key

   When AddAccountWithSsoInfo() is called, account manager creates gSSO identity with the information given by caller and account provider.
   If the identity is created successfully, account manager sets the identity ID to the account. Finally, account manager stores the account to account db.
   The identity ID set to account is opaque to application developers. There is not public API to retrieve identity ID from an account. Only account manager can
   access it (using internal method).
Once an account which supports SSO is created, it is possible to do SSO with the account.
The trusted applications can get an access token for the account and use it to access the account's service provider.

The following AccountManger APIs to get access token for an account is added:
   a. RequestAuthData(const Account& account, RequestId& reqId, HashMap* pSessionData = null)
     1. pSessionData is authentication mechanism specific.
     2. reqId: A unique request ID is assigned by account manager for each request.
               The result - access token - is delivered to the callback with the request ID.
     3. Asynchronous
   b. result CancelAuthDataRequest(RequestId& reqId)
     1. cancels a request

   c. SetSsoAuthEventListener(ISsoListener* pListener)
     1.  Sets the callback
ISsoListener interface has the following methods to override
   a. virtual void OnAuthDataReceived(RequestId& reqId, HashMap* pAuthData) = 0

When RequestAuthData() is called, account manager acquires identity ID of given account. And then gets identity from identity db and session.
And performs authentication process with the data(pSsoInfo) given by application. When account manager get the reply from gsso daemon, account manager builds
access token using the reply and passes it to the listener.

2.5 Summary
* Tizen account modules will use gSSO as below.

  a. Creation of gSSO identity
    1. No public native API to create an identity
    2. Identity is ceated by account manager when creating an account
    3. The authentication method is determined by the account provider of the account
     3.1 Only one authentiation method is available per an account provider (account provider's property)

    b. Performing gSSO authentication
      1. No public native API to use gSSO authentication(session).
      2. Account manager does all necessary tasks for gSSO authentication
        3.1 Get identity from db. create session. performing authentication. handling the reply
        3.2 Only one authentication mechanism is available (account provider's property)

* If an account provider supports SSO, the following information needs to be specified in manifest.xml file
    - whether it supports SSO or not
    - authentication method

* The alication that provides account provider UI needs to create an account as SSO enabled if it want the account to be used for SSO.

Thanks in advance for your feedback.


Jaehwa Shin(jaehwa.shin AT samsung.com)
Senior Engineer
Mobile R&D Office
Samsung Electronics Co., Ltd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Tizen APIs for SSO.pdf
Type: application/octet-stream
Size: 203686 bytes
Desc: not available
URL: <http://lists.tizen.org/pipermail/dev/attachments/20131210/95012527/attachment-0001.obj>

More information about the Dev mailing list