[Dev] Extend Tizen account module to support SSO
jussi.laako at linux.intel.com
Tue Dec 10 17:03:35 GMT 2013
Overall, the proposal looks good.
I would like to ask clarification to one item that wasn't clear to me
from this documentation.
How is the implementation split into components and what type of
components those are? This is important from the access control point of
view (AccessControlManager in gSSO), because in order for it to do it's
work the request needs to come directly from the requesting process and
should not be forwarded between processes. So the authentication request
should come directly from the application process to the gsignond, thus
the RequestAuthData() should be implemented for example in a library
loaded to the application.
For WRT applications and such where the process may not be 1:1 with the
application there's additional field called "appctx" in the gSSO
SecurityContext to define a sub-context within "sysctx" (SMACK label in
Tizen). Bindings should fill in this item.
I understand that this just an example, but in slides 1 and 2 the gSSO
ACL is "*" which is not recommended for storing anything else than
public keys (X.509 or similar). It should be set to SMACK label on which
the application has "rx" permissons. (r = Identity access, x =
AuthSession access, w = IdentityInfo access)
Please also note that for OAuth, the gSSO IdentityInfo item called
"Realms" needs to be set to match domain name of the particular
Identity. For example "google.com" for Google accounts.
More information about the Dev