[Dev] Extend Tizen account module to support SSO

Jussi Laako jussi.laako at linux.intel.com
Tue Dec 10 17:03:35 GMT 2013


Hello,

Overall, the proposal looks good.

I would like to ask for clarification on one item that wasn't clear to me 
from this documentation.

How is the implementation split into components and what type of 
components those are? This is important from the access control point of 
view (AccessControlManager in gSSO), because in order for it to do its 
work the request needs to come directly from the requesting process and 
should not be forwarded between processes. So the authentication request 
should come directly from the application process to the gsignond, thus 
the RequestAuthData() should be implemented for example in a library 
loaded to the application.

For WRT applications and such where the process may not be 1:1 with the 
application there's an additional field called "appctx" in the gSSO 
SecurityContext to define a sub-context within "sysctx" (SMACK label in 
Tizen). Bindings should fill in this item.

I understand that this is just an example, but in slides 1 and 2 the gSSO 
ACL is "*" which is not recommended for storing anything else than 
public keys (X.509 or similar). It should be set to a SMACK label on which 
the application has "rx" permissions. (r = Identity access, x = 
AuthSession access, w = IdentityInfo access)

Please also note that for OAuth, the gSSO IdentityInfo item called 
"Realms" needs to be set to match the domain name of the particular 
Identity. For example "google.com" for Google accounts.


Best regards,

	- Jussi
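
The ACL advice in the message above, worked through as a small model. This is an added example, not part of the original message and not gSSO code. The labels, the rule table and the function names are constructed, and treating "*" as matching any caller is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample SMACK rules: subject label, object label, access string. */
struct smack_rule { const char *subject, *object, *access; };
static const struct smack_rule RULES[] = {
    { "app.mail",    "acct.google", "rx" },  /* the grant the message recommends */
    { "app.browser", "acct.google", "r"  },  /* may access the Identity only */
};

/* Kinds of gSSO access and the SMACK letter the message maps each one to. */
enum gsso_access { IDENTITY = 'r', AUTH_SESSION = 'x', IDENTITY_INFO = 'w' };

/* True if SMACK lets `subject` perform `perm` on `object`. */
static bool smack_allows(const char *subject, const char *object, char perm)
{
    if (strcmp(subject, object) == 0)
        return true;                 /* SMACK: a label always has access to itself */
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (strcmp(RULES[i].subject, subject) == 0 &&
            strcmp(RULES[i].object, object) == 0 &&
            strchr(RULES[i].access, perm) != NULL)
            return true;
    return false;
}

/* Model of the ACL decision: `acl` holds the labels stored with the identity,
 * `sysctx` is the SMACK label of the process that made the request. */
bool acl_permits(const char *const *acl, size_t n, const char *sysctx,
                 enum gsso_access want)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(acl[i], "*") == 0)
            return true;             /* assumption: wildcard matches any caller */
        if (smack_allows(sysctx, acl[i], (char)want))
            return true;
    }
    return false;
}
```

With the ACL set to the label "acct.google", only callers holding the matching SMACK permission get through, while an ACL of "*" admits a process that has no rule at all.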



