[Dev] Extend Tizen account module to support SSO
jaehwa.shin at gmail.com
Tue Dec 10 18:44:44 GMT 2013
On Wed, Dec 11, 2013 at 2:03 AM, Jussi Laako <jussi.laako at linux.intel.com> wrote:
> Overall, the proposal looks good.
> I would like to ask for clarification on one item that wasn't clear to me from
> this documentation.
> How is the implementation split into components and what type of
> components those are? This is important from the access control point of
> view (AccessControlManager in gSSO), because in order for it to do its
> work the request needs to come directly from the requesting process and
> should not be forwarded between processes. So the authentication request
> should come directly from the application process to the gsignond, thus the
> RequestAuthData() should be implemented for example in a library loaded to
> the application.
Tizen Account is a client-side library and there is no daemon. All account
manager code is executed in the caller application's context. So the
authentication request comes directly from the application as required.
> For WRT applications and such where the process may not be 1:1 with the
> application there's additional field called "appctx" in the gSSO
> SecurityContext to define a sub-context within "sysctx" (SMACK label in
> Tizen). Bindings should fill in this item.
> I understand that this is just an example, but in slides 1 and 2 the gSSO ACL
> is "*" which is not recommended for storing anything else than public keys
> (X.509 or similar). It should be set to SMACK label on which the
> application has "rx" permissions. (r = Identity access, x = AuthSession
> access, w = IdentityInfo access)
That's a good point. I made the slides to show interactions between account
manager and gSSO. I used '*' just to avoid the slides being complicated. :)
I'm going to deal with this topic more deeply in another mail.
> Please also note that for OAuth, the gSSO IdentityInfo item called
> "Realms" needs to be set to match domain name of the particular Identity.
> For example "google.com" for Google accounts.
> Best regards,
> - Jussi
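To make the access-control points in this exchange concrete, the following is an added illustrative model, not gSSO's or Tizen Account's actual code or API. It models an ACL entry as a SecurityContext (sysctx = SMACK label, optional appctx sub-context) plus the permission letters Jussi lists (r = Identity, x = AuthSession, w = IdentityInfo), shows why a "*" entry is only acceptable for public data, and checks an OAuth endpoint against the Realms field. The SMACK labels and URLs in the sample are constructed for the example.

```python
"""Illustrative model of gSSO-style ACL evaluation with SMACK labels.
Added for this thread; not gSSO's real implementation or API.
Permission letters follow the mapping given in the thread:
r = Identity access, x = AuthSession access, w = IdentityInfo access."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable
from urllib.parse import urlparse

PERM_NAMES = {"r": "Identity", "x": "AuthSession", "w": "IdentityInfo"}


@dataclass(frozen=True)
class SecurityContext:
    """Requesting process identity: SMACK label plus optional sub-context."""
    sysctx: str        # SMACK label of the calling process (Tizen)
    appctx: str = ""   # sub-context for WRT apps that share one process


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: which context may do what with a stored Identity."""
    sysctx: str
    perms: FrozenSet[str]
    appctx: str = ""   # "" means any appctx under this sysctx

    def matches(self, ctx: SecurityContext) -> bool:
        # "*" matches every process on the device; that is why it is only
        # acceptable for identities holding public material (X.509 etc.).
        if self.sysctx != "*" and self.sysctx != ctx.sysctx:
            return False
        if self.appctx and self.appctx != ctx.appctx:
            return False
        return True


def entry(sysctx: str, perms: str, appctx: str = "") -> AclEntry:
    """Build an entry from a permission string such as "rx"."""
    unknown = set(perms) - set(PERM_NAMES)
    if unknown:
        raise ValueError(f"unknown permission letters: {sorted(unknown)}")
    return AclEntry(sysctx, frozenset(perms), appctx)


def allowed(acl: Iterable[AclEntry], ctx: SecurityContext, perm: str) -> bool:
    """True if some matching ACL entry grants `perm` to `ctx`."""
    if perm not in PERM_NAMES:
        raise ValueError(f"unknown permission: {perm}")
    return any(e.matches(ctx) and perm in e.perms for e in acl)


def wildcard_grants(acl: Iterable[AclEntry]) -> FrozenSet[str]:
    """Permissions that a "*" entry hands to every process on the device.
    A non-empty result is a red flag when the Identity stores secrets
    (tokens, passwords) rather than public keys."""
    granted = set()
    for e in acl:
        if e.sysctx == "*":
            granted |= e.perms
    return frozenset(granted)


def realm_matches(realms: Iterable[str], endpoint_url: str) -> bool:
    """OAuth Realms check: the endpoint host must equal, or be a subdomain
    of, a configured realm (realm "google.com" covers accounts.google.com
    but not google.com.evil.example or notgoogle.com)."""
    host = (urlparse(endpoint_url).hostname or "").lower()
    for realm in realms:
        realm = realm.lower().lstrip(".")
        if host == realm or host.endswith("." + realm):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: hypothetical SMACK labels, not real Tizen ones.
    mail_app = SecurityContext("User::App::com.example.mail")
    game_app = SecurityContext("User::App::com.example.game")
    acl = [entry("User::App::com.example.mail", "rx")]   # the recommended shape
    print("mail r/x/w:", [allowed(acl, mail_app, p) for p in "rxw"])
    print("game r:", allowed(acl, game_app, "r"))
    print("wildcard leaks:", sorted(wildcard_grants([entry("*", "r")])))
    print("realm ok:", realm_matches(["google.com"],
                                     "https://accounts.google.com/o/oauth2/auth"))
```

The `appctx` field is what a WRT binding would fill in so two web apps running under the same SMACK label get distinct entries; `wildcard_grants` is the lint a practitioner would run over an IdentityInfo's ACL before storing anything secret in it.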