Question

I've been looking into Federated Security and Claims-Based authentication/authorization and really like what I'm seeing.

I'm also a big fan of RESTful services and prefer to avoid using SOAP and the WS-* specifications unless it's necessary.

Are there any standards for handling claims-based authentication over basic HTTP?


Solution

OpenID. The Attribute Exchange specification allows the transmission of arbitrary attributes of the subject. It uses only HTTP, and works with any browser. In a similar fashion, OAuth allows users to delegate access rights to selected services. OAuth2 extends the set of use cases even further.
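As an added example (not code from the answer above), here is how a relying party would pull Attribute Exchange claims out of an OpenID 2.0 positive assertion and accept only those attributes that the OP actually signed; the sample response is constructed, and the HMAC in openid.sig is assumed to have been verified against the association before this function runs.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

def extract_ax_claims(query_string):
    """Return {type_uri: [values]} for the Attribute Exchange claims in an OpenID 2.0
    assertion, keeping only attributes whose fields are all listed in openid.signed."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    # Assumes openid.sig over these fields was already checked against the association
    signed = set(params.get("openid.signed", "").split(","))  # names lack "openid."
    claims = {}
    # The OP chooses the alias for the AX namespace, e.g. openid.ns.ext1
    for ns_key, ns_val in params.items():
        if not (ns_key.startswith("openid.ns.") and ns_val == AX_NS):
            continue
        alias = ns_key[len("openid.ns."):]
        prefix = f"openid.{alias}."
        mode_key = prefix + "mode"
        if params.get(mode_key) != "fetch_response":
            continue
        for type_key, type_uri in params.items():
            if not type_key.startswith(prefix + "type."):
                continue
            attr = type_key[len(prefix) + len("type."):]
            count_key = prefix + "count." + attr
            if count_key in params:  # multi-valued: value.<attr>.1 .. value.<attr>.N
                n = int(params[count_key])
                value_keys = [f"{prefix}value.{attr}.{i}" for i in range(1, n + 1)]
                needed = [ns_key, mode_key, type_key, count_key, *value_keys]
            else:
                value_keys = [prefix + "value." + attr]
                needed = [ns_key, mode_key, type_key, *value_keys]
            # Reject the attribute unless every field it depends on is signed;
            # unsigned AX fields can be appended by whoever controls the redirect URL.
            if not all(k in params and k[len("openid."):] in signed for k in needed):
                continue
            claims.setdefault(type_uri, []).extend(params[k] for k in value_keys)
    return claims

# Constructed sample assertion: the email attribute is signed, "role" is not.
SAMPLE = (
    "openid.mode=id_res&openid.ns.ext1=http://openid.net/srv/ax/1.0"
    "&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http://axschema.org/contact/email"
    "&openid.ext1.value.email=alice%40example.org"
    "&openid.ext1.type.role=http://example.org/role&openid.ext1.value.role=admin"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email"
)
```

Running `extract_ax_claims(SAMPLE)` yields only the email claim; the unsigned "role" attribute is dropped.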

OTHER TIPS

SAML. This is the OASIS standard and here is the presentation that talks about Claims Based Security with SAML.

Here you find open source implementations to get you started.

Over HTTP: I have done only limited research on this topic some time back, but check out the SAML 1.1 Profiles.

I know you are not specifically interested in WS-* standards related to CBS, but to provide completeness to the answer, below are the three standards that are related to CBS. More info can be found here.

If you're on the net you might want to take a peek at Windows Azure ACS; it's a relatively easy way to implement claims-based auth, and I'm pretty sure you don't need to be running on Azure to use it. It wraps OAuth, SAML, etc. quite nicely.

http://www.microsoft.com/en-us/appfabric/azure/middleware-services.aspx#AccessControl

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow