Some time ago we needed a solution for Single Sign On authentication between multiple web services. At least at that time we considered OpenID protocol too complicated and we were not convinced about the Ruby on Rails plugins for it. Therefore we designed a protocol of our own instead of implementing an OpenID provider and OpenID consumers.

I have two questions:

1. Was it a bad thing not to create
   our own OpenID provider and setup
   our OpenID consumers accept only it?
   Public login or registration are not
   allowed and we wanted to keep
   authentication simple.

2. Can you spot a crucial error or a vulnerability in the following design?

If you as a commune can approve this design, I will consider extracting this code into a Ruby on Rails plugin.

Please look at the flowchart and sequence diagram.

Details:

Authentication Provider (“AP”):

• Central service which holds all data
  about the users.
• Only one “AP” exists in this setup.
• It could be possible to have multiple “AP”s, but that should not be relevant in this context.
• “AP” knows each “S” beforehand.

Authentication Client (Service “S”):

• There exists several internal and external web services.
• Each service knows “AP” and its public key beforehand.

Actor (“A”):

• The end user who authenticates
  herself with AP by a username and password
• May request directly any URI of “S” or “AP” prior to her login

Connections between “A”, “S” and “AP” are secured by HTTPS.

Authentication logic described briefly:

These are a description for the graphical flowchart and sequence diagram which were linked at the top of this post.

1) Auth Provider “AP”

• “AP” makes a server-to-server HTTP POST request to “S” to get a nonce.
• “AP” generates an authentication token.
• Authentication token is an XML entity which includes:
  • an expiration date (2 minutes from now),
  • the previously requested nonce (to prevent replay),
  • identifying name of “S” (token for Service_1 is not good for Service_2),
  • information about the end user.
• Authentication token is encrypted with AES256 and the encryption key and initialization vector are signed by AP’s private RSA key.
• Resulting strings (“data”, “key” and “iv”) are first Base64 encoded and then URL encoded to allow them be delivered in the URL query string.
• End user “A” is HTTP-redirected to service “S” (HTTPS GET request).

2) Service “S”

• Receives authentication token in URL parameters from user agent.
• Decrypts authentication token with AP’s pre-shared public key.
• Accepts one authentication token only once (token includes a nonce which is valid only once).
• Checks that identifying name in authentication token corresponds to service’s name.
• Checks that authentication token is not expired.

Remarks:

It is not a problem if somebody else can also decrypt the authentication token, because it contains no confidential information about the user. However, it is crucial that nobody else than AP is able to generate a valid authentication token. Therefore the RSA key pair is involved.

RSA private key is used only for signing the token, because it cannot encrypt data which is longer than the actual key length. Therefore AES is used for encryption.

Since the authentication token is delivered as an HTTP GET request, it will be stored e.g. in Apache’s log file. Using a disposable nonce and an expiration date should minimize the possibility of a replay attack. POST request would need an HTML page with a form which is submitted automatically by Javascript, which is why GET is used.

Service “S” generates a nonce only in a server-to-server API request. Therefore unauthenticated generation requests should not pose a DoS-vulnerability.