MITREid Connect

From IIW

Session Topic:MITREid Connect

Tuesday 1A

Convener: Justin Richer

Notes-taker(s): Amanda Anganes

Tags for the session - technology discussed/ideas considered: open source, OpenID Connect, MITRE, MIT, MIT-KIT

Summary: The MITREid Connect project is an open-source reference implementation server & client library for OpenID Connect. We just released the 1.0 version and it is available on Maven under the “org.mitre” group ID, and on GitHub at https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server.

MITRE has been working on this library for about 1.5 years, and it has been open source from the start under an Apache license, so we have had lots of external users and participation from the start.

The code is deployed internally at MITRE at id.mitre.org/connect (but only MITRE employees can log in there).

Several other projects in the healthcare space (RHEx, Blue Button, etc) are using this code.

MITRE doesn’t do long-term maintenance (we are a research company), so the MIT-KIT (MIT Kerberos & Internet Trust Consortium) is taking over the project for future maintenance.

The project is built using Java, Spring, Spring Security, and Twitter Bootstrap. The client code is a Spring Security filter, so it is easy to slide in to existing Spring applications.

We support a few advanced features:

  • Token chaining – trade an Access Token for another Access Token
  • Dynamic Registration
  • Signed Request Objects
  • Token Introspection
  • All tokens are signed JWTs
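Two of the features above, signed JWT tokens and token introspection, describe what a resource server must do before it honours an access token: check the signature, the issuer and the expiry. The following is an added example (not code from the MITREid Connect project) showing those checks in plain Python with a local introspection-style result. It assumes an HMAC-SHA256 shared secret and a constructed issuer URL purely for illustration; the notes do not say which signing algorithm the server uses, and a deployment that signs with RSA would swap the HMAC step for a public-key verification.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment gets these from configuration.
KEY = b"constructed-shared-secret"
ISSUER = "https://idp.example/"  # hypothetical issuer, not the MITRE deployment


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (stand-in for the server's token signing step)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def introspect_locally(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Validate a signed JWT access token and return an introspection-style
    result: {"active": False} on any failure, otherwise the claims plus
    "active": True. Validation order: structure, algorithm, signature,
    issuer, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"active": False}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return {"active": False}
    # Pin the algorithm: this rejects "none" and any header-driven switch.
    if header.get("alg") != "HS256":
        return {"active": False}
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so timing does not leak partial matches.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return {"active": False}
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return {"active": False}
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return {"active": False}
    return dict(claims, active=True)


def demo() -> dict:
    """Mint a token and introspect it under several conditions."""
    token = sign_jwt({"iss": ISSUER, "sub": "alice", "scope": "openid", "exp": 2000}, KEY)
    head, payload, sig = token.split(".")
    forged_payload = b64url_encode(b'{"iss":"https://idp.example/","sub":"mallory","exp":2000}')
    return {
        "valid": introspect_locally(token, KEY, ISSUER, now=1000),
        "expired": introspect_locally(token, KEY, ISSUER, now=2000),
        "wrong_key": introspect_locally(token, b"other-key", ISSUER, now=1000),
        "tampered": introspect_locally(f"{head}.{forged_payload}.{sig}", KEY, ISSUER, now=1000),
        "alg_none": introspect_locally(b64url_encode(b'{"alg":"none"}') + f".{payload}.", KEY, ISSUER, now=1000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "active" if result["active"] else "rejected")
```

The point of returning an introspection-shaped dictionary is that a resource server can treat a locally verified JWT and a remote introspection response the same way: the only question it asks is whether `active` is true and whether the claims it needs are present.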

We have some other tools available at https://github.com/mitreid-connect/.

  • Simple-web-app: simple application that shows how to configure filters and settings for our library
  • Example Maven Overlay: Maven Overlay example, how to extend server code very simply by overriding specific classes & config files. We use Maven Overlays internally for our MITRE-deployed version.
  • Account Chooser: not related to Google’s Account Chooser, this is just a simple JS app that allows users to choose their IDP.

It is possible (and usually easy) to slot in any kind of primary authentication method to the OIDC server. At MITRE, we are connected to Oracle SSO. Outside the firewall, you go through 2-factor authentication; inside you get an SSO experience.

Demo

Questions:

Cross site scripting?

  • Not turned on (yet), Justin thinks there is a Spring filter for it

Who else is using this?

  • Several organizations we can’t talk about
  • Maine Health Information Network, RHEx
  • State of Utah
  • Clipper (cross-lingual web browsing), another MITRE project, is using this library with Token Chaining

  • We have PHP client libraries, have hooked up to Wordpress, Elgg, Drupal.

What about the “kitties are fluffy” phenomenon? (i.e., a MITRE employee uses a MITRE OIDC credential to post a random blog comment; is it official policy now? Etc.)

  • It’s working so far!
  • Educate and trust
  • Same risk as giving employees corporate phone and email accounts
  • No special disclaimers
  • But, we are working on a future Trust Framework for the company

The UI is backed up by a RESTful API, OAuth2 protected. MIT will be using the admin API through external web calls (authenticated with an OAuth2 token).

What about collaboration?

  • The issue tracker is available on GitHub
  • We do not have a mailing list (yet, MIT-KIT will set one up eventually), but Justin and Amanda’s emails are listed on the page – feel free to contact us directly for now.

What about speed? Lots of redirects.

  • In practice our code seems to operate pretty quickly, haven’t had any speed issues.
  • What about in a constrained environment, can we avoid some of these redirects?
    • Yes, can use Client Credentials or Username/Password flows.