A Scalable and Flexible Web Services Authentication Model

The WS-* specification set defines a message authentication model for web services. This model targets the authentication of messages exchanges in large scale decentralized systems, composed by different authentication domains. However, it has scalability and flexibility limitations: the acquirement of identity claims requires online interactions with security token services, which introduces communication overhead and creates performance bottlenecks; the services' policies, containing its requirements, must directly point to the issuing security token services, limiting the flexibility of the trust relations. We present a new model, addressing these limitations, using two concepts from the trust management paradigm: credentials for claim inference and claim-based issuer references (attribute based delegation). We show how credentials are used both to increase the scalability, reducing the number of online token requests, and to increase the flexibility by allowing indirect trust relations, namely claim based delegation. We also show how the simultaneous usage of security tokens and credentials results in several advantages of our model, when compared to credential only trust management models. The proposed model fits nicely into the WS-* framework, namely into its message security model and policy language. We illustrate this with the implementation of an extension to the Windows Communication Foundation - a commercial grade web services platform - that provides support for this model.