
The Design And Research Of Authentication And Authorization System Based On OpenID

Posted on: 2017-04-12; Degree: Master; Type: Thesis
Country: China; Candidate: Y M Liu; Full Text: PDF
GTID: 2348330518993521; Subject: Computer Science and Technology
Abstract/Summary:
Before third-party login appeared, web applications only supported login against their own servers, on which users could access whatever they wanted. With the fast development of the Internet, different Web applications simplify users’ operations and improve users’ experience by sharing their identities and resources. In this situation, the number of identity providers is also growing. Among the features of identity providers, identity authentication and personal information resource authorization are prominent; they can provide a strong mechanism to protect users’ information on identity providers’ Web servers.

The work of this paper is called the Authentication and Authorization System (AA System), which can provide identities for other Web applications. The authentication mechanism is based on OpenID2.0, which is a standard authentication protocol. Compared with other authentication protocols, OpenID2.0 has a simple authentication process. It makes it possible for users to log in to different applications with one identity, which is based on pre-registration on the identity provider’s server. The OpenID provider allows users to enter their usernames and passwords to authenticate the Relying Party (RP), and also to verify the requests from the RP by themselves. In this way, resources can be shared in a safer way. There is no authorization in OpenID2.0, and we propose using the well-known authorization protocol OAuth2.0 for authorization in the AA System. A detailed analysis of OAuth2.0 is made in this paper. The AA System includes a full authorization process based on OAuth2.0, but in this paper users must finish authentication before authorization, which is different from OAuth2.0. Users can provide relying parties with their custom information and withhold access to the information they want to protect. OAuth2.0 includes four ways to authorize. The authorization code mode is used to implement the OAuth2.0 process, which contains authentication, authorization code, access token and resources.

Besides authentication and authorization, the AA System also supports role management, relying party management and request management. This paper defines a one-to-many mapping between the role and the relying party. Users can create more than one role, which will be assigned when they are authenticated. Users can also check the information of the relying parties associated with them. In this paper, users can postpone authentication and authorization requests, and the request management module will handle them as a batch when needed. A method of vertical stratification and horizontal module division is applied to the architecture design of the AA System. With this design, the AA System can achieve loose coupling between layers and modules, and it is also easier to design and implement.
Keywords/Search Tags:Identity authentication, Resource authorization, OpenID2.0, OAuth2.0