Implementing OAuth 2.0

One of the lasting outcomes of our Total Recal ‘rapid innovation’ project in 2010 was that Alex Bilbie wrote the first (and only) OAuth 2.0 server for the CodeIgniter PHP development framework that we use. Since then, he’s been refining it and, with every new project, we’ve been using it as part of our API-driven approach to development. As far as we know, no other university in the UK is yet using the OAuth 2.0 specification, which should be finalised at a forthcoming IETF meeting. There are a few examples of OAuth revision A in use, but OAuth 2.0 is a major revision currently in its 23rd draft.

As a result of his work, Alex was invited to talk about OAuth 2.0 at Eduserv’s Federated Access Management conference last year.

[Embedded presentation: OAuth 2.0, by Alex Bilbie]

Nick Jackson gave the same presentation at the Dev8D conference a couple of weeks ago.

Since Total Recal, we’ve used OAuth 2.0 for Jerome, data.lincoln.ac.uk, Zendesk, Get Satisfaction, and more recently Orbital and now ON Course. We’re at the stage where our ‘single sign on’ domain https://sso.lincoln.ac.uk is the gateway to our OAuth 2.0 implementation and it will soon be running on two servers for redundancy. In short, due to various JISC projects helping pave the way, it has been formally adopted by central ICT Services, and staff and students are gradually being given control over what services their identity is bound to and what permissions those services have.

[Image: Single Sign On at Lincoln]

The work Nick is doing on the Orbital project is extending Alex’s OAuth 2.0 server to include some of the optional parts of the specification which we’ve not been using at Lincoln, such as refresh tokens and using HTTP Authentication with the client credentials flow. This means that the server is able to drop straight in to a wider range of projects and services.
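To make the two optional parts mentioned above concrete, here is an added example (not code from the Lincoln/CodeIgniter server or the Orbital project) of the token-endpoint logic a draft-23 OAuth 2.0 server needs for HTTP Basic client authentication on the client credentials grant, and for issuing and rotating refresh tokens. The client registry, the authorization code and all token values are constructed for the example; the client credentials grant deliberately issues no refresh token, since the draft says one SHOULD NOT be issued for a client acting on its own behalf.

```python
"""Minimal OAuth 2.0 (draft-23 style) token endpoint logic: HTTP Basic client
authentication, the client credentials grant, and refresh token issuance and
rotation. Added example, not the Lincoln/CodeIgniter server's own code; the
client registry, authorization code and token values are constructed."""
import base64
import hmac
import secrets
import time

# Constructed registry of confidential clients: client_id -> (secret, redirect_uri)
CLIENTS = {
    "orbital-app": ("example-client-secret", "https://orbital.example/callback"),
}
# Constructed authorization code, as the authorization endpoint would have stored it.
AUTH_CODES = {
    "code-abc123": {"client_id": "orbital-app", "user": "student42",
                    "redirect_uri": "https://orbital.example/callback",
                    "expires": 1_000_600},
}

ACCESS_TTL = 3600         # seconds an access token is valid
REFRESH_TTL = 30 * 86400  # seconds a refresh token is valid

ACCESS_TOKENS = {}   # token -> {"client_id", "user", "expires"}
REFRESH_TOKENS = {}  # token -> {"client_id", "user", "expires"}


def parse_basic_auth(header):
    """Return (client_id, client_secret) from an HTTP Basic Authorization header,
    or None if it is absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    return (client_id, secret) if sep else None


def authenticate_client(header):
    """Check client credentials with a constant-time comparison so the response
    time does not reveal how much of the secret matched. Returns client_id or None."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    client_id, secret = creds
    registered = CLIENTS.get(client_id)
    expected = registered[0] if registered else ""
    ok = hmac.compare_digest(secret.encode(), expected.encode())
    return client_id if (registered and ok) else None


def issue_tokens(client_id, user, now, with_refresh):
    """Mint an access token (and optionally a refresh token) bound to the client
    and to the user on whose behalf it was granted (None for client-only access)."""
    access = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = {"client_id": client_id, "user": user, "expires": now + ACCESS_TTL}
    body = {"access_token": access, "token_type": "bearer", "expires_in": ACCESS_TTL}
    if with_refresh:
        refresh = secrets.token_urlsafe(32)
        REFRESH_TOKENS[refresh] = {"client_id": client_id, "user": user, "expires": now + REFRESH_TTL}
        body["refresh_token"] = refresh
    return body


def token_endpoint(headers, form, now=None):
    """Handle POST /token. `headers` and `form` are plain dicts standing in for the
    HTTP request; returns (status, JSON-able body) as the server would."""
    now = time.time() if now is None else now
    client_id = authenticate_client(headers.get("Authorization"))
    if client_id is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        # Client acting for itself: no refresh token (the draft says one SHOULD NOT be issued).
        return 200, issue_tokens(client_id, None, now, with_refresh=False)
    if grant == "authorization_code":
        code = AUTH_CODES.pop(form.get("code"), None)  # single use, even when the check fails
        if (code is None or code["client_id"] != client_id or code["expires"] <= now
                or code["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        return 200, issue_tokens(client_id, code["user"], now, with_refresh=True)
    if grant == "refresh_token":
        rec = REFRESH_TOKENS.pop(form.get("refresh_token"), None)  # rotate: the old token dies
        if rec is None or rec["client_id"] != client_id or rec["expires"] <= now:
            return 400, {"error": "invalid_grant"}
        return 200, issue_tokens(client_id, rec["user"], now, with_refresh=True)
    return 400, {"error": "unsupported_grant_type"}


def basic_header(client_id, secret):
    """Build the Authorization header a client sends (helper for demos and tests)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()
```

Two design points worth noting: the refresh token is bound to the authenticated client, so a token issued to one client cannot be redeemed by another even if it leaks, and every refresh rotates the token, so a stolen refresh token stops working as soon as the legitimate client uses it again.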

Recently, JISC published a call for project proposals around Access and Identity Management (AIM), which I am starting to write a bid for. Appendix E1 states:

JISC is particularly interested in seeing innovative and new uses for OAuth. Bids should show how this technology brings benefits to the community and can help address institutional requirements within research, teaching and learning, work based learning, administration and Business Community Engagement.

In Total Recal, we released version 1 of the server code but have learned a lot since that project through integrating OAuth with other services. Version 2 of our OAuth server is more representative of our current implementation and fully implements the latest draft (23) of the specification.

However, this is what access and identity management currently looks like:

[Image: SSO Current Situation]

At the moment, the most widespread use of the OAuth server is Zendesk, our ICT and Estates online support service. Projects such as Jerome, Orbital, and ON Course, as well as three 3rd year Computer Science student dissertation projects are using it, too. The plan is to use OAuth alongside Microsoft’s Unified Access Gateway (UAG), which can talk SAML to OAuth via the OAuth SAML 2.0 specification. Here’s what we intend to do:

[Image: SSO Ideal Situation]

The primary driver for this is the ‘student experience’ and it cuts three ways:

  1. Richer sharing of data between applications: A student or lecturer should be able to identify themselves to multiple applications and approve the sharing of personal data between those applications.
  2. A consistent user experience: What we’re aiming for at first is not strictly ‘single sign on’, but rather ‘consistent sign on’, where the user is presented with a consistent UX when signing into disparate applications.
  3. Rapid deployment: New applications that we develop or purchase should be easier to implement, plugging into either OAuth or the UAG and immediately benefiting from 1) and 2).

Following a recent meeting between ICT and the Library, we agreed to take the following steps:

  1. All library (and ICT) applications that we operate internally must have Active Directory sign-in instead of local databases. Almost all of our applications achieve this already. This is the first step towards step (3).
  2. All web-based applications must offer a consistent looking sign-in screen based on the sso.lincoln.ac.uk design (which uses the Common Web Design). This is the second step towards (3).
  3. All systems must implement web-based single sign on via OAuth, SAML or ADFS and they will be sent to either UAG or the OAuth/SAML server.

The library are going to investigate to what extent we can do (2) with their applications such as Horizon and EPrints, and from then on, systems that are purchased or updated must do (3). It also makes sense to look at EPrints and WordPress in the short-term as applications that can use OAuth.

Two of the outputs we’ll propose to JISC are a case study of this work, as well as further development of the open source server Alex and Nick have been developing including an implementation of the OAuth SAML specification that we’ll share. Like our related work on staff profiles, the need to get access and identity right is becoming increasingly apparent as staff and students become accustomed to the way access and identity works elsewhere on the web. For Lincoln, a combination of OAuth and UAG is the preferred route to achieving consistent sign on across all applications, bridging both the internally facing business applications managed by ICT (e.g. Sharepoint, Exchange, Blackboard) and the more outward facing academic and social applications such as those developed and run by the Library and the Centre for Educational Research and Development.

Facebook glue

A press release from the University of Leicester last week summarises the findings so far of a research project which “focuses on how pre-registration engagement with the University of Leicester Facebook network influences students’ post-registration social networks and their understanding of the University.” They’ve found that “a high proportion of freshers use the internet to smooth the settling-in process.” No real surprise there, but these kinds of studies are important, not only to better understand the student experience, but also to better understand how the Internet, and social networking in particular, is affecting social relations in general.

A survey of 221 first year students conducted between April and June this year found that more than half (55 per cent) had joined Facebook to make new friends prior to entering university, while a further 43 per cent joined immediately after starting university. Nearly three quarters said Facebook had played an important part in helping them to settle in at university.

So within the first few weeks of joining university, 98% of students (who responded) were using Facebook to some extent. The way the quote above is worded doesn’t make it entirely clear whether 55% of students joined Facebook to make new university friends or to socialise with existing friends and meet new friends in general. Later in the press release they say that “59% of respondents considered that the way that they used Facebook had changed since they came to University.” So we know that at least 59% of individuals were using Facebook prior to entering university. They quote some respondents’ motivations for joining Facebook:

  • To meet people before coming to university and because most of my friends at home used it.
  • Because my friends all had it and one of them told me that it was a good way to meet people going to the same uni as me.
  • To hopefully get into contact with people who were living in my building or were on my course through facebook groups. I hoped that knowing these people before I got there would give me a head start at uni.
  • To keep in touch with friends and for a bit of fun. Also to see if I could find anyone going to Leicester Uni living in my halls.

I suspect that the 55% is a mix of some people consciously joining with university in mind and others who were using Facebook regardless of entering university. Still, university life clearly accounts for a lot of Facebook registrations and an even greater amount of Facebook activity.

Over a third of respondents also said they used Facebook to discuss academic work with other students on a weekly basis, and more than half responded positively to the idea of using Facebook for more formal teaching and learning – although only 7 per cent had actually done so. Many suggested ways in which Facebook could be used, such as providing social support for students in departments and informing students about changing lecture times.

This is good to read and follows JISC’s In Their Own Words report about the move to increased learner autonomy.

But the survey also found that 41 per cent of students were against being contacted directly by tutors via Facebook. A report on the preliminary findings warns that the university will need to tread carefully if it wants to use Facebook to communicate with students for administrative or teaching and learning purposes.

So “more than half” of students welcome using Facebook for teaching and learning and 41% were against it? Or is that “more than half” of “over a third of respondents” welcome the use of Facebook for teaching and learning? Again, not entirely clear to me, but I imagine it’s the former and that attitudes are going to shift even further in that direction over time.

My own experience is that the longer and more extensively I’ve used services like Facebook (in fact, the Internet in general), the fewer walls I construct to protect the normal divisions in my life. Not only is it too difficult to maintain separate identities on Facebook, but the boundaries between work, leisure, education and our private lives are far less distinct than they would otherwise be. You only have to look at the number of family photos on Flickr, the number of work-related Facebook networks and the amount of discussion occurring online where people use the same identity for both work-related and non-work-related discussion to see that walls are falling rather than being constructed through the use of the Internet.