L@S 2015 • Work-in-Progress

March 14–18, 2015, Vancouver, BC, Canada

Adding Third-Party Authentication to Open edX: A Case Study John Cox

Pavel Simakov

ACM Classification Keywords

Google, Inc.

Google, Inc.

1600 Amphitheatre Parkway

1600 Amphitheatre Parkway

D.2.13 [Reusable Software]: Reusable libraries; K.6.5 [Security and Protection]: Authentication.

Mountain View, CA 94043 USA Mountain View, CA 94043 USA [email protected]

[email protected]

Abstract In this document, we describe the third-party authentication system we added to Open edX. With this system, Open edX administrators can allow their users to sign in with a large array of external authentication providers. We outline the features and advantages of the system, describe how it can be extended and customized, and highlight reusable design principles that can be applied to other authentication implementations in online education.

Introduction User authentication is the process whereby a user of a computer system proves their identity to that computer system so they can then be granted the ability to make certain protected actions within that system. It is a difficult problem because maximizing the security an authentication system delivers in practical terms requires balancing two factors: first, the strength of the

Author Keywords API design; authentication; authorization; education; identity; privacy; security; testing. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author. Copyright is held by the owner/author(s). L@S 2015, Mar 14-18, 2015, Vancouver, BC, Canada ACM 978-1-4503-3411-2/15/03. http://dx.doi.org/10.1145/2724660.2728675

Figure 1. edx.org sign-in page with third-party authentication.

277

L@S 2015 • Work-in-Progress

March 14–18, 2015, Vancouver, BC, Canada

security provided by the system itself, often through strict adherence to ever-evolving cryptological standards; and second, user convenience. These factors are often in tension: user convenience is maximized by not having an authentication step at all, and security is maximized often by creating systems that are very difficult for users to satisfy. If a system is too hard for users to use, they will opt either not to use the system at all, or they will take steps that increase their convenience but decrease the effective security of the system, such as constructing weak passwords, reusing passwords between systems, and so on.

Background Open edX [1] is an open-source, freely-available platform for authoring and delivering educational content at scale. Until 2014, it provided only first-party authentication. “First-party authentication” means the system that requires user authentication is the same as the system that provides user authentication. Firstparty authentication systems are both common and simple:

Finding the balance between these factors, in addition to implementing authentication correctly in the first place, is very difficult. Many authors of computer systems lack the expertise or the time necessary to do this, so they may deliver authentication implementations in their products that are not secure. Authentication in the online education space is further complicated by the need to integrate with legacy authentication systems at educational institutions. Moving off these systems is impractical, so new online education tools must be able to interoperate with them. Below we outline an approach we took to creating a secure, configurable, extensible authentication solution for use in the online education space. We cover the features of our implementation, and explain the design principles that can be applied to implementations beyond our own.

Figure 2. In a first-party authentication system, when a user takes an action that requires authentication, they are first taken to the authentication system component. In this component they are challenged to provide their identity, and they provide a response to that challenge. If they fail the challenge, the system composes a response notifying them of failure. If they succeed, the system composes a success response, which is often the resource they requested with their initial action.

278

L@S 2015 • Work-in-Progress

March 14–18, 2015, Vancouver, BC, Canada

Users of a first-party authentication system will have a user account with that system. That account will store an identifier for that user, their credentials (such as a nonreversible hash of their password), and other user data. This is distinct from third-party authentication, where the system that requires user authentication (hereafter the “authentication consumer”) are different from the system that users authenticate with (hereafter the “authentication provider”). The steps the user goes through under third-party authentication are the same as in Figure 2 above, except they undergo challenge/response with the authentication provider. Consequently, the authentication consumer does not need to store or validate user credentials. This has two advantages. First, it is more convenient for the user because they do not have an additional set of credentials to manage. Second, the authentication implementation of the provider system is often more secure than authentication systems written by the authors of the consumer system, since authentication is the provider system authors' core competency.

Implementation details At the core of our implementation [2] is python-socialauth [3], an open-source library that supports thirdparty authentication, written in the Python programming language. We picked python-social-auth because it supports three open authentication protocols (OpenID, OAuth 1, and OAuth 2 [4]) and over 60 authentication providers [5], is also written in Python, and provides good abstractions for the two biggest extension points we identified when gathering requirements.

First, by using an abstraction called the authentication pipeline, which comes from python-social-auth, future implementers can hook into the authentication flow at any point and insert custom code. This is done by exposing the behavior of the authentication code as a re-entrant stack of function calls via a Python API, each representing a conceptual step in the authentication process. This set of steps can be extended and reordered, and the pipeline as a whole can be paused and resumed on an ad-hoc basis by custom authentication code in the containing system. Second, python-social-auth provides abstractions for additional authentication protocols or providers, also via Python APIs. These are vital because many organizations in the educational space have vast preexisting computing infrastructure, including custom single-sign on (SSO) systems for user authentication. These systems may speak a host of different protocols, of which Central Authentication Service (CAS) [6] and Shibboleth [7] are the most common. Switching away from their legacy authentication systems is both impractical and undesirable for these organizations. We wrapped python-social-auth in a thin layer that manages configuration details for a given deployment. This is where, for example, any deployment of Open edX selects the set of providers it will use from the full set of available providers. We then refactored the Open edX codebase to optionally use python-social-auth for authentication actions alongside the existing first-party authentication implementation. We adapted the Open edX user interface to account for a small number of new user actions, like managing associations between an existing Open edX account and any number existing provider accounts. Once these associations are

279

L@S 2015 • Work-in-Progress

March 14–18, 2015, Vancouver, BC, Canada

established, users can sign in to their Open edX account with any of the associated provider accounts. Users may revoke an association at any time. Finally, we provided an extensive set of tests [8]. A major feature of our tests is a comprehensive suite that is executed once per known authentication provider. This makes it easier to test new providers against the system as a whole with a minimal investment of new code: provider developers extend one class with a few dozen lines of provider-specific detail, and the full suite is executed against that provider. This limits the knowledge of the underlying Open edX system that a provider author needs to have in order to write a new provider, and at the same minimizes the risk that they will miss important edge cases during development.

Conclusions The approach outlined above proved successful. This third-party authentication system has been live on edx.org, the largest deployment of Open edX, since September of 2014. Members of the Open edX community have used the abstractions detailed above to author and deploy customized versions of Open edX with additional authentication providers and customized user authentication flows. While the system has been extended beyond its initial implementation to account for new requirements, realworld use found no gaps in the overall design. We therefore consider this design approach successful and recommend it to other developers in the online education space who require integrations with thirdparty authentication providers.

Acknowledgements We are very grateful to our partners at edX who worked with us on the development of this feature. As well, we'd like to extend our thanks to the university and industry staff we interviewed while gathering requirements. Finally, we would like to thank Matías Aguirre and the other authors of python-social-auth. The library is excellent, and most of the ideas in this paper are very strongly influenced by the design choices and abstractions it established.

References [1]

Open edX. http://code.edx.org.

[2] Open edX third_party_auth module. https://github.com/edx/edxplatform/tree/master/common/djangoapps/third_party _auth. [3] Python Social Auth. https://github.com/omab/python-social-auth. [4] Python Social Auth documentation. http://psa.matiasaguirre.net/docs/backends/implement ation.html. [5] Python Social Auth documentation. http://psa.matiasaguirre.net/docs/backends/index.html #social-backends. [6] CAS Protocol 3.0 Specification. https://github.com/Jasig/cas/blob/master/cas-serverdocumentation/protocol/CAS-Protocol-Specification.md. [7]

Shibboleth. https://shibboleth.net/.

[8] Open edX third_party_auth module tests. https://github.com/edx/edxplatform/tree/master/common/djangoapps/third_party _auth/tests.

280

Adding Third-Party Authentication to Open edX ... - Research at Google

Mar 18, 2015 - D.2.13 [Reusable Software]: Reusable libraries; K.6.5. [Security and .... edX user interface to account for a small number of new user actions ...
Download PDF
4MB Sizes 5 Downloads 280 Views
Report

Recommend Documents

Group Message Authentication - Research at Google
let a smartcard digitally authenticate each purchase transaction on behalf of the card holder. Message authentication can be achieved using a digital signature.
Adding Meaning to Facebook Microposts via a ... - Research at Google
sends the results to a central data processing point. Given a broad enough .... its relatively broad implementation in several projects, such as Pubby6, Triplify7 ...
Biometric Person Authentication IS A Multiple ... - Research at Google
time, etc) most (if not all) of the state-of-the-art approaches in biometric au- thentication try to make use .... After this step is performed, a standard linear support.
TCP Fast Open - Research at Google
ABSTRACT. Today's web services are dominated by TCP flows so short .... 1. 10. Network Transaction Latency [s]. Cold Req. Cold Req no Hsk (sim). All Req.
Plan 9 Authentication in Linux - Research at Google
Applications simply call the functions de- fined in the module ... file system calls (read, write etc.) ... work service which is similar to the Key Distribution Center.
FAKULT¨AT F¨UR INFORMATIK Adding C++ Support to ... - GitHub
Sep 16, 2013 - of the language are taken into account in an attempt to build a better C++ language flavor. Several analyses are ... 3.1.10 OtherMPSInstruments . ..... In this work we describe a C++ programming language implementation6 on top of mbedd
Adapting the Tesseract Open Source OCR ... - Research at Google
Jul 25, 2009 - Tesseract Open Source OCR Engine [8, 9] to many languages. This paper .... horizontal. The data structure for a text block records the rotations.
Multilingual Open Relation Extraction Using ... - Research at Google
lations (§2) followed by the relation annotation pro- ... cally extracted relations in 61 languages are avail- able at: http://cs.cmu.edu/˜mfaruqui/ soft.html.
Modelling Events through Memory-based, Open ... - Research at Google
this end, we introduce a data structure and a search method that ... tation we consider in this paper is a large collec- ... Our analy- sis highlights advantages and disadvantages of the ..... For an empirical analysis of lookup complexity,. Figure 5
gpucc: An Open-Source GPGPU Compiler - Research at Google
mean of 22.9%. Categories and Subject Descriptors D.3.4 [Programming ... personal identifiable information. ... 2. Overview. In this section, we will provide an overview of the system ...... Computer Science, 9:1910–1919, 2012. [11] S. Che, M. Boye
RFC 7413 - TCP Fast Open - Research at Google
compared to the standard TCP, which requires a three-way handshake. (3WHS) to ... include Simplified BSD License text as described in Section 4.e of the Trust Legal ...... in Proceedings of Internet Measurement Conference,. November 2011. .... call,
RFC 7413 - TCP Fast Open - Research at Google
TFO is motivated by the performance needs of today's Web applications. Current ... a) the receiver host receives data in a duplicate SYN after it has forgotten it received .... and the server can regenerate the cookie independently, the best validati
ReFr: An Open-Source Reranker Framework - Research at Google
a lattice or hypergraph or (b) simply use a strict reranking ap- proach applied to n-best ... tations for any developer converting from their own, proprietary format.
4. OpenFst: An Open-Source, Weighted Finite ... - Research at Google
and its Applications to Speech and Language. Michael ... APIs that make it easy to embed and extend; and (d) is a platform for active research and use among.
Reputation Systems for Open Collaboration - Research at Google
Even for successful sites, establishing a community of dedicated users ... play user reputations, out of a desire not to alter the social experience of contributing to ...
Improving Access to Web Content at Google - Research at Google
Mar 12, 2008 - No Javascript. • Supports older and newer browsers alike. Lynx anyone? • Access keys; section headers. • Labels, filters, multi-account support ... my screen- reading application, this site is completely accessible for people wit
Mathematics at - Research at Google
Index. 1. How Google started. 2. PageRank. 3. Gallery of Mathematics. 4. Questions ... http://www.google.es/intl/es/about/corporate/company/history.html. ○.
Migrating to BeyondCorp - Research at Google
involved, from the teams that own individual services, to management, to support teams, to ... a new network design, one that removes the privilege of direct.
GRAPHEME-TO-PHONEME CONVERSION ... - Research at Google
model and the performance of the overall system relies on the coverage and quality of .... knowledge is the first such application of LSTMs. 4. LSTM-BASED G2P ...
Google's Hybrid Approach to Research - Research at Google
To compare our approach to research with that of other companies is beyond the scope of this paper. ... plores fundamental research ideas, develops and maintains the software, and helps .... [8], Google File System [9] and BigTable [10]. 2.
Adding variation to path planning
Aug 11, 2008 - KEY WORDS: path planning; Corridor Map Method; variation; Perlin noise. Introduction ... players to feel as if they are present in the game world and live an experience in ... As a result, little effort has been put to create similar,
Adding variation to path planning
Aug 11, 2008 - Path planning in computer games, whether these are serious or ... and Computing Sciences, Center for Games and Virtual Worlds, ... Over the past years, path finding has been studied ..... Figure 2. The frequency of the Perlin noise fun