Service chaining is – in my mind – somewhat underappreciated as use case is identity management. It is being paid some lip service, but often put off as too hard to solve. Yet, many of the issues I face in the mapping of complex business processes to a set of decomposed services involves service chaining. For the purpose of this article, here is a simplistic definition (made up by myself):
“Service chaining occurs when a service must invoke another service to complete a transaction.”
In other words, a user invokes a service A. That starts working on the problem, but figures that it needs information from service B. Now, service B is being invoked, but there needs to be good understanding on who is invoking service B to perform a satisfying access control decision. Service B should ideally know the identity of the user and the invocation path (in this case just service A) to perform an access control decision.
Interestingly enough, this process can be decomposed into two important steps: the final access control decision by service B, and a reverse authorization decision by the user. For the following steps, strong cryptographic identification through public/private key pairs is assumed:
Step 1: The user invokes service A (authentication and authorization occurs somehow).
Step 2: Service A decides that it needs to invoke service B for completing the operation and tries to access.
Step 3: Service B challenges the access request with a signed statement (access request statement – ARS) that documents:
- Its identity by including an identifier (such as e.g. a URI) and its public key
- The operation service A is trying to perform
- The identity of service A, again through e.g. a URI and public key.
Step 4: Service A receives the ARS and forwards it to the user. The user evaluates the request, andauthorizes the ASR by signing it.
Step 5: Service A forwards the signed ARS to service B. Service B verifies the signature and returns service A the required information.
It is obvious that this process it WAY to expensive to implement in large systems, but these are the steps that are – explicitly or implicitly – taking place in any service chaining scenario. It gets a little more complicated once you allow delegation of authorization, i.e. service A might have permission to authorize access on behalf of the user for service B trying to access yet another service C.
The two major performance impacts in this model are: (i) signature creation and verification, especially over XML constructs, and (ii) ASR parsing and policy evaluation.