ueaWolfie

Introduction

Sadly the ueaWolfie project has come to an end. Over the past few months we have made considerable progress with a number of applications presenting the University of East Anglia’s data on different devices.

The greatest technical challenge we faced was in providing a secure method for authenticating staff and students to associate their accounts on 3rd party systems with their UEA account. We have developed an underlying model to address this problem.

As well as the security model and web service implementation, we have built applications on various platforms including Facebook, iGoogle, Google Desktop and mobile web.

Screenshots or diagram of prototype

The following screen shots are taken of working versions of our applications running on Facebook, iGoogle, Google Desktop and mobile web.

ueaWolfie Facebook Application

iGoogle Gadget

Google Desktop Gadget

UEA Library Loans Mobile Website

Technical architecture of the ueaWolfie framework

Description of Prototype

The ueaWolife web service and suite of widgets/applications allows UEA students to access their personal library data across multiple social websites and mobile devices.

At the core of ueaWolfie is a secure web service that allows different applications to request library loans data in a uniform way. This includes details of the items a user has currently borrowed, any fines, renew loans and to check the top 5 most popular items for a given course.

The project has build a number of different applications using this web service to deliver the data on Facebook, iGoogle, Google Desktop and the mobile web.

Security is a major concern for the project for a number of reasons. Essentially, if we have a web service for renew library loans, we need to be certain that the person renewing the item is who they claim. A security model has been implemented to allow users to associate their institutional user account with their user account on external systems (for example Facebook).

With the web service open for students to utilise, we are set to launch a university-wide competition to encourage students to develop with own applications using the service.

What’s the value of Wolfie?

Whilst the ueaWolfie project may have produced a few cool widgets, we feel the real value of this work lies in the framework.
Using simple techniques, standards and a collaborative approach, Wolfie has the power to significantly reduce the costs associated with delivering new e-services in higher education.

Here’s how Wolfie adds value:

In the Wolfie framework, web services are interfaces, which can be implemented against different back-end systems providing a similar service. In HEI’s, each of the main business functions (SIS, LMS, VLE, HR etc) are implemented by various combinations of a small number of products.

The implementation of a wolfie service against a specific system can be reused across any institutions using the same system (or at very least used as a basis for implementation). Development cost could be shared by user consortiums.

Plus, any Wolfie widgets – existing or future – using the implemented service will ‘just work’ avoiding widget development costs.
End User of Prototype

Our target audience is tech savvy students who make regular use of their mobile devices. At a recent meeting with library staff, they were saying how they noticed new students were already searching for book information from their mobile devices, so the demand is already there.

We are also having a trial of the system on users within the education department at UEA.

Link to working prototype

http://mobile.webapp4.uea.ac.uk/

username: jisc
password: jisc

This account will give you access to the test account used for the development purposes of the project.

Further Work

We plan to expand our work from this project by collaborating with other HE’s to: implement a backend plug-in for voyager, and reuse the widgets created.

We also are making initial progress to work with OIO (Danish) to advance the security model.

The project will be submitted to the Edunify directory (https://demo.edunify.pesc.org/) so hopefully it will find a wider audience who can benefit from the work of this project.

In the past week we have made contact with several US higher education institutions who are interested in using standardised approach to web service security model.

Finally, we are about to launch a competition within our university for students to submit apps created using our web service. With the cash prize of £1000 we are expecting quite a bit of interest.

Link to end user documentation

The applications are designed to be simple to use so no documentation is necessary.

Link to code repository or API

http://code.google.com/p/wolfie/

Link to technical documentation

Documents that:

Explain the architecture

Explain security, linking mechanism

How would you write a service that fits the architecture?

Date prototype was launched

6th June 2010

Project Team Names, Emails and Organisations

Robin Keith, r DOT keith AT SYMBOL uea DOT ac DOT uk – University of East Anglia
Ian Read, i DOT read AT SYMBOL uea DOT ac DOT uk – University of East Anglia

Project Website: http://ueawolfie.jiscinvolve.org/wp/

PIMS entry: https://pims.jisc.ac.uk/projects/view/1726

Table of Content for Project Posts

Project Introduction

Widgets for Open Library InfrastructurE (ueawolfie) project infrastructure-ueawolfie-project/

Project Plan

Aims, Objectives and Final Outputs

Wider Benefits to Sector & Achievements for Host Institution

Projected Timeline, Workplan & Overall Project Methodology

Risk Analysis and Success Plan

IPR (Creative Commons Use & Open Source Software License)

Project Team Relationships and End User Engagement

Budget

Project Initiation Meeting

Technical Architecture

Wolfie’s Framework in Pictures

Initial Web Service Implementation

Implementations

Initial Facebook Widget & Aleph Integration

Mobile Mock Up

Go Go Google Gadgets!

iGoogle Integration

Recent Progress (includes linking facebook accounts with local ones, a basic Secure Token Service for exchanging OAuth tokens for WS Trust tokens, updating the Facebook app to use OAuth.)

Where we are going….

Top 5 Library Loans

ueaWolfie Security Model

Linking a Facebook Account with a UEA Account

The mechanism for linking a UEA user account with a Facebook account is performed by the following tasks:

1. The user “adds” the application on facebook.

2. Goto the UEA external account authorization system : http://wolfieauth.webapp3.uea.ac.uk/ and sign in using your UEA account details.

3. If Facebook is not authenticated for the particular user, it will display a link to authenticate with Facebook.

4. Clicking the link sends the user off to Facebook. If they are not currently logged into Facebook they will be prompted for their Facebook login credentials. Next they will be asked to authorize Facebook to share their details with UEA (example dialog below).

5. Assuming authentication is given, the Facebook application has a configuration value for a page to redirect to after authentication, “Post-Authorise Redirect URL”.

6. The page at Post-Authorise Redirect URL is passed a code containingcalled with a verification string in the argument code.

7. The Facebook Graph API is then used to exchange the code for an OAuth access token.

8. Finally, the user’s Facebook account details are accessed by passing the OAuth token to the Graph API.

9. The user’s UEA username and their Facebook ID is then stored in a database.

(Click diagram to enlarge)

This is quite a clinical description of how the ueaWolfie security model works with respect to authenticating Facebook requests.

1. Facebook embeds the UEA Facebook app in an iframe and passes an OAuth token as a parameter.

2. The UEA Facebook app passes a set of parameters to the ueaWolfie service asking for data, accompanied by the OAuth token.

3. ueaWolfie then authenticates the OAuth token using the STS.

4. The Security Token Server (STS) essentially provides a way of converting an OAuth token into a UEA username.

5. The first stage of the STS is to send the OAuth token back to Facebook and get the associated Facebook user ID. If no Facebook ID is returned, the token is assumed to be invalid. Assuming a valid set of data is returned, this is then passed back to the next stage of the STS.

6. The Facebook ID is extracted from the data.

7. Next, the Facebook ID is used to search our database for a link to a UEA user account. If not matching user account is found, the OAuth token is rejected.

8. At this stage the UEA username is returned. In practice, we would prefer to return a valid WS Trust token. Sadly, this technology is in its infancy so we held off integrating it just yet.

9. The username is then passed back to the main ueaWolfie application to do the necessary lookups relative to that user, and the resultant data is pumped back to the Facebook app.

We have expanded our web service to list the top 5 library loans for a given course. Using the course code for the respective degree programme, the web service communicates with the UEA’s data mining system to reveal the top 5 most popular books for students of that course.

Over the next few weeks, the wolfie projects will be doing the following tasks:

1. A use case of converting the “old” FBML Facebook Canvas Application over to the “new” IFrame-based Facebook Canvas Application. This will be a useful guide to anyone who also needs to do the changes before Facebook disable their FBML apps.

2. Update the UEA’s Blackboard widget to use the new API and featuring borrowed items, fines, renew item and top 5 books for course.

3. Documenting the code from the ueaWolfie project

4. Devise a competition for the UEA’s school of computing sciences to submit entries making make use of the ueaWolfie API.

5. Start work on the final project report!

1. Authenticating Facebook accounts against local accounts.

We created a simple authentication system that has a database table of “local” system user accounts (i.e. simulating the active directory database). We then added functionality to authenticate and associate these user accounts with accounts on Facebook.

2. Built a basic Secure Token Service for exchanging OAuth tokens for WS Trust tokens.

3. Integrated (in an almost fudgy way) the STS with the existing web service

Added parameters to the web service so that it is passed the OAuth token and a unique system ID. The web service then authenticates this token against the respective system.

4. Updated Facebook app to use the OAuth token

As the title suggests, we integrated the STS with the Facebook app so that it authenticates using the OAuth tokens.

We have implemented a gadget for iGoogle the uses the ueaWolfie web service. The architecture of the application is shown below.

As this is initially just a proof of concept for the iGoogle application, we implemented it using an iframe. This allowed us to reuse a lot of the code the mobile application, with just a few tweaks to the CSS. By splitting a lot of the functionality from the mobile app into library files, much of the communication with the web service can be handled. This allows for rapid application development. Future apps on different platforms will be able to utilize this.

We have now developed a Google Desktop Gadget to deliver content from the existing UEA Wolfie web service. After struggling with the Google Gadget API, getting SOAP to work across Javascript, then persuading Javascript to process XML, the gadget now works!

The code is available from our Google Code account.

We have re-engineered the code from the facebook application to form a simple mobile app for library information. The site is accessible via http://mobile.webapp4.uea.ac.uk

ueaWolfie Library Data displayed on an HTC mobile

We have had two significant achievements with the development this week.

The first is that we have built our first facebook application that connects to the webservice and lists all the items the user currently has on loan + any fines. For the time being, the user id has been hardcoded until we have the authentication components in place.

Our second achievement was connecting the web service to Aleph so live library data can be displayed. The next step is to look into  authentication.