1. Securing Access with OAuth2 in KeyRock
Javier Cerviño, Álvaro Alonso, Joaquin Salvachua (DIT-UPM)
2. How to authenticate users in your apps using FI-WARE Account
In this course you will learn to:
• Use FI-WARE Account to create users and organizations and to register your applications.
• Authenticate users in your apps with their FI-WARE credentials using OAuth 2.0.
• Let them access resources securely, thanks to authorization in FI-WARE Account.
3. Content
1. Introduction.
Introduction to FI-WARE Account and OAuth 2.0. We’ll see key concepts and topics.
2. First steps in FI-WARE Account.
Register on FI-WARE Account, create organizations and manage roles of users in your organizations.
3. Secure your web applications using OAuth 2.0.
Secure your own web applications to authenticate your users with their username and password in FI-WARE Account.
4. Authenticate your users from native applications using OAuth 2.0.
Adapt your native applications to authenticate your users with their username and password in FI-WARE Account.
5. Developing secured APIs using OAuth 2.0.
Deploy a FI-WARE PEP Security Proxy in front of your backend to secure requests to your APIs.
6. Authorizing access to protected resources.
Create roles in your applications to allow or deny access of users to protected resources.
9. OAuth 2.0
OAuth 2.0 is a mechanism that gives applications access to restricted resources without the user sharing their credentials with the application.
Applications use access tokens, issued by OAuth providers (e.g. FI-WARE), to access resources.
The OAuth 2.0 specification is designed for use with HTTP.
Roles:
• Resource Owner: entity capable of granting access to a protected resource (e.g. the end-user).
• Resource Server: server hosting the protected resources.
• Client: application making protected-resource requests on behalf of the resource owner.
• Authorization Server: the server issuing access tokens to the client.
10. OAuth Message Flow
Sequence diagram (Web App using an OAuthLibrary, FI-WARE Account): the web app redirects the user to Account; Account returns an access-code; the web app requests an access-token with that code; Account returns the access-token; the web app then requests user info using the access-token.
11. Web Applications and GEs
Sequence diagram (Web App with OAuthLibrary, FI-WARE Account, Generic Enabler): redirect, access-code, request access-token, access-token, as in the previous flow; the web app then sends its request plus the access-token to the Generic Enabler, the GE forwards the access-token and the requested path to Account, and Account answers OK plus the user info.
12. Web Applications and GEs
GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token
13. AA for free!
Sequence diagram (Web App with OauthLibrary, Proxy, FI-WARE Account, Back-end Apps): redirect, access-code, request access-token, access-token, as before; the web app sends its request plus the access-token to the Proxy, which forwards the access-token and path to Account, receives OK plus the user info, and only then passes the request on to the back-end apps.
15. OAuth 2.0 Architecture: Authorization Code Grant
Diagram (OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com). Step labels:
6. Response code + myservice.com credentials
7. Ok, this is the Access Token
8. Access user’s resources with Access Token
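The consumer side of the Authorization Code Grant sketched on slides 10 and 15, written out as an added Python example; it is not code from the slides or from KeyRock. The endpoint paths (/oauth2/authorize, /oauth2/token, /user), the client credentials and the fake provider functions are assumptions constructed so the whole exchange runs offline; the step numbers in the comments follow the slide. The example also does what the slide does not spell out: it binds the callback to the session with a state value and treats the code as single use, which is what stops a replayed or forged redirect from being exchanged.

```python
"""Authorization Code Grant as seen from the OAuth consumer (web app)."""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint paths are assumptions for this example; only the hostname appears on the slide.
AUTHORIZE_URL = "https://account.lab.fi-ware.org/oauth2/authorize"
TOKEN_URL = "https://account.lab.fi-ware.org/oauth2/token"
USERINFO_URL = "https://account.lab.fi-ware.org/user"


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the URL the consumer redirects the browser to. `state` ties the callback to this session."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """The provider redirects back with ?code=...&state=...; a mismatched state is rejected."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in qs:
        raise ValueError("authorization denied: " + qs["error"][0])
    return qs["code"][0]


def exchange_code(http_post, code, client_id, client_secret, redirect_uri):
    """Step 6: send the code plus the consumer's credentials; step 7: receive the access token."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    status, body = http_post(TOKEN_URL, form, auth=(client_id, client_secret))
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    token = json.loads(body)
    if token.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token type")
    return token["access_token"]


def fetch_user_info(http_get, access_token):
    """Step 8: present the token as a Bearer credential in the Authorization header."""
    status, body = http_get(USERINFO_URL, headers={"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise RuntimeError(f"resource server returned {status}")
    return json.loads(body)


# --- Constructed fake provider so the flow runs offline (not the real Account) ---------
ISSUED = {}   # code -> (client_id, redirect_uri); consumed on first use
TOKENS = {}   # access_token -> user record


def fake_authorize(client_id, redirect_uri, state):
    """Stands in for the user logging in at the provider; returns the redirect back to the consumer."""
    code = secrets.token_urlsafe(16)
    ISSUED[code] = (client_id, redirect_uri)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def fake_post(url, form, auth):
    """Token endpoint: checks client credentials, the redirect_uri and single use of the code."""
    if url != TOKEN_URL or auth != ("myservice.com", "s3cret"):
        return 401, json.dumps({"error": "invalid_client"})
    issued = ISSUED.pop(form.get("code"), None)
    if issued != (auth[0], form.get("redirect_uri")):
        return 400, json.dumps({"error": "invalid_grant"})
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"id": "alice", "roles": ["Provider"]}
    return 200, json.dumps({"access_token": token, "token_type": "Bearer", "expires_in": 3600})


def fake_get(url, headers):
    """Resource endpoint: accepts only a known token sent with the Bearer scheme."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if url != USERINFO_URL or scheme != "Bearer" or token not in TOKENS:
        return 401, json.dumps({"error": "invalid_token"})
    return 200, json.dumps(TOKENS[token])


def run_flow():
    """Drive the whole grant against the fake provider and return the user info obtained."""
    client_id, secret, redirect_uri = "myservice.com", "s3cret", "https://myservice.com/callback"
    state = secrets.token_urlsafe(16)
    build_authorize_url(client_id, redirect_uri, state)        # browser is sent here
    callback = fake_authorize(client_id, redirect_uri, state)  # provider redirects back
    code = parse_callback(callback, state)
    token = exchange_code(fake_post, code, client_id, secret, redirect_uri)
    return fetch_user_info(fake_get, token)


if __name__ == "__main__":
    print(run_flow())
```

The same structure applies to the Implicit and Resource Owner Password grants on the following slides: only the step that produces the token changes, while the Bearer request of step 8 stays identical.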
16. OAuth 2.0 Architecture: Implicit Grant
Diagram (OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com). Step labels:
6. Access user’s resources with Access Token
17. OAuth 2.0 Architecture: Resource Owner Password Credentials Grant
Diagram (OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com). Step labels:
2. Give access with myservice.com credentials and user’s password credentials
3. OK, this is the access token
4. Access user’s resources with Access Token
18. OAuth 2.0 Architecture: Client Credentials Grant
Diagram (OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com). Step labels:
1. Client authentication with myservice.com credentials
2. OK, this is the access token
3. Access myservice.com resources with Access Token
20. Using the Access Token: FI-WARE Resource Providers
Diagram (OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com; Generic Enablers: *.fi-ware.org). The consumer accesses protected user info with the Access Token:
GET https://ge_url HTTP/1.1
Host: GE_hostname
Authorization: Bearer access_token
The Generic Enabler checks the token with Account using:
GET /user?access_token=access_token
21. Using the Access Token: Third-Party Resource Providers
Diagram (PEP Proxy in front of an unsecured resource provider; OAuth consumer: myservice.com). The consumer accesses protected user info with the Access Token:
GET https://protected_url HTTP/1.1
Host: GE_hostname
Authorization: Bearer access_token
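The check a PEP proxy performs before it lets the request above reach an unsecured resource provider, as an added Python example; it is not the FI-WARE PEP Proxy's own code. The raw request is the one on the slide; the token store standing in for Account's `GET /user?access_token=...` lookup, the token values, the expiry field and the X-User-Id / X-Roles forwarding headers are constructed assumptions. The proxy answers 401 when the header is missing, uses another scheme, carries a token Account does not know or one that has expired, and it strips the client's token before forwarding so the backend only ever sees the identity the proxy verified.

```python
"""PEP-style enforcement in front of an unsecured resource provider."""
from datetime import datetime, timezone


def parse_request(raw):
    """Parse a raw HTTP/1.1 request head (as shown on the slide) into method, target and headers."""
    head = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        if not line.strip():
            break                                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def extract_bearer(headers):
    """Token from `Authorization: Bearer <token>`; None if absent, another scheme, or malformed."""
    value = headers.get("authorization", "")
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


def pep_handle(raw_request, validate_token, forward, now=None):
    """Deny with 401 unless Account vouches for the token; otherwise forward with identity headers.

    validate_token(token) stands in for the slide's `GET /user?access_token=...` call and returns
    the user record (with an ISO 8601 'expires' field, an assumption here) or None.
    forward(request, user) is the call to the unsecured backend.
    """
    now = now or datetime.now(timezone.utc)
    request = parse_request(raw_request)
    token = extract_bearer(request["headers"])
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="pep"'}, ""
    user = validate_token(token)
    if user is None or datetime.fromisoformat(user["expires"]) <= now:
        return 401, {"WWW-Authenticate": 'Bearer realm="pep", error="invalid_token"'}, ""
    # Never pass the client's token on; hand the backend the verified identity instead.
    # X-User-Id / X-Roles are header names assumed for this example.
    fwd_headers = {k: v for k, v in request["headers"].items() if k != "authorization"}
    fwd_headers["x-user-id"] = user["id"]
    fwd_headers["x-roles"] = ",".join(user.get("roles", []))
    return forward({**request, "headers": fwd_headers}, user)


# Constructed token store standing in for Account's /user endpoint (not real tokens).
ACCOUNT_TOKENS = {
    "tok-valid": {"id": "alice", "roles": ["Provider"], "expires": "2030-01-01T00:00:00+00:00"},
    "tok-expired": {"id": "bob", "roles": [], "expires": "2014-01-01T00:00:00+00:00"},
}


def account_validate(token):
    """Lookup in the constructed store; None means Account does not know the token."""
    return ACCOUNT_TOKENS.get(token)


def backend(request, user):
    """Unsecured resource provider: trusts only the identity headers set by the proxy."""
    body = '{"hello": "%s"}' % request["headers"]["x-user-id"]
    return 200, {"Content-Type": "application/json"}, body


# The request from the slide, with a constructed token value.
SAMPLE = ("GET https://protected_url HTTP/1.1\r\n"
          "Host: GE_hostname\r\n"
          "Authorization: Bearer tok-valid\r\n\r\n")

if __name__ == "__main__":
    print(pep_handle(SAMPLE, account_validate, backend))
```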
22. Using the Access Token: Cloud Hosting I
Diagram (OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com; Keystone Proxy: cloud.lab.fi-ware.org). The consumer retrieves the list of organizations and then presents its access token, scoped to one organization, to the Keystone Proxy:
POST http://cloud.lab.fi-ware.eu:4730/v2.0/tokens
{
  "auth": {
    "tenantID": "ORG_ID",
    "token": {
      "id": "access_token"
    }
  }
}
The Keystone Proxy checks the access token with Account using:
GET /user?access_token=access_token
23. Using the Access Token: Cloud Hosting II
Diagram: the OAuth consumer myservice.com accesses each cloud GE using the Scoped Token:
• PaaS GE: pegasus.lab.fi-ware.org
• DCRM GE: cloud.lab.fi-ware.org
• SDC GE: saggita.lab.fi-ware.org
• Object Storage GE: 130.206.82.9
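The consumer's handling of the scoped-token step on slides 22 and 23, as an added Python example that is not code from the slides or from the FI-WARE cloud GEs. The request body is the one printed on slide 22. The response is a constructed Keystone v2.0-style token reply (`access.token` with `id`, `expires` and `tenant`, plus a `serviceCatalog`), with the hostnames from slide 23 and made-up service types, regions and paths; the consumer refuses a token scoped to a tenant it did not ask for, refuses an expired one, and resolves each GE's endpoint from the catalog instead of hard-coding it.

```python
"""Scoped token exchange at the Keystone Proxy and endpoint lookup from the service catalog."""
import json
from datetime import datetime, timezone


def scoped_token_request(org_id, access_token):
    """Body of POST /v2.0/tokens exactly as on the slide: scope the OAuth access token to one organization."""
    return {"auth": {"tenantID": org_id, "token": {"id": access_token}}}


def parse_scoped_token(body, expected_org, now=None):
    """Read a Keystone v2.0 token response; reject a token scoped elsewhere or already expired."""
    now = now or datetime.now(timezone.utc)
    access = json.loads(body)["access"]
    token = access["token"]
    if token.get("tenant", {}).get("id") != expected_org:
        raise ValueError("token scoped to an unexpected tenant")
    if datetime.fromisoformat(token["expires"]) <= now:
        raise ValueError("scoped token already expired")
    return token["id"], access.get("serviceCatalog", [])


def endpoint_for(catalog, service_type, region=None):
    """Public URL for a service type (and region, when given) taken from the catalog."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if region is None or ep.get("region") == region:
                return ep["publicURL"]
    raise LookupError(f"no endpoint for {service_type!r}")


def scoped_headers(scoped_token):
    """Cloud GEs are called with the scoped token in the OpenStack-style X-Auth-Token header."""
    return {"X-Auth-Token": scoped_token}


# Constructed response: hostnames from the slide, everything else (types, regions, paths) made up.
SAMPLE_RESPONSE = json.dumps({"access": {
    "token": {"id": "scoped-123", "expires": "2030-01-01T00:00:00+00:00",
              "tenant": {"id": "ORG_ID", "name": "my-org"}},
    "serviceCatalog": [
        {"type": "compute", "name": "DCRM",
         "endpoints": [{"region": "Spain", "publicURL": "https://cloud.lab.fi-ware.org/v2/ORG_ID"}]},
        {"type": "paas", "name": "PaaS",
         "endpoints": [{"region": "Spain", "publicURL": "https://pegasus.lab.fi-ware.org/PLACEHOLDER"}]},
        {"type": "object-store", "name": "Object Storage",
         "endpoints": [{"region": "Spain", "publicURL": "https://130.206.82.9/v1/AUTH_ORG_ID"}]},
    ]}})


def demo():
    """Build the slide's request, consume the constructed reply, and pick the DCRM endpoint."""
    body = scoped_token_request("ORG_ID", "access_token")
    token_id, catalog = parse_scoped_token(SAMPLE_RESPONSE, "ORG_ID")
    return body, token_id, endpoint_for(catalog, "compute", "Spain"), scoped_headers(token_id)


if __name__ == "__main__":
    print(demo())
```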