FIWARE Security Components
(IdM & AC)
Fernando López
FIWARE Cloud and Platform Senior Expert
fernando.lopez@fiware.org
@flopezaguilar
Identity Manager
2
Identity Manager
3
Account
OAuth 2.0
4
Login with
OAuth 2.0
5
OAuth 2.0 Message Flow
6
[Diagram: the Web App (IP e.f.g.h, using an OAuth library) redirects the browser to the IdM Account server (IP a.b.c.d); the IdM returns an access-code, the Web App uses it to request an access-token, receives the access-token, and then requests the user info using the access-token.]
OAuth 2.0 libraries
7
• http://oauth.net/2/
– PHP, Cocoa, iOS, Java, Ruby, Javascript, Python.
• Example using Node.js
– https://github.com/ging/oauth2-example-client
Previous steps with IdM portal
1) Create User
8
Previous steps with IdM portal
2) Add an application with roles
9
Previous steps with IdM portal
2) Add an application with roles
10
Previous steps with IdM portal
2) Add an application with roles
11
Previous steps with IdM portal
2) Add an application with roles
12
1) Redirect
13
The first time, the browser has to be redirected to the IdM web site so that the user can authorize access for the new application:
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2
1) Redirect
14
2) Access code
15
After clicking the “Accept” button, the browser is redirected to a page of our application:
http://e.f.g.h/login?code=gW6mpb4Ncfa22YHEf7g6RLqIUyWP_Xwl3IWmr2QgtXoPZmGDb_ZJud1qfoY2m1CCZAhndKtYpmZAKQAUBBZIdg
This is the callback URL specified when the application was registered: the IdM builds it from the URL plus the Callback URL given in the application registration (slide 12).
We take the “code” value, which is used in the next step of the authentication process.
3) Request Access token
16
To request an access token (without the application having to know the user's credentials):
curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d 'grant_type=password&username=b.rcs@tid.es&password=supersecret'
(The -d value is quoted so that the shell does not interpret the & separators.)
Where the Authorization header value is obtained from:
Base64(Client_ID:Client_Secret)
built from the application credentials (see slide 12).
4) Access token
17
The previous request will return the following information:
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token": "RzE6PnLq6WfAD3okMuO5AwNUiSWbKbeyE6kMcQ3sX2Dk8no-Fqu8VEzAFcmFAPjUnZzHFEj-VSo6CTSniT5gxw",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}
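The four steps above (redirect, callback carrying the code, token request with the Basic header, token response) as a small set of client-side helpers; this is an added Python example, not code from the slides or from the FIWARE oauth2-example-client. It assumes the IdM accepts the standard authorization_code grant for the code obtained in step 2 (the slide's curl shows the password grant with the same headers) and that it echoes back the OAuth 2.0 `state` parameter, which the slides do not show; a.b.c.d and e.f.g.h are the slides' placeholder hosts.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder hosts taken from the slides (a.b.c.d = IdM, e.f.g.h = our application).
IDM = "https://a.b.c.d"
CALLBACK = "http://e.f.g.h/login"   # callback URL registered for the application (slide 12)


def authorize_url(client_id, state):
    """Step 1 (slide 13): the URL the browser is sent to. `state` is not on the slides;
    it is the standard OAuth 2.0 parameter the IdM echoes back, so the app redeems
    only codes it asked for itself (checked in parse_callback)."""
    query = {"response_type": "code", "client_id": client_id, "state": state}
    return f"{IDM}/oauth2/authorize?{urlencode(query)}"


def parse_callback(url, expected_state):
    """Step 2 (slide 15): pull the code out of the redirect back to our callback URL,
    refusing it when it lands on another URL or carries the wrong state."""
    parsed = urlparse(url)
    landing = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if landing != CALLBACK:
        raise ValueError(f"code delivered to unexpected URL {landing}")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the authorization we started")
    return query["code"][0]


def basic_auth_header(client_id, client_secret):
    """Slide 16: Authorization: Basic Base64(Client_ID:Client_Secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(client_id, client_secret, code):
    """Step 3: the request that exchanges the code for a token (authorization_code
    grant, assumed; the slide's curl shows grant_type=password with the same headers).
    Returns (url, headers, body) for whatever HTTP client the application uses."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": basic_auth_header(client_id, client_secret)}
    body = urlencode({"grant_type": "authorization_code", "code": code})
    return f"{IDM}/oauth2/token", headers, body


def parse_token_response(status, text, now):
    """Step 4 (slide 17): returns (access_token, expires_at, refresh_token), where
    expires_at is `now` plus expires_in seconds, so the app can refresh in time."""
    if status != 200:
        raise RuntimeError(f"token endpoint answered HTTP {status}")
    doc = json.loads(text)
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {doc.get('token_type')!r}")
    return doc["access_token"], now + int(doc["expires_in"]), doc.get("refresh_token")
```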
Securing your backend
18
• Level 1: Authentication
– Check if a user has a FIWARE account
• Level 2: Basic Authorization
– Check if a user has permissions to access a resource
– HTTP verb + resource path
• Level 3: Advanced Authorization
– Custom XACML policies
Level 1: Authentication
19
[Diagram: the Web App (with its OAuth library) obtains an access-token from the IdM through the OAuth2 flows (step 4) and sends the request plus the access-token to the Backend Apps (step 5); the backend passes the access-token to the IdM (step 6) and receives OK + user info (roles) (step 7).]
Level 1: Authentication
20
[Diagram: the same flow with a Proxy in front of the Backend Apps: the Web App obtains the access-token through the OAuth2 flows (step 4) and sends the request plus the access-token to the Proxy (step 5); the Proxy passes the access-token to the IdM (step 6), receives OK + user info (roles) (step 7) and forwards the request to the backend.]
Level 1: Authentication
Request + access token (step 5)
21
The request from the web application to the backend and GEs would look like:
GET https://{backend-apps-url} HTTP/1.1
Host: {backend-apps-hostname}
X-Auth-Token: {access-token}
The request should include the X-Auth-Token header with the exact access token received at the previous step 4 (see slide 17):
3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Level 1: Authentication
Validate X-Auth-Token (step 6)
22
As a prerequisite, if we do not already have one, a new admin token must be issued (it expires in 24 h) in order to request the validation of the auth token:
curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens
KEEP IN MIND that this uses fixed password credentials for the FIWARE Proxy to generate the admin token; in the future a registry of users and passwords will be maintained.
Level 1: Authentication
Validate X-Auth-Token (step 6)
23
Previous call will return the following message:
{
"access": {
"token": {
"expires": "2015-07-09T15:16:07Z",
"id": "5b2177e7e1e6592cb7ea168ce9c0e87f"
},
"user": {
"id": "pepProxy",
"name": "pepProxy",
"roles_links": [],
"username": "pepProxy"
}
}
}
Level 1: Authentication
Validate X-Auth-Token (step 6)
24
Assuming that you have a valid admin token (see slides 22 & 23, and remember it is valid for 24 hours only), we can validate the access token included in the request (step 5):
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Please note that the X-Auth-Token header in this request is the admin token, while the access token being validated is part of the resource path in the URL.
This could return the following status codes if something is wrong:
• 404 → access token not valid
• 401 → X-Auth-Token not valid (unauthorized)
• 403 → X-Auth-Token not valid (expired)
Level 1: Authentication
Validate X-Auth-Token (step 6)
25
If there is no error, it returns:
{
  "actorId": 1,
  "displayName": "prueba",
  "email": "b.rcs@tid.es",
  "id": 1,
  "nickName": "prueba",
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        {
          "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
          "name": "Member"
        }
      ]
    }
  ],
  "roles": [
    {
      "id": 5,
      "name": "Provider"
    }
  ]
}
Here you can see the roles associated with the organization (the roles nested under organizations, highlighted in red on the slide) and the roles associated with the application (the top-level roles, highlighted in blue).
Level 2: Basic Authorization
27
[Diagram: the Web App (with its OAuth library) obtains the access-token through the OAuth2 flows and sends the request plus the access-token to the Proxy in front of the Backend Apps; the Proxy sends the access-token + verb + path to the IdM / Access Control GE (step 6) and receives OK + user info (step 7).]
Level 2: Basic Authorization
Access token + verb + path (step 6)
28
In this case you should call the API with the following information:
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" -H "Content-Type:application/json" -H "x-auth-resource:path" -H "x-auth-action:verb" http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Where:
• path is the URL of the resource to be accessed (e.g. /resource1/item2)
• verb is the HTTP verb of the request (GET, PUT, POST, DELETE)
• X-Auth-Token is the admin token from slides 22 & 23 (FIWARE Proxy token)
• As before, the request URL includes the access-token being validated
Level 2: Basic Authorization
OK + user info (step 7)
29
It returns:
• 401 Unauthorized if the check fails.
• 200 OK if all went well, with the following user information:
{
  "actorId": 1,
  "displayName": "prueba",
  "email": "b.rcs@tid.es",
  "id": 1,
  "nickName": "prueba",
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        {
          "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
          "name": "Member"
        }
      ]
    }
  ],
  "roles": [
    {
      "id": 5,
      "name": "Provider"
    }
  ]
}
Here you can see the roles associated with the organization (the roles nested under organizations, highlighted in red on the slide) and the roles associated with the application (the top-level roles, highlighted in blue).
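The Level 1 validation (slides 22 to 26) and the Level 2 check (slides 28 to 30) share the same admin-token handling, so here is one added Python example that covers both; it is not FIWARE PEP Proxy code. It uses only the URLs, headers and status codes shown on those slides, takes the HTTP transport as a parameter, and ships a constructed FakeIdM (with a constructed permission table) so that it runs offline.

```python
import json
from urllib.parse import quote, unquote

# Placeholder IdM endpoints from the slides (a.b.c.d is not a real address).
IDM_TOKENS = "http://a.b.c.d:4730/v2.0/tokens"           # admin token, slide 22
IDM_VALIDATE = "http://a.b.c.d:4731/v2.0/access-tokens"  # slides 24 (Level 1) and 28 (Level 2)


class Pep:
    """PEP-style checker. `http` is any callable (method, url, headers, body) -> (status,
    body_text): a real HTTP client in production, the FakeIdM below when run offline."""

    def __init__(self, http, proxy_user, proxy_password):
        self.http, self.proxy_user, self.proxy_password = http, proxy_user, proxy_password
        self.admin_token = None   # issued lazily; re-issued when the IdM rejects it

    def issue_admin_token(self):
        # Slide 22: POST the proxy's password credentials and keep the token id.
        body = json.dumps({"auth": {"passwordCredentials": {
            "username": self.proxy_user, "password": self.proxy_password}}})
        status, text = self.http("POST", IDM_TOKENS, {"Content-type": "application/json"}, body)
        if status != 200:
            raise RuntimeError(f"admin token request failed: HTTP {status}")
        self.admin_token = json.loads(text)["access"]["token"]["id"]

    def _validate(self, access_token, path, verb):
        if self.admin_token is None:
            self.issue_admin_token()
        headers = {"X-Auth-Token": self.admin_token}   # the admin token, never the user's
        token_part = quote(access_token, safe="")       # the user's token goes in the path
        if path is None:                                # Level 1: authentication only
            url = f"{IDM_VALIDATE}/{token_part}"
        else:                                           # Level 2: verb + path as well
            url = f"{IDM_VALIDATE}/authREST/{token_part}"
            headers.update({"Content-Type": "application/json",
                            "x-auth-resource": path, "x-auth-action": verb})
        return self.http("GET", url, headers, None)

    def check(self, access_token, path=None, verb=None):
        """Returns ("allow", user_info) or ("deny", reason)."""
        status, text = self._validate(access_token, path, verb)
        if status in (401, 403):
            # Slide 24: 401/403 mean the admin token is unauthorized/expired (24 h),
            # not that the user failed. Re-issue it once and retry; a second 401 is
            # then a real refusal (slide 29 lists 401 for a failed Level 2 check).
            self.issue_admin_token()
            status, text = self._validate(access_token, path, verb)
        if status == 200:
            return "allow", json.loads(text)
        return "deny", ("access token not valid" if status == 404 else f"IdM answered HTTP {status}")


def role_names(user_info):
    """Flatten application roles and organization roles (slides 25/26)."""
    names = {r["name"] for r in user_info.get("roles", [])}
    for org in user_info.get("organizations", []):
        names.update(r["name"] for r in org.get("roles", []))
    return names


# Constructed offline stand-in for the IdM; token and user document copied from the slides.
USER_TOKEN = "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA"
USER_INFO = {"actorId": 1, "displayName": "prueba", "email": "b.rcs@tid.es", "id": 1,
             "nickName": "prueba", "roles": [{"id": 5, "name": "Provider"}],
             "organizations": [{"id": 1, "name": "prueba", "roles": [
                 {"id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member"}]}]}
PERMITTED = {("/resource1/item2", "GET")}   # constructed Level 2 permission table


class FakeIdM:
    def __init__(self):
        self.issued, self.current = 0, None

    def __call__(self, method, url, headers, body):
        if url == IDM_TOKENS:                             # slide 22/23 admin-token endpoint
            self.issued += 1
            self.current = f"admin-token-{self.issued}"   # constructed token id
            return 200, json.dumps({"access": {"token": {"id": self.current}}})
        if headers.get("X-Auth-Token") != self.current:
            return 403, ""                                # stale or unknown admin token
        if unquote(url.rsplit("/", 1)[1]) != USER_TOKEN:
            return 404, ""                                # unknown access token
        if "/authREST/" in url and (headers["x-auth-resource"],
                                    headers["x-auth-action"]) not in PERMITTED:
            return 401, ""                                # Level 2 refusal
        return 200, json.dumps(USER_INFO)


def demo():
    idm = FakeIdM()
    pep = Pep(idm, "pepProxy", "pepProxy")
    results = {"level1": pep.check(USER_TOKEN)[0],
               "level1_bad_token": pep.check("not-a-token")[0],
               "level2_get": pep.check(USER_TOKEN, "/resource1/item2", "GET")[0],
               "level2_delete": pep.check(USER_TOKEN, "/resource1/item2", "DELETE")[0],
               "roles": sorted(role_names(pep.check(USER_TOKEN)[1]))}
    pep.admin_token = "expired"           # simulate the 24 h admin-token expiry
    results["after_expiry"] = pep.check(USER_TOKEN)[0]
    results["admin_tokens_issued"] = idm.issued
    return results
```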
Level 3: Advanced Authorization
31
[Diagram: the Web App (with its OAuth library) obtains the access-token through the OAuth2 flows and sends the request plus the access-token to the Proxy extension in front of the Backend Apps; the Proxy extension sends the access-token + verb + path to the IdM / Access Control GE (step 6), where the custom XACML policies are evaluated, and receives OK + user info.]
Policies creation in IdM
1) Edit application properties
32
Policies creation in IdM
2) Create a new role
33
Policies creation in IdM
3) Add a new permission
34
Policies creation in IdM
4) Change to advanced mode
35
Policies creation in IdM
5) Fill in the rule field
36
Policies creation in IdM
Sample XACML rule content
37
Permissions in XACML format may include one or more resources and one or more actions, e.g.:
<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>
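An added Python example (not from the slides or the IdM) that generates a rule in exactly this shape for several paths and verbs, and evaluates a (path, verb) request against it using the XACML target semantics, so a permission can be checked before it is pasted into the rule field. It understands only the string-equal match shown on the slide; any other MatchId is treated as not matching.

```python
import xml.etree.ElementTree as ET

XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def build_rule(rule_id, paths, verbs, description="Rule: Permission example"):
    """Emit a Permit rule in the slide's shape: one <Resource> per path and one
    <Action> per verb, so a single permission covers several resources and actions."""
    rule = ET.Element("Rule", RuleId=rule_id, Effect="Permit")
    ET.SubElement(rule, "Description").text = description
    target = ET.SubElement(rule, "Target")
    resources = ET.SubElement(target, "Resources")
    for path in paths:
        match = ET.SubElement(ET.SubElement(resources, "Resource"),
                              "ResourceMatch", MatchId=STRING_EQUAL)
        ET.SubElement(match, "AttributeValue", DataType=XSD_STRING).text = path
        ET.SubElement(match, "ResourceAttributeDesignator",
                      AttributeId=RESOURCE_ID, DataType=XSD_STRING)
    actions = ET.SubElement(target, "Actions")
    for verb in verbs:
        match = ET.SubElement(ET.SubElement(actions, "Action"),
                              "ActionMatch", MatchId=STRING_EQUAL)
        ET.SubElement(match, "AttributeValue", DataType=XSD_STRING).text = verb
        ET.SubElement(match, "ActionAttributeDesignator",
                      AttributeId=ACTION_ID, DataType=XSD_STRING)
    return ET.tostring(rule, encoding="unicode")


def _alternatives(section, item_tag, match_tag):
    """One list per <Resource>/<Action>: the (MatchId, literal) pairs it contains."""
    return [[(m.get("MatchId"), m.findtext("AttributeValue")) for m in item.findall(match_tag)]
            for item in section.findall(item_tag)]


def _section_matches(alternatives, value):
    # XACML target semantics: <Resource>/<Action> elements are OR-ed, the *Match
    # elements inside one of them are AND-ed, and an absent section matches anything.
    if not alternatives:
        return True
    return any(conj and all(mid == STRING_EQUAL and want == value for mid, want in conj)
               for conj in alternatives)


def evaluate(rule_xml, path, verb):
    """Apply one rule to a (path, verb) request: the rule's Effect when its Target
    matches, otherwise "NotApplicable" (which a PEP treats as deny)."""
    rule = ET.fromstring(rule_xml)
    target = rule.find("Target")
    res, act = target.find("Resources"), target.find("Actions")
    res_alts = _alternatives(res, "Resource", "ResourceMatch") if res is not None else []
    act_alts = _alternatives(act, "Action", "ActionMatch") if act is not None else []
    if _section_matches(res_alts, path) and _section_matches(act_alts, verb):
        return rule.get("Effect")
    return "NotApplicable"
```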
Documentation
39
• FIWARE IdM:
– Source Code: https://github.com/ging/fi-ware-idm
– Documentation: https://github.com/ging/fi-ware-idm/wiki
• FIWARE Access Control:
– http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
• FIWARE OAuth2 Demo:
– https://github.com/ging/oauth2-example-client
• FIWARE Proxy:
– https://github.com/ging/fi-ware-pep-proxy
40
fiware-tech-help@lists.fiware.org
fiware-lab-help@lists.fiware.org
42
http://fiware.org
Follow @FIWARE on Twitter
Thank you!
