IdM and AC

Information about IdM and AC
Technology

Published on October 16, 2014

Author: flopezaguilar

Source: slideshare.net

Description

Detailed flow description about the use of the IdM and AC in the FIWARE Lab.

1. Adding Identity Management and Access Control to your Application
   Fernando López, Pablo Rodríguez (TID) // Álvaro Alonso (UPM – DIT)
   Security Chapter, FIWARE
   fernando.lopezaguilar@telefonica.com, @flopezaguilar
   pablo.rodriguezarchilla@telefonica.com
   aalonsog@dit.upm.es, @larsonalonso

2. Identity Management: An example

3. Account Identity Management: FIWARE

4. OAuth 2.0 for Identity Management: Examples…

5. OAuth 2.0 for Identity Management: … and FIWARE too! (IdM: Login with)

6. OAuth 2.0 Messages flow
   Web App (IP: e.f.g.h, with OAuth Library) <-> IdM (IP: a.b.c.d)
   1) redirect
   2) access-code
   3) request access-token
   4) access-token
   Finally: request user info using the access-token

7. OAuth 2.0 Client libraries for your application
   • http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python
   • Example using Node.js – https://github.com/ging/oauth2-example-client

8. Preliminary steps with IdM at FIWARE Account Portal: Add an application

9. Preliminary steps with IdM at FIWARE Account Portal: Set/create roles and permissions for the application

10. Preliminary steps with IdM at FIWARE Account Portal: Add new permissions if needed

11. Preliminary steps with IdM at FIWARE Account Portal: Result: OAuth credentials for the application

12. OAuth 2.0 messages flow: 1) Redirect
   First, we have to redirect the user to the IdM web site in order to log in and authorize the access to the new application (identified by its client_id):

   https://a.b.c.d/oauth2/authorize?response_type=code&client_id=9

13. OAuth 2.0 messages flow: 1) Redirect (IdM login and authorization screen)

14. OAuth 2.0 messages flow: 2) Access code
   After entering user/password to log in and clicking the "Accept" button (needed only once), the browser redirects us back to the web page of our application:

   http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg

   The IdM uses the callback URL specified when the application was registered (Cloud Portal, in this example). We get the "code" value, which will be used in order to authenticate the user.

15. OAuth 2.0 messages flow: 3) Request access token
   In order to request an access-token, without knowing the credentials of the user:

   curl -v --insecure -X POST https://a.b.c.d/oauth2/token \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" \
     -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"

   Where:
   • Authorization is calculated as Base64(Client_ID:Client_Secret) from the application credentials (see slide 11)
   • code is the access-code obtained in the former step
   • redirect_uri is the callback URL the access-code was sent to (see previous slide)

16. OAuth 2.0 messages flow: 4) Access token
   The previous request will return the following information:

   HTTP/1.1 200 OK
   Content-Type: application/json

   {
     "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
     "expires_in": 2591999,
     "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
     "token_type": "bearer"
   }
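Steps 1 to 4 of this flow, assembled as plain request data in Python so that the Authorization header and the form body can be inspected before anything is sent (an added example, not code from the slides or from the FIWARE projects; the host names, client secret and code values are constructed placeholders):

```python
# Added example (not from the slides): the OAuth 2.0 authorization-code
# exchange of slides 12-16 built as plain HTTP request data, so header and
# body can be checked without a network. Host names, client secret and the
# code value below are constructed placeholders.
import base64
import json
from urllib.parse import urlencode, urlsplit, parse_qs

IDM_BASE = "https://idm.example.test"           # placeholder for https://a.b.c.d
REDIRECT_URI = "http://app.example.test/login"  # placeholder for http://e.f.g.h/login


def authorize_url(client_id):
    """Step 1: URL the browser is sent to; only client_id travels, never the secret."""
    return IDM_BASE + "/oauth2/authorize?" + urlencode(
        {"response_type": "code", "client_id": client_id})


def code_from_callback(callback_url):
    """Step 2: pull the one-time access code out of the callback redirect (?code=...)."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "code" not in qs:
        raise ValueError("callback carries no code parameter")
    return qs["code"][0]


def token_request(client_id, client_secret, code):
    """Step 3: the POST /oauth2/token request as (url, headers, body); the client
    authenticates with Basic Base64(client_id:client_secret) as on slide 15, and
    redirect_uri must equal the callback the code was delivered to."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": "Basic " + basic}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": REDIRECT_URI})
    return IDM_BASE + "/oauth2/token", headers, body


def parse_token_response(body, now):
    """Step 4: keep the bearer token together with its absolute expiry time."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "expires_at": now + int(data["expires_in"])}
```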

17. Securing your backend
   • Level 1: Authentication – Check if a user has a FIWARE account
   • Level 2: Basic Authorization – Check if a user has permissions to access a resource (HTTP verb + resource path)
   • Level 3: Advanced Authorization – Custom XACML policies

18. Level 1: Authentication (message flow)
   Web App (OAuth Library) <-> IdM: OAuth2 flows, 4) access-token
   5) Request + access-token: Web App -> Backend Apps
   6) access-token: Backend Apps -> IdM
   7) OK + user info (roles): IdM -> Backend Apps

19. Level 1: Authentication (message flow with Proxy)
   Web App (OAuth Library) <-> IdM: OAuth2 flows, 4) access-token
   5) Request + access-token: Web App -> Proxy (in front of Backend Apps)
   6) access-token: Proxy -> IdM
   7) OK + user info (roles): IdM -> Proxy

20. Level 1: Authentication: Request + access token (step 5)
   • The request from the web application to the backend and GEs would look like:

     GET https://{backend-apps-url} HTTP/1.1
     Host: {backend-apps-hostname}
     X-Auth-Token: {access-token}

   The request should include the X-Auth-Token header with the exact access token received at the previous step 4 (see slide 16): 3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

21. Level 1: Authentication: Validate X-Auth-Token (step 6)
   As a prerequisite, if we do not have one, a new admin token must be issued (expires in 24h) in order to request the validation of the auth token:

   curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens

   KEEP IN MIND this uses fixed password credentials for the FIWARE Proxy to generate the admin token, but in the future a registry of users and passwords will be maintained.

22. Level 1: Authentication: Validate X-Auth-Token (step 6)
   The previous call will return the following message:

   {
     "access": {
       "token": {
         "expires": "2015-07-09T15:16:07Z",
         "id": "5b2177e7e1e6592cb7ea168ce9c0e87f"
       },
       "user": {
         "id": "pepProxy",
         "name": "pepProxy",
         "roles_links": [],
         "username": "pepProxy"
       }
     }
   }

23. Level 1: Authentication: Validate X-Auth-Token (step 6)
   Assuming that you have a valid admin token (see slides 21 & 22, and remember it is valid for 24 hours only), we can validate the access token included in the request (step 5):

   curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

   Please note the X-Auth-Token header in this request is the admin token, while the access-token being validated is part of the resource path in the URL. This could return the following status codes if something is wrong:
   • 404 → Access_token not valid
   • 401 → X-Auth-Token not valid (unauthorized)
   • 403 → X-Auth-Token not valid (expired)

24-25. Level 1: Authentication: Validate X-Auth-Token (step 6)
   If there is no error, it returns:

   {
     "actorId": 1,
     "displayName": "prueba",
     "email": "b.rcs@tid.es",
     "id": 1,
     "nickName": "prueba",
     "organizations": [
       {
         "id": 1,
         "name": "prueba",
         "roles": [
           {
             "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
             "name": "Member"
           }
         ]
       }
     ],
     "roles": [
       {
         "id": 5,
         "name": "Provider"
       }
     ]
   }

   Here you can see the roles associated to the organization (the "roles" nested under each entry of "organizations", highlighted in red on the slide) and the roles associated to the application (the top-level "roles", in blue).

26. Level 2: Basic Authorization (message flow)
   Web App (OAuth Library) <-> IdM: OAuth2 flows, access-token
   Request + access-token: Web App -> Proxy (in front of Backend Apps)
   6) access-token + verb + path: Proxy -> IdM / AC GE
   7) OK + user info: back to the Proxy

27. Level 2: Basic Authorization: Access token + verb + path (step 6)
   In this case you should call the API with the following information:

   curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" -H "Content-Type:application/json" -H "x-auth-resource:path" -H "x-auth-action:verb" http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

   Where:
   • path is the URL of the resource to be accessed, e.g.: /resource1/item2
   • verb is the HTTP verb associated to the request (GET, PUT, POST, DELETE)
   • X-Auth-Token is the admin token from slides 21 & 22 (FIWARE Proxy token)
   • As before, the request URL includes the access-token being validated

28-29. Level 2: Basic Authorization: OK + user info (step 7)
   It returns:
   • 401: HTTP 401 Unauthorized.
   • 200 OK if all was OK, with the following user information:

   {
     "actorId": 1,
     "displayName": "prueba",
     "email": "b.rcs@tid.es",
     "id": 1,
     "nickName": "prueba",
     "organizations": [
       {
         "id": 1,
         "name": "prueba",
         "roles": [
           {
             "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
             "name": "Member"
           }
         ]
       }
     ],
     "roles": [
       {
         "id": 5,
         "name": "Provider"
       }
     ]
   }

   Here you can see the roles associated to the organization (the "roles" nested under each entry of "organizations", highlighted in red on the slide) and the roles associated to the application (the top-level "roles", in blue).
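The Level 1 check (slide 23) and the Level 2 authREST check (slide 27), together with the status-code handling and the organization/application role split of slides 24-25 and 28-29, as an added Python example that is not part of the slides or of the FIWARE PEP proxy code; the IdM host, the token values and the send() transport are constructed stand-ins so that it runs offline.

```python
# Added example (not from the slides): Level 1 / Level 2 token checks a proxy
# makes against the IdM (slides 21-29), with an injectable send() so the logic
# runs against a constructed fake IdM. Host and token values are placeholders.
import json

IDM = "http://idm.example.test:4731"   # placeholder for http://a.b.c.d:4731


def validate(send, admin_token, access_token, verb=None, path=None):
    """Level 1 (no verb/path, slide 23) or Level 2 (authREST, slide 27); returns (decision, roles)."""
    headers = {"X-Auth-Token": admin_token}        # the admin token, never the user's
    if verb and path:
        url = f"{IDM}/v2.0/access-tokens/authREST/{access_token}"
        headers.update({"x-auth-resource": path, "x-auth-action": verb})
    else:
        url = f"{IDM}/v2.0/access-tokens/{access_token}"
    status, body = send("GET", url, headers)       # user token travels only in the URL path
    if status == 200:
        return "ok", roles_from_user_info(json.loads(body))
    if status == 404:                              # slide 23: access token not valid
        return "bad-access-token", None
    if status == 403:                              # slide 23: admin token expired (24h)
        return "admin-token-expired", None
    if status == 401:                              # admin token rejected, or no permission
        return "unauthorized", None
    return "denied", None                          # anything unexpected fails closed


def roles_from_user_info(info):
    """Split the slide 24-25 user info into organization roles and application roles."""
    orgs = {o["name"]: [r["name"] for r in o.get("roles", [])]
            for o in info.get("organizations", [])}
    return {"organization": orgs,
            "application": [r["name"] for r in info.get("roles", [])]}


# Constructed fake IdM (stands in for a.b.c.d:4731): one admin token, one user token.
USER_INFO = json.dumps({"actorId": 1, "displayName": "prueba",
                        "organizations": [{"id": 1, "name": "prueba",
                                           "roles": [{"id": "8db8", "name": "Member"}]}],
                        "roles": [{"id": 5, "name": "Provider"}]})


def fake_idm(method, url, headers):
    if headers.get("X-Auth-Token") != "admin-ok":
        return 401, ""
    if not url.endswith("/user-token-ok"):
        return 404, ""
    if headers.get("x-auth-action") not in (None, "GET"):
        return 401, ""                             # permission granted only for GET
    return 200, USER_INFO
```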

30. Level 3: Advanced Authorization (message flow)
   Web App (OAuth Library) <-> IdM: OAuth2 flows, access-token
   Request + access-token: Web App -> Proxy extension (in front of Backend Apps)
   access-token: Proxy extension -> AC GE, evaluated against the XACML policy
   OK + user info: back to the Proxy extension

31. Policies creation in IdM: 1) Edit application properties

32. Policies creation in IdM: 2) Create a new role

33. Policies creation in IdM: 3) Add a new permission

34. Policies creation in IdM: 4) Change to advanced mode

35. Policies creation in IdM: 5) Fill in the rule field

36-37. Policies creation in IdM: Sample XACML rule content
   Permissions in XACML format may include 1 or more resources and 1 or several actions, e.g.:

   <Rule RuleId="PR:Manage" Effect="Permit">
     <Description>Rule: Permission example</Description>
     <Target>
       <Resources>
         <Resource>
           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
             <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
           </ResourceMatch>
         </Resource>
       </Resources>
       <Actions>
         <Action>
           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
             <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
           </ActionMatch>
         </Action>
       </Actions>
     </Target>
   </Rule>
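Generating this rule for several paths and verbs and then evaluating a request against it, as an added Python example not taken from the slides or from the FIWARE Access Control GE; it uses the XACML identifiers shown above with constructed paths and verbs, and implements only the exact string-equal matching of this Target (no wildcards, no trailing-slash tolerance).

```python
# Added example (not from the slides): build the Permit rule of slides 36-37
# for one or more resource paths and one or more HTTP verbs, then evaluate a
# (path, verb) pair against it the way a string-equal Target match does.
# Paths and verbs are constructed; the URNs are the ones on the slides.
import xml.etree.ElementTree as ET

STR_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def build_rule(rule_id, paths, verbs):
    """Return the <Rule> XML string: one <Resource> per path, one <Action> per verb."""
    rule = ET.Element("Rule", RuleId=rule_id, Effect="Permit")
    ET.SubElement(rule, "Description").text = "Rule: Permission example"
    target = ET.SubElement(rule, "Target")
    resources = ET.SubElement(target, "Resources")
    for path in paths:
        m = ET.SubElement(ET.SubElement(resources, "Resource"), "ResourceMatch", MatchId=STR_EQ)
        ET.SubElement(m, "AttributeValue", DataType=XS_STRING).text = path
        ET.SubElement(m, "ResourceAttributeDesignator", AttributeId=RESOURCE_ID, DataType=XS_STRING)
    actions = ET.SubElement(target, "Actions")
    for verb in verbs:
        m = ET.SubElement(ET.SubElement(actions, "Action"), "ActionMatch", MatchId=STR_EQ)
        ET.SubElement(m, "AttributeValue", DataType=XS_STRING).text = verb
        ET.SubElement(m, "ActionAttributeDesignator", AttributeId=ACTION_ID, DataType=XS_STRING)
    return ET.tostring(rule, encoding="unicode")


def evaluate(rule_xml, path, verb):
    """'Permit' when the Target matches (any listed resource AND any listed action)
    with exact string-equal, otherwise 'NotApplicable': no match means no access."""
    rule = ET.fromstring(rule_xml)

    def values(match_tag):
        # Only string-equal matches are understood here; other functions never match.
        return {m.findtext("AttributeValue") for m in rule.iter(match_tag)
                if m.get("MatchId") == STR_EQ}

    if path in values("ResourceMatch") and verb in values("ActionMatch"):
        return rule.get("Effect")          # "Permit" for the rule built above
    return "NotApplicable"
```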

38. Documentation
   • FIWARE IdM:
     – Source Code: https://github.com/ging/fi-ware-idm
     – Documentation: https://github.com/ging/fi-ware-idm/wiki
   • FIWARE Access Control:
     – http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
   • FIWARE OAuth2 Demo:
     – https://github.com/ging/oauth2-example-client
   • FIWARE Proxy:
     – https://github.com/ging/fi-ware-pep-proxy

39. fiware-lab-help@lists.fi-ware.org

40. Join us! http://fiware.org http://lab.fiware.org Follow @Fiware on Twitter!
