Adding Identity Management and Access Control to your Application, Authorization
Daniel Morán, Fernando López, Telefónica I+D, FIWARE
[email protected], [email protected]
http://bit.ly/fiware-authorization

Aug 12, 2015

Identity Manager

Identity Manager: Account

OAuth 2.0

OAuth 2.0: Login with

OAuth 2.0 Message Flow

[Diagram: the Browser, the Web App with its OAuth library, and Account (RS + IdM). Steps shown: login, redirect, access code returned to the browser, get access-code, request access-token, access-token, request user info using access-token.]

OAuth 2.0 Libraries

• http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python

• Example using Node.js – https://github.com/ging/oauth2-example-client

Preliminary steps with IdM at FIWARE Account Portal

• Add an application

• Set/create roles and permissions for the application

• Add new permissions if needed

• Result: OAuth credentials for the application

OAuth 2.0 messages flow: 1) Redirect

First, we have to redirect the user to the IdM web site in order to log in and authorize access to the new application (identified by its client_id):

    https://a.b.c.d/oauth2/authorize?response_type=code&client_id=9

OAuth 2.0 messages flow: 2) Access code

After entering user/password to log in and clicking the “Accept” button (needed only once), the browser redirects us back to the web page of our application:

    http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg

The IdM uses the callback URL specified in the registration of the application (Cloud Portal in this example).

We get the “code” value, which will be used in order to authenticate the user.

OAuth 2.0 messages flow: 3) Request access token

In order to request an access-token, without knowing the user's credentials:

    curl -v --insecure -X POST https://a.b.c.d/oauth2/token \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" \
      -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"

Where:

• Authorization is calculated as Base64(Client_ID:Client_Secret) from the application credentials (the result of the preliminary steps above);

• code is the access-code obtained in the former step;

• redirect_uri is the callback URL the access-code was sent to (see previous slide).

Note that --insecure disables TLS certificate verification of the IdM endpoint, which is only acceptable against a test instance.

OAuth 2.0 messages flow: 4) Access token

The previous request will return the following information:

    HTTP/1.1 200 OK
    Content-Type: application/json

    {
      "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
      "expires_in": 2591999,
      "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
      "token_type": "bearer"
    }
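The four steps above in one place, as an added Python example (not the deck's code and not the Node.js example client it links): it builds the redirect URL of step 1, reads the code back from the callback of step 2, derives the Basic header as Base64(Client_ID:Client_Secret) and prepares the token request of step 3, and records the expiry from the step 4 response. It assumes the IdM host a.b.c.d and the callback http://e.f.g.h/login from the slides; the state parameter and its check are an addition the slides do not show, and the token request is returned as data rather than sent.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

IDM_BASE = "https://a.b.c.d"           # IdM host used on the slides
REDIRECT_URI = "http://e.f.g.h/login"  # callback registered for the application

def new_state():
    # Random per-login value; the slides omit it, it ties the callback to this session.
    return secrets.token_urlsafe(16)

def build_authorize_url(client_id, redirect_uri, state):
    # Step 1: where the browser is redirected to log in and authorize the application.
    # The slide sends only response_type and client_id; redirect_uri and state are added here.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{IDM_BASE}/oauth2/authorize?{urlencode(params)}"

def extract_code(callback_url, expected_state):
    # Step 2: read ?code= from the callback URL, refusing a mismatched state.
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    return query["code"][0]

def basic_auth_header(client_id, client_secret):
    # Authorization header = Base64(Client_ID:Client_Secret), as in the curl command.
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def build_token_request(client_id, client_secret, code, redirect_uri):
    # Step 3: the POST /oauth2/token request, returned as data instead of being sent.
    return {
        "url": f"{IDM_BASE}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Authorization": basic_auth_header(client_id, client_secret)},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri}),
    }

def parse_token_response(payload, now):
    # Step 4: keep the fields the app needs and turn expires_in into an absolute deadline.
    if payload.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": payload["access_token"],
            "refresh_token": payload.get("refresh_token"),
            "expires_at": now + int(payload["expires_in"])}
```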

Securing your backend

Web Applications and GEs

[Diagram: the Web App, through its OAuth library, runs the OAuth2 flows with Account and obtains an access_token; it then sends Request + access-token to the Generic Enabler, which checks the access-token with Account and receives OK + user info (roles).]

The request to the GE carries the token in the X-Auth-Token header:

    GET https://GE_URL HTTP/1.1
    Host: GE_hostname
    X-Auth-Token: access_token

Securing your back-end

[Diagram: Back-end Apps behind a PEP Proxy. The Web App, through its OAuth library, runs the OAuth2 flows with Account and obtains an access_token; it sends Request + access-token to the PEP Proxy, which checks the access-token with Account and receives OK + user info (roles).]

Securing your back-end: the XACML model

[Diagram: Access Control made up of a Policy Decision Point (PDP) and a Policy Administration Point (PAP), administered by the Admin; a Policy Enforcement Point (PEP) in front of the Backend to secure, through which the User's requests pass.]

Securing your back-end

• Level 1: Authentication – checks whether the user has a FIWARE account

• Level 2: Basic Authorization – checks whether the user has permission to access a resource (HTTP verb + resource path)

• Level 3: Advanced Authorization – custom XACML policies

Level 1: Authentication

[Diagram, as on the "Securing your back-end" slide above: the PEP Proxy sends the access-token to Account and receives OK + user info (roles).]

Level 2: Basic Authorization

[Diagram: the PEP Proxy validates the access-token with Account (OK + user info) and then sends roles + verb + path to Access Control, which answers OK.]
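The roles + verb + path decision the PEP Proxy delegates to Access Control, as an added Python example that is neither Wilma's nor the IdM's code: a constructed role/permission table of the kind the "Policies creation in IdM" steps produce, a constructed user-info document carrying the role names, and a deny-by-default check that normalises the path before matching. The user-info JSON layout and the path patterns are assumptions.

```python
import posixpath
import re

# Constructed role/permission table, in the spirit of the roles and permissions an
# application defines in the IdM. Path patterns are regular expressions matched
# against the whole path; "*" allows any HTTP verb.
PERMISSIONS = {
    "read-sensors":  ("GET",  r"/v1/sensors(/[^/]+)?"),
    "create-sensor": ("POST", r"/v1/sensors"),
    "manage-users":  ("*",    r"/v1/users(/.*)?"),
}
ROLES = {
    "Viewer": ["read-sensors"],
    "Editor": ["read-sensors", "create-sensor"],
    "Admin":  ["read-sensors", "create-sensor", "manage-users"],
}

def normalize_path(path):
    # Decide on the path the backend will actually serve: drop the query string and
    # collapse "." / ".." so that "/v1/sensors/../users" is judged as "/v1/users".
    return posixpath.normpath(path.split("?", 1)[0])

def roles_from_user_info(user_info):
    # Role names from the user info the PEP receives for a validated access-token.
    # The JSON shape is constructed; the slides only say the answer carries the roles.
    return [r["name"] for r in user_info.get("roles", [])]

def is_authorized(user_info, verb, path):
    # Level 2 decision: roles + verb + path -> OK; anything without a match is denied.
    verb, path = verb.upper(), normalize_path(path)
    for role in roles_from_user_info(user_info):
        for perm in ROLES.get(role, []):
            allowed_verb, pattern = PERMISSIONS[perm]
            if allowed_verb in ("*", verb) and re.fullmatch(pattern, path):
                return True
    return False
```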

Policies creation in IdM

1) Edit application properties

2) Create a new role

3) Add a new permission

4) Edit permissions

Level 3: Advanced Authorization

[Diagram: the PEP Proxy extension validates the access-token with Account (OK + user info) and then sends roles + XACML <Request> to Access Control, which answers OK.]

Policies creation in IdM (advanced)

4) Change to advanced mode

5) Fill in the rule field

Policies creation in IdM: Sample XACML rule content

Permissions in XACML format may include one or more resources and one or more actions, e.g.:

    <Rule RuleId="PR:Manage" Effect="Permit">
      <Description>Rule: Permission example</Description>
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>

Here [PATH] is the resource path and [VERB] the HTTP verb of the permission.

Policies creation in IdM: Sample XACML request content

    <?xml version="1.0" encoding="UTF-8"?>
    <Request>
      <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/test1/pruebas/create</AttributeValue>
        </Attribute>
        […]
      </Attributes>
      [..]
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>
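An added Python example, not from the deck and not AuthZForce's code, that generates the sample rule and request shown above and applies the rule's Target to the request with the standard xml.etree module: string-equal on resource-id and on action-id, with NotApplicable when either match fails. The names build_rule, build_request and evaluate are mine; attribute values are XML-escaped before being embedded so a request path cannot inject markup.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML1 = "urn:oasis:names:tc:xacml:1.0"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def build_rule(path, verb, rule_id="PR:Manage"):
    # The sample rule above with [PATH] and [VERB] filled in (one resource, one action).
    return f"""<Rule RuleId="{rule_id}" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="{XACML1}:function:string-equal">
        <AttributeValue DataType="{XS_STRING}">{escape(path)}</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{XACML1}:resource:resource-id" DataType="{XS_STRING}"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><Action>
      <ActionMatch MatchId="{XACML1}:function:string-equal">
        <AttributeValue DataType="{XS_STRING}">{escape(verb)}</AttributeValue>
        <ActionAttributeDesignator AttributeId="{XACML1}:action:action-id" DataType="{XS_STRING}"/>
      </ActionMatch>
    </Action></Actions>
  </Target>
</Rule>"""

def build_request(path, verb):
    # XACML <Request> like the sample above; escape() keeps a crafted path from injecting markup.
    return f"""<Request>
  <Attributes Category="{XACML1}:subject-category:resource">
    <Attribute AttributeId="{XACML1}:resource:resource-id"><AttributeValue DataType="{XS_STRING}">{escape(path)}</AttributeValue></Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="{XACML1}:action:action-id"><AttributeValue DataType="{XS_STRING}">{escape(verb)}</AttributeValue></Attribute>
  </Attributes>
</Request>"""

def evaluate(rule_xml, request_xml):
    # Apply the rule Target: every Resource/Action Match must hold for the Effect to apply.
    rule, req = ET.fromstring(rule_xml), ET.fromstring(request_xml)
    values = {a.get("AttributeId"): a.findtext("AttributeValue") for a in req.iter("Attribute")}
    for match in list(rule.iter("ResourceMatch")) + list(rule.iter("ActionMatch")):
        if match.get("MatchId") != f"{XACML1}:function:string-equal":
            raise ValueError("only string-equal is handled in this example")
        designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
        if values.get(designator.get("AttributeId")) != match.findtext("AttributeValue"):
            return "NotApplicable"
    return rule.get("Effect")
```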

Security GEs – IdM – KeyRock

• Keystone + Horizon + Extensions

• APIs – OAuth2, Keystone v3, SCIM 2.0

• Source code – https://github.com/ging/fi-ware-idm

• Documentation – http://catalogue.fiware.org/enablers/identity-management-keyrock

• FIWARE OAuth2 demo – https://github.com/ging/oauth2-example-client

Security GEs – Authorization PDP/PAP – AuthZForce

• Policy Decision Point

• Policy Administration Point

• XACML 3.0

• Documentation – http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation

Security GEs – PEP Proxy – Wilma

• Policy Enforcement Point

• Compatible with OAuth2 and Keystone tokens

• Source code – https://github.com/ging/fi-ware-pep-proxy

• Documentation – http://catalogue.fiware.org/enablers/pep-proxy-wilma

Security GEs

• Privacy GE

• Cyber Sec GE

• Trustworthy Factory GE
