Adding Identity Management and Access Control to your Application, Authorization

Daniel Morán, Fernando López (Telefónica I+D), FIWARE
[email protected], [email protected]
http://bit.ly/fiware-authorization

Identity Manager

(Slides: the Identity Manager, presented to applications and users as the FIWARE Account.)

OAuth 2.0

(Slide: "Login with" screenshot for the FIWARE Account.)

OAuth 2.0 Message Flow

(Diagram. Participants: the Browser, the Web App with its OAuth library, and Account, which acts as RS + IdM. 1. The Browser opens the Web App, which redirects it to Account to log in. 2. Account sends the access code back to the Web App ("Get access-code"). 3. The Web App requests an access-token with that code. 4. Account returns the access-token. 5. The Web App requests user info using the access-token.)

OAuth 2.0 Libraries

• http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python.
• Example using Node.js – https://github.com/ging/oauth2-example-client

Preliminary steps with IdM at FIWARE Account Portal

1) Add an application
2) Set/create roles and permissions for the application
3) Add new permissions if needed
4) Result: OAuth credentials for the application (client_id and client_secret)

OAuth 2.0 message flow, 1) Redirect

First, redirect the user to the IdM web site so that they can log in and authorize access for the new application (identified by its client_id):

https://a.b.c.d/oauth2/authorize?response_type=code&client_id=9

The slide shows the minimum query string. In a deployment also send the registered redirect_uri and a random, per-session state value, and check that value when the browser comes back, so that a code delivered to your callback can be tied to the login that requested it.

OAuth 2.0 message flow, 2) Access code

After entering user/password to log in and clicking the "Accept" button (needed only once), the browser is redirected back to the web page of our application:

http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg

IdM uses the callback URL specified when the application was registered (the Cloud Portal, in this example).

We read the "code" value from the query string. In the next step it is exchanged for an access token, which is how the application authenticates the user without ever handling their password.

OAuth 2.0 message flow, 3) Request access token

To request an access-token without knowing the user's credentials:

curl -v --insecure -X POST https://a.b.c.d/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" \
  -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"

Where:
• Authorization is Base64(Client_ID:Client_Secret), built from the application credentials (see slide 11). HTTP Basic is an encoding, not encryption: the client secret travels in clear text inside the header, so this request must only ever be sent over TLS.
• code is the access-code obtained in the previous step.
• redirect_uri is the callback URL the access-code was sent to (see previous slide).
• --insecure disables TLS certificate validation. It is only acceptable against a test instance with a self-signed certificate; drop it for any real deployment, otherwise the client secret and the tokens can be intercepted.

OAuth 2.0 message flow, 4) Access token

The previous request returns the following:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}

expires_in is in seconds (2591999 is just under 30 days). The access_token is a bearer credential: whoever holds it can use it until it expires, so store it server-side and never expose it to the browser.
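The four steps above, as an added client-side example that runs offline (it is not code from the deck, from KeyRock or from the ging demo client). It uses the placeholder hosts a.b.c.d and e.f.g.h, the code and the token JSON exactly as printed on the slides, and recovers client_id and client_secret by decoding the slide's own Authorization header, which shows that HTTP Basic hides nothing. Note that the header on slide 14 belongs to client_id 2 while the authorize URL on slide 12 uses client_id=9; the example takes the pair from the header so the value reproduces exactly. The state parameter and its check are additions over what the slides show; they are standard OAuth 2.0, not a FIWARE-specific feature.

```python
"""Client side of the authorization-code flow on slides 12 to 16, written so it
runs offline. Added example: not code from the deck, KeyRock or the ging demo."""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

IDM_BASE = "https://a.b.c.d"          # IdM host placeholder used on the slides
REDIRECT_URI = "http://e.f.g.h/login"  # callback registered for the application

# The Authorization header from the slide's curl. HTTP Basic is only base64,
# so decoding it recovers client_id and client_secret in clear text; the token
# request therefore must never leave TLS (and never use --insecure).
SLIDE_BASIC_HEADER = ("Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4"
                      "OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFj"
                      "ZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==")
CLIENT_ID, CLIENT_SECRET = (
    base64.b64decode(SLIDE_BASIC_HEADER.split(" ", 1)[1]).decode().split(":", 1))


def basic_auth_header(client_id, client_secret):
    """Authorization: Basic base64(client_id:client_secret), as on slide 14."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def new_state():
    """Random, unguessable per-session value bound to the login being started."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: redirect target. The slide sends only response_type and client_id;
    redirect_uri and state are added here (standard OAuth 2.0 parameters)."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{IDM_BASE}/oauth2/authorize?{query}"


def extract_code(callback_url, expected_state):
    """Step 2: the browser returns to redirect_uri?code=...&state=...
    A callback whose state is missing or differs from the one this session
    issued is rejected, so a code cannot be injected into a foreign session."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: the same message as the slide's curl, as method/url/headers/body
    for whatever HTTP client the application uses (with TLS validation on)."""
    return {
        "method": "POST",
        "url": f"{IDM_BASE}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Authorization": basic_auth_header(client_id, client_secret)},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri}),
    }


def parse_token_response(body, now=None):
    """Step 4: parse the JSON from slide 15; expires_in is relative seconds,
    so turn it into an absolute deadline the application can check against."""
    tok = json.loads(body)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(tok.get("token_type")))
    now = time.time() if now is None else now
    return {"access_token": tok["access_token"],
            "refresh_token": tok.get("refresh_token"),
            "expires_at": now + int(tok["expires_in"])}


def ge_request_headers(access_token):
    """How the token is presented to a Generic Enabler or PEP Proxy (slide 19)."""
    return {"X-Auth-Token": access_token}


# Values copied from the slides so the functions can be exercised offline.
SLIDE_CODE = "ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg"
SLIDE_TOKEN_JSON = ('{"access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA", '
                    '"expires_in": 2591999, "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg", '
                    '"token_type": "bearer"}')

if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, state))
    code = extract_code(f"{REDIRECT_URI}?code={SLIDE_CODE}&state={state}", state)
    req = build_token_request(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    print("header matches slide:", req["headers"]["Authorization"] == SLIDE_BASIC_HEADER)
    print(ge_request_headers(parse_token_response(SLIDE_TOKEN_JSON)["access_token"]))
```

The request builders return plain dictionaries rather than performing I/O, so the same code can be checked without a live IdM and then wired to any HTTP client; the only thing a real deployment adds is sending them over TLS with certificate validation left on.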

Securing your backend

Web Applications and GEs

(Diagram: the Web App, through its OAuth library, runs the OAuth2 flows against Account and obtains an access_token. It then sends Request + access-token to the Generic Enabler; the GE validates the access-token with Account and gets back OK + user info (roles).)

GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token

Securing your back-end

Back-end Apps

(Diagram: the Web App, through its OAuth library, runs the OAuth2 flows against Account and obtains an access_token. It sends Request + access-token to the PEP Proxy placed in front of the back-end; the PEP Proxy validates the access-token with Account and receives OK + user info (roles) before the request reaches the back-end.)

Securing your back-end: the XACML model

(Diagram: the Admin User writes policies at the Policy Administration Point (PAP). The Policy Enforcement Point (PEP) intercepts requests to the Backend to secure and asks the Policy Decision Point (PDP), inside Access Control, whether each one is allowed.)

Securing your back-end

• Level 1: Authentication – Check that the user has a FIWARE account
• Level 2: Basic Authorization – Check that the user has permission to access a resource, with the permission expressed as HTTP verb + resource path
• Level 3: Advanced Authorization – Custom XACML policies

Level 1: Authentication

(Diagram: as for Back-end Apps. The PEP Proxy receives Request + access-token, validates the access-token with Account and gets back OK + user info (roles); a request without a valid FIWARE token stops at the proxy.)

Level 2: Basic Authorization

(Diagram: the PEP Proxy validates the access-token with Account and gets back OK + user info. It then sends the user's roles + HTTP verb + path to Access Control, which answers OK when a permission assigned to one of those roles matches.)

Policies creation in IdM

1) Edit application properties
2) Create a new role
3) Add a new permission
4) Edit permissions

Level 3: Advanced Authorization

(Diagram: the PEP Proxy extension validates the access-token with Account and gets back OK + user info. It then sends roles + an XACML <Request> to Access Control, which evaluates the custom policies and answers OK.)

Policies creation in IdM, 4) Change to advanced mode

Policies creation in IdM, 5) Fill in the rule field

Policies creation in IdM, Sample XACML rule content

Permissions in XACML format may include one or more resources and one or more actions, e.g.:

<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>

[PATH] and [VERB] are placeholders for the resource path and the HTTP verb the permission covers. string-equal is an exact, case-sensitive comparison: /test1/pruebas/create and /test1/pruebas/create/ are different resources, and POST is not post. The element names shown (ResourceMatch, ResourceAttributeDesignator) are XACML 2.0 syntax; in XACML 3.0, which AuthZForce implements, the same target is written with Match and AttributeDesignator elements carrying a Category attribute.

Policies creation in IdM, Sample XACML request content

<?xml version="1.0" encoding="UTF-8"?>
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/test1/pruebas/create</AttributeValue>
    </Attribute>
    […]
  </Attributes>
  [..]
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

The AttributeDesignator in the rule and the Attribute in the request must agree on AttributeId and DataType (here XMLSchema#string for both the path and the verb), otherwise the PDP never matches them and every request evaluates to NotApplicable.
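To make concrete what Access Control does with the rule on slides 32 and 33 and the request on slide 34, here is an added toy Policy Decision Point in Python. It is not code from the deck or from AuthZForce: it fills the rule template's [PATH] and [VERB] for one permission, builds the request the way a PEP would from the intercepted verb and path, and evaluates the Target with string-equal, the only function the sample rule uses. It does not model subject or role attributes, and it applies first-applicable combining across rules, which is an assumption; the decision returned when no rule matches is NotApplicable, which the enforcement point must treat as a denial.

```python
"""A toy Policy Decision Point that evaluates the slide's XACML rule against the
slide's XACML request, to show what the PEP Proxy asks AuthZForce to decide at
Level 3. Added example: not code from the deck or from AuthZForce. It supports
only string-equal matches on resource-id and action-id, which is all the sample
rule uses; it does not model subject/role attributes."""
import xml.etree.ElementTree as ET

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# The slide's rule template; [PATH] and [VERB] become {path} and {verb}.
RULE_TEMPLATE = """<Rule RuleId="{rule_id}" Effect="{effect}">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="{fn}">
        <AttributeValue DataType="{xs}">{path}</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{rid}" DataType="{xs}"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><Action>
      <ActionMatch MatchId="{fn}">
        <AttributeValue DataType="{xs}">{verb}</AttributeValue>
        <ActionAttributeDesignator AttributeId="{aid}" DataType="{xs}"/>
      </ActionMatch>
    </Action></Actions>
  </Target>
</Rule>"""

# The slide's request, as a PEP would build it from the intercepted HTTP verb
# and resource path (XACML 3.0 attribute categories).
REQUEST_TEMPLATE = """<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="{rid}" IncludeInResult="false">
      <AttributeValue DataType="{xs}">{path}</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="{aid}" IncludeInResult="false">
      <AttributeValue DataType="{xs}">{verb}</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


def make_rule(path, verb, effect="Permit", rule_id="PR:Manage"):
    return RULE_TEMPLATE.format(rule_id=rule_id, effect=effect, fn=STRING_EQUAL,
                                xs=XS_STRING, rid=RESOURCE_ID, aid=ACTION_ID,
                                path=path, verb=verb)


def make_request(verb, path):
    return REQUEST_TEMPLATE.format(rid=RESOURCE_ID, aid=ACTION_ID, xs=XS_STRING,
                                   path=path, verb=verb)


def request_attributes(request_xml):
    """AttributeId -> bag (list) of values, collected across all categories."""
    bags = {}
    for el in ET.fromstring(request_xml).iter("Attribute"):
        values = [v.text or "" for v in el.iter("AttributeValue")]
        bags.setdefault(el.get("AttributeId"), []).extend(values)
    return bags


def match(match_el, bags):
    """One <ResourceMatch>/<ActionMatch>: apply MatchId to the literal
    AttributeValue and each value in the designated request bag; true if any
    request value satisfies it. Only string-equal is implemented, and it is an
    exact, case-sensitive comparison (trailing slashes matter)."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match_el.get("MatchId"))
    literal = match_el.find("AttributeValue").text or ""
    designator = next(c for c in match_el if c.tag.endswith("AttributeDesignator"))
    return any(v == literal for v in bags.get(designator.get("AttributeId"), []))


def target_matches(target, bags):
    """Every section (Resources, Actions) must match; a section matches when any
    entry (Resource, Action) matches; an entry matches when all its *Match do."""
    return all(any(all(match(m, bags) for m in entry) for entry in section)
               for section in target)


def evaluate(rules_xml, request_xml):
    """First-applicable combining (an assumption of this example): the Effect of
    the first rule whose Target matches. NotApplicable means no permission
    covers the request; the PEP must treat anything other than Permit as deny."""
    bags = request_attributes(request_xml)
    for rule_xml in rules_xml:
        rule = ET.fromstring(rule_xml)
        if target_matches(rule.find("Target"), bags):
            return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    policy = [make_rule("/test1/pruebas/create", "POST")]
    for verb, path in [("POST", "/test1/pruebas/create"), ("GET", "/test1/pruebas/create"),
                       ("POST", "/test1/pruebas/create/")]:
        print(verb, path, "->", evaluate(policy, make_request(verb, path)))
```

Running it shows the consequence of string-equal that bites in practice: the permission written for POST /test1/pruebas/create permits exactly that request, while GET on the same path and POST on the same path with a trailing slash both come back NotApplicable.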

Security GEs – IdM - KeyRock

• Keystone + Horizon + Extensions
• APIs – OAuth2, Keystone v3, SCIM 2.0
• Source code – https://github.com/ging/fi-ware-idm
• Documentation – http://catalogue.fiware.org/enablers/identity-management-keyrock
• FIWARE OAuth2 demo – https://github.com/ging/oauth2-example-client

Security GEs – Authorization PDP/PAP - AuthZForce

• Policy Decision Point
• Policy Administration Point
• XACML 3.0
• Documentation – http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation

Security GEs – PEP Proxy - Wilma

• Policy Enforcement Point
• Compatible with OAuth2 and Keystone tokens
• Source code – https://github.com/ging/fi-ware-pep-proxy
• Documentation – http://catalogue.fiware.org/enablers/pep-proxy-wilma

Security GEs

• Privacy GE
• Cyber Sec GE
• Trustworthy Factory GE