Adding Identity Management and Access Control to your Application, Authorization
Daniel Morán, Fernando López, Telefónica
http://bit.ly/fiware-authorization
OAuth 2.0 Message Flow (diagram)
Participants: Browser, Web App with its OAuth library, Account (RS + IdM).
Steps shown: login; redirect; access code; get access-code; request access-token; access-token; request user info using access-token.
OAuth 2.0 Libraries
• http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python.
• Example using Node.js – https://github.com/ging/oauth2-example-client
Preliminary steps with IdM at FIWARE Account Portal
Set/create roles and permissions for the application.
OAuth 2.0 messages flow, 1) Redirect
First, we have to redirect the user to the IdM web site so that they can log in and authorize
access for the new application (identified by its client_id):
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=9
OAuth 2.0 messages flow, 2) Access code
After entering user/password to log in and clicking the “Accept” button (needed only
once), the browser redirects us back to the web page of our application:
http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg
The IdM uses the callback URL specified when the application was registered (the Cloud Portal,
in this example).
We get the “code” value, which will be used to authenticate the user.
OAuth 2.0 messages flow, 3) Request access token
To request an access token without knowing the user's credentials:
curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"
Where: Authorization is calculated as Base64(Client_ID:Client_Secret) from the application
credentials (see slide 11); code is the access code obtained in the former step; and
redirect_uri is the callback URL the access code was sent to (see previous slide).
OAuth 2.0 messages flow, 4) Access token
The previous request returns the following information:
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}
Web Applications and GEs (diagram)
Participants: Web App with its OAuth library, Account (IdM), Generic Enabler.
Flow shown: the OAuth2 flows between Web App and Account yield an access_token; the Web App sends request + access-token to the Generic Enabler; the GE validates the access-token with the Account and gets back OK + user info (roles).
The request to the GE carries the token in the X-Auth-Token header:
GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token
Securing your back-end (diagram)
Participants: Web App with its OAuth library, Account (IdM), PEP Proxy, Back-end Apps.
Flow shown: the OAuth2 flows between Web App and Account yield an access_token; the Web App sends request + access-token to the PEP Proxy, which validates the access-token with the Account and gets back OK + user info (roles) before forwarding the request to the back-end.
Securing your back-end: the XACML model (diagram)
Components: Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP), Access Control, the backend to secure, and an admin user who manages policies.
Securing your back-end
• Level 1: Authentication – check whether the user has a FIWARE account.
• Level 2: Basic Authorization – check whether the user has permission to access a resource: HTTP verb + resource path.
• Level 3: Advanced Authorization – custom XACML policies.
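Levels 1 and 2 as a PEP decision function, added here as a Python example (not Wilma's code): the token comes from X-Auth-Token, the IdM lookup and the role/permission table are constructed stand-ins, and the path is normalized before the verb + path comparison so that a trailing slash, a double slash or a ".." segment cannot slip past a plain string match.

```python
import posixpath

# Constructed stand-in for what the IdM answers when the PEP validates a token:
# token -> user info, including the roles the user holds in this application.
IDM_TOKENS = {"tok-alice": {"id": "alice", "roles": [{"name": "Manager"}]},
              "tok-bob":   {"id": "bob",   "roles": [{"name": "Viewer"}]}}

# Constructed Level 2 permission table, as set up in the Account Portal:
# role -> allowed (HTTP verb, resource path) pairs.
PERMISSIONS = {"Manager": {("GET", "/orders"), ("POST", "/orders")},
               "Viewer":  {("GET", "/orders")}}

def normalize_path(path):
    """Level 2 compares verb + path as strings, so collapse what a plain comparison
    would not: the query string, repeated or trailing slashes, '.' and '..' segments."""
    return posixpath.normpath("/" + path.split("?", 1)[0].lstrip("/"))

def pep_decide(headers, verb, path, level=2, idm=IDM_TOKENS):
    """Return the HTTP status a PEP Proxy would answer: 401 when the token is missing
    or unknown (Level 1), 403 when no role of the user allows verb + path (Level 2),
    200 when the request may be forwarded to the back-end."""
    token = headers.get("X-Auth-Token")
    user = idm.get(token) if token else None
    if user is None:
        return 401
    if level == 1:                      # authentication only
        return 200
    wanted = (verb.upper(), normalize_path(path))
    roles = (r["name"] for r in user["roles"])
    if any(wanted in PERMISSIONS.get(role, ()) for role in roles):
        return 200
    return 403
```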
Level 1: Authentication (diagram)
Same participants as above (Web App with its OAuth library, Account, PEP Proxy, Back-end Apps): the PEP Proxy validates the access-token with the Account and gets back OK + user info (roles).
Level 2: Basic Authorization (diagram)
The PEP Proxy validates the access-token with the Account (OK + user info), then asks Access Control with roles + verb + path and forwards the request to the back-end only on OK.
Level 3: Advanced Authorization (diagram)
A PEP Proxy extension validates the access-token with the Account (OK + user info), then sends roles + an XACML <Request> to Access Control and forwards the request to the back-end only on OK.
Policies creation in IdM: sample XACML rule content
Permissions in XACML format may include one or more resources and one or more actions, e.g.:
<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>
Policies creation in IdM: sample XACML request content
<?xml version="1.0" encoding="UTF-8"?>
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/test1/pruebas/create</AttributeValue>
    </Attribute>
    [...]
  </Attributes>
  [...]
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
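How the sample rule and the sample request fit together, as an added Python example (not AuthZForce's or the IdM's code): a minimal PDP that reads the Target of the rule template above with [PATH] and [VERB] filled in, builds a request of the slides' shape from an HTTP verb and path, and returns Permit or NotApplicable. Only the string-equal match the slides use is supported; the path/verb values and the 3.0 attribute-category URIs in the request are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

RULE_XML = f"""<Rule RuleId="PR:Manage" Effect="Permit"><Target>
 <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
  <AttributeValue DataType="{XS_STRING}">/test1/pruebas/create</AttributeValue>
  <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
 </ResourceMatch></Resource></Resources>
 <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
  <AttributeValue DataType="{XS_STRING}">POST</AttributeValue>
  <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
 </ActionMatch></Action></Actions>
</Target></Rule>"""  # constructed: the slides' template with [PATH]/[VERB] filled in

def make_request(path, verb):
    """<Request> a PEP builds from verb + path (slides' shape); values are XML-escaped."""
    return (f'<Request><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">'
            f'<Attribute AttributeId="{RESOURCE_ID}"><AttributeValue DataType="{XS_STRING}">'
            f'{escape(path)}</AttributeValue></Attribute></Attributes>'
            f'<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">'
            f'<Attribute AttributeId="{ACTION_ID}"><AttributeValue DataType="{XS_STRING}">'
            f'{escape(verb)}</AttributeValue></Attribute></Attributes></Request>')

def request_attrs(request_xml):
    """Flatten a <Request> into {AttributeId: value}; matching keys on the id, not the category."""
    return {a.get("AttributeId"): a.find("AttributeValue").text.strip()
            for a in ET.fromstring(request_xml).iter("Attribute")}

def match_ok(match, attrs):
    """One <ResourceMatch>/<ActionMatch>; only string-equal is supported, as on the slides."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: %s" % match.get("MatchId"))
    designator = next(e for e in match if e.tag.endswith("AttributeDesignator"))
    return attrs.get(designator.get("AttributeId")) == match.find("AttributeValue").text.strip()

def evaluate(rule_xml, request_xml):
    """Slides' (XACML 2.0 style) Target: every <Resources>/<Actions> must match; inside one,
    any <Resource>/<Action> may match, and all its *Match children must hold.
    No match -> NotApplicable, which the PEP treats as deny."""
    rule = ET.fromstring(rule_xml)
    attrs = request_attrs(request_xml)
    for category in rule.find("Target"):
        if not any(all(match_ok(m, attrs) for m in elem) for elem in category):
            return "NotApplicable"
    return rule.get("Effect")
```

Because the match is an exact string comparison, "/test1/pruebas/create/" is NotApplicable while "/test1/pruebas/create" is Permit; the PEP must normalize the path before building the request or the policy will not behave as the administrator expects.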
Security GEs – IdM – KeyRock
• Keystone + Horizon + extensions
• APIs – OAuth2, Keystone v3, SCIM 2.0
• Source code – https://github.com/ging/fi-ware-idm
• Documentation – http://catalogue.fiware.org/enablers/identity-management-keyrock
• FIWARE OAuth2 demo – https://github.com/ging/oauth2-example-client
Security GEs – Authorization PDP/PAP – AuthZForce
• Policy Decision Point
• Policy Administration Point
• XACML 3.0
• Documentation – http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
Security GEs – PEP Proxy – Wilma
• Policy Enforcement Point
• Compatible with OAuth2 and Keystone tokens
• Source code – https://github.com/ging/fi-ware-pep-proxy
• Documentation – http://catalogue.fiware.org/enablers/pep-proxy-wilma