Identity Management with Spring Security · 2011-11-02 · Spring Security: Project Organization...
Identity Management with Spring Security
Dave Syer, VMware, SpringOne 2011
COPYRIGHT VMWARE, INC, 2011
Overview
● What is Identity Management?
● Is it anything to do with Security?
● Some existing and emerging standards
● Relevant features of Spring Security and other Spring projects
● Common use cases
● Demo of prototype IDM system
Agenda
● Core domain:
  ● Authentication, identity, trust, delegation, claim, authorization
  ● SSO
  ● Identity Management
● Standards:
  ● SAML
  ● OpenID
  ● OAuth, OAuth2
  ● OpenID Connect
  ● SCIM
  ● JWT
● Spring Security and other projects
● Use cases (Google, Facebook, CloudFoundry) and demos
● IDM as a Service
Demo Code
$ git clone git://gist.github.com/1316904.git
Authentication
● You say you are Fred Bloggs? Can you prove it?
● Human-human interactions
  ● Official document (passport, driving licence, etc.)
  ● We actually call it “ID”
  ● Letter of introduction
  ● Word of mouth, friend of a friend
● Machine-human interactions
  ● Something you know, hopefully unguessable, maybe random, e.g. username/password
  ● Something you have, e.g. a One-Time Password (OTP) from an RSA hard/soft token
  ● Multifactor authentication
● Machine-machine interactions
Typical System Architecture
[Diagram: User says “I'm Fred, show me my photos” to APP; APP reads its DB (user details store)]
Fred Accesses his Photos
Two Apps, No Shared Authentication
[Diagram: User says “I'm Fred, show me my photos” to APP1 and “I'm Fred, can I buy a book?” to APP2; each app has its own DB (user details store)]
Two Apps, Shared User Details
[Diagram: User says “I'm Fred, show me my photos” to APP1 and “I'm Fred, can I buy a book?” to APP2; both apps share one DB (user details store)]
Two Apps, Single Sign On
[Diagram: User says “I'm Fred, show me my photos” to APP1 and “I'm Fred, can I buy a book?” to APP2; an SSO component sits between the user and the apps, and all of them share one DB (user details store)]
Single Sign On: Example Flow
● Explicit authentication required on first visit
● Avoidable subsequently if App can store token – but then with multiple apps you have distributed state
[Sequence diagram callouts: “All Apps are the same”; “This is unavoidable”]
Two Apps, Single Sign On with Separate Authentication
[Diagram: User says “I'm Fred, show me my photos” to APP1 and “I'm Fred, can I buy a book?” to APP2; the SSO component delegates to a separate AUTH component, and all share one DB (user details store)]
SSO With Spring Security
● Good support for CAS
● Many custom implementations for commercial products like SiteMinder
● Field is fragmented
● OpenID...
Trust
● You say you are Fred Bloggs? Can you prove it?
● Oh, I remember, Martha said you're alright. Come in...
● I trust Martha, USDOT, UKPA, etc, to verify Fred's identity
● Why?
● Because I know them, and they say they know Fred.
Consumer Trusts Provider
[Diagram: User says “I'm Fred, show me my photos” to APP (the Consumer, or Relying Party); APP trusts the IDP (the Provider), which holds the DB (user details store)]
Simplified User-App-IDP Interaction
So What did we Gain with an Identity Provider?
● App no longer has to do authentication or keep a record of secure information about users
● User only has to type secrets into a known trusted site (e.g. Google)
● Separation of concerns
● Abstraction always comes at a cost
  ● Increased complexity – more to understand, more to maintain, more to go wrong
  ● Complexity and Security are uneasy bedfellows
  ● Hence there are standards that cover this interaction
Complexity: Schematic Actual Conversation
Complexity: HTTP Protocol Actual Conversation
Compare: Native Authentication
OpenID
[Diagram: User says “I'm Fred, show me my photos” to APP (the Relying Party); APP trusts the OpenID Provider, which holds the DB (user details store)]
OpenID
● Protocol for attribute exchange
● Sits on top of HTTP(S)
● Form plus JSONish on back channel (attribute fetch)
● Form data and redirects on front channel
● Does not specify authentication (up to the Provider)
● Does not require pre-registration of Relying Parties (Apps)
● Implemented in various languages, e.g. Java->OpenID4J (Google code)
● Support in Spring Security for Relying Party
Spring Security OpenID RP
<http xmlns="http://www.springframework.org/schema/security">
  ...
  <openid-login login-page="/openid" user-service-ref="registeringUserService"
                authentication-failure-url="/login_error.jsp">
    <attribute-exchange identifier-match=".*">
      <openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" />
      <openid-attribute name="fullname" type="http://schema.openid.net/namePerson" required="true" />
    </attribute-exchange>
  </openid-login>
</http>
SSO with OpenID
[Diagram: User says “I'm Fred, show me my photos” to APP1 and “I'm Fred, can I buy a book?” to APP2; both apps are Relying Parties of the same OpenID Provider, which holds the DB (user details store)]
SSO with OpenID
No user input required here if IDP is stateful
Delegation and Client Authorization
● So Fred told you to come and pick up his order?
● You say you're Martha? Show me some ID.
● And what about some documentation about the order?
[Diagram labels: Resource Owner; Client (e.g. a service provider); Scope of responsibility]
Delegation and Client Authorization
● An App needs to access Fred's resources on his behalf
● Resources live in a protected Resource Server (API)
● Fred is the Resource Owner: he can read and write his resources if he logs into the API himself
● But App is the Client of the API service, not Fred, and Fred doesn't want to grant App write access
● Resource Server can grant App access to a restricted Scope of activity
● Fred authorizes the App to read his Resources
● App gets an Access Token that enables it to act on behalf of Fred
● Where does it get the token from? An Authorization Server
Delegation
[Diagram: APP (the Client) says “I'm Fred, show me my photos” to the API (the Resource Server), presenting a Token; the Token is issued by AUTH (the Authorization Server) through its Token Services; Fred is the Resource Owner]
Example Token Services using Shared Storage
[Diagram: as before, APP (Client) presents a Token to the API (Resource Server) and AUTH (Authorization Server) issues it; here AUTH and the API share a DB acting as the Token Store, so the API can look tokens up; Fred is the Resource Owner]
Delegation Standards
● SAML 1.0, 2.0
  ● XML
  ● back channel
  ● cryptography (callout: “Need key exchange”)
  ● Spring Security SAML, Service Provider = Resource Server only
● OAuth 1.0a
  ● plain text
  ● back channel
  ● cryptography (callout: “Nonce and request token”)
  ● Spring Security OAuth (consumer and provider)
● OAuth 2
  ● JSON (plus optional custom formats)
  ● no back channel in spec (but need token services in practice)
  ● clear text (need SSL), plus extensions
  ● Spring Security OAuth (consumer and provider)
OAuth2
● Client /app
● Resource Server /api

authenticated:
GET /api/photos
Authorization: Bearer FDSHGK78JH356G

200 OK
...

unauthenticated:
401 Unauthorized
WWW-Authenticate: Bearer realm="/auth"
OAuth2 Acquiring an Access Token
● Grant Types
  ● Password
  ● Authorization Code
  ● Refresh Token
  ● Implicit
  ● Client Credentials
● Others allowed as extensions, e.g. SAML assertion
OAuth2 Grant Type: Password
● Resource Server /api
● Authorization Server /auth
  ● Token Endpoint

GET /auth/token?grant_type=password&username=......&...
Authorization: Basic asdsdfggghf=   (client credentials)

200 OK
{ "access_token" : "JAHDGFJH78IOUY", "token_type" : "bearer", "expires_in" : "3600" }
OAuth2: Grant Type Password
OAuth2 Grant Type: Authorization Code
● Client /app
● Authorization Server /auth
  ● Authorization Endpoint

GET /auth/authorize?response_type=code&...
Authorization: Basic asdsdfggghf=

302 Found
Location: /app/photos?code=dfjhg
OAuth2 Grant Type: Authorization Code
● Resource Server /api
● Authorization Server /auth
  ● Token Endpoint

GET /auth/token?grant_type=authorization_code&code=......&...
Authorization: Basic asdsdfggghf=

200 OK
{ "access_token" : "JAHDGFJH78IOUY", "token_type" : "bearer", "expires_in" : "3600" }
OAuth2 Grant Type: Authorization Code
????
OAuth2 Grant Type: Authorization Code, Explicit Authorization
The spec doesn't say how this happens, just that it does, e.g:
????
OAuth2: More Detail and Options
● Grant type
  ● Password – native apps, fixed authentication
  ● Authorization Code – webapps with browser redirects
  ● Refresh Token – optional for tokens issued with Auth Code
  ● Implicit – script clients in webapps, native apps
  ● Client Credentials – service peers
  ● Other, e.g. SAML
● Token type
  ● Bearer
  ● Other, e.g. MAC
● Scope
  ● Arbitrary string. Signifies something to the Resource Server about which resources are available. C.f. “audience” in SAML.
● State
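The authorization code grant and the bearer-token check from the preceding OAuth2 slides, as an added example that is not code from the deck or from Spring Security OAuth: a minimal Authorization Server (/authorize and /token) whose token table is the shared Token Store a Resource Server (/api/photos) reads, answering the 401 challenge from the OAuth2 slide when no valid token is presented. Client id "app", scope "read_photos" and realm "/auth" are the deck's values; the client secret, redirect URI, token format and photo data are assumptions.

```python
import base64
import secrets

# Added example, not the deck's or Spring Security OAuth's code. Client id "app", scope
# "read_photos" and realm "/auth" come from the slides; secret, redirect URI, token
# format and photo data are constructed for the example.
CLIENTS = {"app": {"secret": "app-secret", "redirect_uri": "/app/photos",
                   "grant_types": {"authorization_code"}, "scope": {"read_photos"}}}


def basic_header(client_id, secret):
    """The 'Authorization: Basic ...' value a Client sends to the Token Endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


class AuthorizationServer:
    """/auth: single-use codes from /authorize, bearer tokens from /token; self.tokens is the Token Store."""

    def __init__(self, now):
        self.now = now      # clock callable, injected so that expiry can be tested
        self.codes = {}     # code -> (client_id, redirect_uri, scope, user)
        self.tokens = {}    # access_token -> (client_id, scope, user, expires_at)

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Front channel. 'user' is the Resource Owner, authenticated and having explicitly approved."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            return {"status": 400, "error": "invalid_request"}  # never redirect to an unknown URI
        if not set(scope.split()) <= client["scope"]:
            return {"status": 302, "location": f"{redirect_uri}?error=invalid_scope&state={state}"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope, user)
        return {"status": 302, "location": f"{redirect_uri}?code={code}&state={state}"}

    def token(self, authorization, grant_type, code, redirect_uri):
        """Back channel: the Client authenticates with its own credentials and redeems the code."""
        client_id = self._authenticate_client(authorization)
        if client_id is None:
            return {"status": 401, "error": "invalid_client"}
        if grant_type not in CLIENTS[client_id]["grant_types"]:
            return {"status": 400, "error": "unauthorized_client"}
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"status": 400, "error": "invalid_grant"}
        _, _, scope, user = entry
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, scope, user, self.now() + 3600)
        return {"status": 200, "access_token": token, "token_type": "bearer",
                "expires_in": 3600, "scope": scope}

    def check_token(self, token):
        """Token Services lookup for the Resource Server; None means reject."""
        entry = self.tokens.get(token)
        if entry is None or entry[3] <= self.now():
            return None
        return {"client_id": entry[0], "scope": set(entry[1].split()), "user": entry[2]}

    def _authenticate_client(self, authorization):
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            client_id, secret = base64.b64decode(authorization[6:]).decode().split(":", 1)
        except ValueError:  # bad base64, bad UTF-8 or no ':' separator
            return None
        client = CLIENTS.get(client_id)
        if client is not None and secrets.compare_digest(secret, client["secret"]):
            return client_id
        return None


class ResourceServer:
    """/api: accepts bearer tokens; anything else gets 401 plus the WWW-Authenticate challenge."""
    CHALLENGE = 'Bearer realm="/auth"'
    SCOPES = {"/api/photos": "read_photos"}  # scope each resource requires

    def __init__(self, token_services):
        self.token_services = token_services

    def get(self, path, authorization):
        """Return (status, headers, body) for a request carrying the given Authorization value."""
        if not authorization or not authorization.startswith("Bearer "):
            return 401, {"WWW-Authenticate": self.CHALLENGE}, None
        info = self.token_services.check_token(authorization[len("Bearer "):])
        if info is None:
            return 401, {"WWW-Authenticate": self.CHALLENGE + ', error="invalid_token"'}, None
        needed = self.SCOPES.get(path)  # unknown paths fall through to 403 as well
        if needed is None or needed not in info["scope"]:
            return 403, {"WWW-Authenticate": self.CHALLENGE + ', error="insufficient_scope"'}, None
        return 200, {}, {"owner": info["user"], "photos": ["holiday.jpg", "cat.jpg"]}
```

The state value is echoed back unchanged so the Client can tie the redirect to the request it started; the code is bound to the client and redirect URI it was issued for and is consumed on first use.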
Spring Security OAuth: Resource Server /api
<sec:http ...>
  ...
  <sec:custom-filter ref="oauth2ServiceFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>

<oauth:provider id="oauth2ServiceFilter" token-services-ref="tokenServices">
  <oauth:resource-server resource-id="api" />
</oauth:provider>
Spring Security OAuth: Authorization Server /auth
<sec:http>
  ...
  <sec:custom-filter ref="oauth2ServiceFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>

<oauth:provider id="oauth2ServiceFilter" token-services-ref="tokenServices">
  <oauth:authorization-server client-details-service-ref="clientDetails">
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
  </oauth:authorization-server>
</oauth:provider>

<oauth:client-details-service id="clientDetails">
  <oauth:client clientId="app" authorizedGrantTypes="password,authorization_code,refresh_token"
                scope="read_photos" authorities="ROLE_GUEST" />
</oauth:client-details-service>
Spring Security OAuth: Client /app
<sec:http>
  ...
  <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>

<oauth:client id="oauth2ClientFilter" token-services-ref="oauth2TokenServices" />

<bean id="apiRestTemplate" class="org...oauth2.client.OAuth2RestTemplate">
  <constructor-arg ref="api" />
</bean>

<oauth:resource id="api" type="authorization_code" clientId="app"
                accessTokenUri="${accessTokenUri}" userAuthorizationUri="${userAuthorizationUri}"
                scope="read_photos" />
N.B. Spring Social has client support as well (similar approach, convergence will come later)
OpenID Connect
● Similar to OpenID in the role that it plays, but not in any other way related
● Uses OAuth2 as a protocol for attribute exchange
● Google, Salesforce, etc. behind spec
● OAuth2 endpoints:
  ● /authorize
  ● /token
● OpenID endpoints are OAuth2 protected resources:
  ● /userinfo
  ● /check_id
● Clients obtain access token with scope=openid
● OAuth /token endpoint includes id token in response as well as access token
● Responses in JSON or JWT (=encrypted JSON)
● Not implemented in Spring project (yet), SECOAUTH or SEC
OpenID Connect: Token Acquisition
● Resource Server /api
● Authorization Server /auth
  ● Token Endpoint

GET /auth/token?grant_type=authorization_code&code=......&...
Authorization: Basic asdsdfggghf=

200 OK
{ "access_token" : "JAHDGFJH78IOUY", "token_type" : "bearer", "expires_in" : "3600", "scope" : "openid", "id_token" : "LKJADSFKHJG8723E" }
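What a Relying Party should do with the id_token in that response, as an added example that is not from the deck or from any Spring project: it assumes an HMAC-SHA256 signed JWT keyed with the client secret (one of the JWT signing options; the deck does not say which is used), the issuer, secret and claim values are constructed, and the user_id claim name follows the deck's /userinfo slide.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not the deck's code. Assumes an HS256-signed id_token keyed with the
# client secret; ISSUER, CLIENT_SECRET and all claim values are constructed, and the
# user_id claim name is taken from the deck's /userinfo response.
CLIENT_ID = "app"
CLIENT_SECRET = b"app-secret"            # constructed
ISSUER = "https://auth.example.test"     # constructed placeholder


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, secret=CLIENT_SECRET):
    """Provider side: header.payload.signature, HS256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, secret=CLIENT_SECRET, now=None):
    """Relying Party side: return the claims, or raise ValueError saying why the token is rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")  # checked before any claim is read
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def handle_token_response(response_json, now=None):
    """Process the /token reply shown on the slide: keep the access token for /userinfo
    and take the identity only from a validated id_token."""
    body = json.loads(response_json)
    if "openid" not in body.get("scope", "").split():
        raise ValueError("scope does not include openid, so no identity was asserted")
    claims = validate_id_token(body["id_token"], now=now)
    return {"access_token": body["access_token"], "user_id": claims["user_id"]}
```

The access token still goes to /userinfo as a bearer token; the id_token is what binds the asserted user to this client and this issuer.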
OpenID Connect: User Info
● Resource Server /api
● Authorization Server /auth
  ● User Info Endpoint

GET /auth/userinfo
Authorization: Bearer JAHDGFJH78IOUY

200 OK
{ "user_id" : "dsyer", "name" : "Dave Syer", "email" : "[email protected]", ... }
SCIM
● Simple Cloud Identity Management
● Plain text / JSON standard for provisioning identity systems
● Standard endpoints
  ● /Users – query user accounts
  ● /User – CRUD operations on users
  ● /Groups – CRUD operations on groups
● An OAuth2 authorization service might implement SCIM
● Not implemented (yet) in Spring
Spring Security: Project Organization
Spring Security (Web, Core, LDAP, OpenID, ...)
● 3.1.0 just released
● Stable, mature
● Luke Taylor (VMW), Robert Winch
Spring Extensions: Security (SAML, Kerberos)
● 1.0.0 not yet released
● Partly external, low-activity
● Vladimir Schaefer, Mike Wiesner (VMW)
Spring Security OAuth (OAuth1a, OAuth2)
● OAuth2 spec not yet final
● External lead
● 1.0.0.M5 release in pipeline
● Ryan Heaton, Dave Syer (VMW)
Spring Social
● 1.0.0 just released
● Consumer for well-known providers
● Keith Donald (VMW), Craig Walls (VMW)
CloudFoundry IDM
[Diagram: the Admin Console (Client) says “I'm Fred, show me my apps” to the CloudController (Resource Server), presenting a Token; the UAA is the Authorization Server (OAuth2, OpenID Connect, SCIM) with Token Services; Fred is the Resource Owner; further labels: Collab Spaces, Access Decision]
CloudFoundry IDM
[Diagram: the same layout with VMC (the command-line tool) as the Client saying “I'm Fred, show me my apps” to the CloudController (Resource Server), presenting a Token; the UAA is the Authorization Server (OAuth2, OpenID Connect, SCIM) with Token Services; Fred is the Resource Owner; further labels: Collab Spaces, Access Decision]
Links
● SECOAUTH: https://github.com/SpringSource/spring-security-oauth
● OpenId4J: http://code.google.com/p/openid4java/
● OpenID Connect: http://openid.net/developers/specs/
● OAuth2: http://tools.ietf.org/html/draft-ietf-oauth-v2
● SCIM: http://www.simplecloud.info
● SES (SAML and Kerberos): http://static.springsource.org/spring-security/site/extensions.html
● Demos: http://gist.github.com/1316904