Adding Identity Management and Access Control to your Application
Álvaro Alonso
UPM – DIT, Security Chapter. [email protected], @larsonalonso
Agenda
• FIWARE Lab Accounts
– Account types
– Creating an account
– Upgrading your account
• Using FIWARE Lab Cloud Infrastructure
• Registering an application
– OAuth2 protocol
– Application example
• Using FIWARE GEs from your application
• Securing your backend
• Security GEs
FIWARE Lab Accounts
• Basic
– Manage organizations
– Register applications
– Use Cloud only if another user authorizes them
• Trial
– Cloud: 14-day trial period
– Spain2 region
• Community
– Cloud for 9 months
– Assigned region
Using FIWARE Lab Cloud Infrastructure
• If you are a Trial or a Community user
– Your Cloud organization is “purchaser” of the Cloud application
– You can authorize other users in your organization
• If you are a Basic user
– Upgrade to Trial (if available)
– Apply for a Community account
– Ask a Trial or Community user to authorize you in his Cloud organization
• Developers week…
– Request a Trial account in
Using FIWARE Lab Cloud Infrastructure
• To authorize another user in your Cloud organization:
1. Access Account Portal and login
2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner
3. Go to "Members" in the left side panel
4. Add the user you want to authorize as a member of the org using the "Manage" button
5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button
Oauth 2.0 Message Flow
[Diagram: Web App (with OAuth Library) and Account. Steps: redirect; access-code; request access-token; access-token; request user info using access-token]
Oauth 2.0 Libraries
• http://oauth.net/2/
– PHP, Cocoa, iOS, Java, Ruby, Javascript, Python.
• Example using Node.js
– https://github.com/ging/oauth2-example-client
Web Applications and GEs
[Diagram: Web App (with OAuth Library), Account and Generic Enabler. The Web App runs the OAuth2 flows with Account and obtains an access_token; it sends Request + access-token to the Generic Enabler; the GE checks the access-token with Account and receives OK + user info (roles)]
Web Applications and GEs
GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token
Securing your back-end
[Diagram: Web App (with OAuth Library), Account, PEP Proxy and Back-end Apps. The Web App runs the OAuth2 flows with Account and obtains an access_token; it sends Request + access-token to the PEP Proxy; the PEP Proxy checks the access-token with Account and receives OK + user info (roles) before forwarding to the Back-end Apps]
Securing your back-end
• Level 1: Authentication
– Check if a user has a FIWARE account
• Level 2: Basic Authorization
– Check if a user has permissions to access a resource
– HTTP verb + resource path
• Level 3: Advanced Authorization
– Custom XACML policies
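A minimal version of the Level 1 and Level 2 checks a PEP Proxy performs, as an added Node.js example (not Wilma's or KeyRock's own code). The token table and the role policy are constructed stand-ins for the answers the IdM and the Authorization PDP would give over the network; the users, tokens and verb/path rules are hypothetical.

```javascript
// Added example (not Wilma's or KeyRock's code): a minimal PEP-style check
// that applies Level 1 (authentication) and Level 2 (basic authorization on
// HTTP verb + resource path) to an incoming request. The token table and the
// role policy are constructed stand-ins for the answers the IdM and the
// Authorization PDP would give over the network.
const VALID_TOKENS = new Map([
  ['tok-alice', { user: 'alice', roles: ['Member'] }],
  ['tok-bob', { user: 'bob', roles: ['Purchaser'] }],
]);

// Constructed policy: role -> allowed [verb, resource path prefix] pairs.
const POLICY = {
  Member: [['GET', '/v1/entities']],
  Purchaser: [['GET', '/v1/entities'], ['POST', '/v1/entities'], ['DELETE', '/v1/entities']],
};

// Prefix match on whole path segments, so /v1/entities does not grant /v1/entitiesX.
function pathMatches(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Level 1: authentication. Stands in for validating the token with the IdM.
// Returns the user info (including roles) for a valid token, or null.
function authenticate(headers) {
  const token = headers['x-auth-token'];
  return token ? VALID_TOKENS.get(token) || null : null;
}

// Level 2: basic authorization. Stands in for asking the PDP "roles + verb + path".
function authorize(userInfo, verb, path) {
  return userInfo.roles.some(role =>
    (POLICY[role] || []).some(([v, prefix]) => v === verb && pathMatches(prefix, path)));
}

// The proxy's decision: 401 when the token is missing or unknown (Level 1 fails),
// 403 when the user's roles do not cover verb + path (Level 2 fails), 200 to forward.
function pepDecision(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const user = authenticate(headers);
  if (!user) return 401;
  if (!authorize(user, req.method, req.path)) return 403;
  return 200;
}

// Constructed sample request, as the Web App would send it through the proxy.
const sample = { method: 'GET', path: '/v1/entities', headers: { 'X-Auth-Token': 'tok-alice' } };
console.log(`${sample.method} ${sample.path} -> ${pepDecision(sample)}`); // -> 200
```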
Level 1: Authentication
[Diagram: Web App (with OAuth Library), Account, PEP Proxy and Back-end Apps. The Web App runs the OAuth2 flows with Account and obtains an access_token; it sends Request + access-token to the PEP Proxy; the PEP Proxy checks the access-token with Account and receives OK + user info (roles)]
Level 2: Basic Authorization
[Diagram: Web App (with OAuth Library), Account, PEP Proxy, Auth PDP GE and Back-end Apps. The Web App runs the OAuth2 flows with Account and obtains an access_token; it sends Request + access-token to the PEP Proxy; the PEP Proxy checks the access-token with Account and receives OK + user info; it then sends roles + verb + path to the Auth PDP GE and receives OK]
Level 3: Advanced Authorization
[Diagram: Web App (with OAuth Library), Account, PEP Proxy extension, Auth PDP GE and Back-end Apps. The Web App runs the OAuth2 flows with Account and obtains an access_token; it sends Request + access-token to the PEP Proxy extension; the PEP Proxy extension checks the access-token with Account and receives OK + user info; it then sends roles + XACML <Request> to the Auth PDP GE and receives OK]
Security GEs – IdM - KeyRock
• Keystone + Horizon +Extensions
• APIs
– OAuth2
– Keystone v3
– SCIM 2.0
• Source Code
– https://github.com/ging/fi-ware-idm
• Documentation
– http://catalogue.fiware.org/enablers/identity-management-keyrock
• FIWARE OAuth2 Demo:
– https://github.com/ging/oauth2-example-client
Security GEs – Authorization PDP - AuthZForce
• Policy Decision Point
• Policy Administration Point
• XACML 3.0
• Documentation
– http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
Security GEs – PEP Proxy - Wilma
• Policy Enforcement Point
• Compatible with OAuth2 and Keystone tokens
• Source code:
– https://github.com/ging/fi-ware-pep-proxy
• Documentation
– http://catalogue.fiware.org/enablers/pep-proxy-wilma