Adding Identity Management and Access Control to your Application

Álvaro Alonso, UPM – DIT, Security Chapter, FIWARE
[email protected], @larsonalonso

Upload: alvaro-alonso

Post on 16-Jul-2015


Identity Manager

[Screenshot slides: Identity Manager, Account]

Agenda

• FIWARE Lab Accounts

– Account types

– Creating an account

– Upgrading your account

• Using FIWARE Lab Cloud Infrastructure

• Registering an application

– OAuth2 protocol

– Application example

• Using FIWARE GEs from your application

• Securing your backend

• Security GEs

FIWARE Lab Accounts

• Basic

– Manage organizations

– Register applications

– Use Cloud only if another user authorizes them

• Trial

– Cloud: 14-day trial period

– Spain2 region

• Community

– Cloud for 9 months

– Assigned region

FIWARE Lab Accounts

[Diagram: Basic, Trial and Community account types, with numbered callouts]

FIWARE Account (Identity Manager) Demo

Using FIWARE Lab Cloud Infrastructure

• If you are a Trial or a Community user

– Your Cloud organization is the “purchaser” of the Cloud application

– You can authorize other users in your organization

• If you are a Basic user

– Upgrade to Trial (if available)

– Apply for a Community account

– Ask a Trial or Community user to authorize you in his Cloud organization

• Developers week…

– Request a Trial account in

[email protected]

Using FIWARE Lab Cloud Infrastructure

• To authorize another user in your Cloud organization:

1. Access Account Portal and login

2. Switch to your Cloud organization using the "Switch session" option in the dropdown in the left upper corner

3. Go to "Members" in the left side panel

4. Add the user you want to authorize as a member of the org using the "Manage" button

5. Authorize the user inside Cloud Application giving him the role "Member" using the "Authorize" button

Using FIWARE Lab Cloud Infrastructure Demo

Account

OAuth 2.0

[Screenshot: “Login with” button]

OAuth 2.0 Message Flow

[Diagram: message flow between the Web App (using an OAuth library) and the Account server: redirect, access-code, request access-token, access-token, then request user info using the access-token]

OAuth 2.0 Libraries

• http://oauth.net/2/

– PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python.

• Example using Node.js

– https://github.com/ging/oauth2-example-client

OAuth 2.0 Demo

Web Applications and GEs

[Diagram: the Web App (OAuth Library) sends Request + access_token to the Generic Enabler; the GE validates the access-token with the Account server (OAuth2 flows) and receives OK + user info (roles)]

Web Applications and GEs

GET https://GE_URL HTTP/1.1

Host: GE_hostname

X-Auth-Token: access_token

Securing your back-end

Back-end Apps

[Diagram: the Web App (OAuth Library) sends Request + access_token to a PEP Proxy placed in front of the Back-end App; the PEP Proxy validates the access-token with the Account server (OAuth2 flows) and receives OK + user info (roles)]

Securing your back-end

• Level 1: Authentication

– Check if a user has a FIWARE account

• Level 2: Basic Authorization

– Check if a user has permission to access a resource

– HTTP verb + resource path

• Level 3: Advanced Authorization

– Custom XACML policies
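Levels 1 and 2 above, as an added JavaScript example (not the Wilma PEP Proxy's own code; the IdM token lookup and the policy table are constructed in-memory stand-ins for the Account server and the PDP):

```javascript
// Added example (not Wilma's code): one PEP decision covering Level 1
// (authentication of the X-Auth-Token) and Level 2 (roles + verb + path).
// Assumption: the IdM lookup is mocked with a constructed in-memory table;
// a real PEP Proxy validates the token against the Account server instead.

// Constructed stand-in for the "OK + user info (roles)" answer from the IdM.
const MOCK_IDM_TOKENS = {
  'tok-alice': { id: 'alice', roles: ['Member'] },
  'tok-bob':   { id: 'bob',   roles: ['Member', 'Admin'] },
};

// Constructed policy table: role -> allowed HTTP verbs on a path prefix.
const POLICY = [
  { role: 'Member', verbs: ['GET'],                   pathPrefix: '/v1/entities' },
  { role: 'Admin',  verbs: ['GET', 'POST', 'DELETE'], pathPrefix: '/v1/' },
];

// Level 1: resolve the token to user info, or null if it is missing/unknown.
function authenticate(token, idm = MOCK_IDM_TOKENS) {
  if (typeof token !== 'string' || token === '') return null;
  return Object.prototype.hasOwnProperty.call(idm, token) ? idm[token] : null;
}

// Level 2: does any of the user's roles allow this verb on this path?
// The path is normalized first so "/v1/entities/../admin" is judged as "/v1/admin"
// and a query string does not take part in the prefix match.
function authorize(user, verb, path, policy = POLICY) {
  const cleanPath = new URL(path, 'http://pep.invalid').pathname;
  const method = String(verb).toUpperCase();
  return policy.some((rule) =>
    user.roles.includes(rule.role) &&
    rule.verbs.includes(method) &&
    cleanPath.startsWith(rule.pathPrefix));
}

// The proxy's answer for one incoming request (header names lower-cased, as Node does).
function pepDecision(headers, method, path) {
  const user = authenticate(headers['x-auth-token']);
  if (!user) return { status: 401, reason: 'missing or invalid X-Auth-Token' };
  if (!authorize(user, method, path)) {
    return { status: 403, reason: 'role not allowed for this verb and path' };
  }
  return { status: 200, user: user.id }; // request may be forwarded to the back-end
}
```

Only a 200 decision lets the request reach the back-end; a missing or unknown token stops at Level 1 with 401, and a known user without a matching role/verb/path rule stops at Level 2 with 403.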

Level 1: Authentication

Back-end Apps

[Diagram: the Web App (OAuth Library) sends Request + access_token to the PEP Proxy; the PEP Proxy validates the access-token with the Account server (OAuth2 flows) and receives OK + user info (roles)]

Level 2: Basic Authorization

Back-end Apps

[Diagram: the Web App (OAuth Library) sends Request + access_token to the PEP Proxy; the PEP Proxy validates the access-token with the Account server (OAuth2 flows) and receives OK + user info; it then sends roles + verb + path to the Auth PDP GE and receives OK]

Level 3: Advanced Authorization

Back-end Apps

[Diagram: the Web App (OAuth Library) sends Request + access_token to the PEP Proxy extension; the extension validates the access-token with the Account server (OAuth2 flows) and receives OK + user info; it then sends roles + an XACML <Request> to the Auth PDP GE and receives OK]

FIWARE PEP Proxy Demo

Security GEs – IdM - KeyRock

• Keystone + Horizon + Extensions

• APIs

– OAuth2

– Keystone v3

– SCIM 2.0

• Source Code

– https://github.com/ging/fi-ware-idm

• Documentation

– http://catalogue.fiware.org/enablers/identity-management-keyrock

• FIWARE OAuth2 Demo:

– https://github.com/ging/oauth2-example-client

Security GEs – Authorization PDP - AuthZForce

• Policy Decision Point

• Policy Administration Point

• XACML 3.0

• Documentation

– http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation


Security GEs – PEP Proxy - Wilma

• Policy Enforcement Point

• Compatible with OAuth2 and Keystone tokens

• Source code:

– https://github.com/ging/fi-ware-pep-proxy

• Documentation

– http://catalogue.fiware.org/enablers/pep-proxy-wilma


Security GEs

• Privacy GE

• Cyber Sec GE

• Trustworthy Factory GE
