Adding Identity Management and Access Control to your Application
DESCRIPTION
Adding Identity Management and Access Control to your Application in the FIWARE ecosystem
TRANSCRIPT
Page 1: Adding Identity Management and Access Control to your Application
Joaquin Salvachua // Álvaro Alonso
UPM – DIT, Security Chapter. [email protected], @[email protected], @larsonalonso
Page 2: Identity Manager
Page 3: Identity Manager
Account
Page 4: OAuth 2.0
Login with
Page 5: FIWARE Account (Identity Manager) Demo
Page 6: OAuth 2.0
Page 7: OAuth 2.0 Message Flow
Diagram: Web App (with OAuth Library) and Account. Messages:
• redirect (Web App → Account)
• access-code (Account → Web App)
• request access-token (Web App → Account)
• access-token (Account → Web App)
• Request user info using access-token (Web App → Account)
Page 8: OAuth 2.0 Libraries
• http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python.
• Example using Node.js – https://github.com/ging/oauth2-example-client
Page 9: OAuth 2.0 Demo
Page 10: Web Applications and GEs
Diagram: Web App (with OAuth Library), Account and Generic Enabler. Messages:
• OAuth2 flows (Web App ↔ Account) → access_token
• Request + access-token (Web App → Generic Enabler)
• access-token (Generic Enabler → Account)
• OK + user info (roles) (Account → Generic Enabler)
Page 11: Web Applications and GEs
```http
GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token
```
Page 12: Securing your back-end
Diagram: Web App (with OAuth Library), Account, and Proxy in front of Back-end Apps. Messages:
• OAuth2 flows (Web App ↔ Account) → access_token
• Request + access-token (Web App → Proxy)
• access-token (Proxy → Account)
• OK + user info (roles) (Account → Proxy)
Page 13: Securing your back-end
• Level 1: Authentication – Check if a user has a FIWARE account
• Level 2: Basic Authorization – Checks if a user has permissions to access a resource – HTTP verb + resource path
• Level 3: Advanced Authorization – Custom XACML policies
Page 14: Level 1: Authentication
Diagram: Web App (with OAuth Library), Account, and Proxy in front of Back-end Apps. Messages:
• OAuth2 flows (Web App ↔ Account) → access_token
• Request + access-token (Web App → Proxy)
• access-token (Proxy → Account)
• OK + user info (roles) (Account → Proxy)
Page 15: Level 2: Basic Authorization
Diagram: Web App (with OAuth Library), Account, AC GE, and Proxy in front of Back-end Apps. Messages:
• OAuth2 flows (Web App ↔ Account) → access_token
• Request + access-token (Web App → Proxy)
• access-token + verb + path (Proxy → Account / AC GE)
• OK + user info (Account / AC GE → Proxy)
Page 16: Level 3: Advanced Authorization
Diagram: Web App (with OAuth Library), Account, AC GE, and Proxy extension in front of Back-end Apps. Messages:
• OAuth2 flows (Web App ↔ Account) → access_token
• Request + access-token (Web App → Proxy extension)
• XACML policy (Proxy extension → AC GE)
• OK + user info (AC GE → Proxy extension)
Page 17: FIWARE Proxy Demo
Page 18: Documentation
• FIWARE Account – Source Code: https://github.com/ging/fi-ware-idm – Documentation: https://github.com/ging/fi-ware-idm/wiki
• FIWARE Access Control – http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
• FIWARE OAuth2 Demo – https://github.com/ging/oauth2-example-client
• FIWARE Proxy – https://github.com/ging/fi-ware-pep-proxy
Page 19: Adding Identity Management and Access Control to your Application
Álvaro Alonso
UPM – DIT, Security Chapter. [email protected], @larsonalonso