IdM and AC

Posted on 15-Jun-2015

DESCRIPTION

Detailed flow description about the use of the IdM and AC in the FIWARE Lab.

TRANSCRIPT

Slide 1: Adding Identity Management and Access Control to your Application

Fernando López, Pablo Rodríguez // Álvaro Alonso
TID // UPM – DIT
Security Chapter, FIWARE
fernando.lopezaguilar@telefonica.com, @flopezaguilar
pablo.rodriguezarchilla@telefonica.com
aalonsog@dit.upm.es, @larsonalonso

Slide 2: Identity Management. An example

Slide 3: Identity Management. FIWARE Account

Slide 4: OAuth 2.0 for Identity Management. Examples…

Slide 5: OAuth 2.0 for Identity Management… and FIWARE too! ("Login with" the FIWARE IdM)

Slide 6: OAuth 2.0. Messages flow

Participants in the diagram: the Web App (IP e.f.g.h, using an OAuth library) and the IdM (IP a.b.c.d).

1) redirect
2) access-code
3) request access-token
4) access-token
Afterwards the Web App requests the user info using the access-token.

Slide 7: OAuth 2.0. Client libraries for your application

• http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python
• Example using Node.js – https://github.com/ging/oauth2-example-client

Slide 8: Preliminary steps with IdM at FIWARE Account Portal. Add an application

Slide 9: Preliminary steps with IdM at FIWARE Account Portal. Set/create roles and permissions for the application

Slide 10: Preliminary steps with IdM at FIWARE Account Portal. Add new permissions if needed

Slide 11: Preliminary steps with IdM at FIWARE Account Portal. Result: OAuth credentials for the application

Slide 12: OAuth 2.0 messages flow. 1) Redirect

First, we have to redirect the user to the IdM web site in order to log in and authorize the access to the new application (identified by its client_id):

https://a.b.c.d/oauth2/authorize?response_type=code&client_id=9

Slide 13: OAuth 2.0 messages flow. 1) Redirect (continued)

Slide 14: OAuth 2.0 messages flow. 2) Access code

After entering user/password to log in and clicking the “Accept” button (needed only once), the browser redirects us back to the web page of our application:

http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg

The IdM uses the callback URL specified in the registration of the application (Cloud Portal, in this example).

We get the “code” value, which will be used in order to authenticate the user.

Slide 15: OAuth 2.0 messages flow. 3) Request access token

In order to request an access-token, without knowing the credentials of the user:

curl -v --insecure -X POST https://a.b.c.d/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" \
  -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"

Where:
• Authorization is calculated as Base64(Client_ID:Client_Secret) from the application credentials (see slide 11)
• code is the access-code obtained in the former step
• redirect_uri is the callback URL the access-code was sent to (see previous slide)

Slide 16: OAuth 2.0 messages flow. 4) Access token

The previous request will return the following information:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}

Slide 17: Securing your backend

• Level 1: Authentication – check if a user has a FIWARE account
• Level 2: Basic Authorization – check if a user has permissions to access a resource (HTTP verb + resource path)
• Level 3: Advanced Authorization – custom XACML policies

Slide 18: Level 1: Authentication

Participants in the diagram: the Web App (with its OAuth library), the Backend Apps and the IdM.

OAuth2 flows (steps 1 to 3 as on slide 6)
4) access-token (IdM → Web App)
5) Request + access-token (Web App → Backend Apps)
6) access-token (Backend Apps → IdM)
7) OK + user info (roles) (IdM → Backend Apps)

Slide 19: Level 1: Authentication (with a Proxy)

Participants in the diagram: the Web App (with its OAuth library), a Proxy in front of the Backend Apps, and the IdM.

OAuth2 flows
4) access-token (IdM → Web App)
5) Request + access-token (Web App → Proxy)
6) access-token (Proxy → IdM)
7) OK + user info (roles) (IdM → Proxy)

Slide 20: Level 1: Authentication. Request + access token (step 5)

• The request from the web application to the backend and GEs would look like:

GET https://{backend-apps-url} HTTP/1.1
Host: {backend-apps-hostname}
X-Auth-Token: {access-token}

The request should include the X-Auth-Token header with the exact access token received at the previous step 4 (see slide 16):

3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Slide 21: Level 1: Authentication. Validate X-Auth-Token (step 6)

As a prerequisite, if we do not have one yet, a new admin token must be issued (it expires in 24h) in order to request the validation of the auth token:

curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens

KEEP IN MIND this uses fixed password credentials for the FIWARE Proxy to generate the admin token, but in the future a registry of users and passwords will be maintained.

Slide 22: Level 1: Authentication. Validate X-Auth-Token (step 6)

The previous call will return the following message:

{
  "access": {
    "token": {
      "expires": "2015-07-09T15:16:07Z",
      "id": "5b2177e7e1e6592cb7ea168ce9c0e87f"
    },
    "user": {
      "id": "pepProxy",
      "name": "pepProxy",
      "roles_links": [],
      "username": "pepProxy"
    }
  }
}

Slide 23: Level 1: Authentication. Validate X-Auth-Token (step 6)

Assuming that you have a valid admin token (see slides 21 & 22, and remember it is valid for 24 hours only), we can validate the access token included in the request (step 5):

curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Please note that the X-Auth-Token header in this request is the admin token, while the access-token being validated is part of the resource path in the URL.

This could return the following status codes if something is wrong:
• 404: access_token not valid
• 401: X-Auth-Token not valid (unauthorized)
• 403: X-Auth-Token not valid (expired)

Slide 24: Level 1: Authentication. Validate X-Auth-Token (step 6)

If there is no error, it returns:

{
  "actorId": 1,
  "displayName": "prueba",
  "email": "b.rcs@tid.es",
  "id": 1,
  "nickName": "prueba",
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member" }
      ]
    }
  ],
  "roles": [
    { "id": 5, "name": "Provider" }
  ]
}

Slide 25: Level 1: Authentication. Validate X-Auth-Token (step 6)

Here you can see the roles associated to the organization (the "roles" array nested inside each entry of "organizations", highlighted in red on the slide) and the roles associated to the application (the top-level "roles" array, highlighted in blue on the slide).

Slide 26: Level 2: Basic Authorization

Participants in the diagram: the Web App (with its OAuth library), a Proxy in front of the Backend Apps, the IdM and the AC GE.

OAuth2 flows
access-token (IdM → Web App)
Request + access-token (Web App → Proxy)
6) access-token + verb + path (Proxy → IdM, which checks the permission with the AC GE)
7) OK + user info

Slide 27: Level 2: Basic Authorization. Access token + verb + path (step 6)

In this case you should call the API with the following information:

curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" \
  -H "Content-Type:application/json" \
  -H "x-auth-resource:path" \
  -H "x-auth-action:verb" \
  http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Where:
• path is the URL of the resource to be accessed, e.g. /resource1/item2
• verb is the HTTP verb associated to the request (GET, PUT, POST, DELETE)
• X-Auth-Token is the admin token from slides 21 & 22 (FIWARE Proxy token)
• As before, the request URL includes the access-token being validated

Slide 28: Level 2: Basic Authorization. OK + user info (step 7)

It returns:

• HTTP 401 Unauthorized.
• 200 OK if all was OK, with the following user information:

{
  "actorId": 1,
  "displayName": "prueba",
  "email": "b.rcs@tid.es",
  "id": 1,
  "nickName": "prueba",
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member" }
      ]
    }
  ],
  "roles": [
    { "id": 5, "name": "Provider" }
  ]
}

Slide 29: Level 2: Basic Authorization. OK + user info (step 7)

Here you can see the roles associated to the organization (the "roles" array nested inside each entry of "organizations", highlighted in red on the slide) and the roles associated to the application (the top-level "roles" array, highlighted in blue on the slide).

Slide 30: Level 3: Advanced Authorization

Participants in the diagram: the Web App (with its OAuth library), a Proxy extension in front of the Backend Apps, the IdM and the AC GE holding the XACML policy.

OAuth2 flows
access-token (IdM → Web App)
Request + access-token (Web App → Proxy extension)
XACML policy (evaluated by the AC GE)
OK + user info

Slide 31: Policies creation in IdM. 1) Edit application properties

Slide 32: Policies creation in IdM. 2) Create a new role

Slide 33: Policies creation in IdM. 2) Create a new role (continued)

Slide 34: Policies creation in IdM. 3) Add a new permission

Slide 35: Policies creation in IdM. 4) Change to advanced mode

Slides 36–37: Policies creation in IdM. 5) Fill in the rule field. Sample XACML rule content

Permissions in XACML format may include one or more resources and one or several actions, e.g.:

<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>
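A generator for the rule shape above, as an added example that is not code from the slides or from the FIWARE Access Control GE. It goes one step beyond the single-resource, single-action sample by emitting one Resource element per path and one Action element per verb (the "1 or more resources and 1 or several actions" the slide mentions), and it matches a request (verb, path) against the Target the way the string-equal functions in the markup do. The permission values are constructed; the evaluator is a minimal reading of this one Rule's Target, not a model of the AC GE's policy decision point.

```javascript
// Added example, not code from the slides or from the FIWARE AC GE: builds a Rule with
// the structure of slides 36-37 for a permission with one or more resources and one or
// more actions, and matches a (verb, path) request against its Target with the exact
// comparison that string-equal specifies. Paths and verbs below are constructed values.
const XACML_STRING = 'http://www.w3.org/2001/XMLSchema#string';
const STRING_EQUAL = 'urn:oasis:names:tc:xacml:1.0:function:string-equal';
const RESOURCE_ID = 'urn:oasis:names:tc:xacml:1.0:resource:resource-id';
const ACTION_ID = 'urn:oasis:names:tc:xacml:1.0:action:action-id';

// Escape the XML special characters so a path such as /a?b=1&c=2 cannot break the markup.
function xmlEscape(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&apos;');
}
function xmlUnescape(s) {
  return s.replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// One <Resource> or <Action> block: a string-equal match of the designated attribute.
function matchElement(kind, designator, attributeId, value) {
  return [
    `      <${kind}>`,
    `        <${kind}Match MatchId="${STRING_EQUAL}">`,
    `          <AttributeValue DataType="${XACML_STRING}">${xmlEscape(value)}</AttributeValue>`,
    `          <${designator} AttributeId="${attributeId}" DataType="${XACML_STRING}" />`,
    `        </${kind}Match>`,
    `      </${kind}>`,
  ].join('\n');
}

// Build one Permit rule. Sibling <Resource> elements are alternatives, and so are sibling
// <Action> elements, so the rule applies to any listed path combined with any listed verb.
function buildRule(ruleId, description, paths, verbs) {
  if (!paths.length || !verbs.length) {
    throw new Error('a permission needs at least one resource and one action');
  }
  return [
    `<Rule RuleId="${xmlEscape(ruleId)}" Effect="Permit">`,
    `  <Description>${xmlEscape(description)}</Description>`,
    '  <Target>',
    '    <Resources>',
    ...paths.map((p) => matchElement('Resource', 'ResourceAttributeDesignator', RESOURCE_ID, p)),
    '    </Resources>',
    '    <Actions>',
    ...verbs.map((v) => matchElement('Action', 'ActionAttributeDesignator', ACTION_ID, v)),
    '    </Actions>',
    '  </Target>',
    '</Rule>',
  ].join('\n');
}

// Read the AttributeValues back out of one section (<Resources> or <Actions>) of markup
// produced by buildRule; a regex scan is enough for this fixed layout.
function sectionValues(ruleXml, tag) {
  const m = ruleXml.match(new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`));
  if (!m) return [];
  return [...m[1].matchAll(/<AttributeValue[^>]*>([^<]*)<\/AttributeValue>/g)].map((x) => xmlUnescape(x[1]));
}

// Decision for one request. string-equal is an exact comparison, so "/resource1" does not
// cover "/resource1/item2"; a request outside the Target yields NotApplicable, not Deny.
function evaluate(ruleXml, verb, path) {
  const effect = /Effect="([^"]+)"/.exec(ruleXml)[1];
  const permitted = sectionValues(ruleXml, 'Resources').includes(path)
    && sectionValues(ruleXml, 'Actions').includes(verb);
  return permitted ? effect : 'NotApplicable';
}

if (typeof require !== 'undefined' && require.main === module) {
  const rule = buildRule('PR:Manage', 'Rule: Permission example', ['/resource1/item2'], ['GET', 'PUT']);
  console.log(rule);
  console.log(evaluate(rule, 'GET', '/resource1/item2'), evaluate(rule, 'DELETE', '/resource1/item2'));
}
```

Because every match in this rule is string-equal, a permission written for /resource1 says nothing about /resource1/item2; covering a subtree needs either one Resource element per path or a different match function, which is exactly why the slide treats multiple resources and actions as part of one permission.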

Slide 38: Documentation

• FIWARE IdM: Source Code: https://github.com/ging/fi-ware-idm – Documentation: https://github.com/ging/fi-ware-idm/wiki
• FIWARE Access Control: http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
• FIWARE OAuth2 Demo: https://github.com/ging/oauth2-example-client
• FIWARE Proxy: https://github.com/ging/fi-ware-pep-proxy

Slide 39: Join us!

fiware-lab-help@lists.fi-ware.org
http://fiware.org
http://lab.fiware.org
Follow @Fiware on Twitter!