How to authenticate users in your apps using FI-WARE Account - Introduction


Upload: javier-cervino

Post on 06-May-2015


DESCRIPTION

In this course you will learn to: Use FI-WARE Account to create users, organizations and register your Applications. Authenticate users in your apps with their credentials on FI-WARE using OAuth 2.0. They’ll securely access resources thanks to authorization in FI-WARE Account.

TRANSCRIPT

Page 1: How to authenticate users in your apps using FI-WARE Account - Introduction

How to authenticate users in your apps using FI-WARE Account

In this course you will learn to:

§ Use FI-WARE Account to create users, organizations and register your Applications.

§ Authenticate users in your apps with their credentials on FI-WARE using OAuth 2.0.

They’ll securely access resources thanks to authorization in FI-WARE Account.


Page 2: How to authenticate users in your apps using FI-WARE Account - Introduction

Content

1. Introduction. Introduction to FI-WARE Account and OAuth 2.0. We’ll see key concepts and topics.

2. First steps in FI-WARE Account. Register on FI-WARE Account, create organizations and manage roles of users in your organizations.

3. Secure your web applications using OAuth 2.0. Secure your own web applications to authenticate your users with their username and password in FI-WARE Account.

4. Authenticate your users from native applications using OAuth 2.0. Adapt your native applications to authenticate your users with their username and password in FI-WARE Account.

5. Developing secured APIs using OAuth 2.0. Deploy a FI-WARE PEP Security Proxy in front of your backend to secure requests to your APIs.

6. Authorizing access to protected resources. Create roles in your applications to allow or deny access of users to protected resources.


Page 3: How to authenticate users in your apps using FI-WARE Account - Introduction

Identity Management


Page 4: How to authenticate users in your apps using FI-WARE Account - Introduction

Identity Management in FI-WARE


Page 5: How to authenticate users in your apps using FI-WARE Account - Introduction

Identity Management in FI-WARE

§ Management of users, their authentication and authorization, and privileges within organizations.

§ Resources used:
   •  Users
   •  Organizations
   •  Roles
   •  Applications

§ Users register themselves, create organizations, and assign roles within these organizations.

§ It enables applications to access user’s protected information.
   •  Trusted environment
   •  OAuth 2.0 standard

§ http://oauth.net/2/
   •  PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python.

Page 6: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0


Page 7: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0


Page 8: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0

§ Mechanism to provide applications access to restricted resources without sharing credentials.

§ Applications use access tokens, issued by OAuth providers (e.g. FI-WARE), to access resources.

§ OAuth 2.0 specification is designed for use with HTTP.

§ Roles:
   •  Resource Owner: Entity capable of granting access to a protected resource (e.g. end-user).
   •  Resource Server: Server hosting protected resources.
   •  Client: Application making protected resource requests on behalf of the resource owner.
   •  Authorization Server: The server issuing access tokens to the client.

Page 9: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0 Architecture


Page 10: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0 Architecture Authorization Code Grant


OAuth provider account.lab.fi-ware.org

OAuth consumer myservice.com

6. Response code + myservice.com credentials

7. Ok, this is the Access Token

8. Access user’s resources with Access Token

Page 11: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0 Architecture Implicit Grant


OAuth provider account.lab.fi-ware.org

OAuth consumer myservice.com

6. Access user’s resources with Access Token

Page 12: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0 Arch. Resource Owner Password Credentials Grant


OAuth provider account.lab.fi-ware.org

OAuth consumer myservice.com

2. Give access with myservice.com credentials and user’s password credentials

3. OK, this is the access token

4. Access user’s resources with Access Token

Page 13: How to authenticate users in your apps using FI-WARE Account - Introduction

OAuth 2.0 Architecture Client Credentials Grant


OAuth provider account.lab.fi-ware.org

OAuth consumer myservice.com

1. Client authentication with myservice.com credentials

2. OK, this is the access token

3. Access myservice.com resources with Access Token
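The token requests behind the grant slides above, as an added example that is not part of the original slides: it builds the POST that myservice.com sends to the OAuth provider for the Authorization Code (step 6), Resource Owner Password Credentials (step 2) and Client Credentials (step 1) grants, following RFC 6749. The token endpoint path and all sample values are assumptions; the slides name only the provider host.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Assumption: the slides name the provider host but not its token path.
TOKEN_ENDPOINT = "https://account.lab.fi-ware.org/<token-endpoint>"

# Parameters each grant adds to the token request
# (RFC 6749 sections 4.1.3, 4.3.2 and 4.4.2).
GRANT_PARAMS = {
    "authorization_code": ("code", "redirect_uri"),
    "password": ("username", "password"),
    "client_credentials": (),
}

def client_auth_header(client_id, client_secret):
    """HTTP Basic header with the consumer's own credentials (RFC 6749, 2.3.1)."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def token_request(grant, client_id, client_secret, **params):
    """Describe the POST the consumer sends to obtain an access token."""
    if grant == "implicit":
        raise ValueError("implicit grant has no token request: the token "
                         "arrives in the redirect URI fragment")
    if grant not in GRANT_PARAMS:
        raise ValueError(f"unsupported grant: {grant}")
    missing = [p for p in GRANT_PARAMS[grant] if not params.get(p)]
    if missing:
        raise ValueError(f"{grant} grant is missing: {', '.join(missing)}")
    form = {"grant_type": grant}
    form.update((p, params[p]) for p in GRANT_PARAMS[grant])
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": client_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    req = token_request("authorization_code", "myservice", "s3cret",
                        code="abc123",
                        redirect_uri="https://myservice.com/callback")
    print(req["body"])
```

Only the password grant puts the user's FI-WARE password in the consumer's hands; in the other two the consumer sends nothing but its own credentials and, for the authorization code grant, the one-time code.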

Page 14: How to authenticate users in your apps using FI-WARE Account - Introduction

Using the Access Token


Page 15: How to authenticate users in your apps using FI-WARE Account - Introduction

Using the Access Token FI-WARE Resource Providers


OAuth provider account.lab.fi-ware.org

OAuth consumer myservice.com

Access protected user info with Access Token

Generic Enablers *.fi-ware.org

Access protected resources with Access Token

    GET https://ge_url HTTP/1.1
    Host: GE_hostname
    Authorization: Bearer access_token

GET /user?access_token=access_token

Page 16: How to authenticate users in your apps using FI-WARE Account - Introduction

Using the Access Token Third-Party Resource Providers


PEP Proxy OAuth consumer myservice.com

Access protected user info with Access Token

Unsecured Resource Provider

    GET https://protected_url HTTP/1.1
    Host: GE_hostname
    Authorization: Bearer access_token
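A sketch of the decision a policy enforcement point makes in front of an unsecured resource provider, as an added example that is not the FI-WARE PEP Proxy's own code: it extracts the bearer token, checks it against the provider's `GET /user?access_token=...` resource shown on the previous slide, and forwards only a verified identity. The `X-User-Id` header, the `lookup_user` callable, the user-info URL and the sample tokens are assumptions.

```python
import re
from urllib.parse import urlencode

# Assumption: the slides show only "GET /user?access_token=..."; the host is
# the OAuth provider they name.
IDM_USER_URL = "https://account.lab.fi-ware.org/user"
# RFC 6750 section 2.1: the "Bearer" scheme followed by a token68 value.
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)
# Hypothetical header that carries the verified identity to the backend.
IDENTITY_HEADER = "X-User-Id"

def extract_bearer(headers):
    """Return the token from the Authorization header, or None."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            match = BEARER_RE.match(value.strip())
            return match.group(1) if match else None
    return None

def validation_url(token):
    """URL the proxy queries to learn who the token belongs to."""
    return IDM_USER_URL + "?" + urlencode({"access_token": token})

def pep_decide(headers, lookup_user):
    """Return (status, headers): 200 plus the headers to forward, or 401.

    lookup_user(url) is a hypothetical callable returning the user record as
    a dict, or None when the provider rejects the token; in a deployment it
    would be an HTTPS GET.
    """
    token = extract_bearer(headers)
    if token is None:
        return 401, {"WWW-Authenticate": "Bearer"}
    user = lookup_user(validation_url(token))
    if user is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    # Drop the token and any identity header the caller supplied, so the
    # backend only ever sees an identity the provider vouched for.
    blocked = {"authorization", IDENTITY_HEADER.lower()}
    forward = {k: v for k, v in headers.items() if k.lower() not in blocked}
    forward[IDENTITY_HEADER] = user["id"]
    return 200, forward

def demo_lookup(url):
    """Constructed stand-in for the provider: knows one sample token."""
    return {validation_url("tok-valid-123"): {"id": "alice"}}.get(url)
```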

Page 17: How to authenticate users in your apps using FI-WARE Account - Introduction

Using the Access Token Cloud Hosting I


OAuth provider account.lab.fi-ware.org

OAuth consumer myservice.com

Retrieve list of organizations

Retrieve Scoped Token in organization ORG_ID

POST http://cloud.lab.fi-ware.eu:4730/v2.0/tokens

    {
      "auth": {
        "tenantID": "ORG_ID",
        "token": {
          "id": "access_token"
        }
      }
    }

GET /user?access_token=access_token

Keystone Proxy cloud.lab.fi-ware.org

Page 18: How to authenticate users in your apps using FI-WARE Account - Introduction

Using the Access Token Cloud Hosting II


OAuth consumer myservice.com

Access using Scoped Token:

•  PaaS GE pegasus.lab.fi-ware.org
•  DCRM GE cloud.lab.fi-ware.org
•  SDC GE saggita.lab.fi-ware.org
•  Object Storage GE 130.206.82.9

Page 19: How to authenticate users in your apps using FI-WARE Account - Introduction

More Info

§ FI-WARE Account’s OAuth 2.0 API:
   •  Documentation: https://github.com/ging/fi-ware-idm/wiki/
   •  OAuth 2.0 API: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance

§ OAuth 2.0 Specification:
   •  http://tools.ietf.org/html/rfc6749

§ FI-WARE PEP Proxy:
   •  https://github.com/ging/fi-ware-pep-proxy

Page 20: How to authenticate users in your apps using FI-WARE Account - Introduction

Demo


Geek Blog blog.com

Page 21: How to authenticate users in your apps using FI-WARE Account - Introduction

Demo


Geek Blog blog.com

OAuth provider account.lab.fi-ware.org

PEP Proxy
