Securing Access with Oauth2 in KeyRock Javier Cerviño Álvaro Alonso Joaquin Salvachua (DIT-UPM)

Upload: joaquin-salvachua

Post on 20-Aug-2015


TRANSCRIPT

Securing Access with Oauth2 in KeyRock

Javier Cerviño, Álvaro Alonso, Joaquin Salvachua (DIT-UPM)

How to authenticate users in your apps using FI-WARE Account

In this course you will learn to:

Use FI-WARE Account to create users, organizations and register your Applications.

Authenticate users in your apps with their credentials on FI-WARE using OAuth 2.0.

Those users will then access resources securely, thanks to the authorization managed by FI-WARE Account.

Content

1. Introduction. Introduction to FI-WARE Account and OAuth 2.0. We’ll see key concepts and topics.

2. First steps in FI-WARE Account. Register on FI-WARE Account, create organizations and manage roles of users in your organizations.

3. Secure your web applications using OAuth 2.0. Secure your own web applications to authenticate your users with their username and password in FI-WARE Account.

4. Authenticate your users from native applications using OAuth 2.0. Adapt your native applications to authenticate your users with their username and password in FI-WARE Account.

5. Developing secured APIs using OAuth 2.0. Deploy a FI-WARE PEP Security Proxy in front of your backend to secure requests to your APIs.

6. Authorizing access to protected resources. Create roles in your applications to allow or deny access of users to protected resources.

Identity Management

Identity Management in FI-WARE

Management of users, their authentication and authorization, and privileges within organizations.

Resources used:

• Users

• Organizations

• Roles

• Applications

Users register themselves, create organizations, and assign roles within these organizations.

It enables applications to access users’ protected information.

• Trusted environment

• OAuth 2.0 standard

http://oauth.net/2/

• PHP, Cocoa, iOS, Java, Ruby, Javascript, Python.

OAuth 2.0 (RFC 6749)

Mechanism to provide applications access to restricted resources without sharing credentials.

Applications use access tokens, issued by OAuth providers (e.g. FI-WARE), to access resources.

The OAuth 2.0 specification is designed for use with HTTP.

Roles:

• Resource Owner: Entity capable of granting access to a protected resource (e.g. end-user)

• Resource Server: Server hosting protected resources.

• Client: Application making protected resource requests on behalf of the resource owner.

• Authorization Server: The server issuing access tokens to the client.

OAuth Message Flow

Diagram: Web App (with OAuth Library) and Account. Messages:

• redirect

• access-code

• request access-token

• access-token

• Request user info using access-token

Web Applications and GEs

Diagram: Web App (with OAuth Library), Account and Generic Enabler. Messages:

• redirect

• access-code

• request access-token

• access-token

• Request + access-token (Web App to Generic Enabler)

• access-token + path (Generic Enabler to Account)

• OK + user info

GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token

AA for free!

Back-end Apps

Diagram: Web App (with OAuth Library), Account, and a Proxy in front of the back-end. Messages:

• redirect

• access-code

• request access-token

• access-token

• Request + access-token (Web App to Proxy)

• access-token + path (Proxy to Account)

• OK + user info

OAuth 2.0 Architecture

OAuth 2.0 Architecture: Authorization Code Grant

OAuth provider: account.lab.fi-ware.org

OAuth consumer: myservice.com

1. Access user’s resources in FI-WARE

2. Redirect to FI-WARE

3. Give access to myservice.com

4. OK, this is the response code

5. Response code

6. Response code + myservice.com credentials

7. OK, this is the Access Token

8. Access user’s resources with Access Token

OAuth 2.0 Architecture: Implicit Grant

OAuth provider: account.lab.fi-ware.org

OAuth consumer: myservice.com

1. Access user’s resources in FI-WARE

2. Redirect to FI-WARE

3. Give access with myservice.com identifier

4. OK, this is the access token

5. Access token

6. Access user’s resources with Access Token

OAuth 2.0 Architecture: Resource Owner Password Credentials Grant

OAuth provider: account.lab.fi-ware.org

OAuth consumer: myservice.com

1. Access user’s resources in FI-WARE with password credentials

2. Give access with myservice.com credentials and user’s password credentials

3. OK, this is the access token

4. Access user’s resources with Access Token

OAuth 2.0 Architecture: Client Credentials Grant

OAuth provider: account.lab.fi-ware.org

OAuth consumer: myservice.com

1. Client authentication with myservice.com credentials

2. OK, this is the access token

3. Access myservice.com resources with Access Token

Using the Access Token

Using the Access Token: FI-WARE Resource Providers

OAuth provider: account.lab.fi-ware.org

OAuth consumer: myservice.com

Access protected user info with Access Token:

GET /user?access_token=access_token

Generic Enablers: *.fi-ware.org

Access protected resources with Access Token:

GET https://ge_url HTTP/1.1
Host: GE_hostname
Authorization: Bearer access_token

Using the Access Token: Third-Party Resource Providers

OAuth consumer: myservice.com

PEP Proxy, in front of an Unsecured Resource Provider. Messages:

• Access protected user info with Access Token

• Access resource if Access Token is valid

GET https://protected_url HTTP/1.1
Host: GE_hostname
Authorization: Bearer access_token
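The decision a PEP Proxy makes for each incoming request (accept the token, validate it with the IdM, forward only if valid), as an added Node.js example that is not the ging/fi-ware-pep-proxy code; the IdM lookup is simulated with a constructed token table (`IDM_TOKENS`), and the `x-user-id` and `x-roles` headers passed to the backend are this example's own choice.

```javascript
// Added example, not the ging/fi-ware-pep-proxy code: the per-request decision of a
// PEP proxy. The IdM answer is simulated with a constructed table standing in for
// the GET /user?access_token=... call shown above.
const IDM_TOKENS = new Map([               // constructed sample tokens
  ['tok-valid-123', { id: 'alice', roles: ['Provider'], expires: 2000000000 }],
  ['tok-expired-9', { id: 'bob', roles: [], expires: 1000000000 }],
]);

// Simulated IdM validation: unknown or expired tokens yield null.
function lookupUser(token, now) {
  const info = IDM_TOKENS.get(token);
  return info && info.expires > now ? info : null;
}

// HTTP header names are case-insensitive; normalise before looking anything up.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Accept both header forms used in the slides: "Authorization: Bearer <token>"
// (RFC 6750) and "X-Auth-Token: <token>". A malformed Authorization header is
// treated as no token at all, never as an empty token.
function extractToken(headers) {
  const h = lowerKeys(headers);
  if (typeof h.authorization === 'string') {
    const m = /^Bearer\s+(\S+)$/i.exec(h.authorization.trim());
    return m ? m[1] : null;
  }
  const raw = typeof h['x-auth-token'] === 'string' ? h['x-auth-token'].trim() : '';
  return raw || null;
}

// 401 when the token is missing or rejected; otherwise the request to forward to
// the unsecured backend, with the token stripped and the identity the IdM returned
// added as headers (x-user-id / x-roles are this example's own names).
function pepDecision(req, now = Math.floor(Date.now() / 1000)) {
  const token = extractToken(req.headers);
  if (!token) return { status: 401, reason: 'missing or malformed token' };
  const user = lookupUser(token, now);
  if (!user) return { status: 401, reason: 'token rejected by IdM' };
  const { authorization, 'x-auth-token': xat, ...rest } = lowerKeys(req.headers);
  return {
    status: 200,
    forward: { path: req.path,
               headers: { ...rest, 'x-user-id': user.id, 'x-roles': user.roles.join(',') } },
  };
}
```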

Using the Access Token: Cloud Hosting I

OAuth provider: account.lab.fi-ware.org

OAuth consumer: myservice.com

Keystone Proxy: cloud.lab.fi-ware.org

Retrieve list of organizations:

GET /user?access_token=access_token

Retrieve Scoped Token in organization ORG_ID:

POST http://cloud.lab.fi-ware.eu:4730/v2.0/tokens
{ "auth": { "tenantID": "ORG_ID", "token": { "id": "access_token" } } }

Using the Access Token: Cloud Hosting II

OAuth consumer: myservice.com

Access using Scoped Token:

• PaaS GE: pegasus.lab.fi-ware.org

• DCRM GE: cloud.lab.fi-ware.org

• SDC GE: saggita.lab.fi-ware.org

• Object Storage GE: 130.206.82.9

Links

FI-LAB Account:

• Source Code: https://github.com/ging/fi-ware-idm

• Documentation: https://github.com/ging/fi-ware-idm/wiki

FI-LAB OAuth Demo using node.js:

• https://github.com/ging/oauth2-example-client

FI-LAB Proxy:

• https://github.com/ging/fi-ware-pep-proxy
