Upload File

pre-con ed: workshop on policy creation, management and support for oauth and oidc

  • Home
  • Technology
  • Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC
23
World ® ’1 6 Workshop on Policy Creation and Management Ola Mogstad Director, Software Engineering CA Technologies DO3X51E DEVOPS

Upload: ca-technologies

Post on 15-Apr-2017

132 views

Category:

Technology


1 download

Report

TRANSCRIPT

Page 1: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

World®’16

WorkshoponPolicyCreationandManagementOlaMogstadDirector,SoftwareEngineeringCATechnologies

DO3X51E

DEVOPS

Page 2: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation

Page 3: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

3 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Abstract

ThisworkshopwilldiveintosomeofthemanycapabilitiesoftheCAAPIGatewayandintroducetheaudiencetotheGateway’sownconfigurationpolicylanguage.

Thespeakerswillwalkyouthroughsomefundamentaltopicssuchasthebasicsofpolicy,policycreation,andpolicymanagement– butwillalsotransitionintomoreadvancedusecasessuchasleveragingexternalAPIsandexistingauthorizationstandardslikeOAuth andOpenIDConnect.

OlaMogstad

Director,SoftwareEngineeringCATechnologies

Page 4: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

4 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Sascha PreibischPrincipalSoftwareArchitect

DeveloperProductsVancouver,BC@nascarlogin

OlaMogstadDirector,SoftwareEngineering

DeveloperProductsVancouver,BC@OlaMogstad

AboutUs

Page 5: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

5 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

RecommendedSessions

SESSION# TITLE DATE/TIME

DO3X50ECAMobileAPIGateway(MAG):HowtoProvideYourMobileUserWithaConvenient,YetSecure,OnboardingExperienceThroughOAuth andSAML

11/14/2016at4:00pm

DO3X40ECAAPIDeveloperPortal:PolicyWritingforthePortalusingthenewContextVariablesandAPIKeyCustomFields

11/15/2016at9:00am

Page 6: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

6 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Agenda

WHATISTHECAAPIGATEWAY?

INTRODUCTIONTOPOLICY

CREATINGANDMANAGINGPOLICY

SOMESIMPLEEXAMPLES

INTEGRATINGAPISWITHOAUTH

1

2

3

4

5

BONUSMATERIAL6

Page 7: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

7 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

TheCAAPIGateway

CorporateNetwork

Servers

Data

Identities

Page 8: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

8 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

TheCAAPIGateway

CorporateNetwork

Servers

Data

Identities

APIGateway

DMZ

Page 9: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

9 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

TheCAAPIGateway

CorporateNetwork

Servers

Data

Identities

APIGateway

DMZ

Message TransformationThreatProtection

PolicyEnforcement

ServiceOrchestration

Encryption&Decryption

Page 10: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

10 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

TheCAAPIGateway

Page 11: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

11 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

TheCAAPIGateway

Page 12: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

12 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

WhatisPolicy?

§ TheGatewayishighlyconfigurable

§ Policy“tellsitwhattodo”

§ Assertionsarecodemodulesthatdospecificthings

§ Request->Response

Page 13: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

13 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

PolicyisactuallyXML

Page 14: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

14 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Assertionsarethebuildingblocksofpolicies

§ Everythinginapolicyisanassertion

§ Someincludedoutofthebox

§ CustomassertionSDK

§ Powerfulassertionscanbeverysimple

Page 15: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

15 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Policiescangetprettysophisticated

§ Conditionallogicthatmimicif/elsebehavior

§ Reusablesnippetscalledfragments

§ Policy-backedassertionscalledencapsulatedassertions

Page 16: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

16 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Whathappenshere?

Page 17: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

17 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Performanceiscritical

§ Withpowercomesresponsibility

§ A“perrequest”mindset

§ Doingversuswaiting– Policyexecution– Networklatency– Backendlatency

§ Caching

Page 18: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

18 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Policylife-cyclebecomesimportant

§ “Treatpolicylikecode”

§ Migrationandenvironment-specificconfiguration– ToolinglikeRESTMANandGMU/CMT

§ Engineeringbestpractices– Modularity,separationofconcerns– Comments

§ RBACandSecurityZones

Page 19: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

19 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

OAuthandOIDC

§ Authorization

§ “Canyoudothis?”

§ Delegatelimitedaccesstothirdparties

§ Usesredirection

§ Pre-definedproviders

§ Authentication

§ “Whoareyou?”

§ Leveragingexistinguseraccountswiththirdparties

§ Usesredirection

§ Autodiscovery

OAuth2.0 OpenIDConnect

Page 20: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

20 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CAAPIGatewayOAuthToolkit

§ GatewayextensiontosupportOAuth1.0,OAuth2.0,andOIDC

§ Implementedlargelyinpolicy

§ Highlycustomizableandmodular

Page 21: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

21 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Questions?

Page 22: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

22 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Stayconnectedatcommunities.ca.com

Thankyou.

Page 23: Pre-Con Ed: Workshop on Policy Creation, Management and Support for OAuth and OIDC

@CAWORLD#CAWORLD ©2016CA.AllRIGHTSRESERVED.23 @CAWORLD#CAWORLD

DevOps– APIManagementandApplicationDevelopment

FormoreinformationonDevOps– APIManagementandApplicationDevelopment,pleasevisit:http://cainc.to/DL8ozQ


Painless OAuth

The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

Financial-grade API (FAPI) and CIBA · 2019-09-19 · OAuth 2.0 API authorization OpenID Connect (OIDC) verifiable user identity Financial-grade API (FAPI) higher security The Financial-grade

Implementing OAuth

Oauth Tutorial

Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

Identity and Access Management with the INDIGO IAM service · Token-based AuthN/AuthZ with OAuth/OIDC In order to acces resources, a client needs an access token The token is obtained

Entendiendo oAuth

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

Oidc fed in [email protected]

Oracle Access Management OAuth Service€¦ · OAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0

Twitter oauth

UNICORE in the - COnnecting REpositories · UNICORE in the Human Brain Project Bernd Schuller ([email protected]) ... pass OIDC token OIDC server 1. authenticate returns OIDC

cover Front cover · V11.0 cover Front cover Course Exercises Guide AAA, OAuth, and OIDC in IBM DataPower V7.5 Course code WE753 / ZE753 ERC 1.0

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

OAuth Tokens

oAuth test

Twitter4R OAuth

Delivery instructions OIDC - EN

160212 Globus Auth XSEDE Science Gateways · 2016-02-12 · • OAuth 2.0 Authorization Framework – aka OAuth2 • OpenID Connect Core 1.0 – aka OIDC • Allows use of standard

The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

OAuth based AuthN/ AuthZ in DIRAC€¦ · OAuth/OIDC/SSO 7 } OAuth 2.0 is the industry-standard delegation protocol for conveying authorization decisions across a network of web-enabled

mozilla-django-oidc Documentation

H. Tschofenig OAuth 2.0 Security: OAuth Open Redirector · OAuth 2.0 Security: OAuth Open Redirector draft-bradley-oauth-open-redirector-02.txt Abstract This document gives additional

WordPress + OAuth

OIDC Design Patterns Presentation

Everything OAuth

Demystifying OAuth

CIS14: Developing with OAuth and OIDC Connect

Configuration of SAML 1.1 Between OIPA and OIDC

OAuth Passport

Incorporating OAuth: How to integrate OAuth into your mobile app

OAUTH 2 UND OPENID CONNECT SECURING MICROSERVICES … · OAUTH 2.0 101 RFC 6749: The OAuth 2.0 A uthorization Frame work RFC 6750: OAuth 2.0 Bearer Token Usage RFC 6819: OAuth 2.0

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012