IdM and AC

Detailed flow description about the use of the IdM and AC in the FIWARE Lab.

Page 1: IdM and AC

Adding Identity Management and Access Control to your Application
Fernando López, Pablo Rodríguez // Álvaro Alonso
TID // UPM – DIT
Security Chapter.
[email protected], @[email protected]@dit.upm.es, @larsonalonso

Page 2: IdM and AC

Identity Management: An example

Page 3: IdM and AC

Identity Management: FIWARE

Account

Page 4: IdM and AC

OAuth 2.0 for Identity Management: Examples…

Page 5: IdM and AC

OAuth 2.0 for Identity Management: … and FIWARE too!

Login with IdM

Page 6: IdM and AC

OAuth 2.0: Messages flow (diagram)

Web App (IP: e.f.g.h, using an OAuth Library) and IdM (IP: a.b.c.d):
1) redirect (Web App sends the browser to the IdM)
2) access-code (IdM redirects the browser back with the code)
3) request access-token (Web App to IdM)
4) access-token (IdM to Web App)
Request user info using the access-token

Page 7: IdM and AC

OAuth 2.0: Client libraries for your application

• http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python

• Example using Node.js – https://github.com/ging/oauth2-example-client

Page 8: IdM and AC

Preliminary steps with IdM at FIWARE Account Portal: Add an application

Page 9: IdM and AC

Preliminary steps with IdM at FIWARE Account Portal: Set/create roles and permissions for the application

Page 10: IdM and AC

Preliminary steps with IdM at FIWARE Account Portal: Add new permissions if needed

Page 11: IdM and AC

Preliminary steps with IdM at FIWARE Account Portal: Result: OAuth credentials for the application

Page 12: IdM and AC

OAuth 2.0 messages flow: 1) Redirect

First, we have to redirect the user to the IdM web site so that they can log in and authorize access for the new application (identified by its client_id):

https://a.b.c.d/oauth2/authorize?response_type=code&client_id=9

The slide shows the minimal form. In a real deployment the request should also carry the registered redirect_uri and a random state value that the application stores in the user's session and checks when the callback comes back; without it, an attacker can make a victim's browser complete the flow with a code the attacker obtained.

Page 13: IdM and AC

OAuth 2.0 messages flow: 1) Redirect

Page 14: IdM and AC

OAuth 2.0 messages flow: 2) Access code

After entering user/password to log in and clicking the "Accept" button (needed only once), the browser redirects us back to the web page of our application:

http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg

The IdM uses the callback URL specified when the application was registered (the Cloud Portal, in this example).

We get the "code" value, which will be exchanged for an access token in the next step. The code on its own does not identify the user and cannot be used against the backend; it only lets the application that holds the matching client secret obtain the token.

Page 15: IdM and AC

OAuth 2.0 messages flow: 3) Request access token

In order to request an access token without knowing the user's credentials, the application exchanges the code at the token endpoint (this call carries the client secret, so it must be made from the application's server side, never from the browser):

curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"

Where:
• Authorization is calculated as Base64(Client_ID:Client_Secret) from the application credentials (see slide 11). Base64 is encoding, not encryption: the client_id and secret are readable by anyone who sees this header, which is why the request must go over TLS.
• code is the access code obtained in the former step.
• redirect_uri is the callback URL the access code was sent to (see previous slide); the IdM must use the same value as in step 1.

Note that --insecure turns off TLS certificate verification. It is only acceptable against a test instance whose certificate cannot be verified; in production it must be dropped, since the client secret and the resulting tokens travel in this request.

Page 16: IdM and AC

OAuth 2.0 messages flow: 4) Access token

The previous request will return the following information:

HTTP/1.1 200 OK
Content-Type: application/json

{ "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA", "expires_in": 2591999, "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg", "token_type": "bearer"}

expires_in is given in seconds (here roughly 30 days); once it elapses the refresh_token is used to obtain a new access token without sending the user through the login again. Both tokens are bearer credentials: whoever holds them is the user, so they must be stored server-side and never exposed to the browser or to logs.
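The four messages of slides 12 to 16 as a small client module, added here as an example; it is not code from the slides or from the ging/oauth2-example-client project. Assumed are the placeholder hosts a.b.c.d and e.f.g.h from the slides and made-up client_id/secret values. It goes beyond the slide's authorize URL by adding the state parameter and checking it on the callback, and it shows that the Basic header of slide 15 can be decoded back into the credentials:

```python
"""OAuth 2.0 authorization-code client helpers for the flow in slides 12-16.

Added example (not the slides' or the FIWARE IdM project's code). Assumed:
the IdM at the placeholder host a.b.c.d and the app callback at e.f.g.h
from the slides; client_id/secret values used in tests are made up.
"""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

IDM_BASE = "https://a.b.c.d"          # placeholder IdM host from the slides
REDIRECT_URI = "http://e.f.g.h/login"  # callback registered for the app (slide 14)


def build_authorize_url(client_id, redirect_uri=REDIRECT_URI, state=None):
    """Step 1: URL the browser is redirected to.

    Adds `state` (an addition over the slide's URL): the value must be kept
    in the user's session and compared when the callback arrives, otherwise
    an attacker can make the victim's browser finish the flow with a code
    the attacker obtained for their own account.
    """
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return IDM_BASE + "/oauth2/authorize?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Step 2: extract `code` from the redirect back to the app, checking state."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError("authorization denied: %s" % qs["error"][0])
    got_state = qs.get("state", [""])[0]
    if not hmac.compare_digest(got_state, expected_state):
        raise PermissionError("state mismatch: possible CSRF / code injection")
    return qs["code"][0]


def basic_auth_header(client_id, client_secret):
    """`Authorization: Basic Base64(client_id:client_secret)` as on slide 15."""
    raw = ("%s:%s" % (client_id, client_secret)).encode()
    return "Basic " + base64.b64encode(raw).decode()


def split_basic_header(header):
    """Inverse of basic_auth_header: Basic auth is encoding, not secrecy,
    so the token request must travel over TLS."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    return client_id, secret


def token_request(client_id, client_secret, code, redirect_uri=REDIRECT_URI):
    """Step 3: the request the app's server side sends to /oauth2/token.

    Returns (url, headers, body) so it can be fed to any HTTP client; the
    body is form-encoded (urlencode also escapes the redirect_uri).
    """
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
    })
    return IDM_BASE + "/oauth2/token", headers, body


def parse_token_response(status, payload, now=None):
    """Step 4: turn the JSON body of slide 16 into a token record.

    expires_in (seconds) becomes an absolute expiry so the app knows when
    to use refresh_token instead of the access token.
    """
    if status != 200:
        raise PermissionError("token endpoint returned HTTP %d" % status)
    if payload.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % payload.get("token_type"))
    now = time.time() if now is None else now
    return {
        "access_token": payload["access_token"],
        "refresh_token": payload.get("refresh_token"),
        "expires_at": now + int(payload["expires_in"]),
    }
```

The module does no I/O itself: build_authorize_url and token_request produce what the OAuth library would send, and parse_callback and parse_token_response consume what comes back, so the same code can be exercised offline and then wired to any HTTP client.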

Page 17: IdM and AC

Securing your backend

• Level 1: Authentication – Check if a user has a FIWARE account

• Level 2: Basic Authorization – Check if a user has permissions to access a resource (HTTP verb + resource path)

• Level 3: Advanced Authorization – Custom XACML policies

Page 18: IdM and AC

Level 1: Authentication (diagram)

Web App (OAuth Library) and IdM: OAuth2 flows
4) access-token (IdM to Web App)
5) Request + access-token (Web App to Backend Apps)
6) access-token (Backend Apps to IdM)
7) OK + user info (roles) (IdM to Backend Apps)

Page 19: IdM and AC

Level 1: Authentication, with a Proxy in front of the Backend Apps (diagram)

Web App (OAuth Library) and IdM: OAuth2 flows
4) access-token (IdM to Web App)
5) Request + access-token (Web App to Proxy, which forwards to the Backend Apps)
6) access-token (Proxy to IdM)
7) OK + user info (roles) (IdM to Proxy)

Page 20: IdM and AC

Level 1: Authentication: Request + access token (step 5)

• The request from the web application to the backend and GEs would look like:

GET https://{backend-apps-url} HTTP/1.1
Host: {backend-apps-hostname}
X-Auth-Token: {access-token}

The request should include the X-Auth-Token header with the exact access token received at the previous step 4 (see slide 16):

3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Page 21: IdM and AC

Level 1: Authentication: Validate X-Auth-Token (step 6)

As a prerequisite, if we do not already have one, an admin token must be issued (it expires after 24 h) in order to request validation of the user's auth token:

curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens

KEEP IN MIND this uses fixed password credentials for the FIWARE Proxy to generate the admin token, but in the future a registry of users and passwords will be maintained. The admin token lets its holder validate any user's access token, so it belongs on the proxy only and must never be returned to clients; note also that in this lab setup the request, including the proxy password, goes over plain HTTP to port 4730.

Page 22: IdM and AC

Level 1: Authentication: Validate X-Auth-Token (step 6)

The previous call returns the following message, where "id" is the admin token to send as X-Auth-Token in the validation request and "expires" is 24 h after issuance:

{ "access": { "token": { "expires": "2015-07-09T15:16:07Z", "id": "5b2177e7e1e6592cb7ea168ce9c0e87f" }, "user": { "id": "pepProxy", "name": "pepProxy", "roles_links": [], "username": "pepProxy" } }}

Page 23: IdM and AC

Level 1: Authentication: Validate X-Auth-Token (step 6)

Assuming that you have a valid admin token (see slides 21 & 22 and remember it is valid for 24 hours only), we can validate the access token included in the request (step 5):

curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Please note that the X-Auth-Token header in this request is the admin token, while the access token being validated is part of the resource path in the URL. Because the access token is in the path, make sure the proxy and the IdM do not write request URLs to access logs, or the users' bearer tokens end up on disk.

This could return the following status codes if something is wrong:
• 404: access_token not valid
• 401: X-Auth-Token not valid (unauthorized)
• 403: X-Auth-Token not valid (expired)

Only a 200 means the user is authenticated; the proxy must treat every other answer as a denial, and renew its admin token before retrying when it gets 401 or 403.

Page 24: IdM and AC

Level 1: Authentication: Validate X-Auth-Token (step 6)

If there is no error, it returns:

{ "actorId": 1, "displayName": "prueba", "email": "[email protected]", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member"…

Page 25: IdM and AC

… } ] } ], "roles": [ { "id": 5, "name": "Provider" } ]}

Level 1: Authentication: Validate X-Auth-Token (step 6)

Here you can see the roles associated to the organization (the "roles" list inside each entry of "organizations", shown in red on the slide) and the roles associated to the application (the top-level "roles" list, shown in blue on the slide). The backend should base its authorization decisions on these role names, not on the user's display name or e-mail.

Page 26: IdM and AC

Level 2: Basic Authorization (diagram)

Web App (OAuth Library) and IdM: OAuth2 flows
access-token (IdM to Web App)
Request + access-token (Web App to Proxy, which forwards to the Backend Apps)
6) access-token + verb + path (Proxy to IdM / AC GE)
7) OK + user info (IdM to Proxy)

Page 27: IdM and AC

Level 2: Basic Authorization: Access token + verb + path (step 6)

In this case you should call the API with the following information:

curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" -H "Content-Type:application/json" -H "x-auth-resource:path" -H "x-auth-action:verb" http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Where:
• path is the URL path of the resource to be accessed, e.g. /resource1/item2
• verb is the HTTP verb of the request (GET, PUT, POST, DELETE)
• X-Auth-Token is the admin token from slides 21 & 22 (FIWARE Proxy token)
• As before, the request URL includes the access token being validated

The proxy must take verb and path from the request it actually received, not from anything the client supplies in headers, otherwise a client could get a decision for a harmless GET and replay it against a DELETE.

Page 28: IdM and AC

Level 2: Basic Authorization: OK + user info (step 7)

It returns:

• 401 Unauthorized if the access token is valid but the user is not allowed to perform the verb on the path.

• 200 OK if all was OK, with the following user information:

{ "actorId": 1, "displayName": "prueba", "email": "[email protected]", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member"…

Page 29: IdM and AC

… } ] } ], "roles": [ { "id": 5, "name": "Provider" } ]}

Level 2: Basic Authorization: OK + user info (step 7)

As in Level 1, the roles associated to the organization are the "roles" inside each "organizations" entry (red on the slide) and the roles associated to the application are the top-level "roles" (blue on the slide).
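What the proxy does with slides 20 to 29, written out as an added example in Python; this is not the fi-ware-pep-proxy code. Assumed are the placeholder host a.b.c.d, the ports 4730 (admin token) and 4731 (validation) and the fixed pepProxy credentials from the slides. HTTP goes through an injected callable so the decision logic, including admin-token renewal on 401/403 and the split between organization and application roles, can be run offline against constructed responses:

```python
"""Validation of the user's access token as a PEP would do it (Levels 1 and 2).

Added example, not the fi-ware-pep-proxy code. Assumed: the IdM endpoints
from slides 21-27 on the placeholder host a.b.c.d (port 4730 for the admin
token, 4731 for validation) and the fixed pepProxy credentials of slide 21.
`http(method, url, headers, body)` must return (status, decoded_json_or_None).
"""
import json
from datetime import datetime, timezone

IDM_HOST = "http://a.b.c.d"  # placeholder from the slides
PEP_USER = "pepProxy"        # fixed proxy credentials shown on slide 21
PEP_PASSWORD = "pepProxy"


class PepValidator:
    def __init__(self, http):
        self.http = http
        self.admin_token = None
        self.admin_expires = None

    def issue_admin_token(self):
        """Slides 21-22: obtain the proxy's own 24h token. It stays server-side."""
        body = json.dumps({"auth": {"passwordCredentials": {
            "username": PEP_USER, "password": PEP_PASSWORD}}})
        status, doc = self.http("POST", IDM_HOST + ":4730/v2.0/tokens",
                                {"Content-Type": "application/json"}, body)
        if status != 200:
            raise RuntimeError("admin token request failed: HTTP %d" % status)
        token = doc["access"]["token"]
        self.admin_token = token["id"]
        self.admin_expires = datetime.strptime(
            token["expires"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    def validate(self, access_token, verb=None, path=None, now=None, _renewed=False):
        """Level 1 when verb/path are omitted, Level 2 when both are given.

        Returns (allowed, user_info). Status handling follows slides 23 and 28:
        404 -> the user's access token is unknown; 401/403 -> treat as the
        proxy's admin token being bad or expired, renew it once and retry;
        a 401 that survives the retry at Level 2 means the user is
        authenticated but not allowed to do `verb` on `path`.
        """
        now = now or datetime.now(timezone.utc)
        if self.admin_token is None or now >= self.admin_expires:
            self.issue_admin_token()
        headers = {"X-Auth-Token": self.admin_token}  # admin token, NOT the user's
        url = IDM_HOST + ":4731/v2.0/access-tokens/"
        if verb is None:
            url += access_token
        else:
            headers["Content-Type"] = "application/json"
            headers["x-auth-resource"] = path
            headers["x-auth-action"] = verb
            url += "authREST/" + access_token
        status, doc = self.http("GET", url, headers, None)
        if status == 200:
            return True, doc
        if status == 404:
            return False, None
        if status in (401, 403) and not _renewed:
            self.admin_token = None
            return self.validate(access_token, verb, path, now, _renewed=True)
        if status == 401 and verb is not None:
            return False, None
        raise RuntimeError("IdM validation failed: HTTP %d" % status)


def extract_roles(user_info):
    """Split the slide 24/25 payload into application roles (top-level "roles")
    and per-organization roles ("organizations[].roles")."""
    app_roles = sorted(r["name"] for r in user_info.get("roles", []))
    org_roles = {org["name"]: sorted(r["name"] for r in org.get("roles", []))
                 for org in user_info.get("organizations", [])}
    return app_roles, org_roles


def handle_request(pep, method, path, headers, now=None):
    """Step 5 as seen by the proxy: take X-Auth-Token from the incoming request
    and validate it for the verb and path the request really carries."""
    token = headers.get("X-Auth-Token")
    if not token:
        return 401, "missing X-Auth-Token"
    allowed, info = pep.validate(token, verb=method, path=path, now=now)
    if not allowed:
        return 401, "access token invalid or not authorized for %s %s" % (method, path)
    return 200, extract_roles(info)
```

The verb and path passed to validate come from the request line the proxy parsed, never from client-controlled headers; and because a Level 2 denial and an expired admin token both surface as 401, the proxy renews its own token once before concluding that the user is the one being refused.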

Page 30: IdM and AC

Level 3: Advanced Authorization (diagram)

Web App (OAuth Library) and IdM: OAuth2 flows
access-token (IdM to Web App)
Request + access-token (Web App to Proxy extension, which forwards to the Backend Apps)
access-token + verb + path (Proxy extension to AC GE, which evaluates the XACML policy)
OK + user info (back to the Proxy extension)

Page 31: IdM and AC

Policies creation in IdM: 1) Edit application properties

Page 32: IdM and AC

Policies creation in IdM: 2) Create a new role

Page 33: IdM and AC

Policies creation in IdM: 3) Add a new permission

Page 34: IdM and AC

Policies creation in IdM: 4) Change to advanced mode

Page 35: IdM and AC

Policies creation in IdM: 5) Fill in the rule field

Page 36: IdM and AC

Policies creation in IdM: Sample XACML rule content

Permissions in XACML format may include one or more resources and one or more actions. [PATH] and [VERB] below are placeholders for the resource path and the HTTP verb; the rule permits a request only when both the resource and the action targets match, e.g.:

<Rule RuleId="PR:Manage" Effect="Permit">

<Description>Rule: Permission example</Description>

<Target>

<Resources>

<Resource>

<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>

<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />

</ResourceMatch>

</Resource>

</Resources>


Page 37: IdM and AC

<Actions>

<Action>

<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>

<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />

</ActionMatch>

</Action>

</Actions>

</Target>

</Rule>

Policies creation in IdM: Sample XACML rule content (continued)
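To make the rule of slides 36 and 37 concrete, the following added example builds permissions in the same element layout for several paths and verbs and evaluates a request against one; it is not code from the FIWARE Access Control GE, and the evaluator is a minimal single-rule decision function assumed here, not the GE's policy engine. The layout mirrors the slides (no XACML namespace, one string-equal match per Resource or Action element):

```python
"""Build and evaluate permission rules in the XACML layout of slides 36-37.

Added example, not code from the FIWARE Access Control GE. The builder emits
the same element layout as the slides (no XACML namespace, one string-equal
match per <Resource>/<Action>); the evaluator is a minimal decision function
for a single rule and is an assumption of this example, not the GE's PDP.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def _match(match_tag, designator_tag, attr_id, value):
    # escape() keeps a path such as /items?id=<x> from breaking the XML or
    # smuggling extra elements into the policy.
    return ('<%s MatchId="%s"><AttributeValue DataType="%s">%s</AttributeValue>'
            '<%s AttributeId="%s" DataType="%s" /></%s>'
            % (match_tag, STRING_EQUAL, XS_STRING, escape(value),
               designator_tag, attr_id, XS_STRING, match_tag))


def build_rule(rule_id, paths, verbs, description="Rule: Permission example",
               effect="Permit"):
    """One <Rule> with N <Resource> and M <Action> entries (the slides show N=M=1)."""
    resources = "".join("<Resource>%s</Resource>" % _match(
        "ResourceMatch", "ResourceAttributeDesignator", RESOURCE_ID, p) for p in paths)
    actions = "".join("<Action>%s</Action>" % _match(
        "ActionMatch", "ActionAttributeDesignator", ACTION_ID, v) for v in verbs)
    quote = {'"': "&quot;"}
    return ('<Rule RuleId="%s" Effect="%s"><Description>%s</Description>'
            '<Target><Resources>%s</Resources><Actions>%s</Actions></Target></Rule>'
            % (escape(rule_id, quote), escape(effect, quote), escape(description),
               resources, actions))


def _any_item_matches(root, item_tag, match_tag, designator_tag, attr_id, value):
    """XACML target semantics: matches inside one <Resource> (or <Action>) are
    ANDed, sibling <Resource> (or <Action>) elements are ORed."""
    for item in root.iter(item_tag):
        matches = item.findall(match_tag)
        if matches and all(
            m.get("MatchId") == STRING_EQUAL
            and m.find(designator_tag) is not None
            and m.find(designator_tag).get("AttributeId") == attr_id
            and (m.findtext("AttributeValue") or "") == value
            for m in matches
        ):
            return True
    return False


def rule_permits(rule_xml, path, verb):
    """Deny-by-default check of one request (verb on path) against one rule:
    True only when Effect="Permit" and both resource and action targets match.
    A match function or attribute id this evaluator does not know never matches."""
    root = ET.fromstring(rule_xml)
    if root.tag != "Rule" or root.get("Effect") != "Permit":
        return False
    return (_any_item_matches(root, "Resource", "ResourceMatch",
                              "ResourceAttributeDesignator", RESOURCE_ID, path)
            and _any_item_matches(root, "Action", "ActionMatch",
                                  "ActionAttributeDesignator", ACTION_ID, verb))
```

Because the match function is string-equal, a rule for /resource1/item2 does not cover /resource1/item2/ or /resource1/item2?x=1; the proxy must normalize the path it sends (step 6 of Level 2) to exactly the form used in the permissions, or every such variant is denied, which is the safe direction but surprises users.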

Page 38: IdM and AC

Documentation

• FIWARE IdM:
– Source Code: https://github.com/ging/fi-ware-idm
– Documentation: https://github.com/ging/fi-ware-idm/wiki

• FIWARE Access Control:
– http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation

• FIWARE OAuth2 Demo:
– https://github.com/ging/oauth2-example-client

• FIWARE Proxy:
– https://github.com/ging/fi-ware-pep-proxy

Page 39: IdM and AC

[email protected] 


Page 40: IdM and AC

http://fiware.org
http://lab.fiware.org

Follow @Fiware on Twitter !

Join us!