About meJava developer since 2008

Works for Altoros Development

Love mountain biking and jogging

Agenda1. Authentication in monolithic applications vs microservices

2. Introduction to OAuth2.0

3. CloudFoundry User Account and Authentication (UAA) Server

4. How we use UAA in our project

5. Q&A

Base definition

● Authentication

● Authorization

● Session

● Token

A Traditional Service

With Traditional Subsystem

and traditional scalability

A microservice

Many microservices

Scaling microservices

So what’s the problem?

Securing a traditional service

So for microservice that would mean

How to solve?

● Basic authentication

● SAML

● OAuth

Lets talk about OAuth

It’s not for Authentication

…and not for Authorization

OAuth is a scalable delegation protocol

History

● OAuth started around November 2006, while Blaine Cook was working on the

Twitter OpenID implementation.

● In April 2007, a Google group was created with a small group of implementers

to write a proposal for an open protocol.

● In July 2007 the team drafted an initial specification and the group was

opened to anyone interested in contributing.

OAuth 2.0

+ Designed to simplify creation of client application

+ Token retrieval is simplified

+ Scalability is better

- Is not compatible with 1-st version

OAuth Roles

OAuth defines four roles:

● Resource Owner (User)

● Client

● Resource Server

● Authorization Server

OAuth2 workflow

OAuth2 grant type

● Authorization Code (web apps)

● Implicit (browser-based and mobile apps)

● Resource Owner Password Credentials (user / password)

● Client Credentials (application)

● Refresh Token

About UAA● User Account and Authorisation server● Secures all CF components● OAuth2 and OpenID connect● SCIM API for user management in internal user database● Integration with SAML and LDAP● OAuth2 client registration API

UAA for Cloud Native Security● In CF there is more to security then just UAA

○ Network security/ security group○ Cross container traffic / trusted workloads○ end to end TLS

● UAA is for application-level security

You want to secure your apps

Example:

You want to host your API application on Cloud Foundry

You want to secure your apps

Example

It will be accessed by a web app hosted on CF

You want to secure your apps

Example

It will be accessed through a mobile app as well

You want to secure your apps

Perfect! Use UAA

You want to secure your apps

Perfect! Use UAA

UAA

– Client for web app -> Authorization Code

– Client for mobile app -> Implicit

– API app token verification

UAA end user

● SpaceDevelopers, OrgManagers○ Platform users, no problem

● Sales guy○ Not a platform user, problem

The Principle of Least Privilege

● You (or the application, process, module, etc) should have the minimum level

of access required for performing their job

● Sales guy should not have been added to the platform UAA

Solutions

● Create your own authorization server

● Deploy your own UAA

Deploy your own UAA

● cf push cloudfoundry-identity-uaa.war

● Yaml config

● Bootstrap users

● Provision DB

● Do the above manually, or as part of a Bosh deployment

Running your own UAAPros:

● Principle of least privilege○ Systems secured by your UAA cannot affect systems secured by the platform UAA

● You can fork it

Cons:

● Overhead

● Manual upgrades

● “yak shaving” a bosh release

Solutions

● Create your own authorization server

● Deploy your own UAA

● Multitenant UAA

What is Multitenant UAA● CF v208+● The built-in UAA with subdomains● Subdomain maps to Identity Zone● Total segregation between Identity Zones● API for creating Identity Zones● Existing API stays the same

Multitenant UAA● Pros:

○ Principle of least privilege

○ API calls for creating a new tenant (aka Identity Zone)

○ Zone administrators instead of bootstrap users

● Cons: ○ Overhead

○ Manual upgrades

○ “yak shaving” a bosh release

○ You can’t fork it

How we use UAA in our project

How we use UAA in our project

Sample

One more thing...How to manage UAA:

● curl● UAAC (gem install cf-uaac)

Resourceshttps://github.com/cloudfoundry/uaa

https://docs.cloudfoundry.org/api/uaa/

https://github.com/cloudfoundry/cf-uaac

https://github.com/zeremit/uaa-samples

Q&A