FIWARE ID Management
[Page 1]
Pasquale Vitale, Engineering Ingegneria Informatica
FIWARE Identity Management
[Page 2]
Identity Management
An example
[Page 3]
Identity Management in FIWARE
(Diagram: the FIWARE Account and Identity Management, with six Generic Enabler (GE) boxes.)
[Page 4]
OAuth 2.0 for Identity Management
Examples …
[Page 5]
OAuth 2.0 for Identity Management
… and FIWARE too! With Identity Management
Login with
[Page 6]
OAuth 2.0
Messages flow
(Diagram: Web App with OAuth Library at IP e.f.g.h, IdM at IP a.b.c.d.)
1) redirect
2) access-code
3) request access-token
4) access-token
Request user info using access-token
[Page 7]
OAuth 2.0
Client libraries for your application
http://oauth.net/2/
PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python
Example using Node.js
https://github.com/ging/oauth2-example-client
[Page 8]
Preliminary steps with IdM at FIWARE Account Portal
Add an application
[Page 9]
Preliminary steps with IdM at FIWARE Account Portal
Set/create roles and permissions for application
[Page 10]
Preliminary steps with IdM at FIWARE Account Portal
Add new permissions if needed
[Page 11]
Preliminary steps with IdM at FIWARE Account Portal
Result: OAuth credentials for the application
[Page 12]
OAuth 2.0 messages flow
1) Redirect
First, we have to redirect the user to the IdM web site in order to log in and authorize access to the new application (identified by its client_id).
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2322
[Page 13]
OAuth 2.0 messages flow
1) Redirect: authorize
[Page 14]
OAuth 2.0 messages flow
2) Access code
After entering username/password to log in and clicking the “Accept” button (needed only once), the browser redirects us back to the web page of our application:
http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg
The IdM uses the callback URL specified in the registration of the application.
We get the “code” value, which will be used in order to authenticate the user.
[Page 15]
OAuth 2.0 messages flow
3) Request access token
In order to request an access token, without knowledge of the user's credentials:
curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"
Authorization is calculated as Base64(Client_ID:Client_Secret)
[Page 16]
OAuth 2.0 messages flow
4) Access token
The previous request will return the following information:
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}
[Page 17]
Securing your backend
Level 1: Authentication
Check if a user has a FIWARE account
Level 2: Basic Authorization
Check if a user has permissions to access a resource
HTTP verb + resource path
Level 3: Advanced Authorization
Custom XACML policies
[Page 18]
Level 1: Authentication
(Diagram: Web App with OAuth Library, Backend Apps, IdM.)
OAuth2 flows
4) access-token
5) Request + access-token
6) access-token
7) OK + user info (roles)
[Page 19]
Level 1: Authentication
(Diagram: Web App with OAuth Library, Proxy in front of the Backend Apps, IdM.)
OAuth2 flows
4) access-token
5) Request + access-token
6) access-token
7) OK + user info (roles)
[Page 20]
Level 1: Authentication
Request + access token (step 5)
The request from the web application to the backend and GEs would look like:
GET https://{backend-apps-url} HTTP/1.1
Host: {backend-apps-hostname}
X-Auth-Token: {access-token}
The request should include the X-Auth-Token header with the exact access token received at step 4:
3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
[Page 21]
Level 1: Authentication
Validate X-Auth-Token (step 6)
As a prerequisite, if we do not already have one, a new admin token must be issued (it expires in 24h) in order to request validation of the auth token.
curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens
KEEP IN MIND this uses fixed password credentials for the FIWARE Proxy to generate the admin token, but in the future a registry of users and passwords will be maintained.
[Page 22]
Level 1: Authentication
Validate X-Auth-Token (step 6)
The previous call will return the following message:
{
  "access": {
    "token": {
      "expires": "2015-07-09T15:16:07Z",
      "id": "5b2177e7e1e6592cb7ea168ce9c0e87f"
    },
    "user": {
      "id": "pepProxy",
      "name": "pepProxy",
      "roles_links": [],
      "username": "pepProxy"
    }
  }
}
[Page 23]
Level 1: Authentication
Validate X-Auth-Token (step 6)
Assuming that you have a valid admin token (valid for 24 hours only), we can validate the access token included in the request (step 5):
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Please note the X-Auth-Token header in this request is the admin token, while the access token being validated is part of the resource path in the URL.
This could return the following status codes if something is wrong:
404 Access_token not valid
401 X-Auth-Token not valid (unauthorized)
403 X-Auth-Token not valid (expired)
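The proxy side of steps 5 to 7 (admin token issued from /v2.0/tokens, renewed before its 24h expiry; each incoming X-Auth-Token validated against /v2.0/access-tokens/{access-token}; the 200/404/401/403 codes listed above mapped to a decision), as an added example. It is my own code, not the slides' nor the ging/fi-ware-pep-proxy project's: the IdM is injected as two synchronous functions so that it runs offline, the five-minute renewal margin is an assumption, and the fake IdM's responses are constructed to follow the JSON shapes on the slides.

```javascript
const RENEW_MARGIN_MS = 5 * 60 * 1000; // renew the admin token 5 minutes early (assumption)

// Parse the response of POST /v2.0/tokens shown above: we need access.token.id and its expiry.
function parseAdminToken(jsonText) {
  const data = JSON.parse(jsonText);
  const token = data && data.access && data.access.token;
  if (!token || typeof token.id !== "string") throw new Error("no access.token.id in admin token response");
  const expiresMs = Date.parse(token.expires);
  if (Number.isNaN(expiresMs)) throw new Error("admin token has no parseable expiry");
  return { id: token.id, expiresMs };
}

// Status code of GET /v2.0/access-tokens/{access-token} -> what the proxy does next.
function classifyValidation(status) {
  switch (status) {
    case 200: return "ok";          // access token valid, body carries the user info (roles)
    case 404: return "reject";      // access token not valid: answer the client with 401
    case 401:                       // X-Auth-Token (admin token) not valid
    case 403: return "renew-admin"; // X-Auth-Token expired: issue a new one and retry once
    default: return "error";        // anything else fails closed
  }
}

// Minimal PEP. idm.issueAdminToken() and idm.validate(adminId, accessToken) each return
// {status, body}; they are synchronous here so the example runs offline.
class Pep {
  constructor(idm, now = Date.now) {
    this.idm = idm;
    this.now = now;
    this.admin = null;
  }

  adminToken(force = false) {
    const fresh = this.admin !== null && this.admin.expiresMs - this.now() > RENEW_MARGIN_MS;
    if (fresh && !force) return this.admin.id;
    const res = this.idm.issueAdminToken();
    if (res.status !== 200) throw new Error(`admin token request failed: ${res.status}`);
    this.admin = parseAdminToken(res.body);
    return this.admin.id;
  }

  // Step 5 arrives as request headers; returns {allowed, status, user}.
  authenticate(headers) {
    const accessToken = headers["x-auth-token"];
    if (!accessToken) return { allowed: false, status: 401, user: null };
    for (let attempt = 0; attempt < 2; attempt++) {
      const res = this.idm.validate(this.adminToken(attempt > 0), accessToken);
      const outcome = classifyValidation(res.status);
      if (outcome === "ok") return { allowed: true, status: 200, user: JSON.parse(res.body) };
      if (outcome === "reject") return { allowed: false, status: 401, user: null };
      if (outcome === "error") return { allowed: false, status: 502, user: null };
      // "renew-admin": loop once more with a forced renewal
    }
    return { allowed: false, status: 502, user: null }; // admin token still rejected after renewal
  }
}

// Constructed fake IdM: the first admin token it issues is treated as expired (403),
// the renewed one is accepted; the access token from the slides is the only valid one.
function makeFakeIdm() {
  let issued = 0;
  const validAccessTokens = new Set(["3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA"]);
  return {
    issueAdminToken() {
      issued += 1;
      const body = JSON.stringify({ access: {
        token: { expires: "2015-07-09T15:16:07Z", id: `admin-token-${issued}` },
        user: { id: "pepProxy", name: "pepProxy", roles_links: [], username: "pepProxy" },
      } });
      return { status: 200, body };
    },
    validate(adminId, accessToken) {
      if (adminId === "admin-token-1") return { status: 403, body: "" };
      if (!validAccessTokens.has(accessToken)) return { status: 404, body: "" };
      return { status: 200, body: JSON.stringify({ id: "user1", roles: [{ id: 5, name: "Provider" }] }) };
    },
    issuedCount() { return issued; },
  };
}
```

The retry is bounded to one renewal so that an IdM that keeps rejecting the proxy's credentials cannot turn every client request into an unbounded token-issue loop, and every code other than 200 ends in a refusal.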
[Page 24]
Level 2: Basic Authorization
(Diagram: Web App with OAuth Library, Proxy in front of the Backend Apps, IdM, Access Control GE (AC GE).)
OAuth2 flows
access-token
Request + access-token
6) access-token + verb + path
7) OK + user info
[Page 25]
Level 2: Basic Authorization
Access token + verb + path (step 6)
In this case you should call the API with the following information:
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" -H "Content-Type:application/json" -H "x-auth-resource:path" -H "x-auth-action:verb" http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Where:
• path is the URL of the resource to be accessed, e.g. /resource1/item2
• verb is the HTTP verb associated with the request (GET, PUT, POST, DELETE)
• X-Auth-Token is the admin token (FIWARE Proxy token)
As before, the request URL includes the access token being validated.
[Page 26]
Level 2: Basic Authorization
OK + user info (step 7)
200 OK if all was fine, with the following user information:
{
  "actorId": 1,
  …
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        {
          "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
          "name": "Member"
        }
      ]
    }
  ],
  …
  "roles": [
    {
      "id": 5,
      "name": "Provider"
    }
  ]
}
Otherwise: 401 HTTP Unauthorized
Where you can see:
• the roles associated with the organization (highlighted in red on the slide)
• the roles associated with the application (highlighted in blue on the slide)
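The Level 2 check of steps 6 and 7 (admin token in X-Auth-Token, verb and path in x-auth-action / x-auth-resource, the access token in the URL path, 200 or 401 back, and the organization and application roles read out of the user info), as an added example. It is my own code, not the slides' nor the FIWARE Proxy's: the endpoint and header names come from the slide, the helper names and the path-normalisation and token-format checks are my additions, and the user-info document is constructed to follow the slide's layout.

```javascript
const IDM_AUTH_REST = "http://a.b.c.d:4731/v2.0/access-tokens/authREST/"; // endpoint from the slide

// The slide lists these four verbs; anything else is refused before it reaches the IdM.
const ALLOWED_VERBS = new Set(["GET", "PUT", "POST", "DELETE"]);

// x-auth-resource carries the resource path only: strip scheme, host and query so that
// "/resource1/item2?x=1" and "https://host/resource1/item2" both become "/resource1/item2".
function resourcePath(requestUrl) {
  const url = new URL(requestUrl, "http://placeholder.invalid"); // base is only used for relative paths
  return url.pathname;
}

// Step 6: build the authREST request. The access token is placed in the URL path, so it is
// checked against the character set of the slides' tokens before it is concatenated.
function buildAuthRestRequest(adminToken, accessToken, verb, requestUrl) {
  const action = String(verb).toUpperCase();
  if (!ALLOWED_VERBS.has(action)) throw new Error(`unsupported verb: ${verb}`);
  if (!/^[A-Za-z0-9._~-]+$/.test(accessToken)) {
    throw new Error("access token contains characters that are not allowed in the URL path");
  }
  return {
    method: "GET",
    url: IDM_AUTH_REST + accessToken,
    headers: {
      "X-Auth-Token": adminToken,
      "Content-Type": "application/json",
      "x-auth-resource": resourcePath(requestUrl),
      "x-auth-action": action,
    },
  };
}

// Step 7: 200 means permitted, 401 means not permitted; any other code is an error and
// is never treated as a permit.
function authorizationDecision(status) {
  if (status === 200) return "permit";
  if (status === 401) return "deny";
  return "error";
}

// Split the 200 body into application roles (top-level "roles") and the roles held in
// each organization ("organizations[].roles"), keyed by organization name.
function extractRoles(userInfo) {
  const appRoles = (userInfo.roles || []).map(r => r.name);
  const orgRoles = {};
  for (const org of userInfo.organizations || []) {
    orgRoles[org.name] = (org.roles || []).map(r => r.name);
  }
  return { appRoles, orgRoles };
}

// Constructed user-info document shaped like the slide's 200 response.
const SAMPLE_USER_INFO = {
  actorId: 1,
  organizations: [
    { id: 1, name: "prueba", roles: [{ id: "8db87ccbca3b4d1ba4814c3bb0d63aab", name: "Member" }] },
  ],
  roles: [{ id: 5, name: "Provider" }],
};
```

A proxy that applies this check should derive the verb and path from the request it actually forwards, not from headers supplied by the client, otherwise the authorization decision and the forwarded request can disagree.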
[Page 27]
Level 3: Advanced Authorization
(Diagram: Web App with OAuth Library, Proxy extension in front of the Backend Apps, IdM, Access Control GE (AC GE).)
OAuth2 flows
access-token
Request + access-token
XACML policy
OK + user info
[Pages 28-32]
Policies creation in IdM
1) Edit application properties
2) Create new role
3) Add a new permission
4) Change to advanced mode
5) Fill in the rule field
[Pages 33-34]
Policies creation in IdM
Sample XACML rule content
Permissions in XACML format may include one or more resources and one or more actions, e.g.:
<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    …
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>
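The rule above, generated for one or more paths and one or more verbs and then evaluated the way a XACML Target is evaluated (a request matches when any listed Resource matches and any listed Action matches, with string-equal on resource-id and action-id), as an added example. It is my own code, not the slides' nor the FIWARE Access Control GE's: the element layout, MatchId, AttributeId and DataType URIs are the ones in the sample rule, while the RuleId, description, the constructed permission and the deny-unless-permit combination in evaluatePolicy are assumptions.

```javascript
const XS_STRING = "http://www.w3.org/2001/XMLSchema#string";
const STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal";
const RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
const ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";

// Escape text placed inside XML attribute values or element content, so a path such as
// "/a&b" cannot break out of the AttributeValue element.
function xmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&apos;");
}

// One <Resource> with a string-equal match on resource-id, as in the sample rule.
function resourceMatch(path) {
  return `<Resource><ResourceMatch MatchId="${STRING_EQUAL}">` +
    `<AttributeValue DataType="${XS_STRING}">${xmlEscape(path)}</AttributeValue>` +
    `<ResourceAttributeDesignator AttributeId="${RESOURCE_ID}" DataType="${XS_STRING}" />` +
    `</ResourceMatch></Resource>`;
}

// One <Action> with a string-equal match on action-id, as in the sample rule.
function actionMatch(verb) {
  return `<Action><ActionMatch MatchId="${STRING_EQUAL}">` +
    `<AttributeValue DataType="${XS_STRING}">${xmlEscape(verb)}</AttributeValue>` +
    `<ActionAttributeDesignator AttributeId="${ACTION_ID}" DataType="${XS_STRING}" />` +
    `</ActionMatch></Action>`;
}

// A permission is {ruleId, description, paths: [...], verbs: [...]}; it becomes one Rule
// whose Target lists every path under <Resources> and every verb under <Actions>.
function buildRule(perm) {
  if (!perm.paths.length || !perm.verbs.length) {
    throw new Error("a permission needs at least one path and one verb");
  }
  return `<Rule RuleId="${xmlEscape(perm.ruleId)}" Effect="Permit">` +
    `<Description>${xmlEscape(perm.description)}</Description><Target>` +
    `<Resources>${perm.paths.map(resourceMatch).join("")}</Resources>` +
    `<Actions>${perm.verbs.map(actionMatch).join("")}</Actions>` +
    `</Target></Rule>`;
}

// Evaluate the same permission against a request {path, verb}: "Permit" when the Target
// matches (any Resource AND any Action), "NotApplicable" otherwise. The rule has no
// Condition, so the Target alone decides.
function evaluateRule(perm, request) {
  const resourceHit = perm.paths.some(p => p === request.path);
  const actionHit = perm.verbs.some(v => v === request.verb);
  return resourceHit && actionHit ? "Permit" : "NotApplicable";
}

// Combine several permissions deny-unless-permit (assumption: what a PEP wants by default).
function evaluatePolicy(perms, request) {
  return perms.some(p => evaluateRule(p, request) === "Permit") ? "Permit" : "Deny";
}

// Constructed permission standing in for the [PATH] / [VERB] placeholders on the slide.
const MANAGE_ITEMS = {
  ruleId: "PR:Manage",
  description: "Rule: Permission example",
  paths: ["/resource1/item2", "/resource1/item3"],
  verbs: ["GET", "PUT"],
};
```

Because string-equal is an exact comparison, "/resource1/item2/" or "/resource1/item2?x=1" will not match "/resource1/item2"; the proxy has to normalise the path before it asks for a decision, or the rule has to list every accepted spelling.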
[Page 35]
Documentation
FIWARE IdM:
  Source Code: https://github.com/ging/fi-ware-idm
  Documentation: https://github.com/ging/fi-ware-idm/wiki
FIWARE Access Control:
  http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
FIWARE OAuth2 Demo:
  https://github.com/ging/oauth2-example-client
FIWARE Proxy:
  https://github.com/ging/fi-ware-pep-proxy
[Page 36]
Thanks!