Ignite Talk: I AM a robot, how do I log in?
Download as PPTX, PDF1 like271 views
This document discusses how robots can log in and be authenticated using JSON Web Tokens (JWTs) and OAuth2. It explains that robots can be issued JWT bearer tokens containing identifying information to authenticate with a User Account and Authentication (UAA) server and be granted access tokens, similar to how single sign-on works for human users. Sensitive robot data and hardware would be protected during this process.
Ignite Talk: I AM a robot, how do I log in?
- 2. Jayson Delancey I am a robot, how do I login
- 5. UAA User Account and Authentication Server
- 6. SSO OAuth2
- 9. • Headless • Exposed • Accessible • Sensitive data • Sensitive Hardware
- 10. draft-ietf-oauth-jwt-bearer This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication.
- 12. Header { "alg":"RS256" } Payload { "iss": <clientID> "sub": <device ID> "aud": <uaa> "exp": <expiration time of this token> "tenant_id": <tenant_id> } Signature SHA256withRSA( <base64(Header)>.<base64(Payload)>, <private key> )
- 13. • Certificate-Signing Request • Certificate Authority • Signature
- 14. • Device name • Device serial no. • Shared secret
- 15. Hardware Security Module (HSM)
- 16. • MAC address • Device UUID • Tenant ID
- 18. Bearer Token Access Token
- 19. 401 Unauthorized
- 20. UAA + JWT
- 21. Sense, Plan, Act
- 22. Robots are users too. https://github.com/GESoftware-CF/uaa jwt_grant_3.4.0 branch
Editor's Notes
- #4: If you’ve used reCAPTCHA you’ve had to check “I’m not a robot”, but what if you were a robot or other industrial machine how would you log in?
- #5: Authentication is the effort of proving you are who you say you are. For most users this works by providing an email address and a password. It is a combination that only you should know. For robots however, this isn’t as straightforward.
- #6: Multi-tenant identity management that is part of the Cloud Foundry multi-cloud platform
- #7: Stop the flow of unwanted users but more importantly for oauth2, issues tokens for client applications to act on behalf of users, and authenticate using credentials, etc.
- #8: Private Key Infrastructure -- Private key is kept secret, public key is shared with everybody
- #9: That’s all well and good for human users, but a different story for devices Devices have data recovery which makes it hard to guess or hard to recover
- #10: Additionally, trouble in industrial cases is that devices are headless, exposed, accessible, control sensitive data and hardware
- #11: Implementation and Architecture Details OAuth2 JWT Bearer Tokens - This specification proposes a way to pass the certificate and identity by constructing a JWT token. It will carry the client information.
- #12: Authorization header bearer
- #13: It’s hard to be hardware, so what’s a good robot to do. Alg = algorithm for digital signature Iss = client issuer Subject = device key Aud = audience, in our case uaa expiration
- #14: Certificate-based Enrollment also important as providing a signature or proof of trust by an authority
- #15: Step 1: Adding devices… Embedded software tied to a cloud environment can use device name, serial number, and a shared secret key that is cryptographically random and of sufficient strength
- #16: Device requirements for managing digital keys, strong authentication, cryptoprocessing, and contacting CA
- #17: CSR; tenantID; device UUID; MAC address
- #20: A number of things can go wrong resulting in Unauthorized access
- #21: UAA and JWT can work together to help robots; of course, robots are stand-ins for devices
- #22: Definition of robot I like is a goal oriented machine that can sense, plan, and act
- #23: Thanks: Dario, Jiaqi, Sanjeev, Calvin, Sam, Owen