Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
13 likes5,123 views
The document discusses different authentication methods for serverless applications on AWS, including Amazon Cognito User Pools, IAM authentication, and custom authorizers. It provides diagrams and explanations of how each method works, with Amazon Cognito User Pools involving authenticating through Cognito and getting JSON Web Tokens to call APIs, IAM authentication using temporary security credentials to access AWS resources, and custom authorizers using a Lambda function to validate tokens and policies.
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
SAML 2.0 연동
janedoe@Ubuntu64:/tmp$ ./samlapi.py
Username: ADjanedoe
Password: ****************
Please choose the role you would like to assume:
[ 0 ]: arn:aws:iam::012345678987:role/ADFS-Administrators
[ 1 ]: arn:aws:iam::012345678987:role/ADFS-Operators
Selection: 1
---------------------------------------------------------------
Your new access key pair has been stored in the aws configuration
file /home/janedoe/.aws/credentials under the saml profile.
Note that it will expire at 2015-05-26T17:16:20Z.
---------------------------------------------------------------](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/85/Serverless-AWS-Summit-Seoul-2018-6-320.jpg)
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
IAM 정책 상세
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": ”Allow",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*”
},
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
}
]
}](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/85/Serverless-AWS-Summit-Seoul-2018-29-320.jpg)
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
SRP 처리과정
Client Server
임시 비밀값 ‘a’생성
공개 A 생성 : A = ( g ^ a ) % N
N = 아주 큰 소수값
g = 2
K = hash(N, g)
LoginRequest (Username, A)
1. 유저DB 로부터 salt ’s’ verifier ‘v’가져옴
2. 임시 비밀 값 ‘b’를 생성
3. 공개 임시값 ‘B’를 생성
B = [ k * v + ( (g ^ b ) %N)] % N
4. 스크램블 값 ’u’ 생성
u = hash (A, B)
5. 세션 키 K 생성
S = [ ( A * (( v ^ u) % N)) ^b] % N
K= hash(S)
6. 다음 사용을 위해 [ A, B, K, s] 저장
LoginResponse(s, B)](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/85/Serverless-AWS-Summit-Seoul-2018-58-320.jpg)
![© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
SRP 처리과정
Client Server
1. 스크램블 값 ’u’ 생성
u = hash (A, B)
2. 유저 개인 값 ‘x’생성
x= hash(s, password)
3. 세션 키 ‘K ‘계산
S = [ B - k * (g ^x % N)) ^ ( a + u * x)] % N
K = hash (S)
LoginResponse(s, B)
4. K 값 전달
M1 = hash (A, B, K)
1. M1 계산
M1 = hash(A, B, K)
2. 받은 M1과 계산한 M1이 같으면
유저는 인증
이후 통신은 암호화](https://image.slidesharecdn.com/completeguidetoauthenticationindevelopingserverlessseonyongpark-180418130348/85/Serverless-AWS-Summit-Seoul-2018-59-320.jpg)
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
- 1. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Seon Yong Park Developer Specialist SA, APAC 서버리스 개발에서의 인증 완벽 가이드
- 2. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 본 강연에서는 AWS 는 어플리케이션이 작동하는 시스템에 따라 다양한 형태의 인증 방식을 지원합니다. 여러분에 모바일이나 자신이 서버의 어플리케이션에서 서버리스 서비스를 호출하는 경우 어떤 방식의 인증 방식이 적용될 수 있는지 살펴보고, 패스워드 보안을 위한 Cognito의 SRP 지원을 자세히 살펴봅니다.
- 3. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 인증의 형태 서버리스 API 에서 인증 제 3자 인증 제공자와의 연동 NSRP와 SRP 정리 데모
- 4. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 인증의 형태
- 5. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 인증을 받아서 AWS 서비스 기능을 실행해야 하는 주체 온프림 서버 EC2 on AWS 모바일 Role Configure credentials SAML 2.0 MS AD Role Configure credentials SAML 2.0 MS AD Amazon Cognito Amazon Cognito 어플리케이션
- 6. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SAML 2.0 연동 janedoe@Ubuntu64:/tmp$ ./samlapi.py Username: ADjanedoe Password: **************** Please choose the role you would like to assume: [ 0 ]: arn:aws:iam::012345678987:role/ADFS-Administrators [ 1 ]: arn:aws:iam::012345678987:role/ADFS-Operators Selection: 1 --------------------------------------------------------------- Your new access key pair has been stored in the aws configuration file /home/janedoe/.aws/credentials under the saml profile. Note that it will expire at 2015-05-26T17:16:20Z. ---------------------------------------------------------------
- 7. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 서버리스 API에서 인증
- 8. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Public API POST /locations GET /locations GET /locations/{locationId} DELETE /locations/{locationId} GET /locations/{locationId}/resources POST /locations/{locationId}/resources DELETE /locations/{locationId}/resources/{resourceId} GET /locations/{locationId}/resources/{resourceId}/bookings GET /users/{userId}/bookings POST /users/{userId}/bookings DELETE /users/{userId}/bookings/{bookingId}
- 9. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Public API Admin only Admin only Admin only Admin only POST /locations GET /locations GET /locations/{locationId} DELETE /locations/{locationId} GET /locations/{locationId}/resources POST /locations/{locationId}/resources DELETE /locations/{locationId}/resources/{resourceId} GET /locations/{locationId}/resources/{resourceId}/bookings GET /users/{userId}/bookings POST /users/{userId}/bookings DELETE /users/{userId}/bookings/{bookingId}
- 10. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이 : 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 11. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. API Gateway: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 12. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app Amazon API Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function
- 13. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 1. Authenticate Amazon Cognito User Pools
- 14. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 2. JWT tokens Amazon API Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function
- 15. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 3. Call API Gateway resource Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 16. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 4. Validate Identity token Mobile app Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 17. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 5. Invoke API Call Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 18. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저 풀 기반 인가 Mobile app 6. Access AWS Resources Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
- 19. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 20. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 21. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management 1. Authenticate
- 22. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 2. JWT tokens Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 23. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 3. Request AWS credentials Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 24. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 4. Validate Id token Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 25. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 5. Temp AWS credentials Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 26. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 6. Call API Gateway resource Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 27. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 7. Check IAM policy Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
- 28. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 기반 인가 Mobile app 8. Invoke Lambda Lambda function Amazon API Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management Amazon DynamoDB
- 29. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. IAM 정책 상세 { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": ”Allow", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*” }, { "Action": "execute-api:Invoke", "Effect": "Deny", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*" } ] }
- 30. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 31. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Lambda function Amazon API Gateway Amazon DynamoDB
- 32. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Lambda function Amazon DynamoDB 1. Authenticate
- 33. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 2. Custom IdP Token(s) Lambda function Amazon DynamoDB
- 34. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 3. Call API Gateway resource Lambda function Amazon DynamoDB
- 35. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Mobile app Amazon API Gateway 4. Check policy cache Custom Authorizer Lambda function Lambda function Amazon DynamoDB
- 36. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Mobile app Amazon API Gateway 5.Validatetoken AWS Identity & Access Management Custom Authorizer Lambda function Lambda function Amazon DynamoDB
- 37. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 6.Generateandreturn userIAMpolicy Lambda function Amazon DynamoDB
- 38. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 7. Validate IAM permissions AWS Identity & Access Management Lambda function Amazon DynamoDB
- 39. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 Custom Authorizer Lambda function Mobile app Amazon API Gateway 8. Invoke Lambda function Amazon DynamoDB
- 40. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 커스텀 인가 람다 함수 예제 코드 var testPolicy = new AuthPolicy(”userIdentifier", "XXXXXXXXXXXX", apiOptions); testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*"); testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*"); callback(null, testPolicy.getPolicy());
- 41. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. API 게이트웨이: 3가지 인증 형태 Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
- 42. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 제 3자 인증제공자와의 연동
- 43. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 어플리케이션 제3자 인증제공자 연동 Built-in, Customizable User Interface for Sign up / Sign in OAuth 2.0 SupportFederation with Facebook, Login with Amazon, Google, and SAML2 providers 1 2 3
- 44. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 소셜 인증제공자와의 연동 1. Initiate sign-in
- 45. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 소셜 인증제공자와의 연동 1. Initiate sign-in 2. Sign-in with 3rd party IdP
- 46. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 소셜 인증제공자와의 연동 1. Initiate sign-in Amazon Cognito User Pools 2. Sign-in with 3rd party IdP 3. Get user tokens
- 47. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동 1. Initiate sign-in
- 48. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동 1. Initiate sign-in 2. Sign-in with 3rd party IdP SAML Endpoint e.g. ADFS or Shibboleth Corporate Directory e.g. Active Directory or OpenLDAP
- 49. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동 1. Initiate sign-in Amazon Cognito User Pools 2. Sign-in with 3rd party IdP 3. Get user tokens SAML Endpoint e.g. ADFS or Shibboleth Corporate Directory e.g. Active Directory or OpenLDAP
- 50. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 기업의 인증제공자와의 연동
- 51. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. NSRP 와 SRP
- 52. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email Password beverly123 beverly123@example.com Password$123 pilotjane pilotjane@example.com a##eroplan3 sudhir1977 sudhir197@example.com mmd414997a 2. Sign-in 1. Sign-up 평범한 문자로 패스워드 저장하기
- 53. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 • Never store passwords in plaintext! • Vulnerable to rogue employees • A hacked DB results in all passwords being compromised Username Email Password beverly123 beverly123@example.com Password$123 pilotjane pilotjane@example.com a##eroplan3 sudhir1977 sudhir197@example.com mmd414997a 2. Sign-in 1. Sign-up
- 54. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email Hashed Password beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883 sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d 2. Sign-in 1. Sign-up 패스워드 해쉬 값으로 저장하기
- 55. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 • MD5/SHA1 collisions • Reverse Lookup Tables • Rainbow Tables • Dictionary attacks, brute-force (GPUs can compute billions of hashes/sec) Username Email Hashed Password beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883 sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d 2. Sign-in 1. Sign-up
- 56. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email Salted Hash beverly123 beverly123@example.com 1e66f9358530620b2bcae79dada717c… pilotjane pilotjane@example.com 88fccd9cf82377d11d2fede177457d47… sudhir1977 sudhir197@example.com 08a5981de4fecf04b1359a179962a48... 2. Sign-in 1. Sign-up • Incorporate app-specific salt + random user-specific salt • Use algorithm with configurable # of iterations (e.g. bcrypt, PBKDF2), to slow down brute force attacks
- 57. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP가 요구되는 이유 Username Email SRP Verifier function beverly123 beverly123@example.com <password-specific verifier> pilotjane pilotjane@example.com <password-specific verifier> sudhir1977 sudhir197@example.com <password-specific verifier> 2. Sign-in 1. Sign-up • Secure Remote Password (SRP) Protocol • Verifier-based protocol • Passwords never travel over the wire • Resistant to several attack vectors • Perfect Forward Secrecy
- 58. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP 처리과정 Client Server 임시 비밀값 ‘a’생성 공개 A 생성 : A = ( g ^ a ) % N N = 아주 큰 소수값 g = 2 K = hash(N, g) LoginRequest (Username, A) 1. 유저DB 로부터 salt ’s’ verifier ‘v’가져옴 2. 임시 비밀 값 ‘b’를 생성 3. 공개 임시값 ‘B’를 생성 B = [ k * v + ( (g ^ b ) %N)] % N 4. 스크램블 값 ’u’ 생성 u = hash (A, B) 5. 세션 키 K 생성 S = [ ( A * (( v ^ u) % N)) ^b] % N K= hash(S) 6. 다음 사용을 위해 [ A, B, K, s] 저장 LoginResponse(s, B)
- 59. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. SRP 처리과정 Client Server 1. 스크램블 값 ’u’ 생성 u = hash (A, B) 2. 유저 개인 값 ‘x’생성 x= hash(s, password) 3. 세션 키 ‘K ‘계산 S = [ B - k * (g ^x % N)) ^ ( a + u * x)] % N K = hash (S) LoginResponse(s, B) 4. K 값 전달 M1 = hash (A, B, K) 1. M1 계산 M1 = hash(A, B, K) 2. 받은 M1과 계산한 M1이 같으면 유저는 인증 이후 통신은 암호화
- 60. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 유저 풀 NoSRP client SRP client
- 61. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Cognito 유저풀 인가 Mobile app Amazon Cognito User Pools server app SRP
- 62. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 정리
- 63. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. 인증/인가 • 인증이 필요한 어플리케이션이 동작하는 기기에 따라 인증 방식 구분 • Role for EC2 • Cognito 를 사용할 것 - UserPools - OpenidConnect - Synchronize - Federated Identity
- 64. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. AWS Summit 모바일 앱과 QR코드를 통해 강연 평가 및 설문 조사에 참여해 주시기 바랍니다. 내년 Summit을 만들 여러분의 소중한 의견 부탁 드립니다. #AWSSummit 해시태그로 소셜 미디어에 여러분의 행사 소감을 올려주세요. 발표 자료 및 녹화 동영상은 AWS Korea 공식 소셜 채널로 공유될 예정입니다. 여러분의 피드백을 기다립니다!