FIWARE Global Summit - Adding Identity Management, Access Control and API Management in Your System
1 like297 views
The document discusses a comprehensive framework for identity management, access control, and API management, focusing on OAuth 2.0 for secure resource access. It outlines different grant types, authorization levels, and key components such as the identity manager, authorization server, and policy enforcement point within the FIWARE ecosystem. Additionally, it highlights enhancements in Keyrock and other security infrastructures, stressing the future adoption of Attribute-Based Access Control (ABAC) in enterprise environments.
FIWARE Global Summit - Adding Identity Management, Access Control and API Management in Your System
- 1. Adding Identity Management, Access Control and API Management in your system A complete framework for Identity, Access Control and API Management Álvaro Alonso FIWARE Security Chapter
- 4. OAuth 2.0 4
- 6. OAuth 2.0 ▪ Mechanism to provide applications access to restricted resources without sharing credentials. • Applications use access tokens, issued by OAuth providers (e.g. FIWARE), to access resources. • OAuth 2.0 specification is designed for use with HTTP. ▪ Roles: • Resource Owner: Entity capable of granting access to a protected resource (e.g. end-user) • Resource Server: Server hosting protected resources. • Client: Application making protected resource requests on behalf of the resource owner. • Authorization Server: The server issuing access tokens to the client.
- 7. OAuth 2.0 ▪ Authorization Code Grant ▪ Implicit Grant ▪ Resource Owner Password Credentials Grant ▪ Client Credentials Grant
- 8. OAuth 2.0 Architecture Authorization Code Grant OAuth Provider account.lab.fiware.org
- 9. OAuth 2.0 Architecture Implicit Grant OAuth Provider account.lab.fiware.org
- 10. OAuth 2.0 Architecture Resource Owner Password Credentials Grant OAuth Provider account.lab.fiware.org
- 11. OAuth 2.0 Architecture Client Credentials Grant OAuth Provider account.lab.fiware.org
- 12. OAuth 2.0 Libraries ▪ http://oauth.net/2/ • PHP, Cocoa, iOS, Java, Ruby, Javascript, Python. ▪ Example using Node.js • https://github.com/ging/oauth2-example-client 12
- 13. OAuth2 credentials in FIWARE Account
- 14. Getting protected user info 14 Web App Account OAuth2 requests flow access-token OAuthLibrary Request user info using access-token GET /user?access_token={token}
- 15. Web Applications and GEs 15 Generic Enabler Account Request + access-token Oauth2 flows access-token OK + user info (roles) Web App OAuth Library access_token GET https://GE_URL HTTP/1.1 Host: GE_hostname X-Auth-Token: access_token
- 16. Securing your back-end 16 Back-end Apps Account Request + access-token Web App Oauth Library PEP Proxy access-token OK + user info (roles) Oauth2 flows access_token GET https://PEP_PROXY HTTP/1.1 Host: PEP_PROXY_hostname X-Auth-Token: access_token
- 17. PEP Proxy in FIWARE Lab Account
- 18. Securing your back-end ▪ Level 1: Authentication • Check if a user has a FIWARE account ▪ Level 2: Basic Authorization • Checks if a user has permissions to access a resource • HTTP verb + resource path ▪ Level 3: Advanced Authorization • Custom XACML policies
- 20. Level 2: Basic Authorization 20 Back-end Apps Account Request + access-token Web App Oauth Library PEP Proxy access-token OK + user info Oauth2 flows access_token Authz PDP GE XACML <Request>: roles + verb + path OK Basic RBAC policies in XACML (simple role permissions)
- 21. Level 2: Basic Authorization
- 22. Level 3: Advanced Authorization 22 Back-end Apps Account Request + access-token Web App Oauth Library PEP Proxy extension Oauth2 flows access_token Auth PDP GE access-token OK + user info XACML <Request>: roles + verb + path OK More generic ABAC policies in XACML (custom XACML Rules)
- 23. Level 3: Advanced Authorization
- 24. APInf & PEP Proxy Back-end Request + API Key Web App Back-end Back-end Back-end
- 25. APInf & PEP Proxy Back end App Account Request + access-token Web App Oauth Library PEP Proxy access-token OK + user info (roles) Oauth2 flows access_token Back end App Back end App Back end App
- 26. IoT Authentication ▪ Context Broker • IoT Management • Publish / subscribe model □ Context producers □ Context consumers ▪ Sensors Authentication • Sensor registration in IdM applications • Each sensor has its own account □ Token creation and validation
- 28. IoT Sensors in FIWARE Account
- 29. Industrial Data Space FIWARE Security ready Industrial Data Space Infrastructure IdP PAP Policies DB PDP Industrial Data Space Context Consumer Connector Industrial Data Space Context Producer Connector PEP
- 30. Security GEs ▪ Identity Management – Keyrock ▪ Authorization PDP – AuthZForce ▪ PEP Proxy – Wilma ▪ Get your own infrastructure!!! • Follow Security GEs Installation and Configuration Guides
- 31. Security GEs – IdM - KeyRock ▪ APIs • OAuth2 • Resources management • SCIM 2.0 ▪ Source Code • https://github.com/ging/fi-ware-idm ▪ Documentation • http://catalogue.fiware.org/enablers/identity-management-keyrock ▪ FIWARE OAuth2 Demo: • https://github.com/ging/oauth2-example-client 31
- 32. New Keyrock release ▪ Support for custom themes. ▪ Improved OAuth 2.0 refresh tokens support. ▪ Application permissions can be now edited and removed. ▪ Driver for external database authentication. ▪ Support for configuring available Grant Types in registered applications. ▪ Improved organizations management. ▪ Clean up with regard Cloud dependencies. ▪ Support to PostgreSQL. 32
- 33. Security GEs – PEP Proxy - Wilma ▪ Policy Enforcement Point ▪ Compatible with OAuth2 and Keystone tokens ▪ Source code: • https://github.com/ging/fi-ware-pep-proxy ▪ Documentation • http://catalogue.fiware.org/enablers/pep-proxy-wilma ▪ Global instance 33
- 34. Security GEs – Authorization PDP – AuthZForce (1/2) ▪ Single Open Spec (Authorization PDP GE) & Open Source implementation (GEri Authzforce) of 100% XACML-3.0 standard- compliant and cloud-ready RESTful ABAC framework with XML optimization ▪ Multi-tenant REST API for PDP(s)/PAP(s) ▪ Standards: • OASIS: XACML 3.0 + Profiles (REST, RBAC, Multiple Decision) • ISO: Fast Infoset ▪ Extensible: attribute providers (PIP), functions, etc. ▪ PDP clustering 34 By 2020, the majority of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than five percent today. (Gartner, 2013) IBAC ABAC RBAC
- 35. Security GEs – Authorization PDP – AuthZForce (2/2) ▪ FIWARE catalogue: https://catalogue.fiware.org/enablers/authorization-pdp-authzforce ▪ FIWARE Lab image: authzforce-5.4.1 ▪ Authorization PDP GE’s APIary: http://docs.authorizationpdp.apiary.io/# ▪ AuthzForce (GEri) source code: • API spec in WADL: https://github.com/authzforce/rest-api-model • Implementation: https://github.com/authzforce/server/ ▪ AuthzForce distribution • Ubuntu/Debian-like: .deb / others: .tar.gz on Maven Central: http://central.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/ • Docker: https://hub.docker.com/r/fiware/authzforce-ce-server/ ▪ Global instance for testing: https://az.lab.fiware.org/authzforce-ce/ ▪ Documentation: http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation 35
- 37. Thank you! http://fiware.org Follow @FIWARE on Twitter