Identity Management with Spring Security         Dave Syer, VMware, SpringOne 2011
dsyer s2gx2011 idm

Identity Management with Spring Security. Presentation from SpringOne2GX, Chicago, 2011.

Application and platform security requirements are changing under the
influence of standards like OpenID and OAuth2, and the increasing
demand for lightweight and multi-language platforms. Everyone used to
be happy if they could implement single sign on for their Java web
applications. That's still important, but there is a growing demand
for more extensive Identity Management services, both in the
enterprise and for public web applications. CloudFoundry is a nice use
case for this new service model: it has multi-language support and
security requirements that go beyond simple single sign on. What does
that mean, and what does it mean for Spring Security? Come to this
presentation to find out.


1. Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

2. Overview
● What is Identity Management?
● Is it anything to do with Security?
● Some existing and emerging standards
● Relevant features of Spring Security and other Spring projects
● Common use cases
● Demo of prototype IDM system
COPYRIGHT VMWARE, INC, 2011

3. Agenda
● Core domain: authentication, identity, trust, delegation, claim, authorization
● SSO
● Identity Management
● Standards: SAML, OpenID, OAuth, OAuth2, OpenID Connect, SCIM, JWT
● Spring Security and other projects
● Use cases (Google, Facebook, CloudFoundry) and demos
● IDM as a Service

4. Demo Code
$ git clone git://gist.github.com/1316904.git

5. Authentication
● You say you are Fred Bloggs? Can you prove it?
● Human-human interactions
  ● Official document (passport, driving licence, etc.). We actually call it "ID"
  ● Letter of introduction
  ● Word of mouth, friend of a friend
● Machine-human interactions
  ● Something you know, hopefully unguessable, maybe random, e.g. username/password
  ● Something you have, e.g. a One-Time Password (OTP) from an RSA hard/soft token
  ● Multifactor authentication
● Machine-machine interactions

6. Typical System Architecture (diagram: User -"I'm Fred, show me my photos"-> APP -> DB "User details store")

7. Fred Accesses his Photos (sequence diagram)

8. Two Apps, No Shared Authentication (diagram: User -"I'm Fred, show me my photos"-> APP1 -> DB; User -"I'm Fred, can I buy a book?"-> APP2 -> DB; two separate user details stores)

9. Two Apps, Shared User Details (diagram: APP1 and APP2 both read one DB "User details store")

10. Two Apps, Single Sign On (diagram: APP1 and APP2 both defer to SSO, which owns the DB "User details store")

11. Single Sign On: Example Flow (sequence diagram; callouts: "All Apps are the same", "This is unavoidable")
● Explicit authentication required on first visit
● Avoidable subsequently if App can store token – but then with multiple apps you have distributed state

12. Two Apps, Single Sign On with Separate Authentication (diagram: APP1 and APP2 -> SSO -> AUTH -> DB "User details store")

13. SSO With Spring Security
● Good support for CAS
● Many custom implementations for commercial products like SiteMinder
● Field is fragmented
● OpenID...

14. Trust
● You say you are Fred Bloggs? Can you prove it?
● Oh, I remember, Martha said you're alright. Come in...
● I trust Martha, USDOT, UKPA, etc, to verify Fred's identity
● Why?
● Because I know them, and they say they know Fred.

15. Consumer Trusts Provider (diagram: User -"I'm Fred, show me my photos"-> APP (Consumer, Relying Party) -> IDP (Provider) -> DB "User details store")

16. Simplified User-App-IDP Interaction (sequence diagram)

17. So What did we Gain with an Identity Provider?
● App no longer has to do authentication or keep record of secure information about users
● User only has to type secrets into a known trusted site (e.g. Google)
● Separation of concerns
● Abstraction always comes at a cost
● Increased complexity – more to understand, more to maintain, more to go wrong
● Complexity and Security are uneasy bedfellows
● Hence there are standards that cover this interaction

18. Complexity: Schematic Actual Conversation (sequence diagram)

19. Complexity: HTTP Protocol Actual Conversation (sequence diagram)

20. Compare: Native Authentication (sequence diagram)

21. OpenID (diagram: User -"I'm Fred, show me my photos"-> APP (Relying Party) -> OpenID Provider -> DB "User details store")

22. OpenID
● Protocol for attribute exchange
● Sits on top of HTTP(S)
● Form plus JSONish on back channel (attribute fetch)
● Form data and redirects on front channel
● Does not specify authentication (up to the Provider)
● Does not require pre-registration of Relying Parties (Apps)
● Implemented in various languages, e.g. Java -> openid4java (Google Code)
● Support in Spring Security for Relying Party

23. Spring Security OpenID RP

<http xmlns="http://www.springframework.org/schema/security">
  ...
  <openid-login login-page="/openid" user-service-ref="registeringUserService"
                authentication-failure-url="/login_error.jsp">
    <attribute-exchange identifier-match=".*">
      <openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" />
      <openid-attribute name="fullname" type="http://schema.openid.net/namePerson" required="true" />
    </attribute-exchange>
  </openid-login>
</http>

24. SSO with OpenID (diagram: User -> APP1 / APP2 (Relying Parties) -> OpenID Provider -> DB "User details store")

25. SSO with OpenID (sequence diagram; callout: no user input required here if IDP is stateful)

26. Delegation and Client Authorization
● So Fred told you to come and pick up his order?
● You say you're Martha? Show me some ID.
● And what about some documentation about the order?
(diagram labels: Resource Owner; Client (e.g. a service provider); Scope of responsibility)

27. Delegation and Client Authorization
● An App needs to access Fred's resources on his behalf
● Resources live in a protected Resource Server (API)
● Fred is the Resource Owner: he can read and write his resources if he logs into the API himself
● But App is the Client of the API service, not Fred, and Fred doesn't want to grant App write access
● Resource Server can grant App access to a restricted Scope of activity
● Fred authorizes the App to read his Resources
● App gets an Access Token that enables it to act on behalf of Fred
● Where does it get the token from? An Authorization Server

28. Delegation (diagram: Resource Owner -"I'm Fred, show me my photos"-> Client APP -(Token)-> Resource Server API; AUTH Authorization Server provides Token Services)

29. Example Token Services using Shared Storage (diagram: as slide 28, but Resource Server API and Authorization Server AUTH both read a shared DB "Token Store")

30. Delegation Standards
● SAML 1.0, 2.0
  ● XML
  ● back channel (needs key exchange)
  ● cryptography
  ● Spring Security SAML, Service Provider = Resource Server only
● OAuth 1.0a
  ● plain text
  ● back channel (nonce and request token)
  ● cryptography
  ● Spring Security OAuth (consumer and provider)
● OAuth 2
  ● JSON (plus optional custom formats)
  ● no back channel in spec (but need token services in practice)
  ● clear text (need SSL), plus extensions
  ● Spring Security OAuth (consumer and provider)

31. OAuth2
● Client /app
  GET /api/photos
  Authorization: Bearer FDSHGK78JH356G
● Resource Server /api
  authenticated: 200 OK ...
  unauthenticated: 401 Unauthorized
  WWW-Authenticate: Bearer realm="/auth"
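The /api side of slide 31, written out as an added example (it is not the talk's code and not Spring Security OAuth): a handler that takes the bearer token from the Authorization header, looks it up in the store that slide 29 shows shared with the authorization server, and answers 200, 401 with a WWW-Authenticate challenge, or 403 when the token's scope does not cover the operation. The token values, the scope names, the clock and the in-memory store are constructed for the example; keying the store by a hash of the token, so that a leaked copy of the store yields nothing usable, is this example's choice and not a claim about any Spring implementation.

```python
import hashlib

# Constructed clock and token store.  The store stands in for the DB that
# slide 29 shows shared between /auth and /api.  It is keyed by SHA-256 of
# the token (this example's choice): /auth writes the hash when it issues
# a token, so a dump of the store contains no presentable credential.
NOW = 1_700_000_000

def token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()

TOKEN_STORE = {
    token_key("FDSHGK78JH356G"): {"user": "fred", "client": "app",
                                  "scope": {"read_photos"}, "expires_at": NOW + 3600},
    token_key("STALE1234"):      {"user": "fred", "client": "app",
                                  "scope": {"read_photos"}, "expires_at": NOW - 1},
    token_key("ADMINTOKEN"):     {"user": "martha", "client": "console",
                                  "scope": {"read_photos", "write_photos"},
                                  "expires_at": NOW + 3600},
}

# Which scope each protected operation requires (constructed policy; the
# scope string is opaque to everyone but this server, as slide 39 says).
REQUIRED_SCOPE = {("GET", "/api/photos"): "read_photos",
                  ("POST", "/api/photos"): "write_photos"}

def parse_bearer(headers):
    """Token from 'Authorization: Bearer <token>', or None for any other scheme."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def challenge(**params):
    """WWW-Authenticate: Bearer header as on slide 31, plus optional error attributes."""
    attrs = [("realm", "/auth")] + list(params.items())
    return {"WWW-Authenticate": "Bearer " + ", ".join('%s="%s"' % kv for kv in attrs)}

def handle(method, path, headers, store=TOKEN_STORE, now=NOW):
    """Resource-server decision for one request: returns (status, headers, body).
    Order of checks: is the operation known, is a bearer token present, is the
    token known and unexpired, does its scope cover this operation."""
    scope_needed = REQUIRED_SCOPE.get((method, path))
    if scope_needed is None:
        return 404, {}, None
    token = parse_bearer(headers)
    if token is None:
        return 401, challenge(), None          # no credentials: say where to get them
    entry = store.get(token_key(token))
    if entry is None or entry["expires_at"] <= now:
        return 401, challenge(error="invalid_token"), None
    if scope_needed not in entry["scope"]:
        return 403, challenge(error="insufficient_scope", scope=scope_needed), None
    # The token, not the request, says whose resources these are and on whose behalf.
    return 200, {}, {"owner": entry["user"], "client": entry["client"], "resource": path}

if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer FDSHGK78JH356G"},
                 {"Authorization": "Bearer STALE1234"}):
        print(hdrs, "->", handle("GET", "/api/photos", hdrs)[:2])
```

Note the two different failures: a missing or bad token gets 401 with a challenge naming the realm, so the client knows where to go for a token, while a valid token with the wrong scope gets 403, because asking for a new token would not help until the resource owner grants more.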
32. OAuth2: Acquiring an Access Token
● Grant Types
  ● Password
  ● Authorization Code
  ● Refresh Token
  ● Implicit
  ● Client Credentials
● Others allowed as extensions, e.g. SAML assertion

33. OAuth2 Grant Type: Password
● Client /app
  POST /auth/token
  Authorization: Basic asdsdfggghf=   (client credentials)
  grant_type=password&username=......&password=......
● Authorization Server /auth – Token Endpoint
  200 OK
  { "access_token": "JAHDGFJH78IOUY", "token_type": "bearer", "expires_in": 3600 }

34. OAuth2: Grant Type Password (sequence diagram)

35. OAuth2 Grant Type: Authorization Code
● Client /app sends the user's browser to the Authorization Endpoint
  GET /auth/authorize?response_type=code&client_id=app&...
  (front channel: the user authenticates to /auth and approves; the client's own credentials are not sent here)
● Authorization Server /auth – Authorization Endpoint
  302 Found
  Location: /app/photos?code=dfjhg

36. OAuth2 Grant Type: Authorization Code
● Client /app
  POST /auth/token
  Authorization: Basic asdsdfggghf=   (client credentials)
  grant_type=authorization_code&code=......&...
● Authorization Server /auth – Token Endpoint
  200 OK
  { "access_token": "JAHDGFJH78IOUY", "token_type": "bearer", "expires_in": 3600 }

37. OAuth2 Grant Type: Authorization Code (sequence diagram; the user-approval step is marked "????")

38. OAuth2 Grant Type: Authorization Code, Explicit Authorization
The spec doesn't say how this happens, just that it does, e.g.: (sequence diagram of the approval step)

39. OAuth2: More Detail and Options
● Grant type
  ● Password – native apps, fixed authentication
  ● Authorization Code – webapps with browser redirects
  ● Refresh Token – optional for tokens issued with Auth Code
  ● Implicit – script clients in webapps, native apps
  ● Client Credentials – service peers
  ● Other, e.g. SAML
● Token type
  ● Bearer
  ● Other, e.g. MAC
● Scope
  ● Arbitrary string. Signifies something to Resource Server about which resources are available. C.f. "audience" in SAML.
● State
  ● Opaque value the client sends on the /authorize request and gets back unchanged on the redirect; it lets the client tie the callback to the browser session that started the flow.
40. Spring Security OAuth: Resource Server /api

<sec:http ...>
  ...
  <sec:custom-filter ref="oauth2ServiceFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>
<oauth:provider id="oauth2ServiceFilter" token-services-ref="tokenServices">
  <oauth:resource-server resource-id="api" />
</oauth:provider>

41. Spring Security OAuth: Authorization Server /auth

<sec:http>
  ...
  <sec:custom-filter ref="oauth2ServiceFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</sec:http>
<oauth:provider id="oauth2ServiceFilter" token-services-ref="tokenServices">
  <oauth:authorization-server client-details-service-ref="clientDetails">
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
  </oauth:authorization-server>
</oauth:provider>
<oauth:client-details-service id="clientDetails">
  <oauth:client clientId="app" authorizedGrantTypes="password,authorization_code,refresh_token"
                scope="read_photos" authorities="ROLE_GUEST" />
</oauth:client-details-service>

42. Spring Security OAuth: Client /app

<sec:http>
  ...
  <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
</sec:http>
<oauth:client id="oauth2ClientFilter" token-services-ref="oauth2TokenServices" />
<bean id="apiRestTemplate" class="org...oauth2.client.OAuth2RestTemplate">
  <constructor-arg ref="api" />
</bean>
<oauth:resource id="api" type="authorization_code" clientId="app"
                accessTokenUri="${accessTokenUri}" userAuthorizationUri="${userAuthorizationUri}"
                scope="read_photos" />

N.B. Spring Social has client support as well (similar approach, convergence will come later)

43. OpenID Connect
● Similar to OpenID in the role that it plays, but not in any other way related
● Uses OAuth2 as a protocol for attribute exchange
● Google, Salesforce, etc. behind spec
● OAuth2 endpoints: /authorize, /token
● OpenID endpoints are OAuth2 protected resources: /userinfo, /check_id
● Clients obtain access token with scope=openid
● OAuth /token endpoint includes id token in response as well as access token
● Responses in JSON or JWT (signed JSON; a JWT can additionally be encrypted, but a plain signed one is readable by anyone who holds it, so integrity comes from checking the signature, not from secrecy)
● Not implemented in Spring project (yet), SECOAUTH or SEC

44. OpenID Connect: Token Acquisition
● Client /app
  POST /auth/token
  Authorization: Basic asdsdfggghf=   (client credentials)
  grant_type=authorization_code&code=......&...
● Authorization Server /auth – Token Endpoint
  200 OK
  { "access_token": "JAHDGFJH78IOUY", "token_type": "bearer", "expires_in": 3600,
    "scope": "openid", "id_token": "LKJADSFKHJG8723E" }

45. OpenID Connect: User Info
● Client /app
  GET /auth/userinfo
  Authorization: Bearer JAHDGFJH78IOUY
● Authorization Server /auth – User Info Endpoint
  200 OK
  { "user_id": "dsyer", "name": "Dave Syer", "email": "dsyer@vmware.com", ... }
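An id_token of the kind slide 44 returns beside the access token, built and verified as an HS256 JSON Web Token with only the standard library. This is an added example, not the talk's code and not a Spring implementation, and it simplifies OpenID Connect deliberately: a shared HMAC key stands in for the provider's public-key signature, and the claim names follow the 2011 draft shown on slide 45 (user_id). Key, issuer, client id and claim values are constructed. It demonstrates the point made on slide 43: a JWT is signed, not encrypted, so the payload is readable by anyone, and the relying party is safe only if it verifies the signature and the iss, aud and exp claims before trusting user_id, and refuses any alg it did not expect.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(key: bytes, issuer, client_id, user_id, now=None, ttl=300):
    """Provider side: header.payload.signature, each part base64url (no padding)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "user_id": user_id, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_id_token(token, key: bytes, issuer, client_id, now=None):
    """Relying-party side: returns the claims or raises ValueError.
    Checks, in order: structure; alg is the one we expect (never let the
    header choose the algorithm, which is how 'alg: none' attacks work);
    signature over the exact bytes received; then iss, aud and exp."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to another client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def token_response(key: bytes, access_token, user_id, issuer="https://auth.example", client_id="app"):
    """The slide 44 /token response shape, with a real id_token next to the bearer token."""
    return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600,
            "scope": "openid", "id_token": issue_id_token(key, issuer, client_id, user_id)}

def read_claims_without_verifying(token):
    """What anyone who sees the token can do: the payload is only base64url, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    resp = token_response(key, "JAHDGFJH78IOUY", "dsyer")
    print(read_claims_without_verifying(resp["id_token"]))
    print(verify_id_token(resp["id_token"], key, "https://auth.example", "app"))
```

The aud check is easy to forget and matters in a multi-client deployment: an id_token minted for one relying party must not log the same user into another, which is exactly what happens if a client accepts any token the provider signed.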
46. SCIM
● Simple Cloud Identity Management
● Plain text / JSON standard for provisioning identity systems
● Standard endpoints
  ● /Users – query user accounts
  ● /User – CRUD operations on users
  ● /Groups – CRUD operations on groups
● An OAuth2 authorization service might implement SCIM
● Not implemented (yet) in Spring

47. Spring Security: Project Organization
● Spring Security (Core, Web, LDAP, OpenID, ...) – Luke Taylor (VMW), Robert Winch
  ● 3.1.0 just released
  ● Stable, mature
● Spring Security OAuth (OAuth1a, OAuth2) – Ryan Heaton, Dave Syer (VMW)
  ● OAuth2 spec not yet final
  ● 1.0.0 not yet released
  ● 1.0.0.M5 release in pipeline
● Spring Extensions: Security (SAML, Kerberos) – Vladimir Schaefer, Mike Wiesner (VMW)
  ● External lead
  ● Partly external, low-activity
● Spring Social – Keith Donald (VMW), Craig Walls (VMW)
  ● 1.0.0 just released
  ● Consumer for well-known providers

48. CloudFoundry IDM (diagram: Resource Owner -"I'm Fred, show me my apps"-> Client: Admin Console -(Token)-> Resource Server: CloudController (Access Decision) -> Authorization Server: UAA (Token Services; OAuth2, OpenID Connect, SCIM; Collab Spaces))

49. CloudFoundry IDM (diagram: as slide 48, with the Client being VMC, the command-line tool, instead of the Admin Console)

50. Links
● SECOAUTH: https://github.com/SpringSource/spring-security-oauth
● OpenId4J: http://code.google.com/p/openid4java/
● OpenID Connect: http://openid.net/developers/specs/
● OAuth2: http://tools.ietf.org/html/draft-ietf-oauth-v2
● SCIM: http://www.simplecloud.info
● SES (SAML and Kerberos): http://static.springsource.org/spring-security/site/extensions.html
● Demos: http://gist.github.com/1316904

51. Overview
● What is Identity Management?
● Is it anything to do with Security?
● Some existing and emerging standards
● Relevant features of Spring Security and other Spring projects
● Common use cases
● Demo of prototype IDM system