Aim pwr 2012_cloud_identity
Presentation Transcript

  • New methods of authentication and authorization on the Web. Google, Facebook and Twitter in your application. Maciej Machulak, Łukasz Moreń, Jacek Szpot
  • Agenda
    – Introduction to IAM
    – Digital Identity
    – Authentication & Authorization
    – Existing protocols on the Web
        · OpenID
        · OAuth, OAuth 2.0
        · OpenID Connect
    – Cloud Identity
        · About
        · Internships
  • Digital Identity
    – Digital identity = digital (e.g. Internet) equivalent of the real identity of an entity (person, computer system, organization)
    – Used for identification
    – Requires authentication
    – Examples of identities on the Web:
        · john.smith1
        · http://myopenid.com/john.smith
        · john.smith@email.example.com
        · AxR523afHYG2
  • Local Identity (diagram): John Smith holds a separate identity at each organisation and logs in as “john.smith1” at Organisation A and as “jsmith12” at Organisation B
  • Local Identity (Example) (diagram): John Smith logs in as “john.smith1” at one site and as “jsmith12@gmail.com” at another
  • Federated Identity (diagram): a trust relationship between Organisation A and Organisation B lets John Smith log in as “john.smith1” at both
  • Federated Identity (Example) (diagram): John Smith logs in as “john.smith1” at both sites through the trust relationship
  • IAM – Identity & Access Management
    – Identification
    – Authentication
    – Authorization (Access Control)
    – Auditing
  • Authentication (1)
    – An authentication system requires some sort of credential from the subject in order to verify its identity
    – Credentials can be created using:
        · Something you know
        · Something you have
        · Something you are
        · Some combination of the three
  • Authentication (2)
    – Multi-factor Authentication
  • Authentication (3)
    – Identification
    – Authentication
  • Access Control
    – Access Control (authorisation) protects resources against unauthorised accesses and modifications
    – Typically defines:
        · subjects
        · that can perform actions
        · on objects
        · (under certain constraints)
  • Existing Protocols on the Web: OpenID, OAuth (1.0, 2.0), OpenID Connect
  • OpenID (diagram)
  • OpenID Demo
  • OpenID (diagram)
  • OpenID - Request
    https://www.google.com/accounts/o8/id
      ?openid.ns=http://specs.openid.net/auth/2.0
      &openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select
      &openid.identity=http://specs.openid.net/auth/2.0/identifier_select
      &openid.return_to=http://www.example.com/checkauth
      &openid.realm=http://www.example.com/
      &openid.assoc_handle=ABSmpf6DNMw
      &openid.mode=checkid_setup
  • OpenID - Response
    http://www.example.com/checkauth
      ?openid.ns=http://specs.openid.net/auth/2.0
      &openid.mode=id_res
      &openid.op_endpoint=https://www.google.com/accounts/o8/ud
      &openid.response_nonce=2008-09-18T04:14:41Zt6shNlcz-MBdaw
      &openid.return_to=http://www.example.com:8080/checkauth
      &openid.assoc_handle=ABSmpf6DNMw
      &openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
      &openid.sig=s/gfiWSVLBQcmkjvsKvbIShczH2NOisjzBLZOsfizkI=
      &openid.identity=https://www.google.com/accounts/o8/id/id=ACyQatixLeLODscWvwqsCXWQ2sa3RRaBhaKTkcsvUElI6tNHIQ1_egX_wt1x3fAY983DpW4UQV_U
      &openid.claimed_id=https://www.google.com/accounts/o8/id/id=ACyQatixLeLODscWvwqsCXWQ2sa3RRaBhaKTkcsvUElI6tNHIQ1_egX_wt1x3fAY983DpW4UQV_U
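The response slide shows what the relying party (RP) receives, but not what it has to check before trusting the assertion. The following is an added Python example, not code from the slides or from Cloud Identity: it takes the field values from the response slide (with the wrapped identity URL re-joined), builds the OpenID 2.0 Key-Value Form over the fields named in openid.signed, recomputes the HMAC-SHA256 signature with a constructed association secret (the real secret behind assoc_handle ABSmpf6DNMw is of course not on the slides), and rejects a mismatched return_to, a stale or replayed response_nonce, and any signed field that has been altered. The five-minute nonce window is an assumption of the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed association secret: RP and OP would have agreed on it during the
# association step. Made up for this example; the real one is not on the slides.
ASSOC_SECRET = b"constructed-association-secret"

# Positive assertion fields copied from the "OpenID - Response" slide with the
# "openid." prefix stripped. openid.sig is left out because it is what we recompute.
IDENTITY = ("https://www.google.com/accounts/o8/id/id=ACyQatixLeLODscWvwqsCXWQ"
            "2sa3RRaBhaKTkcsvUElI6tNHIQ1_egX_wt1x3fAY983DpW4UQV_U")
RESPONSE = {
    "ns": "http://specs.openid.net/auth/2.0",
    "mode": "id_res",
    "op_endpoint": "https://www.google.com/accounts/o8/ud",
    "response_nonce": "2008-09-18T04:14:41Zt6shNlcz-MBdaw",
    "return_to": "http://www.example.com:8080/checkauth",
    "assoc_handle": "ABSmpf6DNMw",
    "signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    "identity": IDENTITY,
    "claimed_id": IDENTITY,
}

# OpenID 2.0 section 10.1: these fields must be covered by the signature
# (claimed_id and identity as well, whenever they are present).
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
MAX_NONCE_SKEW = timedelta(minutes=5)          # assumed acceptance window
DEMO_NOW = datetime(2008, 9, 18, 4, 15, tzinfo=timezone.utc)  # "now" for the demo


def key_value_form(fields, signed_list):
    """Key-Value Form (OpenID 2.0 section 4.1.1): 'key:value\\n' for every key
    named in openid.signed, in that order, without the 'openid.' prefix."""
    return "".join(f"{key}:{fields[key]}\n" for key in signed_list.split(",")).encode()


def sign(fields, secret):
    """HMAC-SHA256 over the Key-Value Form, base64-encoded: the openid.sig value."""
    mac = hmac.new(secret, key_value_form(fields, fields["signed"]), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_assertion(fields, sig, secret, expected_return_to, seen_nonces, now):
    """RP-side checks on a positive assertion. Returns (ok, reason)."""
    if fields.get("mode") != "id_res":
        return False, "not a positive assertion"
    # return_to must be exactly the URL this RP put into its own request.
    if fields.get("return_to") != expected_return_to:
        return False, "return_to mismatch"
    signed = set(fields.get("signed", "").split(","))
    present_ids = {k for k in ("claimed_id", "identity") if k in fields}
    if not (MUST_SIGN | present_ids) <= signed:
        return False, "required field not covered by signature"
    # The nonce starts with a UTC timestamp: reject stale and replayed nonces.
    nonce = fields["response_nonce"]
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > MAX_NONCE_SKEW:
        return False, "nonce outside accepted time window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    # Constant-time comparison of the recomputed signature with openid.sig.
    if not hmac.compare_digest(sign(fields, secret), sig):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Genuine assertion, the same assertion replayed, and one with a changed identity."""
    seen = set()
    sig = sign(RESPONSE, ASSOC_SECRET)
    first = verify_assertion(RESPONSE, sig, ASSOC_SECRET, RESPONSE["return_to"], seen, DEMO_NOW)
    replay = verify_assertion(RESPONSE, sig, ASSOC_SECRET, RESPONSE["return_to"], seen, DEMO_NOW)
    tampered = dict(RESPONSE, identity="https://www.google.com/accounts/o8/id/id=someone-else")
    forged = verify_assertion(tampered, sig, ASSOC_SECRET, RESPONSE["return_to"], set(), DEMO_NOW)
    return first, replay, forged


if __name__ == "__main__":
    for name, result in zip(("genuine", "replay", "tampered"), demo()):
        print(f"{name}: {result}")
```

The order of the checks matters less than their presence: an RP that verifies only the signature still accepts a captured assertion a second time, and one that skips the return_to check accepts an assertion minted for a different request.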
  • OAuth 1.0 (figure by Domenico Catalano, Sun Microsystems, Inc., and Eve L. Maler, PayPal, Inc.)
  • OAuth 1.0 (figure by Domenico Catalano, Sun Microsystems, Inc.)
  • OpenID + OAuth 1.0
  • OAuth 2.0 (figure by Domenico Catalano, Sun Microsystems, Inc., and Eve L. Maler, PayPal, Inc.)
  • OAuth 2.0
  • OAuth 2.0 – Web Server Flow
  • OAuth 2.0 – Username/Password Flow
  • OAuth 2.0 Authorization RequestGET /authorize?response_type=code&client_id=s6BhdRkqt3& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2FcbHTTP/1.1 Host: server.example.com Authorization ResponseHTTP/1.1 302 FoundLocation: https://client.example.com/cb?code=i1WsRn1uB1
  • OAuth 2.0 Access Token RequestPOST /token HTTP/1.1Host: server.example.comContent-Type: application/x-www-form-urlencodedgrant_type=authorization_code&client_id=s6BhdRkqt3&client_secret=gX1fBat3bV&code=i1WsRn1uB1&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  • OAuth 2.0 Access Token ResponseHTTP/1.1 200 OKContent-Type: application/jsonCache-Control: no-store{"access_token":"SlAV32hkKG","token_type":"example","expires_in":3600,"refresh_token":"8xLOxBtZp8"}
  • OAuth 2.0 Access Request to Protected ResourceGET /resource HTTP/1.1Host: server.example.comAuthorization: OAuth SlAV32hkKG
  • OpenID Connect Authentication protocol based on OAuth 2.0 Suite of specifications for identity management via RESTful API Allows for clients SSO by obtaining information about identities and authenticated sessions http://openid.net/connect/
  • OpenID Connect Figure from Nat Sakimura, http://nat.sakimura.org/2012/01/20/openid-connect-nutshell
  • OpenID Connect Figure from Nat Sakimura, http://nat.sakimura.org/2012/01/20/openid-connect-nutshell
  • OpenID Connect Demo https://oauthssodemo.appspot.com Explains OpenID Connect authentication step by step Based on implicit grant – client resides in web browser, implemented in Java Script Google as an Authorization Server
  • Cloud Identity Ltd. Small startup founded 2011 with initial investment Close collaboration with Newcastle University  Our team won the Identity Deployment of the Year (IDDY) award – previous winners include Google and Oracle Involved in User-Managed Access Work Group (Kantara Initiative)  vice-chair, specification editor, implementation coordinator
  • Cloud Identity Ltd. Work on goverment projects (EU) Customized Access and Identity Management (AIM) solutions for the Web Identity consulting services http://www.cloudidentity.pl
  • Internships @ Cloud Identity Duration: 10-12 weeks (remotely; Newcastle upon Tyne, UK) Paid internship Flexible start date We are looking for:  Web Services and REST  Interest in Java, Python or mobile platforms (mainly Android)  Ready for permanent cooperation More information at: http://goo.gl/Q422I Apply at internships@cloudidentity.pl