FIWARE Global Summit - Adding Identity Management, Access Control and API Management in Your System
1. Adding Identity Management, Access Control and
API Management in your system
A complete framework for Identity, Access Control and API
Management
Álvaro Alonso
FIWARE Security Chapter
6. OAuth 2.0
▪ Mechanism to provide applications access to restricted resources
without sharing credentials.
• Applications use access tokens, issued by OAuth providers (e.g.
FIWARE), to access resources.
• OAuth 2.0 specification is designed for use with HTTP.
▪ Roles:
• Resource Owner: Entity capable of granting access to a protected
resource (e.g. end-user)
• Resource Server: Server hosting protected resources.
• Client: Application making protected resource requests on behalf of
the resource owner.
• Authorization Server: The server issuing access tokens to the client.
7. OAuth 2.0
▪ Authorization Code Grant
▪ Implicit Grant
▪ Resource Owner Password Credentials Grant
▪ Client Credentials Grant
14. Getting protected user info
14
Web App Account
OAuth2 requests flow
access-token
OAuthLibrary
Request user info using access-token
GET /user?access_token={token}
15. Web Applications and GEs
15
Generic Enabler
Account
Request +
access-token Oauth2 flows
access-token
OK + user info (roles)
Web App
OAuth Library
access_token
GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token
18. Securing your back-end
▪ Level 1: Authentication
• Check if a user has a FIWARE account
▪ Level 2: Basic Authorization
• Checks if a user has permissions to access a resource
• HTTP verb + resource path
▪ Level 3: Advanced Authorization
• Custom XACML policies
20. Level 2: Basic Authorization
20
Back-end
Apps
Account
Request +
access-token
Web App
Oauth Library
PEP Proxy
access-token
OK + user info
Oauth2 flows
access_token
Authz PDP
GE
XACML <Request>:
roles + verb + path
OK
Basic RBAC policies in
XACML
(simple role permissions)
24. APInf & PEP Proxy
Back-end
Request +
API Key
Web App
Back-end Back-end Back-end
25. APInf & PEP Proxy
Back
end
App
Account
Request +
access-token
Web App
Oauth Library
PEP Proxy
access-token
OK + user info (roles)
Oauth2 flows
access_token
Back
end
App
Back
end
App
Back
end
App
26. IoT Authentication
▪ Context Broker
• IoT Management
• Publish / subscribe model
□ Context producers
□ Context consumers
▪ Sensors Authentication
• Sensor registration in IdM applications
• Each sensor has its own account
□ Token creation and validation
29. Industrial Data Space
FIWARE Security ready
Industrial Data Space
Infrastructure
IdP PAP
Policies DB
PDP
Industrial Data Space
Context Consumer
Connector
Industrial Data Space
Context Producer
Connector
PEP
30. Security GEs
▪ Identity Management – Keyrock
▪ Authorization PDP – AuthZForce
▪ PEP Proxy – Wilma
▪ Get your own infrastructure!!!
• Follow Security GEs
Installation and Configuration Guides
32. New Keyrock release
▪ Support for custom themes.
▪ Improved OAuth 2.0 refresh tokens support.
▪ Application permissions can be now edited and removed.
▪ Driver for external database authentication.
▪ Support for configuring available Grant Types in registered applications.
▪ Improved organizations management.
▪ Clean up with regard Cloud dependencies.
▪ Support to PostgreSQL.
32
33. Security GEs – PEP Proxy - Wilma
▪ Policy Enforcement Point
▪ Compatible with OAuth2 and Keystone tokens
▪ Source code:
• https://github.com/ging/fi-ware-pep-proxy
▪ Documentation
• http://catalogue.fiware.org/enablers/pep-proxy-wilma
▪ Global instance
33
34. Security GEs – Authorization PDP – AuthZForce (1/2)
▪ Single Open Spec (Authorization PDP GE) & Open Source
implementation (GEri Authzforce) of 100% XACML-3.0 standard-
compliant and cloud-ready RESTful ABAC framework with XML
optimization
▪ Multi-tenant REST API for PDP(s)/PAP(s)
▪ Standards:
• OASIS: XACML 3.0 + Profiles (REST, RBAC, Multiple Decision)
• ISO: Fast Infoset
▪ Extensible: attribute providers (PIP), functions, etc.
▪ PDP clustering
34
By 2020, the majority of enterprises will use ABAC as the dominant mechanism
to protect critical assets, up from less than five percent today. (Gartner, 2013)
IBAC
ABAC
RBAC