Follow @FIWARE #FIWARE-AZ on Twitter ! 
The FI-WARE Project – Base Platform for Future 
Service Infrastructures 
FI-WARE Access Control GE 
Part 1 – API Access Control with OAuth/XACML Overview 
Cyril DANGERVILLE, Thales 
FI-WARE / WP8 / T8.2 
fiware-api-cross@lists.fi-ware.eu
UC Requirement: GEs’ REST API Access Control Service
1. UC project apps need to invoke APIs provided by GEs to access user resources.
2. User privacy must be preserved.
OAuth framework fits very well!
FI-Ware Testbed (diagram): Service GEs, IdM GEs and Client APPs deployed on the testbed.
Sample scenario in OAuth context (diagram, steps 1 to 6)
Actors: User (Resource Owner); Location Tracking WebApp (Client App); Location GE (Resource Server); IdM GE (Registration Service, Authentication Service, OAuth Authorization Service).
The user registers with the Tracking App and allows the tracking app to retrieve the location data from the Location GE.
User, Location Tracking webapp and Location GE have to be pre-registered at the IdM GE.
OAuth Authorization Framework
- IETF: RFC 6749, version in FIWARE: 2.0 (latest)
- “enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.”
- The old way: you (resource owner) share your credentials with the 3rd party
  - Security Issue 1: the 3rd party ends up storing your credentials
  - Security Issue 2: works only with password authentication
  - Security Issue 3: the 3rd party gets the same complete access to your stuff as you
  - Security Issue 4: revoking 3rd-party access is VERY painful (password change) and hardly ever specific to an individual 3rd party
  - Security Issue 5: if the 3rd party is compromised, so are your credentials and data
- Resource Owner: delegates LIMITED resource access to the 3rd party (Client App)
- Client App: the 3rd party from the Resource Owner’s standpoint
- Resource Server (later referred to as Target Service (GE)): hosts the resources
- Authorization Endpoint: issues an Authorization Code that represents the resource owner granting access to the 3rd party on his/her behalf
- Token Endpoint: issues an Access Token in exchange for the Authorization Code (or a refresh token); the access token is then sent to the Resource Server to get access
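The roles and endpoints listed above, walked through end to end as an added example (this is not code from the slides, from FI-WARE or from Thales): a toy in-memory OAuth 2.0 authorization-code flow in Python. The AuthorizationServer and LocationGE classes, the client id and secret, the scope names and the 10-minute code lifetime are all constructed for the example. It shows the properties the slide contrasts with credential sharing: the client app never sees the owner's password, access is limited to the granted scope, the code is single-use, and revocation is per client rather than a password change.

```python
"""Toy OAuth 2.0 authorization-code flow (RFC 6749 roles), fully in memory.

Constructed example: one authorization server hosting both the Authorization
Endpoint and the Token Endpoint (the IdM GE role), one resource server (the
Location GE role) and one client app. No network; every step is a function
call. Client ids, secrets, scopes and the 10-minute code lifetime are made up.
"""
import hmac
import secrets
import time

CODE_LIFETIME = 600  # seconds an authorization code stays valid (assumption)


class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> client_secret (pre-registration at the IdM)
        self.codes = {}    # code -> (client_id, owner, scopes, issued_at)
        self.tokens = {}   # access_token -> (client_id, owner, scopes, expires_at)

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, owner, client_id, scopes, approved):
        """Authorization Endpoint: the resource owner approves a LIMITED scope set
        for this client; returns a short-lived, single-use authorization code."""
        if client_id not in self.clients or not approved:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, owner, frozenset(scopes), time.time())
        return code

    def token(self, client_id, client_secret, code, ttl=3600):
        """Token Endpoint: authenticates the client, then swaps the code for an access token."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        entry = self.codes.pop(code, None)  # pop: a code can only be redeemed once
        if entry is None or entry[0] != client_id:
            return None
        if time.time() - entry[3] > CODE_LIFETIME:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, entry[1], entry[2], time.time() + ttl)
        return token

    def validate(self, token):
        """Token validation as a resource server / PEP would call it."""
        entry = self.tokens.get(token)
        if entry is None or entry[3] < time.time():
            return None
        return {"client_id": entry[0], "owner": entry[1], "scopes": entry[2]}

    def revoke(self, owner, client_id):
        """Revocation is per (owner, client); the owner's password is untouched."""
        doomed = [t for t, e in self.tokens.items() if e[0] == client_id and e[1] == owner]
        for t in doomed:
            del self.tokens[t]


class LocationGE:
    """Resource Server: holds per-user resources and checks the scope per operation."""
    REQUIRED_SCOPE = {"GET /location": "location:read", "PUT /location": "location:write"}

    def __init__(self, authz):
        self.authz = authz
        self.data = {"alice": "48.85N,2.35E"}  # constructed resource

    def handle(self, operation, token):
        info = self.authz.validate(token)
        if info is None:
            return 401, "invalid_token"
        if self.REQUIRED_SCOPE[operation] not in info["scopes"]:
            return 403, "insufficient_scope"
        if operation == "GET /location":
            return 200, self.data.get(info["owner"])
        self.data[info["owner"]] = "updated"
        return 200, "updated"


def run_scenario():
    """Location-tracking web app scenario; returns what each step observed."""
    authz = AuthorizationServer()
    authz.register_client("tracking-app", "s3cret")  # pre-registration, as on the scenario slide
    location_ge = LocationGE(authz)
    # The owner is redirected to the Authorization Endpoint and grants read-only access.
    code = authz.authorize("alice", "tracking-app", ["location:read"], approved=True)
    results = {}
    results["bad_secret"] = authz.token("tracking-app", "wrong", code)   # client auth fails
    token = authz.token("tracking-app", "s3cret", code)
    results["read"] = location_ge.handle("GET /location", token)[0]      # 200: in scope
    results["write"] = location_ge.handle("PUT /location", token)[0]     # 403: scope never granted
    results["replay"] = authz.token("tracking-app", "s3cret", code)      # None: code already used
    authz.revoke("alice", "tracking-app")
    results["after_revoke"] = location_ge.handle("GET /location", token)[0]  # 401
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is which party holds what: the authorization server is the only component that ever sees both the owner's approval and the client secret, the resource server only ever sees a bearer token it can validate, and the client holds a token whose scope and lifetime the owner controlled.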
XACML
- eXtensible Access Control Markup Language
- Fact: enterprise security policy (if it exists) is managed in different places (HR, Legal, Finance, IT, etc.) and enforced at many points: network access, mail, intranet, business apps, etc.
  -> A consolidated view and global application of “best practices” in access control is VERY VERY HARD
- Where to start? A common language for expressing security policy
- OASIS standard, version in FIWARE: 2.0 (latest 3.0 released Jan 2013)
- Related to the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) (RFC 3198), and ISO 10181-3 (Access Control Framework)
- Policy Decision Point (PDP): provides authorization decisions based on Attribute-Based Access Control (ABAC) / RBAC policies:
  - Subject(s) can do Action(s) on Resource(s) in a given Environment, provided some Condition(s) on Subject/Action/Resource/Environment
- Policy Administration Point (PAP)
- Policy Repository Point (PRP)
- Policy Enforcement Point (PEP): protects the resource, i.e. intercepts the request and asks the PDP for permission before letting it through
- Attribute Finder (non-XACML term): gets attributes not provided by the PEP
FIWARE API Access Control based on…
- IdM GE:
  - Self-Registration/Self-Care Service
  - User & Service Administration Service
  - Authentication & SSO Service
  - OAuth Services:
    - Authorization Endpoint -> resource owner’s authz grant
    - Token Endpoint -> access token
  - DT GCP only tested so far with Access Control GE. NSN One-IDM will officially support OAuth 2.0 in R2.3.3 (end of June)
- Access Control GE:
  - Access Control Policy Administration (PAP)
  - Access Control Policy Enforcement:
    - PEP(s) built-in or deployed as reverse proxy(ies) – your own / Thales
  - Access Control Policy Decision Point (PDP)
  - OAuth access token validation
  - Attribute Finders provide attributes from various sources, e.g.
    - OAuth access token, such as a JSON Web Token (JWT)
    - IdM GE API for user attribute mgt
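As an added example serving both the XACML slide (PEP, PDP, PRP, Attribute Finder) and the FIWARE components just listed (OAuth access token validation, attributes taken from a JWT and from the IdM user-attribute API), and not code from the slides, from FI-WARE or from Thales: a Python PEP in the reverse-proxy role that validates an HS256 JWT access token using only the standard library, an attribute finder that takes the role from the token and the department from a stand-in for the IdM API, and a PDP that evaluates rules of the form "role can do action on resource, provided condition". The signing key, claims, policy, user directory, paths and hours are all constructed; a real deployment would use the IdM's key material and a maintained JWT library rather than the hand-rolled verifier here.

```python
"""PEP -> Attribute Finder -> PDP chain with a JWT-carrying OAuth access token.

Constructed example: HS256 JWT minted and verified with the standard library
only; rule-based policy in the spirit of XACML's "Subject can do Action on
Resource in Environment, provided Condition". Key, claims, policy and request
values are all made up for the demo.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Stands in for the IdM issuing an HS256-signed access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_jwt(token: str, key: bytes, now: float):
    """OAuth access token validation: pinned alg, HMAC signature, expiry.
    Returns the claims on success, None on any failure."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
            return None
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# Stand-in for the IdM GE user-attribute API (constructed data).
USER_DIRECTORY = {"alice": {"department": "support"}, "bob": {"department": "ops"}}


def attribute_finder(claims: dict) -> dict:
    """Gets attributes the PEP did not supply: role from the JWT, department from the IdM."""
    subject = claims.get("sub")
    return {"subject": subject, "role": claims.get("role"),
            "department": USER_DIRECTORY.get(subject, {}).get("department")}


# Policy Repository Point content: role can do action on resource prefix, provided condition.
POLICY = [
    {"role": "agent", "action": "GET", "resource": "/calls/",
     "condition": lambda attrs, env: attrs["department"] == "support", "effect": "Permit"},
    {"role": "manager", "action": "DELETE", "resource": "/calls/",
     "condition": lambda attrs, env: 8 <= env["hour"] < 18, "effect": "Permit"},
]


def pdp_decide(attrs: dict, action: str, resource: str, env: dict) -> str:
    """Policy Decision Point: first applicable rule wins, default Deny."""
    for rule in POLICY:
        if (rule["role"] == attrs["role"] and rule["action"] == action
                and resource.startswith(rule["resource"]) and rule["condition"](attrs, env)):
            return rule["effect"]
    return "Deny"


def pep_intercept(method: str, path: str, authorization: str, key: bytes, env: dict) -> int:
    """Policy Enforcement Point (reverse-proxy style): HTTP status to return.
    401 = no valid token, 403 = PDP said Deny, 200 = let the request through."""
    if not authorization.startswith("Bearer "):
        return 401
    claims = validate_jwt(authorization[len("Bearer "):], key, env["now"])
    if claims is None:
        return 401
    decision = pdp_decide(attribute_finder(claims), method, path, env)
    return 200 if decision == "Permit" else 403


KEY = b"constructed-demo-signing-key"  # shared secret between IdM and PEP (assumption)


def run_demo() -> dict:
    """Exercises the chain with constructed tokens; returns the status per case."""
    now = 1_700_000_000
    day, night = {"now": now, "hour": 10}, {"now": now, "hour": 23}
    agent = "Bearer " + make_jwt({"sub": "alice", "role": "agent", "exp": now + 3600}, KEY)
    manager = "Bearer " + make_jwt({"sub": "bob", "role": "manager", "exp": now + 3600}, KEY)
    expired = "Bearer " + make_jwt({"sub": "alice", "role": "agent", "exp": now - 1}, KEY)
    forged = "Bearer " + make_jwt({"sub": "alice", "role": "manager", "exp": now + 3600}, b"other")
    return {
        "agent_get": pep_intercept("GET", "/calls/42", agent, KEY, day),
        "agent_delete": pep_intercept("DELETE", "/calls/42", agent, KEY, day),
        "manager_delete_day": pep_intercept("DELETE", "/calls/42", manager, KEY, day),
        "manager_delete_night": pep_intercept("DELETE", "/calls/42", manager, KEY, night),
        "expired": pep_intercept("GET", "/calls/42", expired, KEY, day),
        "forged": pep_intercept("DELETE", "/calls/42", forged, KEY, day),
        "no_token": pep_intercept("GET", "/calls/42", "", KEY, day),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to any real PEP: the PEP makes no decision of its own beyond "is the token valid", everything else is delegated to the PDP against policy the PAP manages, and the attribute finder is where a claim inside the token (role) and a lookup the token does not carry (department) are merged before the decision is made.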
Solution for OAuth-UNaware PEP (option 1) 
Example: Cloud WP (diagram)
Components: OAuth-enabled Client App; Keystone PEP; Proxy; Keystone Middleware; Accounting + Monitoring; Resource; NSN/DT IdM; Thales RBAC/XACML Asset.
Numbered messages in the diagram:
1 request
2 redirect to IdM OAuth
4 Authentication + JSON token
5 JSON token
6 JSON token + client id + client secret
7 Access token
8 request + token
9 request info + token
10 request info + token
11 Access token
12 Access token + attrib
13 validation result + request info + attrib
14 validation result + request info + attrib
15 request
Solution for OAuth-aware PEP (option 2)
Solution for OAuth-aware/IdM-integrated PEP (option 3)
Example: Live Demo (diagram)
Components: IdM-like component; A; Thales RBAC/XACML Asset - B; OAuth-enabled Client App (simulation of call center backend) - C; Proxy - D; Configuration scripts - E; Live Demo app backend.
Numbered messages in the diagram:
0 user role can do verb
1 User & password
2 Authentication + token-1
3 token-1 + client id + client secret
4 OAuth access token
5 request + OAuth access token
6 OAuth access token
7 user role
8 user role, verb
9 validation result
10 request
Thanks!
http://fi-ppp.eu
http://fi-ware.eu
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)

  • 1. Follow @FIWARE #FIWARE-AZ on Twitter ! The FI-WARE Project – Base Platform for Future Service Infrastructures FI-WARE Access Control GE Part 1 – API Access Control with OAuth/XACML Overview Cyril DANGERVILLE, Thales FI-WARE / WP8 / T8.2 fiware-api-cross@lists.fi-ware.eu
  • 2. UC Requirement: GEs’ REST API Access Control Service 1. UC project apps need to invoke APIs provided by GEs to access user resources. 2. User privacy must be preserved. OAuth framework fits very well! The FI-WARE Project – Base Platform for Future Service Infrastructures FI-Ware Testbed Service GE IdM GE IdM GE GE Service GE Service GE Client APP Client APP GE
  • 3. Sample scenario in OAuth context 1 2 3 4 (Resource Owner) The FI-WARE Project – Base Platform for Future Service Infrastructures Location GE (Resource Server) Location Tracking WebApp (Client App) 5 IdM GE •Registration Service •Authentication Service •Oauth Authorization Service 6 User registers to the Tracking App. And allows the tracking app to retrieve the location data from location GE User, Location Tracking webapp and Location GE have to be pre-registered at IDM GE.
  • 4. OAuth Authorization Framework  IETF: RFC 6749, version in FIWARE: 2.0 (latest)  “enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.”  The old way: you (resource owner) share your credentials with the 3rd party  Security Issue 1: 3rd party ends up storing your credentials  Security Issue 2: works well for password authentication only  Security Issue 3: 3rd party get same complete access to your stuff as You  Security Issue 4: revoking 3rd-party access is VERY painful (password change) and hardly to never specific to an individual 3rd-party  Security Issue 5: if 3rd-party compromised, so are your credentials and data  Resource Owner: delegates LIMITED resource access to 3rd party (Client App)  Client App: the 3rd party from the Resource Owner’s standpoint  Resource Server (later referred as Target Service (GE)): hosts the resources  Authorization Endpoint: issues Authorization Code that represents resource owner granting access to 3rd party on his/her behalf  Token Endpoint: issues Access Token in exchange for Authorization Code (or refresh token), sent to the Resource Server to get access The FI-WARE Project – Base Platform for Future Service Infrastructures
  • 5. XACML
    - eXtensible Access Control Markup Language
    - Fact: enterprise security policy (if it exists) is managed in different places (HR, Legal, Finance, IT, etc.) and enforced at many points: network access, mail, intranet, business apps, etc. -> A consolidated view and global application of “best practices” in access control is VERY VERY HARD
    - Where to start? A common language for expressing security policy
    - OASIS standard, version in FIWARE: 2.0 (latest 3.0 released Jan 2013)
    - Related to the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) (RFC 3198), and ISO 10181-3 (Access Control Framework)
    - Policy Decision Point (PDP): provides authorization decisions based on Attribute-based Access Control (ABAC) / RBAC policies:
      - Subject(s) can do Action(s) on Resource(s) in a given Environment, provided some Condition(s) on Subject/Action/Resource/Environment hold
    - Policy Administration Point (PAP)
    - Policy Repository Point (PRP)
    - Policy Enforcement Point (PEP): protects the resource, i.e. intercepts the request and asks the PDP for permission before letting it through
    - Attribute Finder (non-XACML term): gets attributes not provided by the PEP
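    The PDP rule shape above (Subject can do Action on Resource, provided the role attribute matches), written as a XACML 2.0 policy and evaluated by a minimal PDP. This is an added example, not FI-WARE or Thales code: the policy, the role/resource/action values and the string-equal-only Target matching are constructed for illustration, and the rule combining algorithm used is first-applicable.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"          # XACML RBAC profile attribute
RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed policy: role "tracker" may GET /location; every other request is denied.
POLICY = f"""<Policy xmlns="{NS['x']}" PolicyId="location-ge-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="tracker-may-read-location" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{EQ}">
        <AttributeValue DataType="{STRING}">tracker</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STRING}"/></SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{EQ}">
        <AttributeValue DataType="{STRING}">/location</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE}" DataType="{STRING}"/></ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{EQ}">
        <AttributeValue DataType="{STRING}">GET</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION}" DataType="{STRING}"/></ActionMatch></Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""

def target_matches(target, request):
    """True when every *Match in the Target holds (string-equal, one Subject/Resource/Action each); a missing or empty Target matches all."""
    if target is None:
        return True
    for elem in target.iter():
        if not elem.tag.endswith("Match"):
            continue
        wanted = elem.find("x:AttributeValue", NS).text
        designator = next(c for c in elem if c.tag.endswith("AttributeDesignator"))
        if request.get(designator.get("AttributeId")) != wanted:
            return False
    return True

def evaluate(policy_xml, request):
    """PDP: first-applicable rule combining; request is a {attribute-id: value} dict built by the PEP."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if target_matches(rule.find("x:Target", NS), request):
            return rule.get("Effect")
    return "NotApplicable"
```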
  • 6. FIWARE API Access Control based on…
    - IdM GE:
      - Self-Registration/Self-Care Service
      - User & Service Administration Service
      - Authentication & SSO Service
      - OAuth Services:
        - Authorization Endpoint -> resource owner’s authz grant
        - Token Endpoint -> access token
      - DT GCP only tested so far with Access Control GE. NSN One-IDM will officially support OAuth 2.0 in R2.3.3 (end of June)
    - Access Control GE:
      - Access Control Policy Administration (PAP)
      - Access Control Policy Enforcement:
        - PEP(s) built-in or deployed as reverse proxy(ies) – your own / Thales
      - Access Control Policy Decision Point (PDP)
      - OAuth access token validation
      - Attribute Finders provide attributes from various sources, e.g.
        - OAuth access token, such as a JSON Web Token (JWT)
        - IdM GE API for user attribute mgt
  • 7. Solution for OAuth-UNaware PEP (option 1)
  • 8. Example: Cloud WP
    [Diagram: message flow between OAuth-Enabled Client App, Keystone PEP, NSN/DT IdM, Thales RBAC/XACML Asset, Resource, Proxy / Keystone Middleware, Accounting + Monitoring]
    Numbered messages:
    1 request
    2 redirect to IdM OAuth
    4 Authentication + Json token
    5 Json token
    6 Json token + client id + client secret
    7 Access token
    8 request + token
    9 request info + token
    10 request info + token
    11 Access token
    12 Access token + attrib
    13 validation result + request info + attrib
    14 validation result + request info + attrib
    15 request
  • 9. Solution for OAuth-aware PEP (option 2)
  • 10. Solution for OAuth-aware/IdM-integrated PEP (option 3)
  • 11. Example: Live Demo
    [Diagram: OAuth-Enabled Client App (simulation of call center backend) – C, Proxy – D, IdM-like component – A, Thales RBAC/XACML Asset – B, Live Demo app backend, Configuration scripts – E]
    Numbered messages:
    0 user role can do verb
    1 User & password
    2 Authentication + token-1
    3 token-1 + client id + client secret
    4 OAuth access token
    5 request + OAuth access token
    6 OAuth access token
    7 user role
    8 user role, verb
    9 validation result
    10 request
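    The OAuth-aware PEP flow above (request + access token reaches the PEP, the token is validated and the user role extracted, the PDP is asked about role and verb, and the request is forwarded only on Permit), as an added example that is not the Live Demo's or FI-WARE's code. The IdM is simulated by an HMAC-signed JWT-style token; the shared secret, the token claims and the role/verb table are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

IDM_SECRET = b"constructed-demo-secret"   # constructed: key shared between IdM and PEP
PERMITTED = {("tracker", "GET"), ("admin", "GET"), ("admin", "POST")}  # step 0: role -> verbs

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, role, client_id, ttl=300):
    """IdM side (step 4): mint a JWT-style access token that carries the user's role."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "role": role, "aud": client_id, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDM_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token):
    """Attribute finder (steps 6-7): verify signature and expiry, return the claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(IDM_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:            # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def pdp_decide(role, verb):
    """PDP stand-in (steps 8-9): the 'user role can do verb' lookup configured in step 0."""
    return "Permit" if (role, verb) in PERMITTED else "Deny"

def pep_handle(verb, path, authorization_header):
    """PEP (steps 5 and 10): return (HTTP status, message); forward only on Permit."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = validate_token(authorization_header[len("Bearer "):])
    if claims is None:
        return 401, "invalid or expired access token"
    if pdp_decide(claims.get("role"), verb) != "Permit":
        return 403, f"role {claims.get('role')} may not {verb} {path}"
    return 200, f"forwarded {verb} {path} on behalf of {claims['sub']}"
```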
  • 12. Thanks ! http://fi-ppp.eu http://fi-ware.eu Follow @FIWARE #FIWARE-AZ on Twitter !