Introduction to Fiware Idm and the Oauth 2 usage
1. Securing Access with Oauth2 in KeyRock
   Javier Cerviño, Álvaro Alonso, Joaquin Salvachua (DIT-UPM)

2. How to authenticate users in your apps using FI-WARE Account
   In this course you will learn to:
   • Use FI-WARE Account to create users, organizations and register your Applications.
   • Authenticate users in your apps with their credentials on FI-WARE using OAuth 2.0. They’ll securely access resources thanks to authorization in FI-WARE Account.

3. Content
   1. Introduction. Introduction to FI-WARE Account and OAuth 2.0. We’ll see key concepts and topics.
   2. First steps in FI-WARE Account. Register on FI-WARE Account, create organizations and manage roles of users in your organizations.
   3. Secure your web applications using OAuth 2.0. Secure your own web applications to authenticate your users with their username and password in FI-WARE Account.
   4. Authenticate your users from native applications using OAuth 2.0. Adapt your native applications to authenticate your users with their username and password in FI-WARE Account.
   5. Developing secured APIs using OAuth 2.0. Deploy a FI-WARE PEP Security Proxy in front of your backend to secure requests to your APIs.
   6. Authorizing access to protected resources. Create roles in your applications to allow or deny access of users to protected resources.

4. Identity Management

5. Identity Management in FI-WARE

6. Identity Management in FI-WARE
   • Management of users, their authentication and authorization, and privileges within organizations.
   • Resources used: Users, Organizations, Roles, Applications.
   • Users register themselves, create organizations, and assign roles within these organizations.
   • It enables applications to access users’ protected information:
     • Trusted environment
     • OAuth 2.0 standard (http://oauth.net/2/)
     • Libraries for PHP, Cocoa, iOS, Java, Ruby, Javascript, Python.

7. OAuth 2.0 (RFC 6749)

8. OAuth 2.0

9. OAuth 2.0
   • Mechanism to provide applications access to restricted resources without sharing credentials.
   • Applications use access tokens, issued by OAuth providers (e.g. FI-WARE), to access resources.
   • The OAuth 2.0 specification is designed for use with HTTP.
   • Roles:
     • Resource Owner: entity capable of granting access to a protected resource (e.g. the end-user).
     • Resource Server: server hosting protected resources.
     • Client: application making protected resource requests on behalf of the resource owner.
     • Authorization Server: the server issuing access tokens to the client.

10. OAuth Message Flow (diagram: Web App with OAuth library, FI-WARE Account)
    Web App → Account: redirect
    Account → Web App: access-code
    Web App → Account: request access-token
    Account → Web App: access-token
    Web App → Account: request user info using access-token

11. Web Applications and GEs (diagram: Web App with OAuth library, Account, Generic Enabler)
    Web App → Account: redirect, access-code, request access-token, access-token (as in slide 10)
    Web App → Generic Enabler: Request + access-token
    Generic Enabler → Account: access-token + path
    Account → Generic Enabler: OK + user info

12. Web Applications and GEs
    GET https://GE_URL HTTP/1.1
    Host: GE_hostname
    X-Auth-Token: access_token

13. AA for free! (diagram: Back-end Apps behind a Proxy, Web App with OAuth library, Account)
    Web App → Account: redirect, access-code, request access-token, access-token
    Web App → Proxy: Request + access-token
    Proxy → Account: access-token + path
    Account → Proxy: OK + user info

14. OAuth 2.0 Architecture

15. OAuth 2.0 Architecture: Authorization Code Grant
    OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com
    6. Response code + myservice.com credentials
    7. OK, this is the Access Token
    8. Access user’s resources with Access Token

16. OAuth 2.0 Architecture: Implicit Grant
    OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com
    6. Access user’s resources with Access Token

17. OAuth 2.0 Architecture: Resource Owner Password Credentials Grant
    OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com
    2. Give access with myservice.com credentials and user’s password credentials
    3. OK, this is the access token
    4. Access user’s resources with Access Token

18. OAuth 2.0 Architecture: Client Credentials Grant
    OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com
    1. Client authentication with myservice.com credentials
    2. OK, this is the access token
    3. Access myservice.com resources with Access Token

19. Using the Access Token

20. Using the Access Token: FI-WARE Resource Providers
    OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com; Generic Enablers: *.fi-ware.org
    Access protected user info with Access Token:
    GET https://ge_url HTTP/1.1
    Host: GE_hostname
    Authorization: Bearer access_token
    The Generic Enabler validates the token against the OAuth provider:
    GET /user?access_token=access_token

21. Using the Access Token: Third-Party Resource Providers
    OAuth consumer: myservice.com; PEP Proxy in front of an Unsecured Resource Provider
    Access protected user info with Access Token:
    GET https://protected_url HTTP/1.1
    Host: GE_hostname
    Authorization: Bearer access_token
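The check a PEP Proxy performs in front of an unsecured resource provider (slides 12, 20 and 21), as an added example that is not the FI-WARE PEP Proxy's own code: it accepts the token either as X-Auth-Token or as Authorization: Bearer, validates it with the provider's GET /user?access_token=... call from slide 20, and returns 401 otherwise. The IdM stub and its token values are constructed so the example runs offline; the real validator assumes the provider answers that call with a JSON user-info document.

```python
"""PEP-proxy style token check (added example, not the FI-WARE PEP Proxy code)."""
import json
import urllib.error
import urllib.parse
import urllib.request

IDM_URL = "https://account.lab.fi-ware.org"  # OAuth provider named on the slides


def extract_token(headers):
    """Return the access token from X-Auth-Token or Authorization: Bearer, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if auth.lower().startswith("bearer "):
        tok = auth[7:].strip()
        return tok or None
    tok = h.get("x-auth-token", "").strip()
    return tok or None


def idm_validate(token):
    """Ask the OAuth provider who owns the token: GET /user?access_token=<token>.
    Returns the user-info dict (assumed JSON) on success, None if rejected."""
    url = IDM_URL + "/user?" + urllib.parse.urlencode({"access_token": token})
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.load(resp)
    except (urllib.error.HTTPError, urllib.error.URLError):
        return None


def authorize(headers, validate=idm_validate):
    """PEP decision for one request: (http_status, user_info).
    401 with no user info when the token is missing or the provider rejects it."""
    token = extract_token(headers)
    if token is None:
        return 401, None
    info = validate(token)
    if not info:
        return 401, None
    return 200, info  # forward the request, user info available for authorization


# Constructed stub standing in for the IdM so the example runs offline.
_STUB_TOKENS = {"tok-valid-123": {"id": "user42", "organizations": ["ORG_ID"]}}


def stub_validate(token):
    return _STUB_TOKENS.get(token)


if __name__ == "__main__":
    print(authorize({"Authorization": "Bearer tok-valid-123"}, stub_validate))
    print(authorize({"X-Auth-Token": "nope"}, stub_validate))
```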
22. Using the Access Token: Cloud Hosting I
    OAuth provider: account.lab.fi-ware.org; OAuth consumer: myservice.com; Keystone Proxy: cloud.lab.fi-ware.org
    Retrieve the list of organizations:
    GET /user?access_token=access_token
    Request a scoped token from the Keystone Proxy for one organization:
    POST http://cloud.lab.fi-ware.eu:4730/v2.0/tokens
    { "auth": { "tenantID": "ORG_ID", "token": { "id": "access_token" } } }

23. Using the Access Token: Cloud Hosting II
    OAuth consumer: myservice.com
    Access using Scoped Token:
    • PaaS GE: pegasus.lab.fi-ware.org
    • DCRM GE: cloud.lab.fi-ware.org
    • SDC GE: saggita.lab.fi-ware.org
    • Object Storage GE: 130.206.82.9

24. Links
    FI-LAB Account:
    • Source Code: https://github.com/ging/fi-ware-idm
    • Documentation: https://github.com/ging/fi-ware-idm/wiki
    FI-LAB OAuth Demo using node.js:
    • https://github.com/ging/oauth2-example-client
    FI-LAB Proxy:
    • https://github.com/ging/fi-ware-pep-proxy