Adding Identity Management and Access Control to your Application, Authorization using the FIWARE components: Identity Management, PEP Proxy, Access Control (PDP/PAP).
IAC 2024 - IA Fast Track to Search Focused AI Solutions
1. Adding Identity Management and Access Control to your Application, Authorization
Daniel Morán, Fernando López
Telefónica I+D
FIWARE
daniel.moranjimenez@telefonica.com
fernando.lopezaguilar@telefonica.com
http://bit.ly/fiware-authorization
6. OAuth 2.0 Message Flow
(Diagram: sequence between the Browser, the Web App with its OAuthLibrary, and the RS + IdM (Account). Messages in order: login; redirect; get access-code; access code; request access-token; access-token; request user info using access-token.)
11. Preliminary steps with the IdM at the FIWARE Account Portal
Result: OAuth credentials (client_id and client_secret) for the application
12. First, we have to redirect the user to the IdM web site in order to log in and authorize the access to the new application (identified by its client_id):
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=9
OAuth 2.0 messages flow: 1) Redirect
14. After entering the user/password to log in and clicking the “Accept” button (needed only once), the browser redirects us back to the web page of our application:
http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg
The IdM uses the callback URL specified in the registration of the application (Cloud Portal, in this example).
We get the “code” value, which will be used in order to authenticate the user.
OAuth 2.0 messages flow: 2) Access code
15. In order to request an access-token, without knowing the credentials of the user:
curl -v --insecure -X POST https://a.b.c.d/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" \
  -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"
Where: Authorization is calculated as Base64(Client_ID:Client_Secret) from the application credentials (see slide 11); code is the access-code obtained in the former step; and redirect_uri is the callback URL the access-code was sent to (see previous slide).
OAuth 2.0 messages flow: 3) Request access token
16. The previous request will return the following information:
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}
OAuth 2.0 messages flow: 4) Access token
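The code-for-token exchange on slides 14 to 16 done from the application's back-end, as an added example that is not part of the slides or of any FIWARE library. It builds the same Basic header and form body as the curl call, checks that the callback URL carrying the code matches the registered redirect_uri before using the code, and validates the JSON answer of slide 16 into an absolute expiry time. The client_id/client_secret values, the token store format and the helper names are assumptions; the IdM and callback hosts are the placeholder ones from the slides. Unlike the curl call, the sender keeps TLS verification enabled (the slides' --insecure is a lab setting), and the exchange runs server-side so the client_secret never reaches the browser.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample credentials (not the ones on the slides).
CLIENT_ID = "my-app-id"
CLIENT_SECRET = "my-app-secret"
REDIRECT_URI = "http://e.f.g.h/login"          # callback registered with the IdM
IDM_TOKEN_URL = "https://a.b.c.d/oauth2/token" # token endpoint from slide 15


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value: 'Basic ' + Base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_code(callback_url: str, expected_redirect: str) -> str:
    """Pull the authorization code out of the URL the IdM redirected the browser to.
    Refuses a callback whose scheme, host or path differ from the registered redirect_uri."""
    got, want = urlparse(callback_url), urlparse(expected_redirect)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("missing or ambiguous code parameter")
    return codes[0]


def build_token_request(code: str) -> dict:
    """Headers and form body of the authorization_code grant (slide 15's curl call)."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the URI the code was sent to
    })
    return {"url": IDM_TOKEN_URL, "headers": headers, "body": body}


def send_token_request(req: dict, timeout: float = 10.0):
    """POST the request built above; TLS verification stays on (no --insecure)."""
    http_req = urllib.request.Request(req["url"], data=req["body"].encode("ascii"),
                                      headers=req["headers"], method="POST")
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


def parse_token_response(status: int, body: str, now: float) -> dict:
    """Validate the token response of slide 16 and turn expires_in into an absolute time."""
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    for key in ("access_token", "expires_in"):
        if key not in data:
            raise RuntimeError(f"token response lacks {key}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data["expires_in"]),
    }
```

The offline parts (header, code extraction, request body, response parsing) can be exercised without an IdM; send_token_request is the only piece that needs the network.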
18. Web Applications and GEs
(Diagram: the Web App, through its OAuthLibrary, obtains an access_token from the Account/IdM via the OAuth2 flows; it then sends Request + access-token to the Generic Enabler, which checks the access-token with the Account and receives OK + user info (roles).)
19. Web Applications and GEs
GET https://GE_URL HTTP/1.1
Host: GE_hostname
X-Auth-Token: access_token
21. Securing your back-end: the XACML model
(Diagram: Access Control components: the Policy Enforcement Point (PEP) sits in front of the backend to secure and asks the Policy Decision Point (PDP); policies are managed in the Policy Administration Point (PAP) by an AdminUser.)
22. Securing your back-end
• Level 1: Authentication
– Check if a user has a FIWARE account
• Level 2: Basic Authorization
– Check if a user has permissions to access a resource
– HTTP verb + resource path
• Level 3: Advanced Authorization
– Custom XACML policies
24. Level 2: Basic Authorization
(Diagram: the Web App (OauthLibrary) gets an access_token from the Account via the OAuth2 flows and sends Request + access-token to the PEP Proxy in front of the Back-end Apps; the PEP Proxy validates the access-token with the Account (OK + user info), then asks Access Control with roles + verb + path and forwards the request on OK.)
29. Level 3: Advanced Authorization
(Diagram: as in Level 2, the Web App (OauthLibrary) gets an access_token from the Account via the OAuth2 flows and sends Request + access-token to the PEP Proxy extension in front of the Back-end Apps; the PEP Proxy extension validates the access-token with the Account (OK + user info), then sends roles + an XACML <Request> to Access Control and forwards the request on OK.)
32. Permissions in XACML format may include one or more resources and one or more actions, e.g.:
<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
…
Policies creation in the IdM: sample XACML rule content
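A small evaluator for the subset of XACML that the rule fragment on this slide uses, added here as an example and not the code of the FIWARE Access Control GE. The policy is a constructed completion of the slide's fragment: the Permit rule gets an <Actions> block and a concrete [PATH], and a second, Deny rule is added so that the deny-overrides combining algorithm has something to combine. The evaluator supports the string-equal function from the slide plus string-regexp-match, both standard XACML 1.0 function identifiers; a request is a dict of attribute ids (resource-id, action-id) to values, and a missing attribute makes the match fail rather than pass. Rule, path and attribute values are constructed.

```python
import re
import xml.etree.ElementTree as ET

RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING_REGEXP = "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"
XS = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: the slide's Permit rule completed with a concrete path and
# an action, plus a Deny rule on DELETE under the same path prefix.
SAMPLE_POLICY = f"""<Policy PolicyId="P:Example"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Rule RuleId="PR:Manage" Effect="Permit">
    <Description>Rule: Permission example (constructed completion)</Description>
    <Target>
      <Resources><Resource>
        <ResourceMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS}">/v2/entities</AttributeValue>
          <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS}"/>
        </ResourceMatch>
      </Resource></Resources>
      <Actions><Action>
        <ActionMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS}">GET</AttributeValue>
          <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="PR:NoDelete" Effect="Deny">
    <Description>Constructed: DELETE is denied under /v2/entities</Description>
    <Target>
      <Resources><Resource>
        <ResourceMatch MatchId="{STRING_REGEXP}">
          <AttributeValue DataType="{XS}">^/v2/entities</AttributeValue>
          <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS}"/>
        </ResourceMatch>
      </Resource></Resources>
      <Actions><Action>
        <ActionMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS}">DELETE</AttributeValue>
          <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
</Policy>"""


def _match(elem, request):
    """Evaluate one ResourceMatch/ActionMatch: MatchId(AttributeValue, designated attribute)."""
    match_id = elem.get("MatchId")
    value = elem.find("AttributeValue").text or ""
    designator = next(c for c in elem if c.tag.endswith("AttributeDesignator"))
    actual = request.get(designator.get("AttributeId"))
    if actual is None:
        return False          # attribute absent from the request: no match
    if match_id == STRING_EQUAL:
        return actual == value
    if match_id == STRING_REGEXP:
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported MatchId {match_id}")


def _group_matches(target, group_tag, item_tag, request):
    """<Resources>/<Actions>: absent means 'any'; otherwise at least one child
    <Resource>/<Action> must have all of its *Match elements satisfied."""
    group = target.find(group_tag)
    if group is None:
        return True
    for item in group.findall(item_tag):
        matches = [c for c in item if c.tag.endswith("Match")]
        if matches and all(_match(m, request) for m in matches):
            return True
    return False


def rule_applies(rule, request):
    target = rule.find("Target")
    if target is None:
        return True
    return (_group_matches(target, "Resources", "Resource", request)
            and _group_matches(target, "Actions", "Action", request))


def evaluate(policy_xml, request):
    """Deny-overrides combination of every applicable <Rule> in the policy."""
    root = ET.fromstring(policy_xml)
    effects = [r.get("Effect") for r in root.iter("Rule") if rule_applies(r, request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"
```

The PEP Proxy extension of slide 29 would build the request dict from the incoming verb and path (and the user's roles as subject attributes, omitted here) and forward the decision as OK or a refusal.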
39. Adding Identity Management and Access Control to your Application, Authorization
Daniel Morán, Fernando López
Telefónica I+D
FIWARE
daniel.moranjimenez@telefonica.com
fernando.lopezaguilar@telefonica.com