In this course you will learn to:
Use FI-WARE Account to create users, organizations and register your Applications.
Authenticate users in your apps with their credentials on FI-WARE using OAuth 2.0.
They’ll securely access resources thanks to authorization in FI-WARE Account.
How to authenticate users in your apps using FI-WARE Account - Introduction
1. How to authenticate users in your apps using FI-WARE Account
2. Content
1. Introduction.
Introduction to FI-WARE Account and OAuth 2.0. We’ll see key concepts and topics.
2. First steps in FI-WARE Account.
Register on FI-WARE Account, create organizations and manage roles of users in your organizations.
3. Secure your web applications using OAuth 2.0.
Secure your own web applications to authenticate your users with their username and password in FI-WARE Account.
4. Authenticate your users from native applications using OAuth 2.0.
Adapt your native applications to authenticate your users with their username and password in FI-WARE Account.
5. Developing secured APIs using OAuth 2.0.
Deploy a FI-WARE PEP Security Proxy in front of your backend to secure requests to your APIs.
6. Authorizing access to protected resources.
Create roles in your applications to allow or deny access of users to protected resources.
8. OAuth 2.0
§ Mechanism to provide applications access to restricted resources without sharing credentials.
§ Applications use access tokens, issued by OAuth providers (e.g. FI-WARE), to access resources.
§ OAuth 2.0 specification is designed for use with HTTP.
§ Roles:
• Resource Owner: Entity capable of granting access to a protected resource (e.g. end-user)
• Resource Server: Server hosting protected resources.
• Client: Application making protected resource requests on behalf of the resource owner.
• Authorization Server: The server issuing access tokens to the client.
10. OAuth 2.0 Architecture
Authorization Code Grant
[Figure: flow between the OAuth consumer (myservice.com) and the OAuth provider (account.lab.fi-ware.org); only the final steps survived extraction]
6. Response code + myservice.com credentials
7. Ok, this is the Access Token
8. Access user’s resources with Access Token
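The authorization code grant above, as an added example that is not FI-WARE's own code: a toy authorization server standing in for account.lab.fi-ware.org and a toy consumer standing in for myservice.com run the exchange in one process. The client id, client secret, redirect URI and user name are constructed, and in-memory dicts replace real storage. Beyond the diagram it shows the checks that step 6 relies on: the consumer authenticates at the token endpoint, a code can be redeemed only once, the redirect URI must match the registration, and the consumer uses a state value to tie the callback to a login it actually started.

```python
"""Simulated OAuth 2.0 Authorization Code Grant, both sides in one process.

Added example, not FI-WARE code. AuthorizationServer stands in for
account.lab.fi-ware.org, Client for myservice.com. Client id, secret,
redirect URI and user name are constructed values.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Toy provider: issues one-time codes and exchanges them for bearer tokens."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # code -> (client_id, redirect_uri, user)
        self.tokens = {}        # access_token -> user

    def authorize(self, client_id, redirect_uri, state, user):
        """Runs after the resource owner has logged in and consented.
        Returns the redirect URL carrying a short-lived code plus the state."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint (diagram steps 6 and 7): authenticate the client,
        then consume the code exactly once."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a replayed code finds nothing
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = entry[2]
        return {"access_token": access_token, "token_type": "Bearer"}

    def user_info(self, authorization_header):
        """Protected resource (diagram step 8): needs a valid bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            raise PermissionError("invalid_token")
        return {"username": self.tokens[token]}


class Client:
    """Toy consumer; pending_states ties each callback to a login it started."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server = server
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def handle_callback(self, redirect_url):
        """Parse the provider's redirect, check state, exchange the code."""
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("unknown state: forged or replayed callback")
        self.pending_states.discard(state)  # state is single-use as well
        return self.server.token(self.client_id, self.client_secret,
                                 params["code"][0], self.redirect_uri)


# Constructed registration values for the toy consumer.
CLIENT_ID, SECRET, REDIRECT = "myservice", "s3cret", "https://myservice.com/cb"


def run_flow():
    """Drive the whole grant; returns the user info the consumer ends up with."""
    server = AuthorizationServer({CLIENT_ID: (SECRET, REDIRECT)})
    client = Client(server, CLIENT_ID, SECRET, REDIRECT)
    redirect = server.authorize(CLIENT_ID, REDIRECT, client.start_login(), "alice")
    tok = client.handle_callback(redirect)
    return server.user_info("Bearer " + tok["access_token"])


def code_replay_is_rejected():
    """Redeeming the same code twice must fail the second time."""
    server = AuthorizationServer({CLIENT_ID: (SECRET, REDIRECT)})
    redirect = server.authorize(CLIENT_ID, REDIRECT, "st", "alice")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    server.token(CLIENT_ID, SECRET, code, REDIRECT)
    try:
        server.token(CLIENT_ID, SECRET, code, REDIRECT)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow(), code_replay_is_rejected())
```

Running the module prints the user info obtained through the grant and confirms that a second redemption of the same code is refused. In a real deployment the code and token stores would be persistent and the redirect would travel through the user's browser, but the checks are the same.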
11. OAuth 2.0 Architecture
Implicit Grant
[Figure: flow between the OAuth consumer (myservice.com) and the OAuth provider (account.lab.fi-ware.org); only the final step survived extraction]
6. Access user’s resources with Access Token
12. OAuth 2.0 Architecture
Resource Owner Password Credentials Grant
[Figure: flow between the OAuth consumer (myservice.com) and the OAuth provider (account.lab.fi-ware.org); step 1 did not survive extraction]
2. Give access with myservice.com credentials and user’s password credentials
3. OK, this is the access token
4. Access user’s resources with Access Token
13. OAuth 2.0 Architecture
Client Credentials Grant
[Figure: flow between the OAuth consumer (myservice.com) and the OAuth provider (account.lab.fi-ware.org)]
1. Client authentication with myservice.com credentials
2. OK, this is the access token
3. Access myservice.com resources with Access Token
15. Using the Access Token
FI-WARE Resource Providers
[Figure: the OAuth consumer (myservice.com) presents the Access Token to the OAuth provider (account.lab.fi-ware.org) and to the Generic Enablers (*.fi-ware.org)]
Access protected user info with Access Token:
GET /user?access_token=access_token
Access protected resources with Access Token:
GET https://ge_url HTTP/1.1
Host: GE_hostname
Authorization: Bearer access_token
16. Using the Access Token
Third-Party Resource Providers
[Figure: the OAuth consumer (myservice.com) sends its request to a PEP Proxy placed in front of an Unsecured Resource Provider]
Access protected user info with Access Token:
GET https://protected_url HTTP/1.1
Host: GE_hostname
Authorization: Bearer access_token
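The enforcement the PEP Proxy performs on this slide, as an added Python example that is not the FI-WARE PEP Proxy's own code: take the token from the Authorization: Bearer header (or from the access_token query parameter that slide 15 also uses), validate it, and only then forward the request to the unsecured backend. The KNOWN_TOKENS table stands in for the validation call the real proxy makes to the IdM, the requests are constructed dicts, and the X-Authenticated-User header name is an assumption made for this example.

```python
"""Toy Policy Enforcement Point (PEP) in front of an unsecured resource provider.

Added example, not the FI-WARE PEP Proxy's own code. KNOWN_TOKENS stands in for
the token validation the real proxy performs against the IdM; requests are
constructed dicts with "method", "path" and "headers"; the X-Authenticated-User
header name is an assumption made for this example.
"""
from urllib.parse import parse_qs, urlparse

# Constructed table: access token -> identity the IdM would report for it.
KNOWN_TOKENS = {"tok-alice": {"username": "alice", "roles": ["customer"]}}


def validate(token):
    """Stand-in for the IdM lookup: None means the token is unknown or expired."""
    return KNOWN_TOKENS.get(token)


def extract_token(request):
    """Locate the bearer token: Authorization header first (RFC 6750 section 2.1),
    then the access_token query parameter the slides also use (section 2.3).
    Returns None when no single, well-formed token is present."""
    headers = request["headers"]
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        return credential.strip()
    values = parse_qs(urlparse(request["path"]).query).get("access_token", [])
    return values[0] if len(values) == 1 else None


def enforce(request, backend, validator=validate):
    """Return an HTTP-like (status, headers, body) triple.
    Requests without a valid token are answered here and never reach backend()."""
    token = extract_token(request)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="pep"'}, ""
    identity = validator(token)
    if identity is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="pep", error="invalid_token"'}, ""
    # Forward without the token: the backend gets the identity, not the credential.
    forwarded = {
        "method": request["method"],
        "path": urlparse(request["path"]).path,  # drops any ?access_token=...
        "headers": {k: v for k, v in request["headers"].items()
                    if k.lower() != "authorization"},
    }
    forwarded["headers"]["X-Authenticated-User"] = identity["username"]
    return backend(forwarded)


def echo_backend(request):
    """Constructed unsecured backend: echoes what the proxy forwarded to it."""
    user = request["headers"].get("X-Authenticated-User")
    return 200, {}, f"{request['method']} {request['path']} as {user}"


if __name__ == "__main__":
    for req in (
        {"method": "GET", "path": "/data", "headers": {"Authorization": "Bearer tok-alice"}},
        {"method": "GET", "path": "/data?access_token=tok-alice", "headers": {}},
        {"method": "GET", "path": "/data", "headers": {}},
        {"method": "GET", "path": "/data", "headers": {"Authorization": "Bearer bogus"}},
    ):
        print(enforce(req, echo_backend))
```

The backend only ever sees the authenticated user name, never the access token, and a request carrying two access_token parameters is treated as having none, so an attacker cannot smuggle a second value past the check.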
17. Using the Access Token
Cloud Hosting I
[Figure: the OAuth consumer (myservice.com) talks to the OAuth provider (account.lab.fi-ware.org) and to the Keystone Proxy (cloud.lab.fi-ware.org)]
Retrieve list of organizations:
GET /user?access_token=access_token
Retrieve Scoped Token in organization ORG_ID:
POST http://cloud.lab.fi-ware.eu:4730/v2.0/tokens
{
  "auth": {
    "tenantID": "ORG_ID",
    "token": {
      "id": "access_token"
    }
  }
}
18. Using the Access Token
Cloud Hosting II
[Figure: the OAuth consumer (myservice.com) accesses each cloud GE using the Scoped Token]
§ DCRM GE: cloud.lab.fi-ware.org
§ PaaS GE: pegasus.lab.fi-ware.org
§ SDC GE: saggita.lab.fi-ware.org
§ Object Storage GE: 130.206.82.9
19. More Info
§ FI-WARE Account’s OAuth 2.0 API:
• Documentation: https://github.com/ging/fi-ware-idm/wiki/
• OAuth 2.0 API: https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance
§ OAuth 2.0 Specification:
• http://tools.ietf.org/html/rfc6749
§ FI-WARE PEP Proxy:
• https://github.com/ging/fi-ware-pep-proxy