13. 1) Redirect
The first time, we have to redirect the user's browser to the IdM web site so that the user can authorize the new application's access:
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2
15. 2) Access code
After the user clicks the “Accept” button, the browser is redirected to a page of our application:
http://e.f.g.h/login?code=gW6mpb4Ncfa22YHEf7g6RLqIUyWP_Xwl3IWmr2QgtXoPZmGDb_ZJud1qfoY2m1CCZAhndKtYpmZAKQAUBBZIdg
This is the callback URL given when the application was registered: IdM redirects to the application URL plus the callback URL specified in the registration (slide 12).
We get the “code” value, which will be used in the next step of the authentication process.
16. 3) Request Access token
In order to request an access token, without the knowledge of the credentials of the user:
curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d "grant_type=password&username=b.rcs@tid.es&password=supersecret"
Note that, as written, this command uses the resource-owner password grant (grant_type=password), so the application itself sends the user's username and password; --insecure disables TLS certificate verification and is only acceptable against a test IdM.
Where the Authorization value is obtained as:
Base64(Client_ID:Client_Secret)
from the application credentials (see slide 12).
17. 4) Access token
The previous request returns the following information:
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token": "RzE6PnLq6WfAD3okMuO5AwNUiSWbKbeyE6kMcQ3sX2Dk8no-Fqu8VEzAFcmFAPjUnZzHFEj-VSo6CTSniT5gxw",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}
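As an added example (not code from the slides), the client side of steps 1 to 4 in Python: building the authorize URL, pulling the code out of the callback, forming the Authorization header as Base64(Client_ID:Client_Secret), and reading the token response. The slides send grant_type=password; this example instead exchanges the step-2 code with the standard grant_type=authorization_code, so the application never handles the user's password. The IdM and callback URLs are the ones on the slides; the client secret and code values used in the test are constructed.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

IDM = "https://a.b.c.d"            # IdM base URL from the slides
CALLBACK = "http://e.f.g.h/login"  # callback URL registered for the application (slide 12)


def authorize_url(client_id):
    """Step 1: the URL the browser is sent to so the user can approve the application."""
    return IDM + "/oauth2/authorize?" + urlencode({"response_type": "code", "client_id": client_id})


def code_from_callback(url):
    """Step 2: extract the one-time 'code'; refuse anything not on the registered callback."""
    p = urlparse(url)
    if f"{p.scheme}://{p.netloc}{p.path}" != CALLBACK:
        raise ValueError("callback does not match the registered URL")
    codes = parse_qs(p.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one 'code' parameter")
    return codes[0]


def basic_auth(client_id, client_secret):
    """Authorization header for step 3: Base64(Client_ID:Client_Secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def token_request(client_id, client_secret, code):
    """Step 3 as (headers, body) for POST IDM/oauth2/token. The slides use the password
    grant; this exchanges the step-2 code instead, so the app never sees the password."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": basic_auth(client_id, client_secret)}
    return headers, urlencode({"grant_type": "authorization_code", "code": code})


def parse_token(response_json):
    """Step 4: check the token type and keep only what the application needs."""
    data = json.loads(response_json)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {k: data[k] for k in ("access_token", "expires_in", "refresh_token")}
```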
18. Securing your backend
• Level 1: Authentication
– Check if a user has a FIWARE account
• Level 2: Basic Authorization
– Check if a user has permissions to access a resource
– HTTP verb + resource path
• Level 3: Advanced Authorization
– Custom XACML policies
21. Level 1: Authentication
Request + access token (step 5)
• The request from the web application to the backend and GEs would look like:
GET https://{backend-apps-url} HTTP/1.1
Host: {backend-apps-hostname}
X-Auth-Token: {access-token}
The request should include the X-Auth-Token header with the exact access token received at step 4 (see slide 17):
3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
22. Level 1: Authentication
Validate X-Auth-Token (step 6)
As a prerequisite, if we do not have one already, a new admin token must be issued (it expires in 24h) in order to request the validation of the auth token:
curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens
KEEP IN MIND that this uses fixed password credentials for the FIWARE Proxy to generate the admin token; in the future a registry of users and passwords will be maintained.
24. Level 1: Authentication
Validate X-Auth-Token (step 6)
Assuming that you have a valid admin token (see slides 22 & 23, and remember it is valid for 24 hours only), we can validate the access token included in the request (step 5):
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Please note that the X-Auth-Token header in this request is the admin token, while the access token being validated is part of the resource path in the URL.
This could return the following status codes if something is wrong:
• 404 Access_token not valid
• 401 X-Auth-Token not valid (unauthorized)
• 403 X-Auth-Token not valid (expired)
25. Level 1: Authentication
Validate X-Auth-Token (step 6)
If there is no error, it returns the following user information (the listing continues on slide 26):
{
  "actorId": 1,
  "displayName": "prueba",
  "email": "b.rcs@tid.es",
  "id": 1,
  "nickName": "prueba",
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        {
          "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
          "name": "Member"
        }
      ]
    }
  ],
  "roles": [
    {
      "id": 5,
      "name": "Provider"
    }
  ]
}
Here the "roles" list inside each entry of "organizations" holds the roles associated to the organization (shown in red on the slide), and the top-level "roles" list holds the roles associated to the application (shown in blue).
27. Level 2: Basic Authorization
[Diagram: the Web App (OAuth library) obtains an access token from the IdM through the OAuth2 flows and sends request + access-token to the Backend Apps; the Proxy in front of them sends 6) access-token + verb + path to the IdM / AC GE, which answers 7) OK + user info.]
28. Level 2: Basic Authorization
Access token + verb + path (step 6)
In this case you should call the API with the following information:
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" -H "Content-Type:application/json" -H "x-auth-resource:path" -H "x-auth-action:verb" http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Where:
• path is the URL of the resource to be accessed (e.g. /resource1/item2)
• verb is the HTTP verb associated to the request (GET, PUT, POST, DELETE)
• X-Auth-Token is the admin token from slides 22 & 23 (FIWARE Proxy token)
• As before, the request URL includes the access token being validated
29. Level 2: Basic Authorization
OK + user info (step 7)
It returns:
• HTTP 401 Unauthorized.
• HTTP 200 OK if all was fine, with the following user information (the listing continues on slide 30):
{
  "actorId": 1,
  "displayName": "prueba",
  "email": "b.rcs@tid.es",
  "id": 1,
  "nickName": "prueba",
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        {
          "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
          "name": "Member"
        }
      ]
    }
  ],
  "roles": [
    {
      "id": 5,
      "name": "Provider"
    }
  ]
}
Here the "roles" list inside each entry of "organizations" holds the roles associated to the organization (shown in red on the slide), and the top-level "roles" list holds the roles associated to the application (shown in blue).
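Added example (not the FIWARE proxy's own code): how a PEP proxy could apply the Level 1 check of slides 22 to 26 and the Level 2 check of slides 28 to 30 in Python, caching the 24-hour admin token and keeping the cases where the user's access token is bad (404, or 401 at Level 2) apart from the cases where the proxy's own admin token is bad (401/403 at Level 1). The HTTP call is injected and replaced by a constructed stand-in so the code runs offline; the shape of the admin-token response ("access" / "token" / "id") is assumed, since slide 23 is not in this excerpt, and the token values are constructed.

```python
import json
import time

IDM = "http://a.b.c.d"   # IdM host from the slides
ADMIN_TTL = 24 * 3600    # the admin token expires in 24h (slide 22)
USER = '{"id": 1, "organizations": [{"name": "prueba", "roles": [{"name": "Member"}]}], "roles": [{"name": "Provider"}]}'  # trimmed slide 25/26 answer


def fake_idm(method, url, headers, body):  # constructed IdM stand-in; admin-token response shape assumed
    if url.endswith(":4730/v2.0/tokens"):
        return 200, '{"access": {"token": {"id": "ADMIN"}}}'
    if headers.get("X-Auth-Token") != "ADMIN":
        return 401, ""                                   # admin token not valid
    if not url.endswith("/GOOD"):
        return (401 if "authREST" in url else 404), ""   # unknown access token
    if headers.get("x-auth-action") == "DELETE":
        return 401, ""                                   # Level 2: this user may not DELETE
    return 200, USER


class PepProxy:
    def __init__(self, http, username, password, now=time.time):
        self.http, self.now = http, now
        self.creds = {"username": username, "password": password}   # fixed proxy credentials, slide 22
        self.admin_token, self.admin_expiry = None, 0.0

    def admin(self):
        """Slide 22: issue an admin token and reuse it until its 24h expiry."""
        if self.admin_token is None or self.now() >= self.admin_expiry:
            status, resp = self.http("POST", IDM + ":4730/v2.0/tokens", {"Content-type": "application/json"},
                                     json.dumps({"auth": {"passwordCredentials": self.creds}}))
            if status != 200:
                raise RuntimeError("admin token request failed: %d" % status)
            self.admin_token = json.loads(resp)["access"]["token"]["id"]
            self.admin_expiry = self.now() + ADMIN_TTL
        return self.admin_token

    def check(self, access_token, path=None, verb=None):
        """Level 1 (slide 24) without path/verb, Level 2 (slide 28) with both: returns
        (allowed, org_roles, app_roles); raises only when OUR admin token is rejected."""
        headers = {"X-Auth-Token": self.admin()}
        url = IDM + ":4731/v2.0/access-tokens/"
        if path is not None:                        # resource and action travel in headers
            headers.update({"x-auth-resource": path, "x-auth-action": verb})
            url += "authREST/"
        status, body = self.http("GET", url + access_token, headers, None)
        if status == 200:
            user = json.loads(body)
            org = {o["name"]: [r["name"] for r in o["roles"]] for o in user["organizations"]}
            return True, org, [r["name"] for r in user["roles"]]
        if path is None and status in (401, 403):   # 401 invalid / 403 expired admin token
            self.admin_token = None                 # re-issue it on the next request
            raise RuntimeError("admin token rejected (%d)" % status)
        return False, {}, []                        # 404 bad access token; 401 at Level 2 = denied
```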
31. Level 3: Advanced Authorization
[Diagram: the Web App (OAuth library) obtains an access token from the IdM through the OAuth2 flows and sends request + access-token to the Backend Apps; the Proxy extension in front of them sends 6) access-token + verb + path to the IdM / AC GE, which answers OK + user info.]
37. Policies creation in IdM
Sample XACML rule content
Permissions in XACML format may include one or more resources and one or more actions, e.g.:
<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
…
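Added example (not part of the slides) in Python: generating a permission rule with the structure shown above for a path and a set of verbs, and evaluating a (path, verb) request against its Target. The <Actions> part is not on the slide and is assumed from the XACML 2.0 syntax (ActionMatch on action-id), and the evaluation covers a single Permit rule only.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0"
STRING = "http://www.w3.org/2001/XMLSchema#string"
EQUAL = XACML + ":function:string-equal"


def permission_rule(rule_id, paths, verbs, description="Rule: Permission example"):
    """Build a Permit rule shaped like the slide: one <Resource> per path matched on
    resource-id and (assumed from XACML 2.0, not shown on the slide) one <Action>
    per verb matched on action-id, both with string-equal. Returns the XML text."""
    rule = ET.Element("Rule", RuleId=rule_id, Effect="Permit")
    ET.SubElement(rule, "Description").text = description
    target = ET.SubElement(rule, "Target")
    for group_tag, item, attr, values in (("Resources", "Resource", "resource:resource-id", paths),
                                          ("Actions", "Action", "action:action-id", verbs)):
        group = ET.SubElement(target, group_tag)
        for value in values:
            match = ET.SubElement(ET.SubElement(group, item), item + "Match", MatchId=EQUAL)
            ET.SubElement(match, "AttributeValue", DataType=STRING).text = value
            ET.SubElement(match, item + "AttributeDesignator",
                          AttributeId=XACML + ":" + attr, DataType=STRING)
    return ET.tostring(rule, encoding="unicode")


def _group_matches(group, value):
    """A <Resources>/<Actions> group matches when any of its string-equal matches holds;
    a missing group matches everything (XACML's AnyResource/AnyAction)."""
    if group is None:
        return True
    return any(m.find("AttributeValue").text == value
               for m in group.findall("*/*[@MatchId='%s']" % EQUAL))


def permits(rule_xml, path, verb):
    """Evaluate one request (path, verb) against the Target of a single Permit rule.
    A real PDP also combines Deny rules and obligations; this answers for one rule only."""
    rule = ET.fromstring(rule_xml)
    target = rule.find("Target")
    return (rule.get("Effect") == "Permit"
            and _group_matches(target.find("Resources"), path)
            and _group_matches(target.find("Actions"), verb))
```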