SlideShare une entreprise Scribd logo

IdM and AC

Télécharger en tant que PPTX, PDF
Fernando Lopez Aguilar
Fernando Lopez Aguilar

Detailed flow description about the use of the IdM and AC in the FIWARE Lab.

Technologie
1  sur  43
FIWARE Security Components (IdM & AC) Fernando López FIWARE Cloud and Platform Senior Expert fernando.lopez@fiware.org @flopezaguilar
Identity Manager 2
Identity Manager 3 Account
OAuth 2.0 4 Login with
OAuth 2.0 5
OAuth 2.0 Message Flow 6 Web App Account redirect request access-token access-token access-code OAuthLibrary Request user info using access-token IP: a.b.c.dIP: e.f.g.h
OAuth 2.0 libraries 7 • http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, Javascript, Python. • Example using Node.js – https://github.com/ging/oauth2-example-client
Previous steps with IdM portal 1) Create User 8
Previous steps with IdM portal 2) Add an application with roles 9
Previous steps with IdM portal 2) Add an application with roles 10
Previous steps with IdM portal 2) Add an application with roles 11
Previous steps with IdM portal 2) Add an application with roles 12
1) Redirect 13 First time, we have to redirect (go) to the IdM web site in order to authorize the access to the new application. https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2
1) Redirect 14
2) Access code 15 After clicking the “Accept” button, the browser redirect us to a page of our application: http://e.f.g.h/login?code=gW6mpb4Ncfa22YHEf7g6RLqIUyWP_Xwl3IWmr2QgtXoPZm GDb_ZJud1qfoY2m1CCZAhndKtYpmZAKQAUBBZIdg This is the callback URL specified in the registry of the application. IdM uses the URL + Callback URL specified in the registration of the application (slide 12). We get the “code” value, which will be used in the authentication process.
3) Request Access token 16 In order to request an access-token, without the knowledge of the credentials of the user: curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4 OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFj ZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d grant_type=password&username=b.rcs@tid.es&password=supersecret Where Authorization is obtained from: Base64(Client_ID:Client_Secret) from application credentials (see slide 12).
4) Access token 17 The previous request will return the following information: HTTP/1.1 200 OK Content-Type: application/json { "access_token": "RzE6PnLq6WfAD3okMuO5AwNUiSWbKbeyE6kMcQ3sX2Dk8no- Fqu8VEzAFcmFAPjUnZzHFEj-VSo6CTSniT5gxw", "expires_in": 2591999, "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB- ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg", "token_type": "bearer" }
Securing your backend 18 • Level 1: Authentication – Check if a user has a FIWARE account • Level 2: Basic Authorization – Check if a user has permissions to access a resource – HTTP verb + resource path • Level 3: Advanced Authorization – Custom XACML policies
Level 1: Authentication 19 Backend Apps IdM 5)Request+ access-token OAuth2 flows 6) access-token 7) OK + user info (roles) Web App OAuthLibrary 4) access-token
Level 1: Authentication 20 Backend Apps IdM 5)Request+ access-token Web App OAuthLibrary Proxy 6) access-token 7) OK + user info (roles) OAuth2 flows 4) access-token
Level 1: Authentication Request + access token (step 5) 21 GET https://{backend-apps-url} HTTP/1.1 Host: {backend-apps-hostname} X-Auth-Token: {access-token} • The request from web application to the backend and GEs would look like: Request should include the X-Auth-Token header with the exact access token received at previous step 4 (see slide 17): 3- EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XL UziWOFdCs7qSHELlA
Level 1: Authentication Validate X-Auth-Token (step 6) 22 As a prerequisite, if we do not have it, a new admin token must be issued (expires in 24h) in order to request the validation of the auth token. curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens KEEP IN MIND this uses fixed password credentials for FIWARE Proxy to generate the admin token, but in a future a registry of users and passwords will be maintained.
Level 1: Authentication Validate X-Auth-Token (step 6) 23 Previous call will return the following message: { "access": { "token": { "expires": "2015-07-09T15:16:07Z", "id": "5b2177e7e1e6592cb7ea168ce9c0e87f" }, "user": { "id": "pepProxy", "name": "pepProxy", "roles_links": [], "username": "pepProxy" } } }
Level 1: Authentication Validate X-Auth-Token (step 6) 24 Assuming that you have a valid admin token (see slides 22 & 23 and remember it is 24 hours valid only), we can validate the access token included in the request (step 5): curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3- EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWO FdCs7qSHELlA Please note X-Auth-Token header in this request is the admin token, while the access- token being validated is part of the resource path in URL. This could return the following status codes if something is wrong: • 404  Access_token not valid • 401  X-Auth-Token not valid (unauthorized) • 403  X-Auth-Token not valid (expired)
Level 1: Authentication Validate X-Auth-Token (step 6) 25 If there is no error, it returns: { "actorId": 1, "displayName": "prueba", "email": "b.rcs@tid.es", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member" …
Level 1: Authentication Validate X-Auth-Token (step 6) 26 … } ] } ], "roles": [ { "id": 5, "name": "Provider" } ] } Where you can see the roles associated to the organization (in red) and the roles associated to the application (in blue).
Level 2: Basic Authorization 27 Backend Apps IdM Request+ access-token Web App OAuthLibrary Proxy 6) access-token + verb + path 7) OK + user info Oauth2 flows access-token AC GE
Level 2: Basic Authorization Access token + verb + path (step 6) 28 In this case you should call the API with the following information: curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f” –H “Content- Type:application/json” –H “x-auth-resource:path” –H “x-auth-action:verb” http://a.b.c.d:4731/v2.0/access-tokens/authREST/3- EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWO FdCs7qSHELlA Where: • path, is the URL of the resource to be accessed, (e.g./resource1/item2) • verb, is the HTTP verb associated to the request (GET, PUT, POST, DELETE) • X-Auth-Token, is the admin token from slides 22 & 23 (FIWARE Proxy token) • As before, request URL includes the access-token being validated
Level 2: Basic Authorization OK + user info (step 7) 29 It returns: • 401 HTTP 401 Unauthorized. • 200 Ok if all was OK, with the following user information: { "actorId": 1, "displayName": "prueba", "email": "b.rcs@tid.es", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member" …
Level 2: Basic Authorization OK + user info (step 7) 30 … } ] } ], "roles": [ { "id": 5, "name": "Provider" } ] } Where you can see the roles associated to the organization (in red) and the roles associated to the application (in blue).
Level 3: Advanced Authorization 31 Backend Apps IdM Request+ access-token Web App OAuthLibrary Proxy extension 6) access-token + verb + path OK + user info Oauth2 flows access-token AC GE
Policies creation in IdM 1) Edit application properties 32
Policies creation in IdM 2) Create a new role 33
Policies creation in IdM 3) Add a new permission 34
Policies creation in IdM 4) Change to advanced mode 35
Policies creation in IdM 5) Fill in the rule field 36
Policies creation in IdM Sample XACML rule content 37 Permissions in XACML format may include 1 or more resources and 1 or several actions, e.g.: <Rule RuleId="PR:Manage" Effect="Permit"> <Description>Rule: Permission example</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> </Resource> </Resources> …
Policies creation in IdM Sample XACML rule content 38 … <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ActionMatch> </Action> </Actions> </Target> </Rule>
Documentation 39 • FIWARE IdM: – Source Code: https://github.com/ging/fi-ware-idm – Documentation: https://github.com/ging/fi-ware-idm/wiki • FIWARE Access Control: – http://catalogue.fi-ware.org/enablers/access-control-tha- implementation/documentation • FIWARE OAuth2 Demo: – https://github.com/ging/oauth2-example-client • FIWARE Proxy: – https://github.com/ging/fi-ware-pep-proxy
40 fiware-tech-help@lists.fiware.org fiware-lab-help@lists.fiware.org
42 http://fiware.org Follow @FIWARE on Twitter
Thank you! http://fiware.org Follow @FIWARE on Twitter

Recommandé

Integrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and WilmaIntegrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and WilmaDalton Valadares
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...FIWARE
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionKong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionFIWARE
 
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersApache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersDataWorks Summit
 
How to CASifying PeopleSoft and Integrating CAS and ADFS
How to CASifying PeopleSoft and Integrating CAS and ADFSHow to CASifying PeopleSoft and Integrating CAS and ADFS
How to CASifying PeopleSoft and Integrating CAS and ADFSJohn Gasper
 

Recommandé

Integrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and WilmaIntegrating Fiware Orion, Keyrock and Wilma
Integrating Fiware Orion, Keyrock and WilmaDalton Valadares
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...Session 3 - i4Trust components for Identity Management and Access Control i4T...
Session 3 - i4Trust components for Identity Management and Access Control i4T...FIWARE
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionKong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionFIWARE
 
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersApache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users
Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise UsersDataWorks Summit
 
How to CASifying PeopleSoft and Integrating CAS and ADFS
How to CASifying PeopleSoft and Integrating CAS and ADFSHow to CASifying PeopleSoft and Integrating CAS and ADFS
How to CASifying PeopleSoft and Integrating CAS and ADFSJohn Gasper
 
Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateCraig Wu
 
Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman
 
IBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEIBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEsandipg123
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Alliance
 
How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)Shiu-Fun Poon
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 
Elastic 101 - Get started
Elastic 101 - Get startedElastic 101 - Get started
Elastic 101 - Get startedIsmaeel Enjreny
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security HardeningShiu-Fun Poon
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security KeysFIDO Alliance
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
A Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and HydraA Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and HydraMarkus Lanthaler
 
FIWARE ID Management
FIWARE ID ManagementFIWARE ID Management
FIWARE ID ManagementMiguel García González
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 

Contenu connexe

Tendances

Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateCraig Wu
 
Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman
 
IBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEIBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEsandipg123
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Alliance
 
How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)Shiu-Fun Poon
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 
Elastic 101 - Get started
Elastic 101 - Get startedElastic 101 - Get started
Elastic 101 - Get startedIsmaeel Enjreny
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security HardeningShiu-Fun Poon
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security KeysFIDO Alliance
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
A Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and HydraA Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and HydraMarkus Lanthaler
 

Tendances (20)

Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederate
 
Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)Postman Collection Format v2.0 (pre-draft)
Postman Collection Format v2.0 (pre-draft)
 
IBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWEIBM Datapower Security Scenario with JWS & JWE
IBM Datapower Security Scenario with JWS & JWE
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
 
How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)How to create a User Defined Policy with IBM APIc (v10)
How to create a User Defined Policy with IBM APIc (v10)
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth
OAuthOAuth
OAuth
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
 
Elastic 101 - Get started
Elastic 101 - Get startedElastic 101 - Get started
Elastic 101 - Get started
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE ArchitecturesFIWARE Wednesday Webinars - How to Secure FIWARE Architectures
FIWARE Wednesday Webinars - How to Secure FIWARE Architectures
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
A Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and HydraA Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and Hydra
 

Similaire à IdM and AC

Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Adding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationAdding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationFernando Lopez Aguilar
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examplesnasza-klasa
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationKAI CHU CHUNG
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Dejan Glozic
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Álvaro Alonso González
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppBen Adida
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityNexThoughts Technologies
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 

Similaire à IdM and AC (20)

FIWARE ID Management
FIWARE ID ManagementFIWARE ID Management
FIWARE ID Management
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Adding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your ApplicationAdding Identity Management and Access Control to your Application
Adding Identity Management and Access Control to your Application
 
FIware Identity Manager
FIware Identity ManagerFIware Identity Manager
FIware Identity Manager
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health App
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring Security
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 

Plus de Fernando Lopez Aguilar

Building the Smart City Platform on FIWARE Lab
Building the Smart City Platform on FIWARE LabBuilding the Smart City Platform on FIWARE Lab
Building the Smart City Platform on FIWARE LabFernando Lopez Aguilar
 
Big Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREBig Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREFernando Lopez Aguilar
 
Operational Dashboards with FIWARE WireCloud
Operational Dashboards with FIWARE WireCloudOperational Dashboards with FIWARE WireCloud
Operational Dashboards with FIWARE WireCloudFernando Lopez Aguilar
 
Creating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
Creating a Context-Aware solution, Complex Event Processing with FIWARE PerseoCreating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
Creating a Context-Aware solution, Complex Event Processing with FIWARE PerseoFernando Lopez Aguilar
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFernando Lopez Aguilar
 
Data persistency (draco, cygnus, sth comet, quantum leap)
Data persistency (draco, cygnus, sth comet, quantum leap)Data persistency (draco, cygnus, sth comet, quantum leap)
Data persistency (draco, cygnus, sth comet, quantum leap)Fernando Lopez Aguilar
 
Cloud and Big Data in the agriculture sector
Cloud and Big Data in the agriculture sectorCloud and Big Data in the agriculture sector
Cloud and Big Data in the agriculture sectorFernando Lopez Aguilar
 
Context Information Management in IoT enabled smart systems - the basics
Context Information Management in IoT enabled smart systems - the basicsContext Information Management in IoT enabled smart systems - the basics
Context Information Management in IoT enabled smart systems - the basicsFernando Lopez Aguilar
 

Plus de Fernando Lopez Aguilar (20)

Introduction to FIWARE technology
Introduction to FIWARE technologyIntroduction to FIWARE technology
Introduction to FIWARE technology
 
DW2020 Data Models - FIWARE Platform
DW2020 Data Models - FIWARE PlatformDW2020 Data Models - FIWARE Platform
DW2020 Data Models - FIWARE Platform
 
FIWARE and Smart Data Models
FIWARE and Smart Data ModelsFIWARE and Smart Data Models
FIWARE and Smart Data Models
 
How to deploy a smart city platform?
How to deploy a smart city platform?How to deploy a smart city platform?
How to deploy a smart city platform?
 
Building the Smart City Platform on FIWARE Lab
Building the Smart City Platform on FIWARE LabBuilding the Smart City Platform on FIWARE Lab
Building the Smart City Platform on FIWARE Lab
 
Data Modeling with NGSI, NGSI-LD
Data Modeling with NGSI, NGSI-LDData Modeling with NGSI, NGSI-LD
Data Modeling with NGSI, NGSI-LD
 
FIWARE and Robotics
FIWARE and RoboticsFIWARE and Robotics
FIWARE and Robotics
 
Big Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREBig Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWARE
 
Operational Dashboards with FIWARE WireCloud
Operational Dashboards with FIWARE WireCloudOperational Dashboards with FIWARE WireCloud
Operational Dashboards with FIWARE WireCloud
 
Creating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
Creating a Context-Aware solution, Complex Event Processing with FIWARE PerseoCreating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
Creating a Context-Aware solution, Complex Event Processing with FIWARE Perseo
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access Control
 
Data persistency (draco, cygnus, sth comet, quantum leap)
Data persistency (draco, cygnus, sth comet, quantum leap)Data persistency (draco, cygnus, sth comet, quantum leap)
Data persistency (draco, cygnus, sth comet, quantum leap)
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT Agents
 
Core Context Management
Core Context ManagementCore Context Management
Core Context Management
 
What is an IoT Agent
What is an IoT AgentWhat is an IoT Agent
What is an IoT Agent
 
FIWARE Overview
FIWARE OverviewFIWARE Overview
FIWARE Overview
 
Overview of the FIWARE Ecosystem
Overview of the FIWARE EcosystemOverview of the FIWARE Ecosystem
Overview of the FIWARE Ecosystem
 
Cloud and Big Data in the agriculture sector
Cloud and Big Data in the agriculture sectorCloud and Big Data in the agriculture sector
Cloud and Big Data in the agriculture sector
 
Berlin OpenStack Summit'18
Berlin OpenStack Summit'18Berlin OpenStack Summit'18
Berlin OpenStack Summit'18
 
Context Information Management in IoT enabled smart systems - the basics
Context Information Management in IoT enabled smart systems - the basicsContext Information Management in IoT enabled smart systems - the basics
Context Information Management in IoT enabled smart systems - the basics
 

Dernier

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Dernier (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

IdM and AC

  • 1. FIWARE Security Components (IdM & AC) Fernando López FIWARE Cloud and Platform Senior Expert fernando.lopez@fiware.org @flopezaguilar
  • 6. OAuth 2.0 Message Flow 6 Web App Account redirect request access-token access-token access-code OAuthLibrary Request user info using access-token IP: a.b.c.dIP: e.f.g.h
  • 7. OAuth 2.0 libraries 7 • http://oauth.net/2/ – PHP, Cocoa, iOS, Java, Ruby, Javascript, Python. • Example using Node.js – https://github.com/ging/oauth2-example-client
  • 8. Previous steps with IdM portal 1) Create User 8
  • 9. Previous steps with IdM portal 2) Add an application with roles 9
  • 10. Previous steps with IdM portal 2) Add an application with roles 10
  • 11. Previous steps with IdM portal 2) Add an application with roles 11
  • 12. Previous steps with IdM portal 2) Add an application with roles 12
  • 13. 1) Redirect 13 First time, we have to redirect (go) to the IdM web site in order to authorize the access to the new application. https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2
  • 15. 2) Access code 15 After clicking the “Accept” button, the browser redirect us to a page of our application: http://e.f.g.h/login?code=gW6mpb4Ncfa22YHEf7g6RLqIUyWP_Xwl3IWmr2QgtXoPZm GDb_ZJud1qfoY2m1CCZAhndKtYpmZAKQAUBBZIdg This is the callback URL specified in the registry of the application. IdM uses the URL + Callback URL specified in the registration of the application (slide 12). We get the “code” value, which will be used in the authentication process.
  • 16. 3) Request Access token 16 In order to request an access-token, without the knowledge of the credentials of the user: curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4 OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFj ZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d grant_type=password&username=b.rcs@tid.es&password=supersecret Where Authorization is obtained from: Base64(Client_ID:Client_Secret) from application credentials (see slide 12).
  • 17. 4) Access token 17 The previous request will return the following information: HTTP/1.1 200 OK Content-Type: application/json { "access_token": "RzE6PnLq6WfAD3okMuO5AwNUiSWbKbeyE6kMcQ3sX2Dk8no- Fqu8VEzAFcmFAPjUnZzHFEj-VSo6CTSniT5gxw", "expires_in": 2591999, "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB- ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg", "token_type": "bearer" }
  • 18. Securing your backend 18 • Level 1: Authentication – Check if a user has a FIWARE account • Level 2: Basic Authorization – Check if a user has permissions to access a resource – HTTP verb + resource path • Level 3: Advanced Authorization – Custom XACML policies
  • 19. Level 1: Authentication 19 Backend Apps IdM 5)Request+ access-token OAuth2 flows 6) access-token 7) OK + user info (roles) Web App OAuthLibrary 4) access-token
  • 20. Level 1: Authentication 20 Backend Apps IdM 5)Request+ access-token Web App OAuthLibrary Proxy 6) access-token 7) OK + user info (roles) OAuth2 flows 4) access-token
  • 21. Level 1: Authentication Request + access token (step 5) 21 GET https://{backend-apps-url} HTTP/1.1 Host: {backend-apps-hostname} X-Auth-Token: {access-token} • The request from web application to the backend and GEs would look like: Request should include the X-Auth-Token header with the exact access token received at previous step 4 (see slide 17): 3- EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XL UziWOFdCs7qSHELlA
  • 22. Level 1: Authentication Validate X-Auth-Token (step 6) 22 As a prerequisite, if we do not have it, a new admin token must be issued (expires in 24h) in order to request the validation of the auth token. curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens KEEP IN MIND this uses fixed password credentials for FIWARE Proxy to generate the admin token, but in a future a registry of users and passwords will be maintained.
  • 23. Level 1: Authentication Validate X-Auth-Token (step 6) 23 Previous call will return the following message: { "access": { "token": { "expires": "2015-07-09T15:16:07Z", "id": "5b2177e7e1e6592cb7ea168ce9c0e87f" }, "user": { "id": "pepProxy", "name": "pepProxy", "roles_links": [], "username": "pepProxy" } } }
  • 24. Level 1: Authentication Validate X-Auth-Token (step 6) 24 Assuming that you have a valid admin token (see slides 22 & 23 and remember it is 24 hours valid only), we can validate the access token included in the request (step 5): curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3- EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWO FdCs7qSHELlA Please note X-Auth-Token header in this request is the admin token, while the access- token being validated is part of the resource path in URL. This could return the following status codes if something is wrong: • 404  Access_token not valid • 401  X-Auth-Token not valid (unauthorized) • 403  X-Auth-Token not valid (expired)
  • 25. Level 1: Authentication Validate X-Auth-Token (step 6) 25 If there is no error, it returns: { "actorId": 1, "displayName": "prueba", "email": "b.rcs@tid.es", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member" …
  • 26. Level 1: Authentication Validate X-Auth-Token (step 6) 26 … } ] } ], "roles": [ { "id": 5, "name": "Provider" } ] } Where you can see the roles associated to the organization (in red) and the roles associated to the application (in blue).
  • 27. Level 2: Basic Authorization 27 Backend Apps IdM Request+ access-token Web App OAuthLibrary Proxy 6) access-token + verb + path 7) OK + user info Oauth2 flows access-token AC GE
  • 28. Level 2: Basic Authorization Access token + verb + path (step 6) 28 In this case you should call the API with the following information: curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f” –H “Content- Type:application/json” –H “x-auth-resource:path” –H “x-auth-action:verb” http://a.b.c.d:4731/v2.0/access-tokens/authREST/3- EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWO FdCs7qSHELlA Where: • path, is the URL of the resource to be accessed, (e.g./resource1/item2) • verb, is the HTTP verb associated to the request (GET, PUT, POST, DELETE) • X-Auth-Token, is the admin token from slides 22 & 23 (FIWARE Proxy token) • As before, request URL includes the access-token being validated
  • 29. Level 2: Basic Authorization OK + user info (step 7) 29 It returns: • 401 HTTP 401 Unauthorized. • 200 Ok if all was OK, with the following user information: { "actorId": 1, "displayName": "prueba", "email": "b.rcs@tid.es", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member" …
  • 30. Level 2: Basic Authorization OK + user info (step 7) 30 … } ] } ], "roles": [ { "id": 5, "name": "Provider" } ] } Where you can see the roles associated to the organization (in red) and the roles associated to the application (in blue).
  • 31. Level 3: Advanced Authorization 31 Backend Apps IdM Request+ access-token Web App OAuthLibrary Proxy extension 6) access-token + verb + path OK + user info Oauth2 flows access-token AC GE
  • 32. Policies creation in IdM 1) Edit application properties 32
  • 33. Policies creation in IdM 2) Create a new role 33
  • 34. Policies creation in IdM 3) Add a new permission 34
  • 35. Policies creation in IdM 4) Change to advanced mode 35
  • 36. Policies creation in IdM 5) Fill in the rule field 36
  • 37. Policies creation in IdM Sample XACML rule content 37 Permissions in XACML format may include 1 or more resources and 1 or several actions, e.g.: <Rule RuleId="PR:Manage" Effect="Permit"> <Description>Rule: Permission example</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> </Resource> </Resources> …
  • 38. Policies creation in IdM Sample XACML rule content 38 … <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ActionMatch> </Action> </Actions> </Target> </Rule>
  • 39. Documentation 39 • FIWARE IdM: – Source Code: https://github.com/ging/fi-ware-idm – Documentation: https://github.com/ging/fi-ware-idm/wiki • FIWARE Access Control: – http://catalogue.fi-ware.org/enablers/access-control-tha- implementation/documentation • FIWARE OAuth2 Demo: – https://github.com/ging/oauth2-example-client • FIWARE Proxy: – https://github.com/ging/fi-ware-pep-proxy
  • 41.