AuthExperience
Modern authentication practices
Haggai Philip Zagury | DevOps Group & Tech Lead | 2021

AGENDA
Before the Cloud & Web Services
The evolution of Authentication systems
OAuth2.0 & JWT
OAuth2.0 - the server side
OIDC - Generic Understanding of Actors
OIDC Flows - Behind the Scenes
SAML
SAML - Behind the Scenes
What’s SSO got to do with it?
Before the Cloud
1 user per application
Onboarding was an issue …
Grouping (Scoping)

Common Solution
LDAP - Lightweight Directory Access Protocol
Identify the User in the directory,
Identification is based on the location in the directory tree

Problem
Security is internal (we trust our DC, LDAP)
Organizations start consuming 3rd party services
How do we manage our Customer / Client DB?
What if I don’t know his ID? Origin?
(Onboarding issue all over again)

SSO - Single Sign On / Use your corporate e-mail
“Social” Login
OAUTH
Misconception #1: OAUTH != Auth0
Misconception #2: It is used to AUTHORIZE, not identify
Purpose: Provide temporary access to your information
Method: JWT - JSON Web Token
OAuth2.0 Usage
Actors: Resource Owner (You!), Client / Application, Authorization Server
Standard web login (username / password)
Client / Application: “Can we please import your contacts?”
User CONSENT
Token GRANT
OAuth2.0 - Behind the scenes
Zero trust policy
Client / Application ID: A way for the identity provider to identify the Client / Application
Client Secret: A unique identifier of that application ID
CONSENT: A token proving the ID is valid
GRANT: Based on the Scope the App/Client ID has permissions to access
OAuth = Authorization (a.k.a access)
grants access to a resource!
Identifying the user is the application / client’s job!
grants are provided via token
tokens expire!
We want to limit the duration / validity of the grant token

The Client Application has no record of the user
How he logged in
When he logged in or logged out
Only the authorization server u with the resource owner!
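The slides above describe the OAuth2.0 exchange in pieces: a registered client with an ID and secret, the user logging in and consenting at the authorization server, a scope-limited grant handed back as a token, and a token that expires while the client never holds the user's record. The following Python simulation is an added example, not code from the deck or its author; it plays all three parties in one process. The client id, secret, redirect URI, user credentials and contact data are constructed values, and the "contacts:read" scope name is an assumption for illustration.

```python
"""Toy OAuth 2.0 authorization-code exchange (constructed example).
Three parties: the resource owner (user), the client application and the
authorization server, which here also serves the protected contacts resource."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str
    subject: str          # the user the token was issued for; only the AS knows this
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now
        # Registered clients: client_id -> (client_secret, redirect_uri). Constructed values.
        self.clients = {"contacts-importer": ("s3cret-constructed", "https://app.example/cb")}
        self.users = {"alice": "correct horse battery staple"}   # constructed credential
        self.codes = {}    # one-time authorization codes
        self.tokens = {}   # access_token -> Grant

    def authorize(self, client_id, redirect_uri, scope, username, password, consent):
        """Authorization endpoint: standard web login plus the user's consent.
        Returns a short-lived, one-time code bound to the requesting client."""
        secret, registered_uri = self.clients.get(client_id, (None, None))
        if secret is None or redirect_uri != registered_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if self.users.get(username) != password:
            raise PermissionError("login failed")
        if not consent:
            raise PermissionError("user denied consent")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username, frozenset(scope.split()), self.now() + 60)
        return code

    def token(self, client_id, client_secret, code, ttl=300):
        """Token endpoint: the client proves its identity with the client secret
        and swaps the one-time code for a scope-limited, expiring access token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)   # codes are single-use
        if entry is None or entry[0] != client_id or entry[3] < self.now():
            raise PermissionError("invalid, expired or foreign code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = Grant(client_id, entry[1], entry[2], self.now() + ttl)
        return token

    def fetch_contacts(self, token):
        """Protected resource: the token grants exactly what its scope says, until it expires."""
        grant = self.tokens.get(token)
        if grant is None or grant.expires_at < self.now():
            raise PermissionError("token missing or expired")
        if "contacts:read" not in grant.scopes:
            raise PermissionError("scope does not cover contacts")
        return ["bob@example.com", "carol@example.com"]   # constructed data


def run_flow(clock):
    """Drive the whole exchange with a controllable clock (a one-element list).
    Returns (server, access_token, contacts); the client side ends up holding
    only the opaque token, never the user's identity or login record."""
    srv = AuthorizationServer(now=lambda: clock[0])
    code = srv.authorize("contacts-importer", "https://app.example/cb", "contacts:read",
                         "alice", "correct horse battery staple", consent=True)
    token = srv.token("contacts-importer", "s3cret-constructed", code)
    return srv, token, srv.fetch_contacts(token)


if __name__ == "__main__":
    clock = [time.time()]
    srv, token, contacts = run_flow(clock)
    print("contacts via scoped token:", contacts)
    clock[0] += 301            # advance past the 300 s token lifetime
    try:
        srv.fetch_contacts(token)
    except PermissionError as e:
        print("after expiry:", e)
```

The clock is injected so the expiry can be exercised deterministically; in a real deployment the same checks (client authentication, single-use code bound to the client, scope and expiry on every resource call) are what the authorization server and resource server enforce.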
OIDC
Purpose: Identity & Authentication layer for OAuth
Method:
1. Dedicated Service Endpoints
2. JWT - JSON Web Token

OIDC FLOWS
OpenID Connect
Adding the Identity Layer to OAuth

OpenIDC - OpenID Connect
Resource Owner (You!)
Endpoints, Scopes, Claims, ID Token

Resource Owner (You!)
Client / Application (Relying Party)
Authorization Server: Authorization endpoint, Token endpoint (flow steps 1, 2, 3 in the diagram)

ID Token
Subject
Issuing Authority
Audience
Issue Date
Expiration Date
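The ID token slide lists five claims (subject, issuing authority, audience, issue date, expiration date); the relying party's job is to verify the signature and then check every one of them before trusting the identity. The following Python block is an added example, not code from the deck or its author. It mints and validates a JWT carrying exactly those claims using HS256 so it runs offline; the issuer URL, client id and signing key are constructed values. With a real provider the relying party checks an RS256/ES256 signature against the provider's published keys, but the claim checks are the same.

```python
"""Minting and validating an OIDC-style ID token (constructed example)."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example"        # constructed issuer URL (the "iss" claim)
CLIENT_ID = "relying-party-app"       # constructed client id (the "aud" claim)
SHARED_KEY = b"constructed-demo-key"  # constructed; a real key is never hard-coded


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(subject, now, lifetime=600, key=SHARED_KEY, aud=CLIENT_ID, iss=ISSUER):
    """Issue a token with the five claims on the slide: sub, iss, aud, iat, exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iss": iss, "aud": aud, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    pass


def validate_id_token(token, now, key=SHARED_KEY, expected_aud=CLIENT_ID,
                      expected_iss=ISSUER, leeway=30):
    """Relying-party validation: signature first, then each claim the slide lists.
    Returns the claims on success and raises TokenRejected otherwise."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")   # the verifier decides the algorithm, not the token
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != expected_iss:                       # Issuing Authority
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")                                     # Audience
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise TokenRejected("token not meant for this client")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:  # Expiration Date
        raise TokenRejected("token expired")
    if not isinstance(iat, (int, float)) or iat > now + leeway:  # Issue Date
        raise TokenRejected("issued in the future")
    if not claims.get("sub"):                                   # Subject
        raise TokenRejected("no subject")
    return claims


if __name__ == "__main__":
    import time
    now = int(time.time())
    tok = mint_id_token("alice", now)
    print("token:", tok)
    print("validated subject:", validate_id_token(tok, now)["sub"])
```

Note the order: the signature is checked before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and the audience check is what stops a token minted for one application from being replayed at another.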
SAML - Security Assertion Markup Language
Resource Owner (You!)
Client / Application
Content Server
Authorization Server (IDP)
{ Token } { Scopes }
Kiryat Atidim, Building 7, 3rd Floor, POB 58269, Tel Aviv 6158102, Israel
(+972) 3 6488618 info@tikalk.com
