Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
Director Platform Engineering @ Sixt @nathariel
July 2019
Our Focus Today
[Diagram: client -> Service, labelled "Authenticate & Authorize"]
• Key patterns for authentication and authorization
  - Client to service
  - Service to service
  - Service to infra
• Focusing on the application and more complex microservices environments
Our Focus Today
[Diagram: three flows, each labelled "Authenticate & Authorize": client -> Service; Service -> Service; Service -> IDM]
Before we begin: The Foundations
OIDC (OpenID Connect) - a protocol for authentication built on top of OAuth 2.0
OAuth 2.0 - a protocol for authorization
Before we begin: AWS Cognito
[Diagram: Identity providers (Social Identity Providers; Other Identity Providers via SAML and OIDC) federate into AWS Cognito User Pools; AWS Cognito Federated Identities federate from the User Pool and authorize access to AWS Cloud services such as S3 and EC2]
Tip #1: If you are starting a new project on AWS involving auth and you need an IdP, use Cognito
Client to service auth
Auth primer
[Diagram: Mobile Client, Amazon API Gateway with a Custom Authorizer, Amazon Cognito, Auth Service, Service]
1. Mobile Client authenticates against Amazon Cognito via credentials
2. Mobile Client receives a JWT
3. Mobile Client invokes the API (Amazon API Gateway) with the JWT
4. Custom Authorizer validates the JWT with Amazon Cognito
5. Amazon Cognito returns validity
6a. Custom Authorizer checks the token scope
6b. Custom Authorizer invokes the custom auth function (Auth Service)
7. Amazon API Gateway forwards the request to the Service
We live in a complex world
[Diagram: many Services behind Amazon API Gateway and an Elastic Load Balancer, alongside Amazon Cognito and On-Prem systems; every Service carries its own "auth" box]
Auth challenges in complex architectures
• I already have one or multiple IdPs; how do I integrate all of that?
• Where do we do authentication and token validation in a heterogeneous environment with various ingress points?
• How do we do authorization, and on what level?
• What about service-to-service auth?
• What about infrastructure auth?
Tip #2: Consider IdP federation to simplify your problem
Authentication: Common Identity Format
[Diagram: external identity providers (SAML, OIDC) at the External Perimeter federate into Amazon Cognito; Cognito issues a Standard Access Token that the Services inside the Internal Perimeter authenticate]
Define your authorization strategy
ACL, MAC, DAC, RBAC, ADAC, PBAC …
Tip #3: If authorization requirements are unclear, start with RBAC and complicate as needed
Authorization
[Diagram: Services in the Internal Perimeter behind Amazon API Gateway; Amazon Cognito federated with SAML/OIDC providers at the External Perimeter]
Token presented to a Service:
{
  "name": "John Doe",
  "email": "john.doe@foo.com",
  "roles": ["finance_controller"]
  …
}
If role == "finance_controller"...   [X - crossed out on the slide]
Tip #4: Do not embed volatile business roles into your applications – implement access controls around service capabilities instead
Delegate auth to a central auth service
User Service API Contract:
POST /users
GET /users/<id>
PUT /users/<id>
DELETE /users/<id>
Associated Permissions:
users:create:any
users:read:any
users:read:own
users:update:any
users:update:all
users:delete:own
users:delete:any
Token presented to the User Service:
{
  "name": "John Doe",
  "email": "john.doe@foo.com",
  "roles": ["finance_controller"],
  "user_id": 343242,
  …
}
Request: GET /users/343242
User Service -> Auth Service: Authorised?
Auth Service Role -> Permission mapping: finance_controller -> users:read:own
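The slide shows the User Service asking the Auth Service whether a finance_controller may GET /users/343242, with the answer depending on the ":own" qualifier matching the token's user_id. The following is an added example (not code from the talk or from Sixt) of that capability-style check in Python: role and permission names and the sample token come from the slides, while the extra policy rows, the endpoint-to-permission pairing and the users:update:own permission are constructed for illustration.

```python
"""Capability-style permission check for the User Service.

Added example, not from the talk. Models the slides' role -> permission
mapping and the "own" vs "any" qualifier on the users:* permissions.
Role and permission names and the sample token come from the slides; the
policy rows, the endpoint -> permission pairing and the users:update:own
permission are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Stand-in for the central Auth Service's Role -> Permission table.
ROLE_PERMISSIONS = {
    "finance_controller": {"users:read:own"},                                  # from the slide
    "user_admin": {"users:read:any", "users:update:any", "users:delete:any"},  # constructed
}

# Permissions that satisfy each User Service endpoint (any one suffices).
ENDPOINT_PERMISSIONS = {
    ("POST", "/users"): ("users:create:any",),
    ("GET", "/users/{id}"): ("users:read:any", "users:read:own"),
    ("PUT", "/users/{id}"): ("users:update:any", "users:update:own"),
    ("DELETE", "/users/{id}"): ("users:delete:any", "users:delete:own"),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    permission: Optional[str]   # permission that granted access, if any
    reason: str


def permissions_for(roles):
    """Expand the token's business roles into service permissions."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorise(claims, method, route, target_user_id=None):
    """Decide whether the caller may perform method+route on target_user_id.

    `claims` is the already-validated token payload. An ":own" permission
    applies only when the token's user_id equals the target record's id;
    ":any" applies regardless of target. Unknown endpoints are denied.
    """
    required = ENDPOINT_PERMISSIONS.get((method, route))
    if required is None:
        return Decision(False, None, "unknown endpoint")
    granted = permissions_for(claims.get("roles", []))
    for perm in required:
        if perm not in granted:
            continue
        qualifier = perm.rsplit(":", 1)[1]
        if qualifier == "any":
            return Decision(True, perm, "granted by :any permission")
        if qualifier == "own" and target_user_id is not None \
                and claims.get("user_id") == target_user_id:
            return Decision(True, perm, "granted by :own permission on own record")
    return Decision(False, None, "no matching permission")


# Token payload from the slides (values constructed, signature already checked).
TOKEN = {"name": "John Doe", "email": "john.doe@foo.com",
         "roles": ["finance_controller"], "user_id": 343242}

if __name__ == "__main__":
    print(authorise(TOKEN, "GET", "/users/{id}", 343242))     # allowed via users:read:own
    print(authorise(TOKEN, "GET", "/users/{id}", 1))          # denied: someone else's record
    print(authorise(TOKEN, "DELETE", "/users/{id}", 343242))  # denied: no delete permission
```

The service never branches on the role name itself (Tip #4): it branches on the permission, and the role-to-permission table is the only place a business role appears, so renaming or splitting a role touches the Auth Service data, not the service code. Note that the user_id used for the ":own" comparison is read from the validated token, never from the request body.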
Centralised Auth Service
[Diagram: User Service -> Auth Service]
Advantages
• Externalised auth decisions and business roles management
• Easier to manage and change
• Single source of truth
Disadvantages
• Another synchronous dependency
• Additional latency
• Single point of failure?
• Manual effort in keeping permissions up to date
Centralised Auth Service Optimisations: automate permission discovery
[Diagram: User Service -> Auth Service, "Register permissions on startup"]
User Service Associated Permissions: users:create:any, users:read:any, users:read:own, users:update:any, users:update:all, users:delete:own, users:delete:any
Auth Service Service:Permissions Map after registration:
com.x.service.user users:create:any
com.x.service.user users:read:any
com.x.service.user users:read:own
com.x.service.user users:update:any
com.x.service.user users:update:all
com.x.service.user users:delete:own
com.x.service.user users:delete:any
Centralised Auth Service Optimisations: caching associated roles
[Diagram: User Service <-> Auth Service]
User Service Associated Permissions: users:create:any, users:read:any, users:read:own, users:update:any, users:update:all, users:delete:own, users:delete:any
Auth Service Role -> Permission: finance_controller -> com.x.service.user users:read:own
After caching, the User Service holds Associated Permissions and Roles:
users:create:any
users:read:any
finance_controller -> users:read:own
users:update:any
users:update:all
users:delete:own
users:delete:any
Auth Service policy row: finance_controller ALLOW com.x.service.user users:read:own
1. On startup the User Service caches the relevant roles for its permissions
2. It receives live updates during runtime
Centralised Auth Service Optimisations: caching auth result
[Diagram: User Service <-> Auth Service]
User Service Associated Permissions: users:create:any, users:read:any, users:read:own, users:update:any, users:update:all, users:delete:own, users:delete:any
Token presented to the User Service:
{
  "name": "John Doe",
  "email": "john.doe@foo.com",
  "roles": ["finance_controller"],
  "user_id": 343242,
  "jti": "21312e1d123"
  …
}
1. Authorize operation
2. Cache authorization response with TTL
User Service Permissions and Cached Policy Result:
users:create:any
users:read:any
21312e1d123 -> users:read:own
users:update:any
users:update:all
users:delete:own
users:delete:any
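The three optimisations above (register permissions on startup, cache the roles associated with them and take live updates, cache authorisation results under the token's jti with a TTL) fit together as one local cache in front of the remote Auth Service. The following is an added example, not code from the talk: the AuthService class is a constructed in-memory stand-in for the remote service, the clock is injectable, and the only policy row taken from the slides is finance_controller ALLOW com.x.service.user users:read:own. One detail the slides leave implicit is handled explicitly: a cached result is never kept past the token's own exp, and a live policy update drops cached results for the permission it changes.

```python
"""Local caches for the centralised Auth Service pattern.

Added example, not from the talk. Simulates the three optimisations on the
slides: the User Service registers its permissions on startup, caches the
roles associated with them (and accepts live updates), and caches each
authorisation result under the token's jti with a TTL. AuthService is a
constructed in-memory stand-in for the real remote service.
"""
import time

SERVICE_ID = "com.x.service.user"  # service name from the slides
USER_SERVICE_PERMISSIONS = [
    "users:create:any", "users:read:any", "users:read:own", "users:update:any",
    "users:update:all", "users:delete:own", "users:delete:any",
]


class AuthService:
    """Constructed stand-in for the remote Auth Service."""

    def __init__(self):
        self.service_permissions = {}   # service -> set(permission)
        # (role, service, permission) rows that are ALLOWed; first row is from the slide
        self.policy = {("finance_controller", SERVICE_ID, "users:read:own")}
        self.subscribers = []
        self.calls = 0                  # remote decision calls made by clients

    def register(self, service, permissions):
        self.service_permissions[service] = set(permissions)

    def roles_for(self, service):
        """(role, permission) pairs relevant to one service, pulled on startup."""
        return {(role, perm) for role, svc, perm in self.policy if svc == service}

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def grant(self, role, service, permission):
        """Runtime policy change, pushed to subscribers as a live update."""
        self.policy.add((role, service, permission))
        for callback in self.subscribers:
            callback(role, service, permission)

    def authorise(self, roles, service, permission):
        self.calls += 1
        return any((r, service, permission) in self.policy for r in roles)


class UserServiceAuthCache:
    def __init__(self, auth, clock=time.time, ttl_seconds=60):
        self.auth = auth
        self.clock = clock
        self.ttl = ttl_seconds
        self.role_cache = {}      # permission -> set(role)
        self.result_cache = {}    # (jti, permission) -> (allowed, expires_at)
        # 1. register permissions, 2. pull relevant roles, 3. subscribe to updates
        auth.register(SERVICE_ID, USER_SERVICE_PERMISSIONS)
        for role, perm in auth.roles_for(SERVICE_ID):
            self.role_cache.setdefault(perm, set()).add(role)
        auth.subscribe(self.on_policy_update)

    def on_policy_update(self, role, service, permission):
        if service != SERVICE_ID:
            return
        self.role_cache.setdefault(permission, set()).add(role)
        # A policy change invalidates cached decisions for that permission.
        self.result_cache = {k: v for k, v in self.result_cache.items()
                             if k[1] != permission}

    def is_allowed(self, claims, permission):
        """Decide locally where possible; cache remote decisions per jti."""
        now = self.clock()
        key = (claims["jti"], permission)
        cached = self.result_cache.get(key)
        if cached and cached[1] > now:
            return cached[0]
        roles = set(claims.get("roles", []))
        if roles & self.role_cache.get(permission, set()):
            allowed = True                                   # local hit
        else:
            allowed = self.auth.authorise(roles, SERVICE_ID, permission)
        # Never keep a decision beyond the token's own expiry (exp is constructed here).
        expires_at = min(now + self.ttl, claims.get("exp", now + self.ttl))
        self.result_cache[key] = (allowed, expires_at)
        return allowed


if __name__ == "__main__":
    auth = AuthService()
    cache = UserServiceAuthCache(auth)
    token = {"roles": ["finance_controller"], "user_id": 343242,
             "jti": "21312e1d123", "exp": time.time() + 300}   # constructed claims
    print(cache.is_allowed(token, "users:read:own"), auth.calls)     # True 0
    print(cache.is_allowed(token, "users:delete:any"), auth.calls)   # False 1
```

Keying the result cache on jti rather than on user_id is what makes the "bounded by exp" rule cheap to apply: the cache entry and the token it was computed for share a lifetime, so a revoked or rotated token cannot keep drawing on a stale ALLOW once it expires.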
Bonus: Local token validation
[Diagram: User Service caches the access token JWK from Amazon Cognito for local validation]
Cache the access token JWK for local validation
Access token:
{
  "name": "John Doe",
  "email": "john.doe@foo.com",
  "roles": ["finance_controller"],
  …
  "kid": "5689example"
}
JWK set published by Amazon Cognito:
{
  "keys": [{
    "kid": "5689example",
    "alg": "RS256"
  }, {
    …
  }]
}
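Both the auth primer (custom authorizer validates the JWT, then checks the token scope) and this slide (the service caches the JWK set and validates locally) come down to the same sequence of checks. The following is an added example, not code from the talk or from Amazon Cognito's SDKs, walking through that sequence: a pinned algorithm allow-list, kid lookup in a cached key set with a single refresh on an unknown kid (key rotation), signature check, exp/iss/aud, then the scope check. So that it runs offline with only the standard library, the signature primitive is HS256 (HMAC) and the cached "JWK" carries a raw secret; Cognito issues RS256 tokens, and a production service would hand exactly these steps to a JWT library with RSA support. The kid 5689example is from the slide; the issuer, audience, secrets and claims are constructed.

```python
"""Local validation of a JWT against a cached JWK set.

Added example, not from the talk or from Amazon Cognito's SDKs. HS256 is
used instead of Cognito's RS256 so the block runs with the standard library;
the structure of the checks is the same. Issuer, audience, keys and claims
are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}                      # {"RS256"} for Cognito; never "none"
EXPECTED_ISSUER = "https://idp.example.test"  # constructed
EXPECTED_AUDIENCE = "user-service"            # constructed
SECRETS = {"5689example": b"constructed-secret-key-1"}   # kid from the slide


def fake_fetch():
    """Constructed stand-in for an HTTP GET of the issuer's JWK set endpoint."""
    return {"keys": [{"kid": kid, "alg": "HS256", "k": k} for kid, k in SECRETS.items()]}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, kid, secret, alg="HS256"):
    """Constructed issuer, used only to build sample tokens for this example."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class JwksCache:
    """Caches the key set; refreshes once when an unknown kid is looked up."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.keys = {}
        self.refreshes = 0
        self.refresh()

    def refresh(self):
        self.refreshes += 1
        self.keys = {k["kid"]: k for k in self.fetch()["keys"]}

    def get(self, kid):
        if kid not in self.keys:
            self.refresh()           # covers key rotation at the issuer
        return self.keys.get(kid)


class TokenInvalid(Exception):
    pass


def validate_token(token, jwks, required_scope, now=None):
    """Return the claims if every check passes, otherwise raise TokenInvalid."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise TokenInvalid("undecodable token")
    if header.get("alg") not in ALLOWED_ALGS:          # verifier pins the algorithm
        raise TokenInvalid("algorithm not allowed")
    key = jwks.get(header.get("kid"))
    if key is None or key.get("alg") != header["alg"]:
        raise TokenInvalid("unknown key id")
    expected = hmac.new(key["k"], (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):     # constant-time compare
        raise TokenInvalid("bad signature")
    if claims.get("exp") is None or now >= claims["exp"]:
        raise TokenInvalid("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenInvalid("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenInvalid("wrong audience")
    if required_scope not in claims.get("scope", "").split():   # step 6a, scope check
        raise TokenInvalid("missing scope")
    return claims


def rejection_reason(token, jwks, required_scope, now=None):
    """None when the token is valid, otherwise the reason it was rejected."""
    try:
        validate_token(token, jwks, required_scope, now=now)
    except TokenInvalid as exc:
        return str(exc)
    return None
```

The order matters: signature and algorithm are checked before any claim is trusted, so exp, iss and aud are only ever read from a token that the cached key actually signed. The single refresh on an unknown kid is what lets the issuer rotate keys without the service restarting, while still bounding how often a flood of bogus kids can trigger a fetch.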
Authorization
[Diagram: Services in the Internal Perimeter; Amazon Cognito federated with SAML/OIDC providers at the External Perimeter; Auth Service]
"Decentralised" authorisation
Centralised Auth Service
[Diagram: User Service -> Auth Service]
Advantages
• Externalised auth decisions and business roles management
• Easier to manage and change
• Single source of truth
• Decentralised token validation and auth
Disadvantages
• Another synchronous dependency
• Additional latency
• Single point of failure?
• Manual effort in keeping permissions up to date
So far we covered…
[Diagram: three flows, each labelled "Authenticate & Authorize": client -> Service; Service -> Service; Service -> IDP]
Service 2 Service Auth
Tip #5: Give identity to your applications
Service to service auth
[Diagram: User Service -> Amazon Cognito -> Auth Service -> Email Service]
1. User Service authenticates using its credentials
2. User Service gets an identity:
{
  "service": "com.x.service.user",
  …
}
3. User Service sends the identity token with its requests to the Email Service
Auth Service policy row (Service -> Permission): com.x.service.user ALLOW com.x.service.email email:send:any
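On the receiving side, the Email Service has to treat the caller's service identity the same way the User Service treats a user's roles: take the subject only from a validated token and check it against the Auth Service's Service -> Permission rows. The following is an added example, not code from the talk, of that gate in Python. The policy row com.x.service.user ALLOW com.x.service.email email:send:any is from the slide; the other rows, the request shape, and the `verify` callable (a stand-in for the token validation the Email Service already performs) are constructed.

```python
"""Service-to-service authorisation on the Email Service side.

Added example, not from the talk. The Email Service gates an inbound call by
validating the bearer token through an injected `verify` callable, reading
the calling service from the token's "service" claim only, and checking
that claim against the Auth Service's Service -> Permission rows. Policy rows
other than the slide's com.x.service.user row are constructed.
"""
from collections import defaultdict

THIS_SERVICE = "com.x.service.email"

# (subject service, target service, permission) rows the Auth Service ALLOWs.
SERVICE_POLICY = {
    ("com.x.service.user", THIS_SERVICE, "email:send:any"),       # from the slide
    ("com.x.service.billing", THIS_SERVICE, "email:send:any"),    # constructed
    ("com.x.service.user", "com.x.service.sms", "sms:send:any"),  # constructed, other target
}


def permitted_callers(policy=SERVICE_POLICY, target=THIS_SERVICE):
    """permission -> set of services allowed to exercise it on this service."""
    index = defaultdict(set)
    for subject, tgt, perm in policy:
        if tgt == target:
            index[perm].add(subject)
    return index


CALLERS = permitted_callers()


def authorise_service_call(claims, permission):
    """Return (allowed, reason). `claims` must come from a validated identity token."""
    subject = claims.get("service")
    if not isinstance(subject, str) or not subject:
        # A user token (roles but no service claim) is not a service identity.
        return False, "no service identity in token"
    if subject not in CALLERS.get(permission, set()):
        return False, "%s not allowed %s on %s" % (subject, permission, THIS_SERVICE)
    return True, "allowed"


def handle_request(headers, permission, verify, audit):
    """Gate one inbound call; returns an HTTP status and appends denials to `audit`."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        audit.append("deny: missing bearer token")
        return 401
    claims = verify(auth[len("Bearer "):])   # None when the token does not validate
    if claims is None:
        audit.append("deny: invalid token")
        return 401
    allowed, reason = authorise_service_call(claims, permission)
    if not allowed:
        audit.append("deny: " + reason)
        return 403
    return 200


# Constructed token store standing in for signature validation against the IdP.
KNOWN_TOKENS = {
    "svc-user-token": {"service": "com.x.service.user"},
    "svc-sms-token": {"service": "com.x.service.sms"},
    "john-token": {"name": "John Doe", "roles": ["finance_controller"], "user_id": 343242},
}


def demo_verify(token):
    return KNOWN_TOKENS.get(token)


if __name__ == "__main__":
    log = []
    print(handle_request({"Authorization": "Bearer svc-user-token"}, "email:send:any", demo_verify, log))  # 200
    print(handle_request({"Authorization": "Bearer john-token"}, "email:send:any", demo_verify, log))      # 403
    print(log)
```

The subject is never taken from a custom header such as X-Calling-Service: any service on the network could set that, whereas the "service" claim is bound to credentials the caller had to present to Cognito. Keeping the denial reasons in an audit trail is what later lets an operator see a service exercising a permission it was never granted.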
Authorization
[Diagram: Services in the Internal Perimeter; Amazon Cognito federated with SAML/OIDC providers at the External Perimeter; Auth Service; S3 marked with "?"]
(AWS) Infra Auth
Cognito Federated Identities to the rescue
[Diagram: User Service, Amazon Cognito User Pool, Amazon Cognito Identity Federation]
1. Get identity token (from the Cognito User Pool)
2. Exchange token for IAM creds (via Cognito Identity Federation)
3. Access AWS services
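The three steps on the slide map onto two calls of the Cognito Identity API: GetId turns the User Pool ID token into an identity in the identity pool, and GetCredentialsForIdentity returns temporary IAM credentials for that identity, which then sign calls to S3 or any other AWS service. The following is an added example, not code from the talk or from AWS, showing that exchange with the real boto3 cognito-identity client; boto3 is imported lazily so the pure helpers run without it, and the region, pool ids and token are placeholders.

```python
"""Exchanging a Cognito User Pool token for temporary IAM credentials.

Added example, not from the talk or from AWS. Uses the real boto3
`cognito-identity` calls get_id and get_credentials_for_identity; boto3 is
imported lazily so the pure helpers run without it. Region, pool ids and the
token are placeholders.
"""
REGION = "eu-west-1"                                                  # placeholder
USER_POOL_ID = "eu-west-1_EXAMPLEPOOL"                                # placeholder
IDENTITY_POOL_ID = "eu-west-1:00000000-0000-0000-0000-000000000000"   # placeholder


def login_provider_key(region, user_pool_id):
    """Key under which a User Pool ID token is passed in the `Logins` map."""
    return "cognito-idp.%s.amazonaws.com/%s" % (region, user_pool_id)


def build_logins(id_token, region=REGION, user_pool_id=USER_POOL_ID):
    """Step 1's output (the ID token) in the shape the identity pool expects."""
    if not id_token or id_token.count(".") != 2:
        raise ValueError("expected a compact-serialised JWT ID token")
    return {login_provider_key(region, user_pool_id): id_token}


def credentials_from_response(response):
    """Flatten GetCredentialsForIdentity output into boto3 client keyword names."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],   # temporary: re-run the exchange before this
    }


def exchange_id_token(id_token, region=REGION):
    """Step 2: User Pool ID token -> identity pool identity -> IAM credentials."""
    import boto3  # lazy so the module imports without boto3 installed
    client = boto3.client("cognito-identity", region_name=region)
    logins = build_logins(id_token, region)
    identity = client.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)
    resp = client.get_credentials_for_identity(IdentityId=identity["IdentityId"],
                                               Logins=logins)
    return credentials_from_response(resp)


def s3_client_for(id_token, region=REGION):
    """Step 3: an S3 client that signs requests with the exchanged credentials."""
    import boto3
    c = exchange_id_token(id_token, region)
    return boto3.client("s3", region_name=region,
                        aws_access_key_id=c["aws_access_key_id"],
                        aws_secret_access_key=c["aws_secret_access_key"],
                        aws_session_token=c["aws_session_token"])


if __name__ == "__main__":
    # Needs boto3, network access and a real ID token; the helpers above do not.
    print(build_logins("header.payload.signature"))
```

Which IAM permissions the service ends up with is decided by the identity pool's authenticated role (or a role mapping on the User Pool group), not by anything in the token, so the least-privilege work happens in that role's policy; the credentials are short-lived and the exchange is repeated when they expire.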
That's all
[Diagram: three flows, each labelled "Authenticate & Authorize": client -> Service; Service -> Service; Service -> IDP]
Thank you!
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 

Dernier (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

Complex architectures for authentication and authorization on AWS

  • 1. Complex architectures for authentication and authorization on AWS. Boyan Dimitrov, Director Platform Engineering @ Sixt (@nathariel), July 2019.
  • 2. Our Focus Today. Key patterns for authentication and authorization: client to service, service to service, and service to infrastructure. The focus is on the application layer and on more complex microservices environments. (Diagram: a caller marked "?" being authenticated and authorized before it reaches a service.)
  • 3. Our Focus Today. (Diagram of the three cases: client to service, service to service, and service to IDM, each with its own "authenticate & authorize" step.)
  • 4. Before we begin: The Foundations. OAuth 2.0 is a protocol for authorization. OIDC (OpenID Connect) is a protocol for authentication built on top of OAuth 2.0.
  • 5. Before we begin: AWS Cognito. Two distinct pieces: Cognito User Pools (the identity provider; it can federate social identity providers and other identity providers over SAML and OIDC) and Cognito Federated Identities (authorizes access to AWS resources such as S3 and EC2 by federating an identity into AWS credentials).
  • 6. Tip #1: If you are starting a new project on AWS involving auth and you need an IdP, use Cognito.
  • 8. Auth primer. Actors: mobile client, Amazon API Gateway with a custom authorizer, Amazon Cognito, an auth service, and the target service. Flow: 1. The client authenticates against Cognito with its credentials. 2. It receives a JWT. 3. It invokes the API with the JWT. 4. The custom authorizer validates the JWT. 5. Validity is returned. 6a. The token scope is checked, or 6b. a custom auth function in the auth service is invoked. 7. The request is forwarded to the service.
  • 9. We live in a complex world. (Diagram: many services, some behind Amazon API Gateway, some behind an Elastic Load Balancer, some on-prem, each with its own "auth" box, and Amazon Cognito on the side.)
  • 10. Auth challenges in complex architectures: I already have one or several IdPs; how do I integrate all of that? Where do we do authentication and token validation in a heterogeneous environment with various ingress points? How do we do authorization, and on what level? What about service-to-service auth? What about infrastructure auth?
  • 11. Tip #2: Consider IdP federation to simplify your problem.
  • 12. Authentication: Common Identity Format. (Diagram: external SAML and OIDC IdPs federate into Amazon Cognito at the internal perimeter; the services behind the external perimeter authenticate every caller with one standard access token.)
  • 13. Define your authorization strategy: ACL, MAC, DAC, RBAC, ABAC, PBAC, ...
  • 14. Tip #3: If authorization requirements are unclear, start with RBAC and complicate as needed.
  • 15. Authorization. (Diagram: the perimeter picture of slide 12 with Amazon API Gateway in front of the services.) The token carries the business role, e.g. { "name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], ... }, and a service that does `if role == "finance_controller" ...` is marked with an X: the anti-pattern the next tip addresses.
  • 16. Tip #4: Do not embed volatile business roles into your applications; implement access controls around service capabilities instead.
  • 17. Delegate auth to a central auth service. User Service API contract: POST /users, GET /users/<id>, PUT /users/<id>, DELETE /users/<id>. Associated permissions: users:create:any, users:read:any, users:read:own, users:update:any, users:update:own, users:delete:own, users:delete:any. Token: { "name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], "user_id": 343242, ... }. For GET /users/343242 the Auth Service resolves role finance_controller -> permission users:read:own and answers the question "authorised?".
  • 18. Centralised Auth Service (the User Service asks the Auth Service). Advantages: externalised auth decisions and business role management; easier to manage and change; single source of truth. Disadvantages: another synchronous dependency; additional latency; single point of failure?; manual effort in keeping permissions up to date.
  • 19. Centralised Auth Service, optimisation: automate permission discovery. The User Service registers its permissions (users:create:any, users:read:any, users:read:own, users:update:any, users:update:own, users:delete:own, users:delete:any) with the Auth Service on startup; the Auth Service keeps a service:permissions map (com.x.service.user -> each of those permissions).
  • 20. Centralised Auth Service, optimisation: caching associated roles. The Auth Service holds the role -> permission mapping, e.g. finance_controller -> com.x.service.user users:read:own.
  • 21. Centralised Auth Service, optimisation: caching associated roles. 1. On startup the User Service caches the roles relevant to its permissions (e.g. finance_controller ALLOW com.x.service.user users:read:own). 2. It receives live updates during runtime.
  • 22. Centralised Auth Service, optimisation: caching the auth result. The token now carries a token id: { "name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], "user_id": 343242, "jti": "21312e1d123", ... }.
  • 23. Centralised Auth Service, optimisation: caching the auth result. 1. Authorize the operation via the Auth Service. 2. Cache the authorization response with a TTL, keyed by the token's jti (e.g. 21312e1d123 -> users:read:own), next to the service's permissions.
  • 24. Bonus: Local token validation. The User Service caches the access-token JWK from Amazon Cognito for local validation: the token's header names the signing key ("kid": "5689example") and the JWK set lists it ({ "keys": [{ "kid": "5689example", "alg": "RS256" }, { ... }] }).
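The local validation of slide 24 (which is also what step 4 of the slide 8 flow does) as an added, runnable example; this is editor-written code, not code from the talk or from Sixt. It keeps the JWK set in a local cache keyed by kid, verifies the RS256 signature with nothing but the standard library, and then checks exp, iss, token_use and the audience/client claims the way a Cognito verifier must. The issuer URL, the client id and the RSA key are assumptions: the key is built from two Mersenne primes purely so the example can mint and verify tokens offline, and is not a secure key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: two Mersenne primes give a 1128-bit modulus, enough for
# RS256 (RSASSA-PKCS1-v1_5 with SHA-256). The factors are public knowledge, so
# this key exists only so the example runs offline; never use it for anything real.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KID = "5689example"                                   # kid from the slide
ISSUER = "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE"  # assumed
CLIENT_ID = "1example23456789"                        # assumed app client id


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


# What the user pool's /.well-known/jwks.json would contain for this key.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                  "n": b64url(_to_bytes(N)), "e": b64url(_to_bytes(E))}]}
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_jwt(claims: dict, kid: str = KID) -> str:
    """Issuer side, standing in for Cognito: mint an RS256 token over the claims."""
    signing_input = b64url(_json({"alg": "RS256", "kid": kid, "typ": "JWT"})) + "." + b64url(_json(claims))
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url(pow(em, D, N).to_bytes(k, "big"))


class JwksCache:
    """JWK set held by the service itself, so validation makes no call to Cognito."""

    def __init__(self, jwks: dict):
        self._keys = {key["kid"]: key for key in jwks["keys"]}

    def get(self, kid):
        key = self._keys.get(kid)
        if key is None:
            # A production cache re-fetches jwks.json once here (key rotation)
            # and rejects only if the kid is still unknown afterwards.
            raise ValueError(f"unknown kid {kid!r}")
        return key


def verify_jwt(token: str, cache: JwksCache, issuer: str, client_id: str, now=None) -> dict:
    """Validate a Cognito-style JWT locally: header -> kid -> cached JWK -> signature -> claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    key = cache.get(header.get("kid"))
    # The algorithm is pinned by the JWK; the token's own alg header is not trusted.
    if key["alg"] != "RS256" or header.get("alg") != key["alg"]:
        raise ValueError("unexpected alg")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    signature = b64url_decode(s64)
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        raise ValueError("bad signature")
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))     # parsed only after the signature holds
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # Cognito id tokens carry the app client in "aud", access tokens in "client_id".
    use = claims.get("token_use")
    if use == "id" and claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if use == "access" and claims.get("client_id") != client_id:
        raise ValueError("wrong client")
    if use not in ("id", "access"):
        raise ValueError("unknown token_use")
    return claims
```

Two points a practitioner should keep from this: the algorithm comes from the cached JWK, never from the token header, which closes the classic alg-confusion hole; and a miss on kid is the one case where the cache should refresh from the issuer, because Cognito rotates signing keys and a stale cache would otherwise reject every new token. In production replace the hand-rolled RSA with a maintained library such as PyJWT; the claim checks stay the same.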
  • 25. Authorization: "decentralised" authorisation. (Diagram: the perimeter picture of slide 15 with the Auth Service added next to the services.)
  • 26. Centralised Auth Service, revisited. Advantages: externalised auth decisions and business role management; easier to manage and change; single source of truth; decentralised token validation and auth. Disadvantages: another synchronous dependency; additional latency; single point of failure?; manual effort in keeping permissions up to date.
  • 27. So far we covered... (Same diagram as slide 3: client to service, service to service, service to IDP.)
  • 29. Tip #5: Give identity to your applications.
  • 30. Service to service auth. 1. The User Service authenticates to Amazon Cognito using its own credentials. 2. It gets an identity: a token with { "service": "com.x.service.user", ... }. 3. It sends that identity token with its requests to the Email Service, which asks the Auth Service; the service -> permission table says com.x.service.user ALLOW com.x.service.email email:send:any.
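The central auth service of slides 17 to 23 and the service-to-service grant of slide 30, as one added example; this is editor-written code illustrating the pattern, not Sixt's auth service. It registers a service's permissions on startup (slide 19), resolves business roles or a calling service's identity to `resource:action:scope` permissions with the own/any distinction of slide 17, and caches each decision on the caller side keyed by the token's jti with a TTL that is also bounded by the token's exp (slides 22 and 23). The service ids come from the slides; the claims, the `AuthzClient` wrapper and the `exp`-bounded TTL are assumptions of this example.

```python
import time

# Permission strings use the slides' resource:action:scope form, e.g. users:read:own.
USER_SERVICE = "com.x.service.user"
EMAIL_SERVICE = "com.x.service.email"
USER_PERMISSIONS = {"users:create:any", "users:read:any", "users:read:own", "users:update:any",
                    "users:update:own", "users:delete:own", "users:delete:any"}


class AuthService:
    """Central decision point: knows each service's permissions and which principals hold them."""

    def __init__(self):
        self.permissions = {}   # service id -> permissions it registered on startup
        self.grants = {}        # principal (business role or calling service id) -> {(service id, permission)}
        self.calls = 0          # decisions made; shows what the caller-side cache saves

    def register_permissions(self, service_id, perms):
        self.permissions.setdefault(service_id, set()).update(perms)

    def grant(self, principal, service_id, permission):
        # Only a permission the service actually registered can be granted.
        if permission not in self.permissions.get(service_id, ()):
            raise ValueError(f"{service_id} never registered {permission}")
        self.grants.setdefault(principal, set()).add((service_id, permission))

    def authorize(self, service_id, claims, resource, action, owner=None):
        """Return the permission that allows the call, or None to deny."""
        self.calls += 1
        principals = list(claims.get("roles", []))
        if "service" in claims:                      # service-to-service identity
            principals.append(claims["service"])
        held = set().union(*(self.grants.get(p, set()) for p in principals))
        any_perm = f"{resource}:{action}:any"
        own_perm = f"{resource}:{action}:own"
        if (service_id, any_perm) in held:
            return any_perm
        # ":own" only applies when the resource belongs to the user named in the token.
        if (service_id, own_perm) in held and owner is not None \
                and str(claims.get("user_id")) == str(owner):
            return own_perm
        return None


class AuthzClient:
    """Caller side: registers permissions on startup and caches decisions per token."""

    def __init__(self, auth, service_id, permissions, ttl=60):
        self.auth, self.service_id, self.ttl = auth, service_id, ttl
        self._cache = {}        # (jti, resource, action, owner) -> (decision, expires_at)
        auth.register_permissions(service_id, permissions)

    def check(self, claims, resource, action, owner=None, now=None):
        now = time.time() if now is None else now
        jti = claims.get("jti")
        key = (jti, resource, action, owner)
        if jti is not None:
            hit = self._cache.get(key)
            if hit is not None and hit[1] > now:
                return hit[0]
        decision = self.auth.authorize(self.service_id, claims, resource, action, owner)
        if jti is not None:
            # A cached decision must never outlive the token it was made for.
            self._cache[key] = (decision, min(now + self.ttl, claims.get("exp", now + self.ttl)))
        return decision


def build_demo():
    """Wire the slides' example: user service, email service, one role grant, one service grant."""
    auth = AuthService()
    users = AuthzClient(auth, USER_SERVICE, USER_PERMISSIONS)
    email = AuthzClient(auth, EMAIL_SERVICE, {"email:send:any"})
    auth.grant("finance_controller", USER_SERVICE, "users:read:own")
    auth.grant(USER_SERVICE, EMAIL_SERVICE, "email:send:any")
    return auth, users, email


if __name__ == "__main__":
    auth, users, email = build_demo()
    # Constructed claims, as they would come out of an already validated token (slide 22).
    john = {"name": "John Doe", "roles": ["finance_controller"], "user_id": 343242,
            "jti": "21312e1d123", "exp": 1800000000}
    print(users.check(john, "users", "read", owner=343242, now=1700000000))  # users:read:own
    print(users.check(john, "users", "read", owner=99, now=1700000000))      # None
    svc = {"service": USER_SERVICE, "jti": "svc-1", "exp": 1800000000}
    print(email.check(svc, "email", "send", now=1700000000))                 # email:send:any
```

Keying the cache by jti is what makes the slide 23 optimisation safe: a new token (new roles, new user) always gets a fresh decision, and a decision can be served from cache only while the token that earned it is still valid. The price is that a role revoked at the Auth Service keeps working for at most one TTL on tokens already cached, which is the number to tune against the latency saved.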
  • 31. Authorization. (Diagram: the perimeter picture with the Auth Service, plus an S3 bucket marked "?": how does a service authenticate to AWS infrastructure?)
  • 33. Cognito Federated Identities to the rescue. 1. The User Service gets an identity token from the Amazon Cognito User Pool. 2. It exchanges that token for IAM credentials via Amazon Cognito Identity Federation. 3. It accesses AWS services with those credentials.
  • 34. That's all. (Same diagram as slide 27.)

Speaker notes

  Picture: John is trying to access a service through the API Gateway, which might be a container or a Lambda function. Show the complexity with RBAC / ABAC / PBAC...