[WSO2 Integration Summit Johannesburg 2019] Security in a Distributed Computing Environment
Security in the Context of
Who am I?
Based in our Cape Town office
A practical view based on our experience with distributed computing
► A look at modern distributed systems
► Creating a seamless experience
► Leveraging Social login
► Additional factors
► Identity Management
► A single view
► Personal data and consent
► Rate limiting or throttling
An evolution in component size
Source: Tiempo Development
Traditional monolithic authentication
Typical application-level
implementation of role-based
Traditional approach causes duplication
Legacy User DB
We still see many examples of this!
Traditional approach causes duplication
This is much better.
Authentication as a service
Use a “Trusted 3rd
Central authentication mechanism
Provide a single mechanism
for identity management
Integrate applications with
the Identity server.
Benefits of this approach
► A single mechanism for authentication
► Common and shared across all applications
► User information in one place
► Easy to maintain
► Can leverage proven security standards
Using an Identity Server provides;
► Central login mechanism
► Customised registration flow
► Customised approval flows
► Advanced authentication techniques
Single Sign-On applications have the following characteristics;
► Static, well-known URL – e.g. http://logon.acme.com
► Authentication session is maintained at this URL;
► Using cookies to identify the session
► Redirect mechanisms are used to redirect to and from this app
► This enables the authentication session to span multiple applications.
► Login once for a range of applications.
► Users and Groups now become a
► Roles remain an application
► Share information via API or
How do we separate the various identity objects?
Social Login – Use cases
► End-users – Removes the risk of creating yet another account
► Occasional or temporary workers – i.e. contractors who do not require
corporate-wide access control groups / roles
What is POPI
► Protection of Personal Information Act will regulate the Processing of
► Personal Information broadly means any information relating to an
identifiable, living natural person or juristic person (companies, CC’s etc.)
and includes, but is not limited to:
► contact details: email, telephone, address etc.
► demographic information: age, gender, race, birth date, ethnicity etc.
► history: employment, financial, educational, criminal, medical history
► biometric information: blood type etc.
► opinions of and about the person
► private correspondence etc.
► Processing means broadly anything that can be done with the Personal
Information, including collection, usage, storage, dissemination, etc.
Personal information as a service
► We can access personal data from a central source
► Information is stored once.
► Easy to add, change or remove in one place.
► Central access control
► Provide a customer self-help portal to view or change data.
► Get user consent to determine who can use it.
Personal information capture
► Initial user / customer information is
captured as part of the registration
► Additional user information can also be
stored here over time.
Personal information distribution
Obtaining the user's consent is one
of the fundamental requirements
of personal information
WSO2 Identity Server facilitates
this through its Consent
Support in WSO2 Identity Server
► Self-help profile creation, user provisioning to other systems, sharing
of user attributes through SSO, and identity federation are all based on user
► Users can review, modify, and revoke previously given consent via the
self-care user portal or RESTful Consent API
► Consent API can also be used to integrate WSO2 IS consent management
capabilities with existing applications
► WSO2 IS can be used to manage consent of any 3rd party application via the
RESTful Consent API
OAuth to the rescue
WSO2 Identity Server includes
support for the popular OAuth
API Manager as a first line of defence
API Manager helps offload token checking to the point of ingress.
Who is this? – Access tokens
When using Access Tokens…
We might want to check who is using this token;
► For display of user name perhaps
► For additional authorization decisions
► Per operation, per business record, etc.
Access token lookup
► Use API to validate/lookup
► Cache token for the validity
► Store the principal and claims as
part of the cache.
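The lookup-and-cache pattern from the slide above, as an added example (not WSO2 code). The introspection call is simulated in-process against a constructed token table; in a deployment `introspect` would POST the token to the identity server's introspection endpoint (RFC 7662). The token values, `SAMPLE_TOKEN_STORE` and the TTLs are assumptions for illustration.

```python
"""Opaque access-token lookup with a bounded cache.

Added example; not WSO2 code. The introspection call is simulated in-process
against a constructed token table. In a deployment `introspect` would POST the
token to the identity server's introspection endpoint (RFC 7662) instead.
"""
import hashlib
import time

# Constructed sample tokens standing in for the identity server's token store.
# `exp` is an absolute epoch time (here: well in the future).
SAMPLE_TOKEN_STORE = {
    "tok-alice": {"active": True, "sub": "alice", "scope": "orders:read", "exp": 2_000_000_000},
    "tok-revoked": {"active": False},
}


def introspect(token, now):
    """Stand-in for the identity server's token introspection response."""
    rec = SAMPLE_TOKEN_STORE.get(token)
    if rec is None or not rec["active"] or now >= rec["exp"]:
        return {"active": False}
    return dict(rec)


class TokenCache:
    """Resolves a bearer token to a principal, caching positive results for at
    most `max_ttl` seconds and never past the token's own expiry.

    Negative results are cached only briefly (`negative_ttl`) so that a bad or
    revoked token cannot flood the identity server with lookups, while a
    revocation still takes effect within `max_ttl` at the latest.
    """

    def __init__(self, lookup, max_ttl=300, negative_ttl=10):
        self._lookup = lookup
        self._max_ttl = max_ttl
        self._negative_ttl = negative_ttl
        self._cache = {}  # sha256(token) -> (expires_at, principal or None)
        self.lookups = 0  # number of round trips to the identity server

    @staticmethod
    def _key(token):
        # Key the cache on a digest so raw bearer tokens are not kept in memory.
        return hashlib.sha256(token.encode()).hexdigest()

    def principal(self, token, now=None):
        """Return {'sub': ..., 'scope': [...]} for an active token, else None."""
        now = time.time() if now is None else now
        key = self._key(token)
        hit = self._cache.get(key)
        if hit is not None and now < hit[0]:
            return hit[1]
        self.lookups += 1
        info = self._lookup(token, now)
        if not info.get("active"):
            self._cache[key] = (now + self._negative_ttl, None)
            return None
        principal = {"sub": info["sub"], "scope": info.get("scope", "").split()}
        ttl = min(self._max_ttl, info["exp"] - now)  # never outlive the token
        self._cache[key] = (now + ttl, principal)
        return principal
```

The cache TTL is the trade-off the slide hints at: a longer `max_ttl` means fewer lookups but a longer window in which a revoked token is still accepted, so pick it per API sensitivity rather than globally.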
Access Token or JWT?
Opaque access token:
► Small, simple
► Ideal for smaller number of
sessions and “chatty” interfaces.
► Requires lookup
► Mitigated through caching
JWT:
► Self contained, stateless
► Verification can be self contained,
or via lookup (remember to cache)
► Large (sometimes larger than
payload). Not ideal for;
► “Chatty” APIs
► Expensive networks, i.e. Mobile,
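The stateless JWT case from the comparison above, as an added example (not WSO2 code): verification needs no call to the identity server, but only if the verifier pins the algorithm, checks the signature, issuer, audience and expiry itself. HS256 with a shared secret is used so the block runs on the standard library alone; an identity server normally signs with RS256, where the same checks apply but the signature is verified with the issuer's public key. The issuer, audience, secret and claims are constructed values.

```python
"""Self-contained JWT verification next to an opaque token.

Added example; not WSO2 code. HS256 with a shared secret is used so the block
runs on the standard library alone; an identity server normally signs with
RS256, where the same checks apply but the signature is verified with the
issuer's public key. Issuer, audience and secret are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ALG = "HS256"  # the one algorithm this verifier accepts


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret):
    """Mint an HS256 JWT (what the identity server would do)."""
    header = {"alg": ALG, "typ": "JWT"}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, secret, issuer, audience, now=None, leeway=30):
    """Return the claims if the token is valid for `audience`; raise ValueError
    otherwise. No call to the identity server is needed: the stateless case."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(h))
    # Pin the algorithm. Trusting header['alg'] lets an attacker send "none"
    # (no signature) or swap asymmetric for symmetric verification.
    if not isinstance(header, dict) or header.get("alg") != ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0) + leeway:
        raise ValueError("expired")
    if now < claims.get("nbf", 0) - leeway:
        raise ValueError("not yet valid")
    return claims


def jwt_is_valid(token, secret, issuer, audience, now=None):
    try:
        verify_jwt(token, secret, issuer, audience, now=now)
        return True
    except ValueError:
        return False


def size_comparison(claims, secret):
    """Bytes sent per request: a JWT carrying `claims` versus a 32-byte random
    opaque token, which is all the lookup-based design puts on the wire."""
    return len(make_jwt(claims, secret)), len(secrets.token_urlsafe(32))
```

Note that the stateless property cuts both ways: nothing here can tell that a JWT was revoked before `exp`, which is why the slide still suggests a (cached) lookup where revocation matters, and why JWT lifetimes are kept short.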
Trust your services
It is vital to verify the communication path and authenticity of your identity /
Identity your infrastructure;
► Use HTTPS!
► Check the certificates!
Consider using certificate chains:
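What "Use HTTPS, check the certificates, consider certificate chains" looks like in client code, as an added example (not from the slides). The strict context validates the chain against a trusted CA bundle and the host name; the insecure context is shown only as the setting to avoid. `ca_bundle_path` is a hypothetical PEM file holding the chain that signed the identity server's certificate, and the bytes fed to the pin check in testing are constructed, not a real certificate.

```python
"""Verifying the identity server's certificate chain and (optionally) pinning it.

Added example; not from the slides. `ca_bundle_path` is a hypothetical PEM
file holding the CA chain that signed the identity server's certificate.
"""
import hashlib
import hmac
import socket
import ssl


def make_verifying_context(ca_bundle_path=None):
    """Client context that refuses any peer not chaining to a trusted CA or
    whose certificate does not match the host name we asked for."""
    if ca_bundle_path:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
        ctx.load_verify_locations(cafile=ca_bundle_path)  # trust only our own chain
    else:
        ctx = ssl.create_default_context()               # system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_insecure_context():
    """The 'just make it work' variant: any certificate for any name is
    accepted, so the 'identity server' could be anyone on the path."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be turned off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER certificate, the value usually published as a pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, expected_hex):
    return hmac.compare_digest(cert_fingerprint(der_bytes), expected_hex.lower())


def fetch_peer_cert(host, port=443, ca_bundle_path=None, expected_pin=None):
    """Connect with full chain and host name validation, then enforce the pin
    if one is configured. Returns the peer certificate in DER form."""
    ctx = make_verifying_context(ca_bundle_path)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if expected_pin is not None and not pin_matches(der, expected_pin):
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return der
```

Pinning the leaf certificate is the strictest check and also the one that breaks on every renewal; pinning a CA in the chain via `ca_bundle_path` is usually the better operational fit for service-to-service calls inside your own infrastructure.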
Which OAuth flow / grant type?
Use the online decision tree to determine which OAuth flow
is best for your application;
Rate limiting – Why and how
► Limit access to APIs using the
various rate limiting filters.
► Absolute limits or support for burst
► API manager continuously monitors
the traffic and limits.
► API suspension is implemented
when limits are reached.
► Rather stop them at the gate than
try to deal with load while under
► Suspension returns pre-defined
error codes (customisable)
► API auto resume after predefined
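The rate-limiting behaviour listed above (burst allowance, suspension when the limit is hit, a fixed error response while suspended, automatic resume after a window), as an added example (not WSO2 API Manager code). The client keys, rates and request sequence are constructed for illustration.

```python
"""Rate limiting at the gateway with burst, suspension and auto-resume.

Added example; not WSO2 API Manager code. A token bucket per client key allows
a sustained rate plus a burst allowance; a client that keeps calling after the
bucket is empty is suspended for `suspend_seconds`, gets a fixed error response
until the window passes, and then resumes automatically.
"""


class RateLimiter:
    def __init__(self, rate_per_sec, burst, suspend_seconds=30, error_code=429):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.suspend_seconds = suspend_seconds
        self.error_code = error_code          # pre-defined, customisable
        self._buckets = {}    # key -> [tokens, last_refill_time]
        self._suspended = {}  # key -> resume_at

    def check(self, key, now):
        """Return (allowed, status_code, retry_after_seconds) for one request."""
        resume_at = self._suspended.get(key)
        if resume_at is not None:
            if now < resume_at:
                # Stopped at the gate: answer cheaply, do no work for this client.
                return (False, self.error_code, resume_at - now)
            del self._suspended[key]           # auto-resume after the window
            self._buckets[key] = [self.burst, now]
        tokens, last = self._buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._buckets[key] = [tokens - 1.0, now]
            return (True, 200, 0)
        # Bucket empty: suspend rather than keep serving the flood request by request.
        self._buckets[key] = [tokens, now]
        self._suspended[key] = now + self.suspend_seconds
        return (False, self.error_code, self.suspend_seconds)


def replay(limiter, requests):
    """Run a constructed request sequence [(time, client_key), ...] through the
    limiter and return the status code given to each request."""
    return [limiter.check(key, t)[1] for t, key in requests]
```

Keying the bucket on the authenticated client (the OAuth client id or the token's subject) rather than on the source IP is what makes this usable behind load balancers and NAT, and it is the identity layer above that makes that key trustworthy.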
► Authentication as a service
► A seamless experience for the user,
across multiple applications
► Identity as a service
► User/customer information in one
► Controlled access to that
► A mechanism to provide access to
► Rate limiting
► To protect our systems from
over-use and abuse.