Adding Identity Management and Access Control to your Application - Exercises
Adding Identity Management and Access Control to your Application - Exercises
Álvaro Alonso
UPM – DIT, Security Chapter. [email protected], @larsonalonso
Exercises index (I)
• Sec-1. Creating a FIWARE account
• Sec-2. Managing organizations
• Sec-3. Authorize a friend in your Cloud Org
• Sec-4. Registering an application
• Sec-5. Adding OAuth2 to your application (based on our Node.js template)
Exercises index (II)
• Sec-6. Adding OAuth2 to your application (using an OAuth2 library)
• Sec-7. Adding OAuth2 to your application (Resource Owner Password Credentials Grant)
• Sec-8. Securing your backend: Authentication
• Sec-9. Securing your backend: Basic Authorization
• Sec-10. Securing your backend: Advanced Authorization
Sec-1. Creating a FIWARE account
• Prerequisite
– To have an Internet connection
• Steps
– Go to https://account.lab.fiware.org
– Click on “Sign Up”
– Fill in your data
– Confirm your account from the email confirmation
• Hints
– If you don’t receive the confirmation email, check your spam folder
Easy
Sec-2. Managing organizations
• Prerequisite
– To have a FIWARE account
• Steps
– Go to https://account.lab.fiware.org
– Sign In
– Create an Organization
– Add members to it
• Hints
– To manage an organization you have to switch to it using the dropdown in the upper right corner.
Easy
Sec-3. Authorize a friend in your Cloud Org
• Prerequisite
– To have a FIWARE account (Trial or Community)
• Steps
– Go to https://account.lab.fiware.org
– Sign In
– Follow the instructions explained in the workshop
• Hints
– To manage an organization you have to switch to it using the dropdown in the upper right corner.
Easy
Sec-4. Registering an application
• Prerequisite
– To have a FIWARE account
• Steps
– Go to https://account.lab.fiware.org
– Sign In
– Register an application
• Hints
– You have to set:
• URL: the URL where your app will run
• Callback URL: the URL where the Account Portal will redirect your users once authenticated
– The Callback URL must match exactly the redirect_uri your app sends in the authorization request, so register a precise HTTPS URL (no wildcards)
Easy
Sec-5 (1). Adding OAuth2 to your application (based on our Node.js template)
• Prerequisites
– To have an application registered in the Account Portal
– To learn how OAuth2 works
• Steps
– Clone our demo example:
• https://github.com/ging/oauth2-example-client
– Follow the instructions in the README
• You will find client_id and client_secret in the application details page of the Account Portal. Keep the client_secret out of your repository and client-side code; it is what identifies your app to the IdM.
Easy
Sec-5 (2). Adding OAuth2 to your application (based on our Node.js template)
• Hints
– Learn about OAuth2:
• http://oauth.net/2/
– FIWARE Account flows:
• http://es.slideshare.net/alvaroalonsogonzalez/id-m-andac
– FIWARE Account OAuth2 docs
• https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance
– Advanced courses:
• http://edu.fi-ware.org/course/view.php?id=79
• http://edu.fi-ware.org/course/view.php?id=63
Easy
Sec-6. Adding OAuth2 to your application (using an OAuth2 library)
• Prerequisite
– To have an application registered in the Account Portal
– To have your own application
• Steps
– Include an OAuth2 library in your app
– Configure it using the OAuth credentials generated in the Account Portal
– Follow the library instructions to use it
• Hints
– OAuth2 libraries:
• http://oauth.net/2/
Medium
Sec-7. Adding OAuth2 to your application (Resource Owner Password Credentials Grant)
• Prerequisite
– To have an application registered in the Account Portal
• Steps
– Include an OAuth2 library in your app
– Configure it using the OAuth credentials generated in the Account Portal
– Follow the library instructions to use it with this grant type
• Hints
– OAuth2 libraries:
• http://oauth.net/2/
– FIWARE Account OAuth2 docs:
• https://github.com/ging/fi-ware-idm/wiki/Using-the-FI-LAB-instance
Medium
Sec-8. Securing your backend: Authentication
• Prerequisite
– To have a frontend app using OAuth and FIWARE Account
– To have a REST-based backend service
• Steps
– Clone our PEP Proxy, Wilma:
• https://github.com/ging/fi-ware-pep-proxy
– Configure it following the README:
• app_host and app_port are the coordinates (host and port) of your backend REST API
– Now your requests to your backend:
• Have to be sent to the proxy
• Have to include an “X-Auth-Token” header with the OAuth2 access token
• Hints
– Wilma docs:
• http://catalogue.fiware.org/enablers/pep-proxy-wilma
– The proxy only protects what goes through it: make the backend reachable only from Wilma (for example by binding it to localhost or a private network), otherwise clients can bypass the proxy and call the backend directly
Medium
Sec-9. Securing your backend: Basic Authorization
• Prerequisite
– To have a Wilma deployed on top of your backend
• Steps
– Enable the “check_permissions” option in Wilma’s config
– Edit your application in the Account Portal:
• Create a new role
• Create a new permission with:
– HTTP action: GET, POST, PUT or DELETE
– REST resource: the URL (path) of your resource
• Assign the role to a user
• Check the request in your App
• Hints
– AuthZForce docs:
• http://catalogue.fiware.org/enablers/authorization-pdp-authzforce
Hard
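What the proxy decides in Sec-8 and Sec-9, as an added example in Node.js (not Wilma's code). Wilma validates the X-Auth-Token against the IdM and, with check_permissions on, asks AuthZForce for the decision; here both are replaced by injected in-memory lookups with constructed sample tokens and role permissions, so the 401 / 403 / forward logic can be run offline. The token shape and the permission fields (HTTP action plus a REST resource pattern) are assumptions modelled on the slide.

```javascript
// Added example: a PEP decision function in the style of Wilma (not its real code).
// Constructed sample data: what a token-info lookup at the IdM would return (assumed shape).
const TOKENS = {
  't-alice': { id: 'alice', roles: ['reader', 'editor'] },
  't-bob':   { id: 'bob',   roles: ['reader'] },
};

// Constructed permissions per role, as they would be configured in the Account Portal:
// an HTTP action and a REST resource, here expressed as a regex over the request path.
const ROLE_PERMISSIONS = {
  reader: [{ action: 'GET',    resource: '^/v2/entities(/.*)?$' }],
  editor: [{ action: 'POST',   resource: '^/v2/entities$' },
           { action: 'PUT',    resource: '^/v2/entities/[^/]+$' },
           { action: 'DELETE', resource: '^/v2/entities/[^/]+$' }],
};

function lookupToken(token) {
  return TOKENS[token] || null;
}

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

// Sec-8: authentication. The OAuth2 access token must arrive in X-Auth-Token and
// must be accepted by the IdM; anything else is a 401, never a pass-through.
function authenticate(headers, validate) {
  const token = headers['x-auth-token'];
  if (!token) return { ok: false, status: 401, reason: 'missing X-Auth-Token header' };
  const user = validate(token);
  if (!user) return { ok: false, status: 401, reason: 'token rejected by the IdM' };
  return { ok: true, user };
}

// Sec-9 (check_permissions): does any of the user's roles grant this action on this path?
function isPermitted(user, method, path, rolePermissions) {
  const action = method.toUpperCase();
  return user.roles.some(role =>
    (rolePermissions[role] || []).some(p =>
      p.action === action && new RegExp(p.resource).test(path)));
}

// Combined decision: 401 on authentication failure, 403 on authorization failure,
// otherwise the request may be forwarded to app_host:app_port together with the identity.
function pepDecision(req, opts = {}) {
  const validate = opts.validate || lookupToken;
  const perms = opts.rolePermissions || ROLE_PERMISSIONS;
  const auth = authenticate(lowerKeys(req.headers), validate);
  if (!auth.ok) return { status: auth.status, reason: auth.reason };
  const path = new URL(req.url, 'http://pep').pathname; // match on the path, not the query string
  if (opts.checkPermissions !== false && !isPermitted(auth.user, req.method, path, perms)) {
    return { status: 403, reason: `no role grants ${req.method.toUpperCase()} ${path}` };
  }
  return { status: 200, forward: true, user: auth.user.id, roles: auth.user.roles };
}
```

When forwarding, pass the resolved identity to the backend in headers the backend trusts only because they can only come from the proxy; the backend should still never accept X-Auth-Token from the outside, which is why it must not be exposed directly (see the Sec-8 hint).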
Sec-10. Securing your backend: Advanced Authorization
• Prerequisite
– To have a Wilma deployed on top of your backend
• Steps
– Modify Wilma in order to manage XACML Requests:
• You can check request params such as body, headers…
– Edit your application in the Account Portal:
• Create a new role
• Create a new permission with an advanced rule (XACML)
• Assign the role to a user
• Check the request in your App
• Hints
– AuthZForce docs:
• http://catalogue.fiware.org/enablers/authorization-pdp-authzforce
– XACML:
• https://www.oasis-open.org/committees/xacml/
Hard
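The request a PEP modified as in Sec-10 would send to the PDP, as an added Node.js example (not Wilma's or AuthZForce's code). It builds an XACML 3.0 Request carrying the subject, roles, resource and action, and additionally forwards selected HTTP headers as attributes so that an advanced rule can inspect them. The subject-id, resource-id, action-id and role attribute ids are the standard XACML core / RBAC-profile ones; the id used for forwarded headers (urn:example:http:header:*) is an assumption and must match whatever the policy written in the Account Portal expects. Header keys are assumed to be lower-case, as Node's http module delivers them.

```javascript
// Added example: build an XACML 3.0 Request from an HTTP request seen by the PEP.
const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const XS_STRING = 'http://www.w3.org/2001/XMLSchema#string';

const CATEGORY = {
  subject:  'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
  resource: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource',
  action:   'urn:oasis:names:tc:xacml:3.0:attribute-category:action',
};

const ATTR = {
  subjectId:  'urn:oasis:names:tc:xacml:1.0:subject:subject-id',
  role:       'urn:oasis:names:tc:xacml:2.0:subject:role',          // RBAC profile
  resourceId: 'urn:oasis:names:tc:xacml:1.0:resource:resource-id',
  actionId:   'urn:oasis:names:tc:xacml:1.0:action:action-id',
  header: name => 'urn:example:http:header:' + name.toLowerCase(), // assumption, not a standard id
};

// Header values and paths come from the client: escape them, otherwise a crafted
// value could close the element and inject attributes the policy did not expect.
function xmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function attribute(id, values) {
  const vals = values
    .map(v => `<AttributeValue DataType="${XS_STRING}">${xmlEscape(v)}</AttributeValue>`)
    .join('');
  return `<Attribute AttributeId="${xmlEscape(id)}" IncludeInResult="false">${vals}</Attribute>`;
}

function attributes(category, attrs) {
  return `<Attributes Category="${category}">${attrs.join('')}</Attributes>`;
}

// req: { user, roles, method, path, headers }; forwardHeaders: names the policy may inspect.
function buildXacmlRequest(req, forwardHeaders = []) {
  const headers = req.headers || {};
  const headerAttrs = forwardHeaders
    .map(h => h.toLowerCase())
    .filter(h => headers[h] !== undefined)
    .map(h => attribute(ATTR.header(h), [headers[h]]));
  const body =
    attributes(CATEGORY.subject, [
      attribute(ATTR.subjectId, [req.user]),
      attribute(ATTR.role, req.roles || []),
    ]) +
    attributes(CATEGORY.resource, [attribute(ATTR.resourceId, [req.path]), ...headerAttrs]) +
    attributes(CATEGORY.action, [attribute(ATTR.actionId, [req.method.toUpperCase()])]);
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    `<Request xmlns="${XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">${body}</Request>`;
}

// Read the PDP's answer: only an explicit Permit lets the request through;
// Deny, NotApplicable and Indeterminate are all treated as a refusal.
function isPermit(responseXml) {
  const m = /<Decision>\s*([A-Za-z]+)\s*<\/Decision>/.exec(responseXml);
  return m !== null && m[1] === 'Permit';
}
```

The same escaping applies if the request body is forwarded as an attribute; a rule in the Account Portal can then match, for example, the forwarded header with string-equal or string-regexp-match, while Wilma keeps the plain action/resource check from Sec-9 for roles that have no advanced rule.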