FIWARE ID Management
Pasquale Vitale, Engineering Ingegneria Informatica
FIWARE Identity Management
Identity Management: an example (Account)
Identity Management in FIWARE
[Figure: FIWARE Generic Enablers (GE) relying on Identity Management]
OAuth 2.0 for Identity Management
Examples: [figure: services offering “Login with …” through OAuth 2.0]
… and FIWARE too! With Identity Management: Login with OAuth 2.0
Messages flow
[Figure: Web App (IP e.f.g.h, with its OAuth library) and IdM (IP a.b.c.d)]
1) redirect
2) access-code
3) request access-token
4) access-token
Then: request user info using the access-token
OAuth 2.0 client libraries for your application (see http://oauth.net/2/): PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python
Example using Node.js
https://github.com/ging/oauth2-example-client
Preliminary steps with IdM at FIWARE Account Portal:
1) Add an application
2) Set/create roles and permissions for the application; add new permissions if needed
Result: OAuth credentials for the application (client_id and client_secret)
OAuth 2.0 messages flow
1) Redirect
First, we have to redirect the user to the IdM web site in order to log in and authorize access to the new application (identified by its client_id):
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2322
[Screenshot: IdM login and “Authorize” page shown to the user]
2) Access code
After entering user/password to log in and clicking the “Accept” button (needed only once), the browser redirects us back to the web page of our application:
http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg
The IdM uses the callback URL specified when the application was registered.
We get the “code” value, which will be used to authenticate the user.
3) Request access token
In order to request an access token without knowing the user's credentials:
curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"
The Authorization header value is calculated as Base64(Client_ID:Client_Secret).
4) Access token
The previous request will return the following information:
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}
Securing your backend
Level 1: Authentication
Check if a user has a FIWARE account
Level 2: Basic Authorization
Check if a user has permissions to access a resource
HTTP verb + resource path
Level 3: Advanced Authorization
Custom XACML policies
Level 1: Authentication
[Figure: OAuth2 flows between the Web App (with its OAuth library), the Backend Apps / GEs and the IdM: 4) access-token delivered to the Web App; 5) Request + access-token sent to the Backend Apps; 6) access-token forwarded to the IdM; 7) OK + user info (roles) returned]
[Figure: the same flow with a Proxy in front of the Backend Apps: the Proxy receives 5) Request + access-token, sends 6) access-token to the IdM and gets back 7) OK + user info (roles)]
Level 1: Authentication
Request + access token (step 5)
The request from the web application to the backend and GEs would look like:
GET https://{backend-apps-url} HTTP/1.1
Host: {backend-apps-hostname}
X-Auth-Token: {access-token}
The request should include the X-Auth-Token header with the exact access token received in step 4:
3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Validate X-Auth-Token (step 6)
As a prerequisite, if we do not have one yet, a new admin token must be issued (it expires in 24h) in order to request validation of the auth token:
curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens
KEEP IN MIND this uses fixed password credentials for the FIWARE Proxy to generate the admin token, but in the future a registry of users and passwords will be maintained.
The previous call will return the following message:
{
  "access": {
    "token": {
      "expires": "2015-07-09T15:16:07Z",
      "id": "5b2177e7e1e6592cb7ea168ce9c0e87f"
    },
    "user": {
      "id": "pepProxy",
      "name": "pepProxy",
      "roles_links": [],
      "username": "pepProxy"
    }
  }
}
Assuming that you have a valid admin token (valid for 24 hours only), we can validate the access token included in the request (step 5):
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Please note that the X-Auth-Token header in this request is the admin token, while the access token being validated is part of the resource path in the URL.
This call can return the following status codes if something is wrong:
404 Access_token not valid
401 X-Auth-Token not valid (unauthorized)
403 X-Auth-Token not valid (expired)
Level 2: Basic Authorization
[Figure: as in Level 1, but the Proxy sends 6) access-token + verb + path to the IdM / Access Control GE (AC GE) and receives 7) OK + user info]
Access token + verb + path (step 6)
In this case you should call the API with the following information:
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" -H "Content-Type:application/json" -H "x-auth-resource:path" -H "x-auth-action:verb" http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
Where:
- path is the URL of the resource to be accessed, e.g. /resource1/item2
- verb is the HTTP verb associated with the request (GET, PUT, POST, DELETE)
- X-Auth-Token is the admin token (FIWARE Proxy token)
As before, the request URL includes the access token being validated.
Level 2: Basic Authorization
OK + user info (step 7)
200 OK if all was OK, with the following user information:
{
  "actorId": 1,
  …
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        {
          "id": "8db87ccbca3b4d1ba4814c3bb0d63aab",
          "name": "Member"
  …
  "roles": [
    {
      "id": 5,
      "name": "Provider"
    }
Otherwise: 401 HTTP Unauthorized
Where you can see:
• the roles associated with the organization (shown in red on the slide)
• the roles associated with the application (shown in blue on the slide).
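The backend-side checks of steps 6 and 7, for Level 1 (token only) and Level 2 (token + verb + path), as an added Node.js example; this is not the fi-ware-pep-proxy code. It assumes an injected `send({method, url, headers, body})` function that performs the HTTP call and returns `{status, body}` (so the logic can be driven by a stub), keeps the IdM host, ports and pepProxy credentials from the slides, and acts on the 404/401/403 answers listed above; everything else is assumed.

```javascript
function makeValidator(send, idmHost, creds) {
  let adminToken = null;

  // Prerequisite: obtain (or renew) the admin token; it is only valid for 24 hours.
  function renewAdminToken() {
    const r = send({
      method: 'POST', url: `http://${idmHost}:4730/v2.0/tokens`,
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ auth: { passwordCredentials: creds } }),
    });
    if (r.status !== 200) throw new Error(`admin token request failed: ${r.status}`);
    adminToken = JSON.parse(r.body).access.token.id;
  }

  // Check the access token a client sent in X-Auth-Token. Without verb/path this is
  // Level 1 (authentication); with both it is Level 2 (verb + path authorization).
  // Returns {ok: true, user} or {ok: false, status} with the status to answer the client.
  function validate(accessToken, verb, path) {
    if (!adminToken) renewAdminToken();
    const level2 = Boolean(verb && path);
    const token = encodeURIComponent(accessToken);
    for (let attempt = 0; attempt < 2; attempt++) {
      const headers = { 'X-Auth-Token': adminToken }; // the admin token, not the user's
      let url = `http://${idmHost}:4731/v2.0/access-tokens/${token}`;
      if (level2) {
        url = `http://${idmHost}:4731/v2.0/access-tokens/authREST/${token}`;
        Object.assign(headers, { 'Content-Type': 'application/json',
                                 'x-auth-action': verb, 'x-auth-resource': path });
      }
      const r = send({ method: 'GET', url, headers });
      if (r.status === 200) return { ok: true, user: JSON.parse(r.body) };
      if (r.status === 404) return { ok: false, status: 401 }; // access token not valid
      // Level 2 answers 401 when the user may not perform verb on path (slide reading).
      if (r.status === 401 && level2) return { ok: false, status: 403 };
      // Level 1 401 / 403: our admin token is invalid or expired; renew it and retry once.
      if (r.status === 401 || r.status === 403) { renewAdminToken(); continue; }
      throw new Error(`unexpected IdM status ${r.status}`);
    }
    return { ok: false, status: 503 }; // still rejected with a freshly issued admin token
  }
  return { validate };
}
```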
[Figure: Level 3 flow: the Proxy extension forwards the access-token, an XACML policy is evaluated by the Access Control GE (AC GE), and OK + user info is returned]
Level 3: Advanced Authorization
Policies creation in IdM:
1) Edit application properties
2) Create new role
3) Add a new permission
4) Change to advanced mode
5) Fill in the rule field
Sample XACML rule content
Permissions in XACML format may include 1 or more resources and 1 or several actions, e.g.:
<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>
Documentation
FIWARE IdM:
Source Code: https://github.com/ging/fi-ware-idm
Documentation: https://github.com/ging/fi-ware-idm/wiki
FIWARE Access Control:
http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation
FIWARE OAuth2 Demo:
https://github.com/ging/oauth2-example-client
FIWARE Proxy:
https://github.com/ging/fi-ware-pep-proxy
Thanks!