FIWARE ID Management (36 slides)

Pasquale Vitale, Engineering Ingegneria Informatica: FIWARE Identity Management

Upload: miguel-garcia-gonzalez

Post on 03-Aug-2015


TRANSCRIPT

Page 1: FIWARE ID Management

Pasquale Vitale, Engineering Ingegneria Informatica

FIWARE Identity Management

Page 2: FIWARE ID Management

Identity Management

An example

Page 3: FIWARE ID Management

Identity Management in FIWARE

[Diagram: a FIWARE Account linked to six GE (Generic Enabler) boxes]

Page 4: FIWARE ID Management

OAuth 2.0 for Identity Management

Examples …

Page 5: FIWARE ID Management

OAuth 2.0 for Identity Management

… and FIWARE too! With Identity Management

Login with

Page 6: FIWARE ID Management

OAuth 2.0

Messages flow

[Diagram: Web App with its OAuth Library (IP: e.f.g.h) exchanging messages with the IdM (IP: a.b.c.d)]

1) redirect

2) access-code

3) request access-token

4) access-token

Request user info using access-token

Page 7: FIWARE ID Management

OAuth 2.0

Client libraries for your application

http://oauth.net/2/

PHP, Cocoa, iOS, Java, Ruby, JavaScript, Python

Example using Node.js

https://github.com/ging/oauth2-example-client

Page 8: FIWARE ID Management

Preliminary steps with IdM at FIWARE Account Portal

Add an application

Page 9: FIWARE ID Management

Preliminary steps with IdM at FIWARE Account Portal

Set/create roles and permissions for application

Page 10: FIWARE ID Management

Add new permissions if needed

Preliminary steps with IdM at FIWARE Account Portal

Page 11: FIWARE ID Management

Result: OAuth credentials for the application

Preliminary steps with IdM at FIWARE Account Portal

Page 12: FIWARE ID Management

OAuth 2.0 messages flow

1) Redirect

First, we have to redirect the user to the IdM web site in order to log in and authorize access to the new application (identified by its client_id).

https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2322

Page 13: FIWARE ID Management

OAuth 2.0 messages flow

1) Redirect: Authorize

Page 14: FIWARE ID Management

OAuth 2.0 messages flow

2) Access code

After entering user/password to log in and clicking the “Accept” button (needed only once), the browser redirects us back to the web page of our application:

http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg

IdM uses the callback URL specified in the registration of the application.

We get the “code” value, which will be used in order to authenticate the user.

Page 15: FIWARE ID Management

OAuth 2.0 messages flow

3) Request access token

In order to request an access token without knowing the credentials of the user:

curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://e.f.g.h/login"

The Authorization header value is calculated as Base64(Client_ID:Client_Secret) (HTTP Basic authentication of the application).

Page 16: FIWARE ID Management

OAuth 2.0 messages flow

4) Access token

The previous request will return the following information:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",
  "expires_in": 2591999,
  "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",
  "token_type": "bearer"
}
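The four messages on slides 12 to 16 are easy to get subtly wrong on the client side (which values go in the URL, which in the body, and how the Basic header is built). The following Python is an added example written for this transcript; it is not code from the slides or from the FIWARE projects they reference. It builds the step-1 authorize URL, extracts the code from the step-2 callback, composes the step-3 token request and parses the step-4 response. The IdM and application addresses (a.b.c.d, e.f.g.h) follow the slides; the client secret, the `state` parameter and the sample token response are constructed here (the slides show no `state`; it is the standard OAuth 2.0 anti-CSRF value the callback must echo back).

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorize_url(idm_base, client_id, redirect_uri, state=None):
    """Step 1: the URL the user's browser is redirected to.

    The slide shows only response_type and client_id; redirect_uri and the
    optional anti-CSRF `state` are standard OAuth 2.0 parameters added here."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    if state is not None:
        params["state"] = state
    return idm_base.rstrip("/") + "/oauth2/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state=None):
    """Step 2: pull the one-time `code` out of the redirect back to our /login page.

    When a `state` was sent in step 1 the callback must echo it back unchanged;
    a mismatch means this callback was not started by our own session."""
    query = parse_qs(urlparse(callback_url).query)
    if "code" not in query:
        raise ValueError("callback carries no code: " + query.get("error", ["unknown error"])[0])
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on callback")
    return query["code"][0]


def basic_auth_header(client_id, client_secret):
    """Slide 15: Authorization is Base64(Client_ID:Client_Secret), HTTP Basic style."""
    raw = "{}:{}".format(client_id, client_secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(idm_base, client_id, client_secret, code, redirect_uri):
    """Step 3: URL, headers and form body of the POST to /oauth2/token.

    The user's password is never involved: the application authenticates
    itself with its own credentials and exchanges the code it was handed."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})
    return idm_base.rstrip("/") + "/oauth2/token", headers, body


def parse_token_response(body_text, now):
    """Step 4: accept only a bearer token and turn expires_in into an absolute time.

    `now` is a Unix timestamp supplied by the caller so the result is testable."""
    data = json.loads(body_text)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data["expires_in"]),
    }


# Constructed sample values; the addresses follow the slides (IdM a.b.c.d, app e.f.g.h).
IDM_BASE = "https://a.b.c.d"
REDIRECT_URI = "http://e.f.g.h/login"
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA",'
    '"expires_in": 2591999,"refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg",'
    '"token_type": "bearer"}'
)

if __name__ == "__main__":
    print(build_authorize_url(IDM_BASE, "2322", REDIRECT_URI, state="constructed-state"))
    code = parse_callback(REDIRECT_URI + "?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg")
    url, headers, body = build_token_request(IDM_BASE, "2322", "client-secret-placeholder", code, REDIRECT_URI)
    print(url, headers["Authorization"], body)
    print(parse_token_response(SAMPLE_TOKEN_RESPONSE, now=0))
```

`parse_token_response` keeps an absolute `expires_at` rather than the raw `expires_in`, so the application can refresh the token before the backend starts answering 404 on validation (see the status codes on slide 23).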

Page 17: FIWARE ID Management

Securing your backend

Level 1: Authentication

Check if a user has a FIWARE account

Level 2: Basic Authorization

Check if a user has permissions to access a resource

HTTP verb + resource path

Level 3: Advanced Authorization

Custom XACML policies

Page 18: FIWARE ID Management

Level 1: Authentication

[Diagram: Web App with its OAuth Library, Backend Apps, IdM]

OAuth2 flows

4) access-token

5) Request + access-token

6) access-token

7) OK + user info (roles)

Page 19: FIWARE ID Management

Level 1: Authentication

[Diagram: Web App with its OAuth Library, Proxy, Backend Apps, IdM]

OAuth2 flows

4) access-token

5) Request + access-token

6) access-token

7) OK + user info (roles)

Page 20: FIWARE ID Management

Level 1: Authentication

Request + access token (step 5)

The request from web application to the backend and GEs would look like:

GET https://{backend-apps-url} HTTP/1.1
Host: {backend-apps-hostname}
X-Auth-Token: {access-token}

The request should include the X-Auth-Token header with the exact access token received at the previous step 4:

3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Page 21: FIWARE ID Management

Level 1: Authentication

Validate X-Auth-Token (step 6)

As a prerequisite, if we do not already have one, a new admin token must be issued (it expires in 24h) in order to request the validation of the auth token.

curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens

KEEP IN MIND this uses fixed password credentials for the FIWARE Proxy to generate the admin token, but in the future a registry of users and passwords will be maintained.

Page 22: FIWARE ID Management

Level 1: Authentication

Validate X-Auth-Token (step 6)

The previous call will return the following message:

{
  "access": {
    "token": {
      "expires": "2015-07-09T15:16:07Z",
      "id": "5b2177e7e1e6592cb7ea168ce9c0e87f"
    },
    "user": {
      "id": "pepProxy",
      "name": "pepProxy",
      "roles_links": [],
      "username": "pepProxy"
    }
  }
}

Page 23: FIWARE ID Management

Level 1: Authentication

Validate X-Auth-Token (step 6)

Assuming that you have a valid admin token (valid for 24 hours only), we can validate the access token included in the request (step 5):

curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Please note the X-Auth-Token header in this request is the admin token, while the access token being validated is part of the resource path in the URL.

This could return the following status codes if something is wrong:

404 Access_token not valid
401 X-Auth-Token not valid (unauthorized)
403 X-Auth-Token not valid (expired)

Page 24: FIWARE ID Management

Level 2: Basic Authorization

[Diagram: Web App with its OAuth Library, Proxy, Backend Apps, IdM, AC GE]

OAuth2 flows

access-token

Request + access-token

6) access-token + verb + path

7) OK + user info

Page 25: FIWARE ID Management

Access token + verb + path (step 6)

In this case you should call the API with the following information:

curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" -H "Content-Type:application/json" -H "x-auth-resource:path" -H "x-auth-action:verb" http://a.b.c.d:4731/v2.0/access-tokens/authREST/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA

Where:

- path is the URL of the resource to be accessed, e.g.: /resource1/item2
- verb is the HTTP verb associated with the request (GET, PUT, POST, DELETE)
- X-Auth-Token is the admin token (FIWARE Proxy token)

As before, the request URL includes the access token being validated.

Level 2: Basic Authorization

Page 26: FIWARE ID Management

OK + user info (step 7)

200 OK if all went well, with the following user information:

{
  "actorId": 1,
  …
  "organizations": [
    {
      "id": 1,
      "name": "prueba",
      "roles": [
        {"id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member"}
  …
  "roles": [
    {"id": 5, "name": "Provider"}
}

Level 2: Basic Authorization

401 HTTP Unauthorized

Where you can see:

• the roles associated with the organization (in red)
• and the roles associated with the application (in blue).
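Slides 21 to 23 (Level 1) and 25 to 26 (Level 2) describe the checks a proxy in front of the backend performs: obtain a 24-hour admin token, validate the user's access token through the resource path, and for Level 2 send verb and path as headers; the answer is 200 with user info or one of 404/401/403. The Python below is an added example written for this transcript, not code from the FIWARE PEP proxy or IdM. It implements that proxy logic, including the one edge case the slides point at: the admin token expires, so a 401 or 403 from the validation API triggers a single re-issue and retry. The IdM itself is replaced by a constructed in-memory stand-in (`FakeIdM`) so the example runs offline; its token values, user data and the permission table are invented, and the `pepProxy`/`pepProxy` credentials and endpoint paths follow the slides.

```python
import re
import time
from urllib.parse import urlparse

IDM_BASE = "http://a.b.c.d:4731"   # validation endpoint as on the slides


class FakeIdM:
    """Constructed stand-in for the IdM (port 4730, admin tokens) and the
    validation API (port 4731). Tokens, user data and permissions are made up."""

    def __init__(self, now=time.time):
        self.now = now
        self.admin_tokens = {}   # admin token -> expiry (Unix time)
        self.access_tokens = {   # user access token -> user info in the slide-26 shape
            "ACCESS-TOKEN-1": {
                "actorId": 1,
                "organizations": [{"id": 1, "name": "prueba", "roles": [{"id": "8db8", "name": "Member"}]}],
                "roles": [{"id": 5, "name": "Provider"}],
            }
        }
        self.permissions = {("GET", "/resource1/item2"): {"Provider"}}  # (verb, path) -> roles allowed

    def issue_admin_token(self, username, password):
        if (username, password) != ("pepProxy", "pepProxy"):
            return 401, {}
        token = "ADMIN-%d" % len(self.admin_tokens)
        self.admin_tokens[token] = self.now() + 24 * 3600
        return 200, {"access": {"token": {"id": token}}}

    def validate(self, url, headers):
        admin = headers.get("X-Auth-Token")
        if admin not in self.admin_tokens:
            return 401, {}                           # admin token not valid
        if self.admin_tokens[admin] <= self.now():
            return 403, {}                           # admin token expired
        match = re.fullmatch(r"/v2\.0/access-tokens(/authREST)?/([^/]+)", urlparse(url).path)
        if match is None or match.group(2) not in self.access_tokens:
            return 404, {}                           # user access token not valid
        user = self.access_tokens[match.group(2)]
        if match.group(1):                           # Level 2: verb + path travel in headers
            allowed = self.permissions.get((headers.get("x-auth-action"), headers.get("x-auth-resource")), set())
            if not allowed & {role["name"] for role in user["roles"]}:
                return 401, {}                       # authenticated but not authorized
        return 200, user


class PepProxy:
    """The checks a proxy in front of the backend performs for steps 5 to 7."""

    def __init__(self, idm, username="pepProxy", password="pepProxy"):
        self.idm, self.username, self.password = idm, username, password
        self.admin_token = None

    def _call(self, url, extra_headers=None):
        # The admin token lives 24h; when it is rejected (401) or expired (403)
        # re-issue it once and retry, then hand back whatever the IdM answered.
        for attempt in (1, 2):
            if self.admin_token is None:
                status, body = self.idm.issue_admin_token(self.username, self.password)
                if status != 200:
                    raise RuntimeError("cannot obtain admin token")
                self.admin_token = body["access"]["token"]["id"]
            headers = {"X-Auth-Token": self.admin_token}
            headers.update(extra_headers or {})
            status, body = self.idm.validate(url, headers)
            if status in (401, 403) and attempt == 1:
                self.admin_token = None
                continue
            return status, body

    def authenticate(self, access_token):
        """Level 1 (step 6): user info for a valid access token, None otherwise."""
        status, body = self._call(IDM_BASE + "/v2.0/access-tokens/" + access_token)
        return body if status == 200 else None

    def authorize(self, access_token, verb, path):
        """Level 2 (step 6): same token in the URL, verb and path as headers."""
        status, body = self._call(IDM_BASE + "/v2.0/access-tokens/authREST/" + access_token,
                                  {"x-auth-resource": path, "x-auth-action": verb})
        return body if status == 200 else None


def role_names(user):
    """Step 7: split application roles from the roles held per organization."""
    return {
        "application": {role["name"] for role in user.get("roles", [])},
        "organizations": {org["name"]: {r["name"] for r in org.get("roles", [])}
                          for org in user.get("organizations", [])},
    }


if __name__ == "__main__":
    pep = PepProxy(FakeIdM())
    print(role_names(pep.authenticate("ACCESS-TOKEN-1")))
    print(pep.authorize("ACCESS-TOKEN-1", "GET", "/resource1/item2") is not None)   # True
    print(pep.authorize("ACCESS-TOKEN-1", "DELETE", "/resource1/item2") is not None)   # False
```

Because the slides use 401 both for an invalid admin token (Level 1) and for a denied user (Level 2), the proxy re-issues its admin token once before treating a repeated 401 as a denial; a 404 is never retried, since it says the user's token, not the proxy's, is invalid.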

Page 27: FIWARE ID Management

Level 3: Advanced Authorization

[Diagram: Web App with its OAuth Library, Proxy extension, Backend Apps, IdM, AC GE with XACML policy]

OAuth2 flows

access-token

Request + access-token

OK + user info

Page 28: FIWARE ID Management

1) Edit application properties

Policies creation in IdM

Page 29: FIWARE ID Management

2) Create new role

Policies creation in IdM

Page 30: FIWARE ID Management

3) Add a new permission

Policies creation in IdM

Page 31: FIWARE ID Management

4) Change to advanced mode

Policies creation in IdM

Page 32: FIWARE ID Management

5) Fill in the rule field

Policies creation in IdM

Page 33: FIWARE ID Management

Sample XACML rule content

Permissions in XACML format may include 1 or more resources and 1 or several actions, e.g.:

<Rule RuleId="PR:Manage" Effect="Permit">
  <Description>Rule: Permission example</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[PATH]</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>

Policies creation in IdM

Page 34: FIWARE ID Management

Sample XACML rule content (continued)

    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[VERB]</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>

Policies creation in IdM
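The rule on slides 33 and 34 is a template with [PATH] and [VERB] placeholders, and the slide notes that a permission may list several resources and actions. The Python below is an added example written for this transcript; it is not the Access Control GE's policy engine. It generates a rule in the slide's shape from a list of paths and verbs, and evaluates a (path, verb) request against a rule using the XACML Target semantics: a Resources or Actions section matches if any of its children matches, and a child matches only if all of its match elements match. Only the string-equal function that the slide uses is supported; any other MatchId is refused rather than silently treated as a match. The SLIDE_RULE string reproduces the slide's XML; the sample paths and verbs in the usage are constructed.

```python
import xml.etree.ElementTree as ET

STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# The rule from slides 33 and 34, with its [PATH] and [VERB] placeholders kept.
SLIDE_RULE = (
    '<Rule RuleId="PR:Manage" Effect="Permit"><Description>Rule: Permission example</Description><Target>'
    '<Resources><Resource><ResourceMatch MatchId="' + STRING_EQUAL + '">'
    '<AttributeValue DataType="' + XS_STRING + '">[PATH]</AttributeValue>'
    '<ResourceAttributeDesignator AttributeId="' + RESOURCE_ID + '" DataType="' + XS_STRING + '" />'
    '</ResourceMatch></Resource></Resources>'
    '<Actions><Action><ActionMatch MatchId="' + STRING_EQUAL + '">'
    '<AttributeValue DataType="' + XS_STRING + '">[VERB]</AttributeValue>'
    '<ActionAttributeDesignator AttributeId="' + ACTION_ID + '" DataType="' + XS_STRING + '" />'
    '</ActionMatch></Action></Actions></Target></Rule>'
)


def build_rule(rule_id, paths, verbs, effect="Permit", description="Rule: Permission example"):
    """Emit a rule in the slide's shape with one <Resource> per path and one <Action> per verb."""
    rule = ET.Element("Rule", RuleId=rule_id, Effect=effect)
    ET.SubElement(rule, "Description").text = description
    target = ET.SubElement(rule, "Target")
    resources = ET.SubElement(target, "Resources")
    for path in paths:
        match = ET.SubElement(ET.SubElement(resources, "Resource"), "ResourceMatch", MatchId=STRING_EQUAL)
        ET.SubElement(match, "AttributeValue", DataType=XS_STRING).text = path
        ET.SubElement(match, "ResourceAttributeDesignator", AttributeId=RESOURCE_ID, DataType=XS_STRING)
    actions = ET.SubElement(target, "Actions")
    for verb in verbs:
        match = ET.SubElement(ET.SubElement(actions, "Action"), "ActionMatch", MatchId=STRING_EQUAL)
        ET.SubElement(match, "AttributeValue", DataType=XS_STRING).text = verb
        ET.SubElement(match, "ActionAttributeDesignator", AttributeId=ACTION_ID, DataType=XS_STRING)
    return ET.tostring(rule, encoding="unicode")


def _matches(match_el, request_value):
    # Only the string-equal function used on the slides is supported; anything
    # else is refused rather than silently treated as a match.
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: %s" % match_el.get("MatchId"))
    return match_el.findtext("AttributeValue") == request_value


def _section_matches(section, child_tag, match_tag, request_value):
    # XACML Target semantics: the section matches if ANY child (Resource/Action)
    # matches, and a child matches only if ALL of its *Match elements match.
    if section is None:
        return True                      # no <Resources>/<Actions>: applies to any
    for child in section.findall(child_tag):
        matches = child.findall(match_tag)
        if matches and all(_matches(m, request_value) for m in matches):
            return True
    return False


def evaluate(rule_xml, path, verb):
    """Return the rule's Effect when its Target covers (path, verb), else "NotApplicable"."""
    rule = ET.fromstring(rule_xml)
    target = rule.find("Target")
    if target is None:
        return rule.get("Effect")
    res_ok = _section_matches(target.find("Resources"), "Resource", "ResourceMatch", path)
    act_ok = _section_matches(target.find("Actions"), "Action", "ActionMatch", verb)
    return rule.get("Effect") if res_ok and act_ok else "NotApplicable"


if __name__ == "__main__":
    filled = SLIDE_RULE.replace("[PATH]", "/resource1/item2").replace("[VERB]", "GET")
    print(evaluate(filled, "/resource1/item2", "GET"))          # Permit
    multi = build_rule("PR:Manage", ["/resource1/item2", "/resource1/item3"], ["GET", "PUT"])
    print(evaluate(multi, "/resource1/item3", "PUT"))           # Permit
    print(evaluate(multi, "/resource1/item3", "DELETE"))        # NotApplicable
```

Returning "NotApplicable" rather than "Deny" for a non-matching rule mirrors XACML: a single rule only says something about the requests its Target covers, and the policy's combining algorithm decides what an uncovered request gets.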

Page 35: FIWARE ID Management

FIWARE IdM:

Source Code: https://github.com/ging/fi-ware-idm

Documentation: https://github.com/ging/fi-ware-idm/wiki

FIWARE Access Control:

http://catalogue.fi-ware.org/enablers/access-control-tha-implementation/documentation

FIWARE OAuth2 Demo:

https://github.com/ging/oauth2-example-client

FIWARE Proxy:

https://github.com/ging/fi-ware-pep-proxy

Documentation

Page 36: FIWARE ID Management

Thanks!