FI-WARE Testbed Access Control temporary solution.


Transcript of FI-WARE Testbed Access Control temporary solution.

Page 1: FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution

Page 2: FI-WARE Testbed Access Control temporary solution.

Introduction

We will define a short-term and a medium-term solution to deal with the issues regarding access control to FI-WARE GEs deployed on the FI-WARE Testbed.

The medium-term solution will evolve to incorporate components developed in the FI-WARE Security chapter for the 2nd Release of FI-WARE.

Page 3: FI-WARE Testbed Access Control temporary solution.

Basic ingredients of the solution

OAuth v2.0

Keystone

User Profile Management

Multi-tenancy

Management and access to FI-WARE GE

Authentication

Authorization and Trust Management

Single Sign-On (SSO) among services/apps

Web/JavaScript/APIs access

• Client Apps: Web Apps, Server Apps or Desktop Apps.

Page 4: FI-WARE Testbed Access Control temporary solution.

MEDIUM TERM Solution

Page 5: FI-WARE Testbed Access Control temporary solution.

Scenarios to be covered

Client Apps may run on:

• Web Servers

• Web Browsers (user agents)

• On top of an Operating System (Native apps)

Page 6: FI-WARE Testbed Access Control temporary solution.

Client Apps running on Web Servers

Three-tier Web applications

Clients that invoke FI-WARE GE APIs run on web servers (e.g., servlets)

Users authenticate via IdM web page

The IdM maintains the confidentiality

Page 7: FI-WARE Testbed Access Control temporary solution.

Sequence diagram (labels recovered from the slide image; order reconstructed):

Participants: User, Client App (WS backend), FI-WARE Testbed IdM (IdM Web Portal, Keystone), FI-WARE GE Instance (KeystoneMiddleware)

1. Access App: the user opens the Client App.
2. Login via FI-WARE: the Client App redirects the user to the IdM Web Portal.
3. Login to WebApp via IdM: the user authenticates on the IdM web page.
4. Create Token: the IdM Web Portal has Keystone create a token for the user.
5. Send redirect URI with authentication code: the IdM redirects the user back to the Client App.
6. Access Redirect URL: the user agent follows the redirect to the Client App backend.
7. Send authentication code, client_id, client_secret: the Client App backend presents the code and its client credentials to the IdM.
8. Return access token: User logged in.
9. FI-WARE GE API request with token: the Client App backend calls the GE.
10. Validate token: KeystoneMiddleware checks the token with Keystone; Ok.
11. FI-WARE GE API request: the validated request reaches the FI-WARE GE Instance.
12. App URL (interaction): the user continues interacting with the App.

Page 8: FI-WARE Testbed Access Control temporary solution.

User-agent-based Application

It is a public Client App

Downloadable from Web Servers

It runs in a user agent (e.g., JavaScript in a web browser)

Users authenticate via IdM web page

Confidentiality is not maintained (Downloaded Client App assumes your identity)

Page 9: FI-WARE Testbed Access Control temporary solution.

Sequence diagram (labels recovered from the slide image; order reconstructed):

Participants: Client App (User Agent), FI-WARE Testbed IdM (IdM Web Portal, Keystone), FI-WARE GE Instance (KeystoneMiddleware)

1. Access App: the user loads the Client App into the user agent.
2. Login via FI-WARE: the Client App redirects the user to the IdM Web Portal.
3. Login to ClientApp via IdM: the user authenticates on the IdM web page.
4. Create Token: the IdM Web Portal has Keystone create a token for the user.
5. Send redirect URI with access token: the IdM redirects back to the Client App with the token in the URL fragment.
6. Access Redirect URL: the user agent follows the redirect.
7. Client App loads token from fragment.
8. FI-WARE GE API requests with token: the Client App running in the user agent calls the GE directly.
9. Validate token: KeystoneMiddleware checks the token with Keystone; Ok.
10. FI-WARE GE API request: the validated request reaches the FI-WARE GE Instance.
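The two redirect-based flows on the web-server and user-agent slides differ in what comes back through the browser (a one-time code versus the token itself) and in who can prove its identity with a client_secret. The following added example is a toy in-memory model written for this page; it is not the FI-WARE IdM or Keystone code, and the client ids, secrets, redirect URIs and method names are assumptions. It shows the backend exchanging a code with client_id and client_secret, the user-agent client reading the token from the URL fragment, and why a code is rejected once used or when the secret is wrong.

```python
"""Toy model of the two OAuth 2.0 redirect flows on the slides (constructed example)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registrations (assumption: the IdM keeps such a table).
CLIENTS = {
    "webapp-backend": {"secret": "webapp-secret-example",
                       "redirect_uri": "https://app.example/cb", "public": False},
    "browser-app": {"secret": None,
                    "redirect_uri": "https://spa.example/cb", "public": True},
}
CODE_LIFETIME_S = 60


class ToyIdM:
    """Stands in for the IdM Web Portal plus Keystone token creation."""

    def __init__(self):
        self._codes = {}    # code -> (client_id, user, organization, redirect_uri, expiry)
        self._tokens = {}   # token -> (user, organization)

    def _create_token(self, user, organization):
        # "Create Token" on the slides: a token is tied to <user, organization>.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, organization)
        return token

    def authorize(self, client_id, redirect_uri, response_type, user, organization):
        """Called after the user logged in on the IdM page; returns the redirect URL."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if response_type == "code":
            # Web-server flow: a short-lived, single-use code goes back via the browser.
            code = secrets.token_urlsafe(16)
            self._codes[code] = (client_id, user, organization, redirect_uri,
                                 time.time() + CODE_LIFETIME_S)
            return redirect_uri + "?" + urlencode({"code": code})
        if response_type == "token" and client["public"]:
            # User-agent flow: the token travels in the fragment, which the browser
            # keeps locally and does not send to the server hosting the redirect URI.
            token = self._create_token(user, organization)
            return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})
        raise ValueError("response_type not allowed for this client")

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Back-channel exchange: code + client_id + client_secret -> access token."""
        entry = self._codes.pop(code, None)          # single use: popping invalidates it
        if entry is None:
            raise PermissionError("invalid or already used code")
        cid, user, organization, ruri, expiry = entry
        client = CLIENTS.get(client_id)
        if (cid != client_id or ruri != redirect_uri or time.time() > expiry
                or client is None or client["secret"] is None
                or not secrets.compare_digest(client["secret"], client_secret)):
            raise PermissionError("code/client mismatch or bad client_secret")
        return self._create_token(user, organization)

    def validate(self, token):
        """What KeystoneMiddleware asks Keystone: who does this token belong to?"""
        return self._tokens.get(token)


def code_from_redirect(url):
    return parse_qs(urlparse(url).query)["code"][0]


def token_from_fragment(url):
    """'Client App loads token from fragment' on the user-agent slide."""
    return parse_qs(urlparse(url).fragment)["access_token"][0]


def web_server_flow(idm, user, organization):
    """Three-tier app: the backend, not the browser, ends up holding the token."""
    reg = CLIENTS["webapp-backend"]
    redirect = idm.authorize("webapp-backend", reg["redirect_uri"], "code", user, organization)
    code = code_from_redirect(redirect)
    token = idm.exchange_code(code, "webapp-backend", reg["secret"], reg["redirect_uri"])
    return token, idm.validate(token)


def user_agent_flow(idm, user, organization):
    """Public client: the token is exposed to whatever code runs in the user agent."""
    reg = CLIENTS["browser-app"]
    redirect = idm.authorize("browser-app", reg["redirect_uri"], "token", user, organization)
    token = token_from_fragment(redirect)
    return token, idm.validate(token)


if __name__ == "__main__":
    idm = ToyIdM()
    print(web_server_flow(idm, "alice", "uc-project-1"))
    print(user_agent_flow(idm, "bob", "uc-project-2"))
```

The confidential client never lets the code exchange happen without its secret, which is what "the IdM maintains the confidentiality" on the three-tier slide buys; the public client has no secret to present, so whoever runs the downloaded JavaScript holds the token, matching "Downloaded Client App assumes your identity".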

Page 10: FI-WARE Testbed Access Control temporary solution.

Native Application

Native apps, scripts, etc.

Credentials are sent via the Client App

User gives credentials to the Client App

Confidentiality is not maintained (Downloaded Client App assumes your identity)

Page 11: FI-WARE Testbed Access Control temporary solution.

Sequence diagram (labels recovered from the slide image; order reconstructed):

Participants: Client App, FI-WARE Testbed IdM (Keystone, IdM Web Portal), FI-WARE GE Instance (KeystoneMiddleware)

1. Create Token: the Client App sends the user's credentials to Keystone.
2. Return access token: Keystone returns the token to the Client App.
3. Access with token: the Client App calls the FI-WARE GE Instance.
4. Validate token: KeystoneMiddleware checks the token with Keystone.
5. Ok, Access: the validated request reaches the FI-WARE GE Instance.

Page 12: FI-WARE Testbed Access Control temporary solution.

SHORT TERM Solution

Page 13: FI-WARE Testbed Access Control temporary solution.

Sequence diagram (labels recovered from the slide image; order reconstructed):

Participants: FI-WARE Testbed Admin, Client App (WS backend) at fixed IP a.b.c.d, FI-WARE Testbed Firewall, FI-WARE Testbed IdM (IdM Web Portal, Keystone), FI-WARE GE Instance

1. Registration of IP a.b.c.d: the FI-WARE Testbed Admin registers the Client App's fixed IP in the FI-WARE Testbed Firewall.
2. Access App: the user opens the Client App.
3. Login web page: the Client App shows its own login page.
4. Login to ClientApp: the user enters credentials.
5. Validation (1): the Client App backend validates the credentials against the IdM.
6. User Logged In.
7. FI-WARE GE API requests: calls from fixed IP a.b.c.d pass the FI-WARE Testbed Firewall and reach the FI-WARE GE Instance.
8. App URL (interaction): the user continues interacting with the App.

(1) Validation via request using Keystone API

Page 14: FI-WARE Testbed Access Control temporary solution.

Sequence diagram (labels recovered from the slide image; order reconstructed):

Participants: Client App (User Agent) at first (temporal) IP a1.b1.c1.d1, FI-WARE Testbed IdM (IdM Web Portal, Keystone), FI-WARE Testbed Firewall, FI-WARE GE Instance

1. Access App: the user loads the Client App into the user agent.
2. Login via FI-WARE: the Client App sends the user to the IdM.
3. Login to ClientApp via IdM (1).
4. Validation: the IdM validates the credentials; the user agent's IP a1.b1.c1.d1 is recorded.
5. User Logged In.
6. FI-WARE GE API requests: calls from a1.b1.c1.d1 pass the FI-WARE Testbed Firewall and reach the FI-WARE GE Instance.

(1) Login via request using Keystone API or via JavaScript library provided by FI-WARE

Page 15: FI-WARE Testbed Access Control temporary solution.

Sequence diagram (re-login, a2.b2.c2.d2; labels recovered from the slide image; order reconstructed):

Participants: Client App (User Agent), FI-WARE Testbed IdM (IdM Web Portal, Keystone), FI-WARE Testbed Firewall, FI-WARE GE Instance

1. The user agent's first (temporal) IP was a1.b1.c1.d1; a new address a2.b2.c2.d2 is assigned.
2. Access App, re-login: the user logs in again via the IdM Web Portal / Keystone from a2.b2.c2.d2.
3. FI-WARE GE API requests: calls from a2.b2.c2.d2 now pass the FI-WARE Testbed Firewall and reach the FI-WARE GE Instance.
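Slides 13 to 15 describe the short-term mechanism as a firewall decision on source IP: fixed server addresses are registered by the Testbed Admin, and a user agent's temporal address is recorded at login and has to be refreshed by logging in again when it changes. The added model below is written for this page (not FI-WARE code); the class and method names are assumptions, the addresses are documentation ranges standing in for a.b.c.d, a1.b1.c1.d1 and a2.b2.c2.d2, and it assumes that a re-login replaces the previously registered temporal address rather than adding to it.

```python
"""Constructed model of the short-term, IP-based access control at the Testbed Firewall."""
import ipaddress


class TestbedFirewall:
    """Keeps the set of source addresses allowed to reach GE API endpoints."""

    def __init__(self):
        self._fixed = set()     # admin-registered server IPs (a.b.c.d)
        self._temporal = {}     # user -> temporal IP registered at the last login

    def register_fixed(self, ip):
        """Registration of IP a.b.c.d by the FI-WARE Testbed Admin."""
        self._fixed.add(ipaddress.ip_address(ip))

    def login(self, user, ip):
        """On (re-)login the user's current temporal IP replaces the previous one (assumption)."""
        self._temporal[user] = ipaddress.ip_address(ip)

    def allows(self, ip):
        addr = ipaddress.ip_address(ip)
        return addr in self._fixed or addr in self._temporal.values()

    def ge_request(self, source_ip):
        """Firewall decision for one FI-WARE GE API request from source_ip."""
        return "forwarded to GE" if self.allows(source_ip) else "dropped by firewall"


def scenario():
    """Replays slides 13-15 and returns the firewall decision at each step."""
    fw = TestbedFirewall()
    steps = []
    fw.register_fixed("192.0.2.10")                        # admin registers a.b.c.d
    steps.append(("web server a.b.c.d", fw.ge_request("192.0.2.10")))
    fw.login("alice", "198.51.100.7")                      # first (temporal) IP a1.b1.c1.d1
    steps.append(("user agent a1.b1.c1.d1", fw.ge_request("198.51.100.7")))
    # The user's address changes (new a2.b2.c2.d2 assigned) but no re-login yet.
    steps.append(("user agent a2.b2.c2.d2 before re-login", fw.ge_request("198.51.100.8")))
    fw.login("alice", "198.51.100.8")                      # re-login from a2.b2.c2.d2
    steps.append(("user agent a2.b2.c2.d2 after re-login", fw.ge_request("198.51.100.8")))
    steps.append(("old a1.b1.c1.d1 after re-login", fw.ge_request("198.51.100.7")))
    # The decision is per address only: any other host behind the same address
    # is indistinguishable to the firewall, which is the coarseness of this scheme.
    steps.append(("another host behind a2.b2.c2.d2", fw.ge_request("198.51.100.8")))
    return steps


if __name__ == "__main__":
    for name, decision in scenario():
        print(f"{name}: {decision}")
```

The two points a practitioner should take from the replay are that GE requests break as soon as a dynamically assigned address changes until the user logs in again, and that the firewall authorizes an address, not a user, which is why the medium-term token-based design is the one that actually binds requests to <user, organization>.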

Page 16: FI-WARE Testbed Access Control temporary solution.

IdM Web Portal functionality in the short term

Every UC project will be associated with an “Organization”

Every UC project will have an admin user account

Using the IdM Web Portal, admin users will be able to create new user accounts linked to the same Organization

Page 17: FI-WARE Testbed Access Control temporary solution.

MORE DETAILS

Page 18: FI-WARE Testbed Access Control temporary solution.

IDM Web Portal

Provides Identity Management

Provides OAuth 2 modes

API with Keystone to manage GE tokens

• Interface with Keystone to manage tokens and provide them via OAuth

Page 19: FI-WARE Testbed Access Control temporary solution.

Keystone

It provides management of:

• Users, roles and organizations

• Only one Keystone admin

Credentials: username and password

Tuples <user, organization, role>

Tokens are associated with <user, organization>

Many roles per user and organization

GEs establish permissions per role
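The KeystoneMiddleware box on the medium-term diagrams and the Keystone slide above fit together as follows: the middleware turns a token into a <user, organization, roles> tuple or rejects the request, and the GE then decides by role. The added example below is a constructed model for this page, not the real keystonemiddleware package or any FI-WARE GE; the token table, role names, the sample GE's permission table and the request/response shapes are assumptions, while X-Auth-Token is the header name Keystone itself uses.

```python
"""Constructed model of KeystoneMiddleware-style validation in front of a role-checking GE."""
import time

# Constructed Keystone state: token -> (user, organization, roles, expiry).
NOW = time.time()
KEYSTONE_TOKENS = {
    "tok-alice-member": ("alice", "uc-project-1", ["member"], NOW + 3600),
    "tok-bob-admin": ("bob", "uc-project-1", ["member", "admin"], NOW + 3600),
    "tok-carol-expired": ("carol", "uc-project-2", ["admin"], NOW - 1),
}


def keystone_validate(token):
    """Stands in for the 'Validate token' call to Keystone; None means reject."""
    entry = KEYSTONE_TOKENS.get(token)
    if entry is None:
        return None
    user, organization, roles, expiry = entry
    if time.time() > expiry:
        return None
    return {"user": user, "organization": organization, "roles": list(roles)}


def keystone_middleware(ge_handler, validate=keystone_validate):
    """Wraps a GE handler: without a valid token no request reaches the GE."""
    def handler(request):
        token = request.get("headers", {}).get("X-Auth-Token")
        if not token:
            return 401, "missing X-Auth-Token"
        identity = validate(token)
        if identity is None:
            return 401, "token invalid or expired"
        # Pass the <user, organization, roles> tuple on; the GE never handles the token.
        enriched = {"method": request["method"], "path": request["path"], **identity}
        return ge_handler(enriched)
    return handler


# Constructed per-role permission table for a sample GE: HTTP method -> roles allowed.
GE_PERMISSIONS = {"GET": {"member", "admin"}, "POST": {"admin"}, "DELETE": {"admin"}}


def sample_ge(request):
    """The GE establishes permissions per role, scoped to the organization in the token."""
    allowed = GE_PERMISSIONS.get(request["method"], set())
    if not allowed.intersection(request["roles"]):
        return 403, f"{request['method']} needs one of {sorted(allowed)}"
    return 200, f"{request['method']} {request['path']} for {request['user']}@{request['organization']}"


protected_ge = keystone_middleware(sample_ge)


def call(method, path, token=None):
    """Issues one request through the middleware; returns (status, body)."""
    headers = {"X-Auth-Token": token} if token else {}
    return protected_ge({"method": method, "path": path, "headers": headers})


if __name__ == "__main__":
    for args in [("GET", "/things", "tok-alice-member"), ("POST", "/things", "tok-alice-member"),
                 ("POST", "/things", "tok-bob-admin"), ("GET", "/things", "tok-carol-expired"),
                 ("GET", "/things", None)]:
        print(args, "->", call(*args))
```

Keeping the role check inside the GE and the token check inside the middleware matches the slides' split of responsibilities: Keystone is the only place that knows whether a token is live, and each GE is the only place that knows what its own roles may do.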

Page 20: FI-WARE Testbed Access Control temporary solution.

Keystone

Provides management of GE (Services)

Each GE owns a list of endpoint URLs

• Users access these URLs