Identity Management: Using OIDC to Empower the Next-Generation Apps
Identity Management: Using OIDC to Empower the Next-Generation of Applications
Tom Freestone, LDS Church
© 2016 by Intellectual Reserve, Inc. All rights reserved.
The future computing platforms are MOBILE and CLOUD!
Mobile Computing - present and the future: 2.4 billion mobile devices in 2013 and 2.5 billion in 2014. 81+ billion apps downloaded in 2013. There are 6.8 billion people on the planet at present; 4 billion own mobile phones. (Gartner Group - World Wide Devices Shipments)
Internet of Things: In the Cloud EVERYTHING is an API. APIs are an integral part of what are arguably the three major forces currently transforming the Web and IT landscape: Mobile, Social and Cloud Computing.
Preparing for the future - MOBILE and CLOUD!
• How do we design and develop solutions that meet the growth and the diversity of a global user base?
• How do we move large enterprise solutions and systems to embrace mobile and cloud computing?
• How do we maximize our past investments in technology solutions and embrace new and evolving industry technology advancements?
• How do we significantly reduce costs and encourage greater reuse of core systems and services across the enterprise?
Cloud Mobile Application Architecture (diagram): Legacy Applications & Systems (monolithic, application-centric, DB-coupled); Component & Services Architecture; Web Services Integrations; Mobile/Web Components (Mobile – Web - Device); Platform as a Service; Hybrid Cloud (Data Center, AWS, Azure).
Identity?
Identity: Authentication and Authorization
Who is the user? Entity, Claims, Attributes.
Identity is a set of claims.
https://www.flickr.com/photos/74373690@N00/13949707621/ via Compfight (License: https://creativecommons.org/licenses/by-nc/2.0/)
What is the user allowed to do? Who, What, Why, When, How: Attributes and Policy.
What is the user allowed to do? Example policy groups: Authenticated Users; Users that work for …; Users that belong to Web Access Mgmt.
The Traditional Solution: Authorization/Authentication?
Reverse Proxies
• Passes Headers
• Protects URL’s
• Manages SSO Session
• Data Center Co-location
The world of reverse proxies … protected, but ...
https://www.flickr.com/photos/13748147@N02/2070083736/ via Compfight (License: https://creativecommons.org/licenses/by-nc-nd/2.0/)
The real world is complex and interconnected.
http://steffondavis.com/visualizing-taste-in-art-with-big-data-curation-analysis-curalytics-and-curiator/
Cloud Approach (diagram): Enterprise; SaaS; Private Cloud; PaaS (Cloud Foundry); Development Stacks; Web Services; Public Cloud; Hybrid Cloud.
Hybrid Cloud: A cloud computing service that is composed of some combination of private, public, and community cloud services, from different service providers, for capacity or capability.
Cloud Mobile Integration
• Must support existing systems (legacy) = Hybrid
• Everything moving to “Services” (APIs)
• Mobile/Web Development (Open Standards)
• Services Oriented Architecture (SOA)
• Migration/On Ramp (Security, SaaS, etc.)
How do we move to the cloud and still authenticate our users?
Federation
Traditional vs. Federated
Reverse Proxies
• Passes Headers
• Protects URL’s
• Manages SSO Session
• Data Center Colocation
Application
• Consumes attributes
• Protects its own URL’s
• Manages its own session
• Data Center Independence
Icon design by Paomedia and Ivan Boyko
OIDC Benefits: Interoperable, Flexible, Secure, Simple
Basic OIDC Protocol (participants: End User, OIDC Provider, Client)
1. AuthN Request
2. AuthN & AuthZ
3. AuthN Response
4. UserInfo Request
5. UserInfo Response
Abstract OIDC Protocol: 1.2 OIDC-Core Spec
Client: Client application requiring End-User Authentication and Claims from an OIDC Provider.
OIDC Provider: Provides identity as a service using OIDC through the Token endpoint, UserInfo endpoint, & Authorization endpoint.
End User: Also referred to as the “User Agent,” meaning the browser.
AntiPattern #1: LDAP Service Accounts
Participants: Application / Client (GetUse), Protected API (Resource Server), LDAP
1. Request (Basic Auth username:password)
2. LDAP Bind username:password
3. Data
Pattern #1: Service Account using OIDC
Participants: Application / Client (GetUse), Authorization Server, Protected API
1. Request Token (Client_id / userId)
2. Token
3. Make Request (Token)
4. Validate Token
5. Valid Token
7. Return Data
Pattern #1 Service Account – Getting Tokens

Discovery: fetch the provider's configuration document.

    curl https://openam.example.com:8443/openam/.well-known/openid-configuration
    {
      "response_types_supported": [ "token id_token", "code token", "code token id_token", "token", "code id_token", "code", "id_token" ],
      "registration_endpoint": "https://ident.example.com:8443/openam/oauth2/connect/register",
      "token_endpoint": "https://ident.example.com:8443/openam/oauth2/access_token",
      "end_session_endpoint": "https://ident.example.com:8443/openam/oauth2/connect/endSession",
      "version": "3.0",
      "userinfo_endpoint": "https://ident.example.com:8443/openam/oauth2/userinfo",
      "subject_types_supported": [ "public" ],
      "issuer": "https://ident.example.com:8443/openam",
      "jwks_uri": "https://ident.example.com:8443/openam/oauth2/connect/jwk_uri?realm=/",
      "id_token_signing_alg_values_supported": [ "HS256", "HS512", "RS256", "HS384" ],
      "check_session_iframe": "https://ident.example.com:8443/openam/oauth2/connect/checkSession",
      "claims_supported": [ "phone", "email", "address", "openid", "profile" ],
      "authorization_endpoint": "https://ident.example.com:8443/openam/oauth2/authorize"
    }

Token request: the client authenticates with its own credentials (HTTP Basic) and uses the password grant for the service account user.

    curl \
      --request POST \
      --user "masterClient:password" \
      --data "grant_type=password&username=someUser&password=password" \
      https://ident.example.com:8443/openam/oauth2/access_token
    {
      "expires_in": 59,
      "token_type": "Bearer",
      "refresh_token": "26938cd0-6870-4e31-ade9-df31afc37ee1",
      "access_token": "515d6551-4512-4279-98b6-c0ef3f03a722"
    }

The access token is then sent to the protected API on each request:

    Authorization: Bearer 515d6551-4512-4279-98b6-c0ef3f03a722
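As an added example (not code from the talk), here is the Pattern #1 client in Python: it takes the token_endpoint from the discovery document above, checks that it is HTTPS and under the issuer, caches the access token and requests a new one shortly before the 59-second expires_in elapses, instead of sending credentials on every call as AntiPattern #1 does. The HTTP transport `post` and the `clock` are injected assumptions so the code runs offline.

```python
import json
import time

# Constructed excerpt of the discovery document shown above.
DISCOVERY_JSON = '''{"issuer": "https://ident.example.com:8443/openam",
 "token_endpoint": "https://ident.example.com:8443/openam/oauth2/access_token"}'''

# Constructed token response with the same shape as the curl output above.
TOKEN_RESPONSE = {"expires_in": 59, "token_type": "Bearer",
                  "refresh_token": "26938cd0-6870-4e31-ade9-df31afc37ee1",
                  "access_token": "515d6551-4512-4279-98b6-c0ef3f03a722"}


def token_endpoint(discovery_json: str) -> str:
    """Pick the token endpoint out of the discovery document, accepting it
    only when it is HTTPS and sits under the issuer (the password grant
    sends the client secret and the user password in the request body)."""
    doc = json.loads(discovery_json)
    endpoint = doc["token_endpoint"]
    if not endpoint.startswith("https://"):
        raise ValueError("token_endpoint must use HTTPS: " + endpoint)
    if not endpoint.startswith(doc["issuer"].rstrip("/") + "/"):
        raise ValueError("token_endpoint is not under the issuer: " + endpoint)
    return endpoint


class ServiceAccountClient:
    """Caches one bearer token for the service account and asks the
    Authorization Server for a new one shortly before expires_in elapses.
    post(url, basic_auth, form) is a hypothetical injected transport;
    clock() returns seconds, so the refresh logic can be tested offline."""

    def __init__(self, discovery_json, client_auth, grant, post,
                 clock=time.monotonic, skew=5):
        self.endpoint = token_endpoint(discovery_json)
        self.client_auth, self.grant = client_auth, grant
        self.post, self.clock, self.skew = post, clock, skew
        self.token, self.expires_at, self.token_requests = None, 0.0, 0

    def _fetch(self):
        body = self.post(self.endpoint, self.client_auth, self.grant)
        self.token = body["access_token"]
        self.expires_at = self.clock() + body["expires_in"]
        self.token_requests += 1

    def authorization_header(self) -> str:
        """Value of the Authorization header for each call to the protected API."""
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            self._fetch()
        return "Bearer " + self.token
```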
AntiPattern #2: Session Hijack
Participants: Owner, Client (GetUse), App Login Page
1. Using App
2. Collect User/Password
3. Post User/password to login page
4. Get cookies
5. Request Data
6. Data
Pattern #2: Service Provider Access Using OIDC
Participants: Owner, Client (GetUse), Authorization Server, Resource Server
1. Using App
2. Redirect to Login
3. Authorize
4. Authorization Code
5. Authorization Code
6. Token
7. Request Data (Token)
8. Validate Token
9. Valid Token
10. Data
[1] R. Boyd, Getting Started with OAuth 2.0. Sebastopol, CA: O’Reilly, 2012.
Pattern #2 Service Provider Access -- Responses
[2] Backstage.forgerock.com, ‘ForgeRock BackStage’, 2015. [Online]. Available: https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-opened-connect. [Accessed: 08 Oct 2015].
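As an added example (not the talk's own code), the client side of Pattern #2 in Python: it builds the redirect to the authorization_endpoint from the discovery document above with a fresh state and nonce, accepts the callback only when the state is one it issued, and checks the ID token's iss, aud, exp and nonce claims. CLIENT_ID, REDIRECT_URI and the PENDING store are constructed assumptions, and the claims dict is assumed to come from a payload whose signature a JOSE library has already verified against jwks_uri.

```python
import secrets
import time
from urllib.parse import urlencode, parse_qs, urlparse

ISSUER = "https://ident.example.com:8443/openam"     # from the discovery document
AUTHORIZE = ISSUER + "/oauth2/authorize"            # authorization_endpoint
CLIENT_ID = "myClient"                               # constructed
REDIRECT_URI = "https://app.example.com/callback"   # constructed

# Hypothetical store of outstanding logins: state -> nonce. In a real app this
# lives in the server-side session of the browser that started the login.
PENDING = {}


def start_login() -> str:
    """Step 2 of Pattern #2: the redirect to the Authorization Server."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    PENDING[state] = nonce
    return AUTHORIZE + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "scope": "openid profile",
        "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce})


def handle_callback(callback_url: str):
    """Steps 4-5: take the code only if the state is one we issued (and use
    it once), returning the code and the nonce the ID token must echo."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [None])[0]
    nonce = PENDING.pop(state, None)
    if nonce is None or "code" not in q:
        raise PermissionError("unknown state or missing code")
    return q["code"][0], nonce


def validate_id_token(claims: dict, nonce: str, now=None) -> str:
    """Step 6: claim checks (OIDC Core 3.1.3.7) on a signature-verified
    payload. Returns the subject the application may trust."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise PermissionError("issuer mismatch")
    if CLIENT_ID not in aud:
        raise PermissionError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise PermissionError("azp required with multiple audiences")
    if claims.get("exp", 0) <= now:
        raise PermissionError("ID token expired")
    if claims.get("nonce") != nonce:
        raise PermissionError("nonce mismatch: token was not issued for this login")
    return claims["sub"]
```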
Questions?