nmelbournensydneynsantacruz
www.viewds.com
n
e
w
Cookies and Hash: Basic Identity and Access Management Recipes
Authorization
Gil Kirkpatrick
gil.kirkpatrick@viewds.com
Copyright © 2014 ViewDS Identity Solutions
www.viewds.com
Ingredient #0
No f*cking passwords!
Ingredient #1
§ Develop your identity strategy starting with your authorization and audit requirements
§  Identify your most critical/sensitive data, applications, and APIs
§  What attributes do you need to decide who is allowed to do what?
§  Where do those attributes come from?
§  How do you trust those attributes?
§  What is their lifecycle?
§  Who owns them?
Ingredient #2
§ Separate authorization code from the application
§  Manageability
§  Auditability
§  Security
§  Maintainability
§  Convenience
§  Efficiency
Externalizing Identity and Access Management
Identity: LDAP directories, cloud identity stores
Authentication: Kerberos, SAML, OpenID Connect
Audit: Syslog, Windows event log
Authorization: XACML, OAuth 2, UMA
Ingredient #3
§ Have resource owners define authorization policy
§ Otherwise you get Surprise du Chef
§ App devs and IT can’t say what the authorization policy should be
Ingredient #4
§ Authorization policy, not authorization code
§ Remove developers from the authZ policy loop
§ Give resource owners the tools to manage who gets access to their stuff
Ingredient #5
§ Authorization has to be fast and scalable
§ Mobile friendly
§ Web friendly
§ API friendly
Ingredient #6
§ Accommodate different authorization models
§  User consent
§  Role-based Access Control (RBAC)
§  Attribute-based Access Control (ABAC)
§  Context-based Access Control (CBAC)
Authorization Technologies
XACML, OAuth 2, UMA
OAuth 2
§ The motivation: eliminate the “Password Anti-Pattern” on the web
§  Giving my FB password to Twitter so my tweets show up on my timeline
§  Giving my FB password to Instagram so my photos show up on my timeline
§  Giving my FB pass…. You get the idea
§ Answers the question “How do I allow this program I am using controlled access to my stuff?”
§  Authorizing an application used by the resource owner
§  Substantially different scenario than XACML
The Fundamental Idea
§ Instead of giving my FB password to Twitter, I will make FB give Twitter a token
§ Twitter can use the token instead of my password
§ The token will only let Twitter do certain things (scope) that I say it can do, like access my pictures
§ The token only works for a certain amount of time in case it gets stolen, so Twitter has to periodically renew it
Canonical OAuth2 Roles
Resource Owner (RO): entity that can make authorization decisions about a resource
Client: program that needs to access a protected resource on behalf of the resource owner
Authorization Server (AS): program that issues tokens after authenticating the owner and getting authorization
Resource Server (RS): server that implements the protected resource
OAuth2 Tokens
AuthZ grant: represents the owner’s consent to access with a particular scope
Access token: presented to the resource server to get access to a particular scope
Refresh token: used to obtain another access token without requiring the resource owner to reauthorize the request
Canonical OAuth2 Flow
(Figure: sequence diagram; the message labels, in order)
§ Client → Resource Owner: AuthZ request; Resource Owner → Client: AuthZ grant (the owner authenticates first)
§ Client → Authorization Server: AuthZ grant; Authorization Server → Client: Access token (and optionally a Refresh token)
§ Client → Resource Server: Access token; Resource Server → Client: Protected resource (repeated for each call)
§ Client → Authorization Server: Refresh token; Authorization Server → Client: new Access token
Grant: Authorization Code
Notes:
•  Client pre-registers its return URI and obtains credentials from the AS
•  Client authenticates with the AS when redeeming the authorization code
•  The token response optionally includes a refresh token
Steps (as numbered in the diagram):
1  Client accesses the RS with no token
2  Access denied
3  AuthZ request (client sends the resource owner’s browser to the AS)
4  AuthN/AuthZ (owner authenticates to the AS and consents)
5  AuthZ grant (authorization code returned via the owner’s browser)
6  AuthZ grant (code delivered to the client at its registered return URI)
7  Access token (AS issues it to the client in exchange for the code)
8  Client accesses the RS with the token
9  RS validates the token
10 Protected resource returned
Grant: Implicit
Notes:
1.  Client pre-registers its return URI and obtains an identifier
2.  Client does not authenticate with the AS
3.  Client is typically supported by JavaScript running in the browser to parse the token out of the redirect
4.  Refresh tokens are not supported
Steps (as numbered in the diagram):
1  Client accesses the RS with no token
2  Access denied
3  AuthZ request
4  AuthN/AuthZ (owner authenticates to the AS and consents)
5  Access token (returned straight to the browser, where the client’s JavaScript extracts it)
6  Client accesses the RS with the token
7  Protected resource returned
Note (later than this 2014 deck): the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against the implicit grant, because the access token is exposed in the browser redirect; new deployments use the authorization code grant with PKCE instead.
Grant: Client Credentials
Steps (as numbered in the diagram):
1  Client accesses the RS with no token
2  Access denied
3  AuthZ request (client authenticates to the AS with its own credentials)
4  Access token
5  Client accesses the RS with the token
6  Protected resource returned
Notes:
1.  No resource owner involvement in the authorization flow
2.  Client authenticates with the AS
3.  Authorization policy is determined by prior configuration
4.  Refresh tokens are not supported
Grant: Resource Owner Credentials
Steps (as numbered in the diagram):
1  Client accesses the RS with no token
2  Access denied
3  Resource owner gives the client a username and password
4  AuthZ request (client authenticates to the AS and forwards the owner’s credentials)
5  Access token
6  Client accesses the RS with the token
7  Protected resource returned
Notes:
1.  Resource owner provides resource credentials to the client
2.  Client authenticates with the AS and provides the RO’s credentials
3.  Refresh tokens are supported
Note (later than this 2014 deck): this grant reintroduces the password anti-pattern the deck opens with (the client sees the password), and RFC 9700 says it must not be used.
Scopes
§ What they are
§  A set of space-delimited strings
§ What they mean
§  ACL? Permission? Claims? Policy identifier? Operation?
§ Problem
§  Creates coupling between authorization server, resource server, and client application, since all three must agree on what each string means
OAuth 2
Pros
§ Externalizes authZ from the application
§ Integrates user authentication, app authorization and user consent
§ Fits well with web architecture
§ Easy-ish to implement
§ Performance should be excellent
Cons
§ Policies? We don’t need no stinkin’ policies.
§ Deprovisioning timing is subject to token lifetime constraints
§ Design of scopes is left to the reader
§  Coupling between client, AS and RS
§ Not really oriented to enterprise scenarios, but…
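The authorization code grant from the slides above, together with the deprovisioning con, as an added worked example in Python. This is not ViewDS code and not from the deck: a toy AS, one pre-registered client and an RS run in one process. The client id "twitter-app", its secret and return URI, the scope names photos:read and profile:read, and the owner "gil" are assumptions. It exercises the checks the grant slide lists (registered return URI, client authentication when redeeming a single-use code, scope carried on the token) and then shows the con: once the owner is deprovisioned the refresh is refused, but an access token already issued keeps working until its lifetime runs out.

```python
"""Added example (not ViewDS code): toy OAuth 2 authorization code grant with the
AS, client registration and RS in one process. All identifiers are assumed."""
import hmac
import secrets
import time
from collections import namedtuple

# Constructed registration: client pre-registered its return URI and got a secret.
CLIENTS = {"twitter-app": {"secret": "registration-secret-42",
                           "redirect_uri": "https://twitter.example/oauth/cb"}}
Token = namedtuple("Token", "value client_id owner scope expires_at")


class AuthorizationServer:
    def __init__(self, clock=time.time, access_ttl=3600):
        self.clock, self.access_ttl = clock, access_ttl
        self.active_users = set()  # resource owners still allowed to hold grants
        self.codes = {}            # code -> (client_id, redirect_uri, owner, scope)
        self.access = {}           # access token value -> Token
        self.refresh = {}          # refresh token value -> Token it renews

    def _check_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")

    def authorize(self, client_id, redirect_uri, owner, scope):
        """Steps 4-5: owner has authenticated and consented; issue a one-time code."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or unregistered return URI")
        if owner not in self.active_users:
            raise PermissionError("owner is not active")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, owner, frozenset(scope.split()))
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 6-7: client authenticates and redeems the code, which is single use."""
        self._check_client(client_id, client_secret)
        grant = self.codes.pop(code, None)
        if grant is None or grant[0] != client_id or grant[1] != redirect_uri:
            raise PermissionError("invalid grant")
        return self._issue(client_id, grant[2], grant[3])

    def refresh_token(self, client_id, client_secret, refresh):
        self._check_client(client_id, client_secret)
        old = self.refresh.pop(refresh, None)
        if old is None or old.client_id != client_id:
            raise PermissionError("invalid refresh token")
        if old.owner not in self.active_users:  # deprovisioning is enforced at renewal
            raise PermissionError("owner no longer active")
        return self._issue(client_id, old.owner, old.scope)

    def _issue(self, client_id, owner, scope):
        tok = Token(secrets.token_urlsafe(24), client_id, owner, scope,
                    self.clock() + self.access_ttl)
        self.access[tok.value] = tok
        refresh = secrets.token_urlsafe(24)
        self.refresh[refresh] = tok
        return {"access_token": tok.value, "refresh_token": refresh,
                "expires_in": self.access_ttl, "scope": " ".join(sorted(scope))}

    def introspect(self, access_token):
        # Step 9: checks existence and expiry only, so an issued token outlives deprovisioning.
        tok = self.access.get(access_token)
        return None if tok is None or tok.expires_at <= self.clock() else tok


def rs_get_photos(authz, access_token):
    """Resource server: validate the token, then serve if its scope covers photos."""
    tok = authz.introspect(access_token)
    if tok is None:
        return 401, "access denied"
    if "photos:read" not in tok.scope:
        return 403, "insufficient scope"
    return 200, f"photos of {tok.owner}"


def _outcome(call):
    try:
        call()
        return "issued"
    except PermissionError:
        return "rejected"


def demo():
    """Walk the flow with a controllable clock; returns what each check produced."""
    now = [1_700_000_000.0]
    authz = AuthorizationServer(clock=lambda: now[0])
    authz.active_users.add("gil")
    cid, secret, uri = "twitter-app", "registration-secret-42", CLIENTS["twitter-app"]["redirect_uri"]
    r = {"no_token": rs_get_photos(authz, "")[0]}                                # steps 1-2
    code = authz.authorize(cid, uri, "gil", "photos:read")                       # steps 3-5
    r["stolen_code"] = _outcome(lambda: authz.token(cid, "guess", code, uri))    # no client secret
    tokens = authz.token(cid, secret, code, uri)                                 # steps 6-7
    r["with_token"] = rs_get_photos(authz, tokens["access_token"])[0]            # steps 8-10
    r["code_reuse"] = _outcome(lambda: authz.token(cid, secret, code, uri))
    narrow = authz.token(cid, secret, authz.authorize(cid, uri, "gil", "profile:read"), uri)
    r["wrong_scope"] = rs_get_photos(authz, narrow["access_token"])[0]
    authz.active_users.discard("gil")                                            # gil is deprovisioned
    r["after_deprovision"] = rs_get_photos(authz, tokens["access_token"])[0]     # still 200
    r["refresh_after_deprovision"] = _outcome(
        lambda: authz.refresh_token(cid, secret, tokens["refresh_token"]))
    now[0] += 3601                                                               # access token expires
    r["after_expiry"] = rs_get_photos(authz, tokens["access_token"])[0]
    return r
```

demo() returns the status each step produced; after_deprovision is the entry to look at, since it is still 200 while refresh_after_deprovision is already rejected. A real RS would validate by token introspection (RFC 7662) or by verifying a signed token locally, and the only lever that narrows the deprovisioning gap without a per-request check is a shorter access-token lifetime.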
Architectural Differences between OAuth and XACML
§  In OAuth and UMA, you authorize once to get a token, then use the token for many transactions
§  Efficient
§  But deauthorization is not immediate and depends on token lifetime
§  Makes contextual authorization problematic
§  In XACML, the PDP evaluates every single transaction
§  Relatively inefficient, promotes complexity with caching, etc.
§  But you can deauthorize immediately
§  In OAuth, the authorization process happens in two places: the AS (what goes into the token) and the RS (what the token’s scopes permit)
§  In XACML the AS (the PDP) makes the authorization decision
§  In UMA you
§  Client, AS, and RS all have to have a common understanding of scopes, and scopes are left to the reader
§  An unfortunate coupling between components that should evolve separately
§  In XACML, RS and AS work at arm’s length
§  The RS provides a minimal set of attributes to identify the policy
§  The Context Handler fills in the blanks
§  The PDP says yes or no
XACML
“XACML is dead.”
Andras Cser, Forrester, May 2013
http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead
“The rumours of XACML’s death are greatly exaggerated.”
Dave Wilson, ViewDS 2013
With a tip of the hat to Samuel Clemens aka Mark Twain
“XACML isn’t dead, it just smells funny.”
Gil Kirkpatrick, ViewDS 2014
With a tip of the hat to Frank Zappa
XACML
§ eXtensible Access Control Markup Language
§ Architecture for application authorization
§ Standardized XML-based policy language
§  Attribute-based
§  Fine-grained
§  Extensible
§ Standardized authorization request protocols
§  SOAPy
§  RESTful
§ Programmatic APIs (OpenAZ and EzAz)
XACML Data Flow
(Figure: the standard XACML data-flow diagram; components and flows recovered from its labels)
Components: access requestor, policy enforcement point (PEP), context handler, policy decision point (PDP), policy administration point (PAP), policy information point (PIP), obligation service. Attribute sources: subjects, resources (resource content and resource attributes), environment.
Flows:
§ Access requestor → PEP: access request
§ PEP → context handler: request notification; context handler → PDP: request; PDP → context handler: response; context handler → PEP: response context
§ PDP → context handler: attribute queries; context handler → PIP: attribute query; PIP → context handler: subject, resource and environment attributes; context handler → PDP: attributes
§ PAP → PDP: policy
§ PEP → obligation service: obligations
XACML: a machine that turns attributes and policies into decisions
Inputs: attributes + policy
Outputs: Allow, Deny, or “I don’t know” (NotApplicable / Indeterminate in the spec), plus obligations and advice
XACML Flow
(Figure: the application’s PEP sends an AuthZ request to the PDP as SAML/XML or REST/JSON and gets an AuthZ response back; to resolve attributes the PDP issues an LDAP request to the directory and receives an LDAP response.)
Request, XML form (XACML 2.0-style Subject/Resource/Action elements):

<Request>
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
      <AttributeValue>gil@gilkirkpatrick.com</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://app.example.com/projects/docs/pricelist2014.html</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>
The same request in JSON (the slide’s shorthand; the OASIS JSON Profile of XACML 3.0 spells the category AccessSubject and the key AttributeId):

{
  "Request": {
    "Subject": {
      "Attribute": { "Id": "subject-id", "Value": "gil@gilkirkpatrick.com" }
    },
    "Action": {
      "Attribute": { "Id": "action-id", "Value": "read" }
    },
    "Resource": {
      "Attribute": { "Id": "resource-id", "Value": "http://app.example.com/projects/docs/pricelist2014.html" }
    }
  }
}
XACML Policy Model
§ Policy Set
§  Policy combining algorithm
§  Policies
§ Policy
§  Target
§  Rules
§  Rule combining algorithm
§  Obligations
§  Advice
§ Target
§  Resource
§  Subject
§  Operation (Action in the spec)
§ Rule
§  Condition
§  Effect
§  Allow (Permit in the spec)
§  Deny
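The request on the two preceding slides and the policy model above, as an added worked example in Python. It is not ViewDS code and not a conforming XACML implementation: a miniature PDP whose context handler fills in subject attributes from a stand-in directory (the PIP), policies with targets, rules, combining algorithms and obligations, and a PEP that only honours a Permit whose obligations it can discharge. The directory entries, the attribute names department and employee-status, the subject bob@example.com and mallory@example.com, and the policy content are assumptions; decisions use the spec’s names Permit, Deny, NotApplicable and Indeterminate (the slide’s “I don’t know”). The last step shows the instantaneous deprovisioning the XACML pros slide claims: change the directory entry and the very next decision is Deny.

```python
"""Added example (not ViewDS code, not a conforming XACML engine): a miniature
policy decision point that turns attributes and policy into Permit, Deny,
NotApplicable or Indeterminate plus obligations. Directory entries, attribute
names and policy content are assumed."""
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
PRICELIST = "http://app.example.com/projects/docs/pricelist2014.html"

# Constructed directory standing in for the LDAP-backed policy information point (PIP).
DIRECTORY = {
    "gil@gilkirkpatrick.com": {"department": "sales", "employee-status": "active"},
    "bob@example.com": {"department": "engineering", "employee-status": "active"},
}


def context_handler(request):
    """The PEP sends only identifying attributes (as in the request on the slides);
    the context handler fills in the blanks from the PIP."""
    ctx = {category: dict(attrs) for category, attrs in request.items()}
    ctx["Subject"].update(DIRECTORY.get(ctx["Subject"].get("subject-id"), {}))
    return ctx


def combine(algorithm, decisions):
    """Simplified combining algorithms; XACML 3.0 also distinguishes Indeterminate{D/P/DP}."""
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    order = {"deny-overrides": (DENY, INDETERMINATE, PERMIT),
             "permit-overrides": (PERMIT, INDETERMINATE, DENY)}[algorithm]
    return next((d for d in order if d in decisions), NOT_APPLICABLE)


@dataclass
class Rule:
    effect: str
    condition: Callable[[dict], bool]

    def evaluate(self, ctx):
        try:
            return self.effect if self.condition(ctx) else NOT_APPLICABLE
        except KeyError:  # an attribute the condition needs is missing: "I don't know"
            return INDETERMINATE


@dataclass
class Policy:
    target: dict          # category -> {attribute: value}; all must match
    rules: list
    combining: str = "deny-overrides"
    obligations: list = field(default_factory=list)  # returned only with Permit

    def evaluate(self, ctx):
        if not all(ctx.get(cat, {}).get(attr) == value
                   for cat, attrs in self.target.items() for attr, value in attrs.items()):
            return NOT_APPLICABLE, []
        decision = combine(self.combining, [rule.evaluate(ctx) for rule in self.rules])
        return decision, (list(self.obligations) if decision == PERMIT else [])


@dataclass
class PolicySet:
    policies: list
    combining: str = "first-applicable"

    def evaluate(self, ctx):
        results = [policy.evaluate(ctx) for policy in self.policies]
        decision = combine(self.combining, [d for d, _ in results])
        return decision, [o for d, obs in results if d == decision for o in obs]


def pdp(policy_set, request):
    """Decision request in, (decision, obligations) out."""
    return policy_set.evaluate(context_handler(request))


def pep_allows(decision, obligations, can_discharge=("log-access",)):
    """A PEP may act on Permit only if it can discharge every obligation."""
    return decision == PERMIT and all(o in can_discharge for o in obligations)


# Constructed policy: active sales staff may read the price list; anything else is denied.
POLICY_SET = PolicySet([
    Policy(target={"Resource": {"resource-id": PRICELIST}},
           rules=[Rule(PERMIT, lambda c: c["Subject"]["department"] == "sales"
                       and c["Action"]["action-id"] == "read"),
                  Rule(DENY, lambda c: c["Subject"]["employee-status"] != "active")],
           obligations=["log-access"]),
    Policy(target={}, rules=[Rule(DENY, lambda c: True)]),
])


def request_for(subject, action="read", resource=PRICELIST):
    """Same shape as the JSON request on the slide."""
    return {"Subject": {"subject-id": subject}, "Action": {"action-id": action},
            "Resource": {"resource-id": resource}}


def demo():
    out = {"gil": pdp(POLICY_SET, request_for("gil@gilkirkpatrick.com")),
           "bob": pdp(POLICY_SET, request_for("bob@example.com")),
           "mallory": pdp(POLICY_SET, request_for("mallory@example.com"))}
    out["pep_gil"] = pep_allows(*out["gil"])
    DIRECTORY["gil@gilkirkpatrick.com"]["employee-status"] = "terminated"  # deprovisioned...
    out["gil_terminated"] = pdp(POLICY_SET, request_for("gil@gilkirkpatrick.com"))  # ...denied at once
    DIRECTORY["gil@gilkirkpatrick.com"]["employee-status"] = "active"
    return out
```

gil gets Permit with a log-access obligation, bob falls through to the catch-all Deny, and mallory, who is not in the directory at all, gets Indeterminate because the rules cannot evaluate their conditions; a PEP must treat both of the latter as a refusal.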
XACML
Pros
§  Externalizes authZ
§  Standardized policy language
§  Well thought out
§  Flexible and extensible
§  XML-based
§  Instantaneous deprovisioning
§  Can work with pretty much any application
§  Plenty of vendors
§  Incorporates application and user
Cons
§ Over-elaborated for many scenarios
§ Does not address passwords, user authentication or consent
§ Every access implies IPC
UMA
User-Managed Access (UMA)
§ Described as a new profile of OAuth 2
§ But starts with some different fundamental assumptions
§ Not fully baked…
Different Assumptions Than OAuth2
§ Controls access by people who are not the resource owner
§ Defines access using resource sets and scopes (“nouns and verbs”)
§ Formalizes the relationship between resource servers and authorization servers
§ Explicit recognition of responsible parties as part of the “Binding Obligations” spec
UMA Roles
Resource Owner: entity that can make authorization decisions about a resource
Requesting Party: the entity that seeks to access a resource using a client
Client: an application making resource requests on the requesting party’s behalf
Resource Server: service that provides access to resources through APIs
Authorization Server (AS): service that governs access to resources by creating tokens
UMA Tokens
RPT, Requesting Party Token: represents the authorization status of the requesting party and client, aka “the user”
PAT, Protection API Token: OAuth2 token the resource server uses to register itself and its resource sets with the authorization server
AAT, Authorization API Token: OAuth2 token used to protect access to the authorization API of the authorization server; it associates the requesting party, the client, and the authorization server
Note (later than this 2014 deck): UMA 2.0 (2018) dropped the AAT; the PAT and RPT remain, and the client instead pushes claims to the AS or is redirected there for claims gathering.
Canonical UMA Flow
(Figure: sequence diagram; step labels as numbered in the diagram, where two numbers appear twice)
1  Register application (client with the AS)
2  Register RS (with the AS)
3  PAT (issued to the RS)
4  Register resource set (RS → AS, using the PAT)
4  Authenticate client
6  Authenticate (requesting party to the AS)
7  AAT (issued to the client)
7  Operate client (requesting party)
9  Request resource (client → RS)
10 Register permission (RS → AS)
11 Grant permission ticket (AS → RS → client)
12 Request RPT (client → AS, presenting the ticket and AAT)
13 Protected resource (client → RS with the RPT; RS returns the resource)
Responsibility for Authorization Decision
(Figure: Authorization Server versus Resource Server)
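The UMA flow and the split of responsibility above, as an added worked example in Python. It is not ViewDS code and is a simplification of UMA 1.0, not the spec’s own text: one process holds an AS with the protection API (authorized by the PAT) and the authorization API (authorized by the AAT), an RS that registers its resource set and asks the AS for permission tickets, and a client that trades a ticket for an RPT. The owner “alice”, the resource set “vacation-photos” with scopes view and delete, the requesting parties “bob” and “eve”, the client id, and alice’s sharing policy are assumptions. The point to watch is that the RS never decides anything: it registers what was attempted and introspects the RPT, while the owner’s policy is evaluated at the AS.

```python
"""Added example (not ViewDS code; a simplification of UMA 1.0, not the spec's
text): AS with protection and authorization APIs, RS, and client in one process.
Owner, requesting parties, resource set, scopes and the sharing policy are assumed."""
import secrets


class UmaAuthorizationServer:
    """Governs access by issuing tokens; the owner's policy lives here, not in the RS."""

    def __init__(self):
        self.pats = {}           # PAT -> resource server id
        self.aats = {}           # AAT -> (requesting party, client id)
        self.resource_sets = {}  # resource set id -> {"owner", "name", "scopes"}
        self.tickets = {}        # permission ticket -> (resource set id, scopes)
        self.rpts = {}           # RPT -> {(resource set id, scope), ...}
        self.policies = {}       # owner -> [(resource name, requesting party, scopes)]

    @staticmethod
    def _require(cond, msg):
        if not cond:
            raise PermissionError(msg)

    @staticmethod
    def _mint(store, value):
        token = secrets.token_urlsafe(16)
        store[token] = value
        return token

    # Protection API: used by the RS, authorized by its PAT.
    def issue_pat(self, rs_id):
        return self._mint(self.pats, rs_id)

    def register_resource_set(self, pat, owner, name, scopes):
        self._require(pat in self.pats, "bad PAT")
        return self._mint(self.resource_sets, {"owner": owner, "name": name, "scopes": set(scopes)})

    def register_permission(self, pat, rsid, scopes):
        """RS records what the client tried to do and receives a ticket for it."""
        self._require(pat in self.pats and rsid in self.resource_sets, "bad PAT or resource set")
        self._require(set(scopes) <= self.resource_sets[rsid]["scopes"], "unknown scope")
        return self._mint(self.tickets, (rsid, tuple(scopes)))

    def introspect(self, pat, rpt):
        self._require(pat in self.pats, "bad PAT")
        return self.rpts.get(rpt)

    # Authorization API: used by the client, authorized by the requesting party's AAT.
    def issue_aat(self, requesting_party, client_id):
        return self._mint(self.aats, (requesting_party, client_id))

    def request_rpt(self, aat, ticket):
        """The authorization decision: does the owner's policy give this party these scopes?"""
        self._require(aat in self.aats, "bad AAT")
        party = self.aats[aat][0]
        rsid, scopes = self.tickets.pop(ticket, (None, ()))   # tickets are single use
        self._require(rsid is not None, "bad or already used ticket")
        rset = self.resource_sets[rsid]
        granted = {s for name, who, scs in self.policies.get(rset["owner"], [])
                   if name == rset["name"] and who == party for s in scs}
        self._require(set(scopes) <= granted, "owner policy does not permit")
        return self._mint(self.rpts, {(rsid, s) for s in scopes})


class UmaResourceServer:
    """Enforces only: it asks the AS whether an RPT carries the needed permission."""

    def __init__(self, authz, rs_id):
        self.authz, self.pat, self.ids = authz, authz.issue_pat(rs_id), {}

    def protect(self, owner, name, scopes):
        self.ids[name] = self.authz.register_resource_set(self.pat, owner, name, scopes)

    def get(self, name, scope, rpt=None):
        rsid = self.ids[name]
        perms = self.authz.introspect(self.pat, rpt) if rpt else None
        if perms and (rsid, scope) in perms:
            return 200, f"{scope} on {name}"
        return 403, {"ticket": self.authz.register_permission(self.pat, rsid, [scope])}


def client_fetch(rs, authz, aat, name, scope):
    """Client: try without an RPT, trade the returned ticket for an RPT, retry."""
    status, body = rs.get(name, scope)
    if status == 403:
        try:
            rpt = authz.request_rpt(aat, body["ticket"])
        except PermissionError:
            return 403, "not authorized by the owner's policy"
        status, body = rs.get(name, scope, rpt)
    return status, body


def demo():
    authz = UmaAuthorizationServer()
    rs = UmaResourceServer(authz, "photos.example")
    rs.protect("alice", "vacation-photos", ["view", "delete"])        # resource set, via PAT
    authz.policies["alice"] = [("vacation-photos", "bob", ["view"])]  # alice shares view with bob
    bob = authz.issue_aat("bob", "photo-viewer")
    eve = authz.issue_aat("eve", "photo-viewer")
    return {"bob_view": client_fetch(rs, authz, bob, "vacation-photos", "view")[0],
            "bob_delete": client_fetch(rs, authz, bob, "vacation-photos", "delete")[0],
            "eve_view": client_fetch(rs, authz, eve, "vacation-photos", "view")[0],
            "no_rpt": rs.get("vacation-photos", "view")[0]}
```

bob can view but not delete, eve gets nothing, and a request without an RPT is always answered with a fresh ticket rather than a decision; changing alice’s policy entry changes the outcome on the next ticket exchange without any change to the RS.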
UMA
Pros
§ Externalizes authZ from the application
§ Fits well with web architecture
§ Accommodates policy-based authorization
§ Supports user and application authN and authZ
§ Puts the resource owner in control
§ Leverages OAuth2
Cons
§ Not fully baked
§ Appears complex
§ No definition of policy
§ No major adopters… early days yet
Scorecard
(Figure: a table rating XACML, OAuth2 and UMA against the ingredients; the cell marks were graphics and only the headings survive)
Criteria: Reduces password use | Separates authZ code from app | Resource owners define policy | Policy instead of code | Mobile, web, and API friendly | RBAC | ABAC | CBAC | Scalable and fast
Rows: XACML, OAuth2, UMA (the UMA row is marked “?”)
The Chef Recommends
§ Use OAuth2 to externalize web authN and authZ
§ Use XACML as the authorization policy engine behind the authorization server
§ Keep an eye on UMA: it formalizes a lot of things people are doing with OAuth2 on an ad hoc basis
Q&A

CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Más de CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

CIS14: Authorization: It's What's for Dessert

  • 1. nmelbournensydneynsantacruz www.viewds.com n e w Cookies and Hash: Basic Identity and Access Management Recipes Authorization Gil Kirkpatrick gil.kirkpatrick@viewds.com
  • 2. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m 2  h#p://www.twistedoak.com/assets/client/File/chix/mary-­‐jean-­‐stclaire-­‐Take-­‐a-­‐Chicken-­‐to-­‐Dinner-­‐Tahoefull.jpg  
  • 3. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Ingredient #0 3 No f*cking passwords!
  • 4. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Ingredient #1 4 § Develop your identity strategy starting with your authorization and audit requirements §  Identify your most critical/sensitive data, applications, and apis §  What attributes do you need to decide who is allowed to do what? §  Where do those attributes come from? §  How do you trust those attributes? §  What is their lifecycle? §  Who owns them?
  • 5. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Ingredient #2 5 § Separate authorization code from the application § Manageability § Auditability § Security § Maintainability § Convenience § Efficiency
  • 6. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Externalizing Identity and Access Management IdenBty   LDAP directories Cloud identity stores AuthenBcaBon   Kerberos SAML OpenID Connect Audit   Syslog Windows event log AuthorizaBon   XACML OAuth 2 UMA
  • 7. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Ingredient #3 7 § Have resource owners define authorization policy § Otherwise you get Surprise du Chef § App devs and IT can’t say what the authorization policy should be
  • 8. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Ingredient #4 8 § Authorization policy, not authorization code § Remove developers from the authZ policy loop § Give resource owners the tools to manage who gets access to their stuff
  • 9. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Ingredient #5 9 § Authorization has to be fast and scalable § Mobile friendly § Web friendly § API friendly
  • 10. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Ingredient #6 10 § Accommodate different authorization models §  User consent §  Role-based Access Control (RBAC) §  Attribute-based Access Control (ABAC) §  Context-based Access Control (CBAC)
  • 11. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Authorization Technologies 11 XACMLOAuth 2 UMA
  • 13. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m OAuth 2 § The motivation – eliminate the “Password Anti-Pattern” on the web §  Giving my FB password to Twitter so my tweets show up on my timeline §  Giving my FB password to Instagram so my photos show up on my timeline §  Giving my FB pass…. You get the idea § Answers the question “How to I allow this program I am using controlled access to my stuff?” §  Authorizing an application, used by the resource owner §  Substantially different scenario than XACML
  • 14. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m The Fundamental Idea § Instead of giving my FB password to Twitter I will make FB give Twitter a token § Twitter can use the token instead of my password § The token will only let Twitter do certain things (scope) that I say it can do, like access my pictures § The token only works for a certain amount of time in case it gets stolen so Twitter has to periodically renew the token
  • 15. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Canonical OAuth2 Roles 15 Resource Owner (RO) Client Authorization Server (AS) Resource Server (RS) Entity that can make authorization decisions about a resource Program that needs to access a protected resource on behalf of the resource owner Program that issues tokens after authenticating the owner and getting authorization Server that implements the protected resource
  • 16. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m OAuth2 Tokens 16 Access Access token – presented to the resource server to get access to a particular scope AuthZ Grant   AuthZ grant – Represents the owners consent to access with a particular scope Refres h Refresh token - Used to generate another access token without requiring the resource owner to reauthorize the request
  • 17. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m 17 Canonical OAuth2 Flow AuthZ  Request AuthZ  Grant AuthZ  Grant Access  Token (Refresh  Token) Refresh  Token Protected  Resource Access  Token Protected  Resource Access  Token Access  Token Access  Token Protected  Resource Authenticate
  • 18. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Grant: Authorization Code 18 Notes: •  Client pre-registers return URI and obtains credentials from AS •  Client authenticates with AS when redeeming access code •  Access token optionally includes a refresh token 3  AuthZ request 5  AuthZ Grant 4  AuthN/AuthZ 6  AuthZ Grant 7  Access Token 1  Access  with no  token 2  Access denied 10  Protected resource 8  Access  with token 9  Validate token
  • 19. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m 19 Grant: Implicit Notes: 1.  Client pre-registers return URI and obtains an identifier 2.  Client does not authenticate with AS 3.  Client is typically supported by Javascript running in browser to parse out token 4.  Refresh tokens are not supported 3  AuthZ request 4  AuthN/AuthZ 5  Access Token 1  Access  with no  token 2  Access denied 7  Protected resource 6  Access  with token JS
  • 20. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m 20 Grant: Client Credentials 3  AuthZ request 4  Access Token 1  Access  with no  token 2  Access denied 6  Protected resource 5  Access  with token Notes: 1.  No resource owner involvement in authorization flow 2.  Client authenticates with AS 3.  Authorization policy determined by prior configuration 4.  Refresh tokens are not supported
  • 21. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m 21 Grant: Resource Owner Credentials 4  AuthZ request 3  Username  and   password 5  Access Token 1  Access  with no  token 2  Access denied 7  Protected resource 6  Access  with token Notes: 1.  Resource owner provides resource credentials to client 2.  Client authenticates with AS and provides RO’s credentials 3.  Refresh tokens are supported
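The roles, tokens and authorization-code steps on slides 15 to 18 in working form, as an added example that is not ViewDS code or any real OAuth 2 library: a toy authorization server that issues a single-use code bound to a pre-registered client and redirect URI, requires client authentication to redeem it (slide 18 notes), issues scoped, time-limited access tokens with rotating refresh tokens, and a resource server that validates token scope and expiry (steps 8 to 10). The `revoke_owner` method exists to show the deprovisioning caveat from slide 24: revocation stops refresh immediately, but an already issued access token keeps working until it expires. Client names, secrets, scopes and lifetimes are constructed for the example.

```python
"""Toy OAuth 2 authorization-code grant (added example, not ViewDS code).

Assumptions: in-memory stores, opaque random tokens, token introspection done by
a direct call from the RS to the AS; a `now` parameter replaces the wall clock so
the lifetime behaviour can be exercised deterministically.
"""
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 60        # seconds an authorization code stays redeemable
ACCESS_TTL = 3600    # access-token lifetime; also the worst-case deprovisioning delay


@dataclass
class Token:
    client_id: str
    owner: str
    scope: frozenset
    expires_at: float


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> (secret, registered redirect_uri)
        self.codes = {}     # code -> (client_id, owner, scope, expires_at)
        self.access = {}    # access token -> Token
        self.refresh = {}   # refresh token -> (client_id, owner, scope)

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = (secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, owner, requested_scope, consented_scope, now=None):
        """Steps 3-5: RO authenticates and consents; AS hands back a code bound to the client."""
        now = time.time() if now is None else now
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        scope = frozenset(requested_scope) & frozenset(consented_scope)  # RO may narrow the scope
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, owner, scope, now + CODE_TTL)
        return code

    def _authenticate_client(self, client_id, secret):
        if self.clients.get(client_id, (None,))[0] != secret:
            raise PermissionError("client authentication failed")

    def redeem_code(self, client_id, secret, code, now=None):
        """Steps 6-7: the client authenticates and exchanges the single-use code for tokens."""
        now = time.time() if now is None else now
        self._authenticate_client(client_id, secret)
        entry = self.codes.pop(code, None)  # pop first: a code is consumed even on failure
        if entry is None or entry[0] != client_id or entry[3] < now:
            raise PermissionError("invalid, expired, or foreign authorization code")
        _, owner, scope, _ = entry
        return self._issue(client_id, owner, scope, now)

    def refresh_token(self, client_id, secret, refresh, now=None):
        """Get a new access token without re-consent; the refresh token is rotated."""
        now = time.time() if now is None else now
        self._authenticate_client(client_id, secret)
        entry = self.refresh.pop(refresh, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid refresh token")
        _, owner, scope = entry
        return self._issue(client_id, owner, scope, now)

    def revoke_owner(self, owner):
        """Deprovisioning: refresh tokens die now; access tokens live until they expire."""
        self.refresh = {k: v for k, v in self.refresh.items() if v[1] != owner}

    def _issue(self, client_id, owner, scope, now):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = Token(client_id, owner, scope, now + ACCESS_TTL)
        self.refresh[refresh] = (client_id, owner, scope)
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def introspect(self, access, now=None):
        """Step 9: the RS asks whether the token is live and what scope it carries."""
        now = time.time() if now is None else now
        tok = self.access.get(access)
        return None if tok is None or tok.expires_at < now else tok


class ResourceServer:
    def __init__(self, auth_server, required_scope):
        self.auth_server = auth_server
        self.required_scope = required_scope  # the scope string this resource demands

    def get_resource(self, access_token, now=None):
        """Steps 8-10: validate the token, check scope, then serve."""
        tok = self.auth_server.introspect(access_token, now)
        if tok is None:
            return 401, "access denied: no valid token"
        if self.required_scope not in tok.scope:
            return 403, "insufficient scope"
        return 200, f"photos of {tok.owner}"
```

The scope check lives in the resource server, which is exactly the coupling slide 23 complains about: the AS, the RS and the client all have to agree on what the string `photos` means.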
  • 22. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Scopes 22
  • 23. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Scopes § What they are §  Set of space-delimited strings § What they mean §  ACL? Permission? Claims? Policy identifier? Operation? § Problem §  Creates coupling between authorization server, resource server, and client application 23
  • 24. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m OAuth 2 Pros § Externalizes authZ from application § Integrates user authentication, app authorization and user consent § Fits well with web architecture § Easy-ish to implement § Performance should be excellent Cons § Policies? We don’t need no stinkin’ policies. § Deprovisioning timing subject to token lifetime constraints § Design of scopes is left to the reader §  Coupling between client, AS and RS § Not really oriented to enterprise scenarios, but… 24
  • 25. Copyright © 2014 ViewDS Identity Solutions www.viewds.co m Architectural Differences between Oauth and XACML §  In Oauth and UMA, you authz once to get a token, then use the token for many transactions §  Efficient §  But unauthorization is not immediate and depends on token lifetime §  Makes contextual authorization problematic §  In XACML, the PDP evaluates every single transaction §  Relatively inefficient, promotes complexity with caching, etc. §  But you can deaut §  In Oauth, the authorization process happens in two places: the AS and the RS §  In XACML the AS makes the authorization decision §  In UMA you §  Client, AS, and RS all have to have a common understanding of scopes, and scopes are left to the reader §  An unfortunate coupling between components that should evolve separately §  In XACML, RS and AS work at arm’s length §  The RS provides a minimal set of attributes to identify the policy §  The Context Handler fills in the blanks §  The PDP says yes or no 25
  • 26. XACML
  • 27. ~ } Copyright © 2014 ViewDS Identity Solutions www.viewds.co m XACML is dead. Andras Cser, Forrester May 2013 http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead 27
  • 28. ~ } Copyright © 2014 ViewDS Identity Solutions www.viewds.co m The rumours of XACML’s death are greatly exaggerated. Dave Wilson, ViewDS 2013 With a tip of the hat to Samuel Clemens aka Mark Twain
  • 29. ~ } Copyright © 2014 ViewDS Identity Solutions www.viewds.co m XACML isn’t dead, it just smells funny. Gil Kirkpatrick, ViewDS 2014 With a tip of the hat to Frank Zappa
  • 30. XACML
    § eXtensible Access Control Markup Language
    § Architecture for application authorization
    § Standardized XML-based policy language
      § Attribute-based
      § Fine-grained
      § Extensible
    § Standardized authorization request protocols
      § SOAPy
      § RESTful
    § Programmatic APIs (OpenAZ and EzAz)
  • 31. XACML Data Flow [diagram; recoverable labels: components are the Access requestor, Policy enforcement point, Context handler, Policy decision point, Policy administration point, Policy information point, Obligation service, Subjects, Resources and Environment; messages are Access request, Request notification, Request, Attribute queries, Attributes, Response, Response context, Attribute query, Resource content, Subject attributes, Resource attributes, Environment attributes, Policy, and Obligations]
  • 32. XACML: A machine that turns attributes and policies into decisions (Allow, Deny, I don't know) plus Obligations and Advice [diagram: Policy in, decision out]
  • 33. XACML Flow [diagram: AuthZ Request and AuthZ Response carried as SAML/XML or REST/JSON; LDAP request and LDAP response]
  • 34.
    <Request>
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
          <AttributeValue>gil@gilkirkpatrick.com</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>http://app.example.com/projects/docs/pricelist2014.html</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
    </Request>
  • 35.
    {
      "Request": {
        "Subject": {
          "Attribute": { "Id": "subject-id", "Value": "gil@gilkirkpatrick.com" }
        },
        "Action": {
          "Attribute": { "Id": "action-id", "Value": "read" }
        },
        "Resource": {
          "Attribute": { "Id": "resource-id", "Value": "http://app.example.com/projects/docs/pricelist2014.html" }
        }
      }
    }
  • 36. XACML Policy Model
    § Policy Set
      § Policy combining algorithm
      § Policies
    § Policy
      § Target
      § Rules
      § Rule combining algorithm
      § Obligations
      § Advice
    § Target
      § Resource
      § Subject
      § Operation
    § Rule
      § Condition
      § Effect
        § Allow
        § Deny
  • 37. XACML Pros
    § Externalizes authZ
    § Standardized policy language
    § Well thought out
    § Flexible and extensible
    § XML-based
    § Instantaneous deprovisioning
    § Can work with pretty much any application
    § Plenty of vendors
    § Incorporates application and user
    Cons
    § Over-elaborated for many scenarios
    § Does not address passwords, user authentication or consent
    § Every access implies IPC
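As an added example (not ViewDS code and not an OASIS reference implementation), a toy Python policy decision point over the policy model above: a policy set with a policy-combining algorithm, policies with a target, rules with a condition and an effect, a rule-combining algorithm, and obligations and advice attached to the decision. The request dictionaries reuse the simplified subject-id / action-id / resource-id shape of the JSON request slide; the policy itself, the write and "other resource" requests, and the obligation and advice identifiers are constructed for the example.

```python
"""Toy XACML-style policy decision point: added example, not ViewDS or OASIS code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A request in the simplified JSON shape used on the request slide: category -> {attribute id: value}
Request = Dict[str, Dict[str, str]]

# Request taken from the slide's JSON example.
READ_REQUEST: Request = {
    "Subject": {"subject-id": "gil@gilkirkpatrick.com"},
    "Action": {"action-id": "read"},
    "Resource": {"resource-id": "http://app.example.com/projects/docs/pricelist2014.html"},
}
# Two constructed variants: the same subject trying to write, and an unrelated resource.
WRITE_REQUEST: Request = {**READ_REQUEST, "Action": {"action-id": "write"}}
OTHER_REQUEST: Request = {**READ_REQUEST, "Resource": {"resource-id": "http://app.example.com/hr/payroll.csv"}}


def attr(req: Request, category: str, attr_id: str) -> str:
    """Look up one attribute; a missing attribute is the empty string, never a crash."""
    return req.get(category, {}).get(attr_id, "")


@dataclass
class Rule:
    effect: str                                # "Permit" or "Deny"
    condition: Callable[[Request], bool]       # when the rule applies


@dataclass
class Policy:
    target: Callable[[Request], bool]          # which resource / subject / operation the policy covers
    rules: List[Rule]
    rule_combining: str = "deny-overrides"
    obligations: Dict[str, List[str]] = field(default_factory=dict)   # effect -> obligation ids
    advice: Dict[str, List[str]] = field(default_factory=dict)        # effect -> advice ids


@dataclass
class PolicySet:
    policies: List[Policy]
    policy_combining: str = "deny-overrides"


@dataclass
class Decision:
    decision: str                              # "Permit", "Deny" or "NotApplicable" ("I don't know")
    obligations: List[str] = field(default_factory=list)
    advice: List[str] = field(default_factory=list)


def combine(decisions: List[str], algorithm: str) -> str:
    """Rule-combining and policy-combining share one implementation."""
    applicable = [d for d in decisions if d != "NotApplicable"]
    if not applicable:
        return "NotApplicable"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in applicable else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in applicable else "Deny"
    if algorithm == "first-applicable":
        return applicable[0]
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def evaluate_policy(policy: Policy, req: Request) -> Decision:
    if not policy.target(req):                 # target miss: this policy has nothing to say
        return Decision("NotApplicable")
    outcomes = [rule.effect if rule.condition(req) else "NotApplicable" for rule in policy.rules]
    result = combine(outcomes, policy.rule_combining)
    return Decision(result, list(policy.obligations.get(result, [])), list(policy.advice.get(result, [])))


def evaluate(policy_set: PolicySet, req: Request) -> Decision:
    """The PDP entry point: attributes + policies in, decision (plus obligations/advice) out."""
    results = [evaluate_policy(p, req) for p in policy_set.policies]
    final = Decision(combine([r.decision for r in results], policy_set.policy_combining))
    # Obligations and advice travel only with policies whose own decision matches the final one.
    for r in results:
        if r.decision == final.decision:
            final.obligations += r.obligations
            final.advice += r.advice
    return final


# Constructed policy set: anyone at gilkirkpatrick.com may read project docs, nobody may modify
# them through this application, and every permitted read must be logged (an obligation).
DOCS_PREFIX = "http://app.example.com/projects/docs/"
POLICY_SET = PolicySet([
    Policy(
        target=lambda r: attr(r, "Resource", "resource-id").startswith(DOCS_PREFIX),
        rules=[
            Rule("Permit", lambda r: attr(r, "Action", "action-id") == "read"
                 and attr(r, "Subject", "subject-id").endswith("@gilkirkpatrick.com")),
            Rule("Deny", lambda r: attr(r, "Action", "action-id") in ("write", "delete")),
        ],
        obligations={"Permit": ["log-access"]},
        advice={"Deny": ["contact-doc-owner"]},
    ),
])

if __name__ == "__main__":
    for name, req in [("read", READ_REQUEST), ("write", WRITE_REQUEST), ("other", OTHER_REQUEST)]:
        print(name, evaluate(POLICY_SET, req))
```

The three requests exercise the three answers a PDP can give: the slide's read request is permitted and carries the log-access obligation, the write variant is denied by the second rule, and the payroll file misses the policy's target, so the answer is NotApplicable ("I don't know") and the enforcement point has to decide what to do with it.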
  • 38. UMA
  • 39. User-Managed Authorization
    § Described as a new profile of OAuth 2
    § But starts with some different fundamental assumptions
    § Not fully baked…
  • 40. Different Assumptions Than OAuth2
    § Controls access by people who are not the resource owner
    § Defines access using resource sets and scopes ("nouns and verbs")
    § Formalizes the relationship between resource servers and authorization servers
    § Explicit recognition of responsible parties as part of the "Binding Obligations" spec
  • 41. UMA Roles
    § Resource Owner: entity that can make authorization decisions about a resource
    § Requesting Party: the entity that seeks to access a resource using a client
    § Client: an application making resource requests on the requesting party's behalf
    § Resource Server: service that provides access to resources through APIs
    § Authorization Server (AS): service that governs access to resources by creating tokens
  • 42. UMA Tokens
    § RPT (Requesting Party Token): token that represents the authorization status of the requesting party and client, aka "the user"
    § PAT (Protection API Token): OAuth2 token used to register the resource server and resource sets
    § AAT (Authorization API Token): OAuth2 token used to protect access to the authorization API of the authorization server. It associates the requesting party, the client, and the authorization server
  • 43. Canonical UMA Flow [diagram; step labels as on the slide]
    1. Register application
    2. Register RS
    3. PAT
    4. Register resource set
    4. Authenticate client
    6. Authenticate
    7. AAT
    7. Operate client
    9. Request resource
    10. Register permission
    11. Grant perm ticket
    12. Request RPT
    13. Protected resource
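The roles, tokens and numbered steps on the last three slides, as an added in-process walk-through in Python (not ViewDS code and not a UMA implementation: every endpoint is a method call, every token a random string, and the resource server, client, requesting party, document and owner policy are constructed). Two details are assumptions of this example rather than statements from the slides: permission tickets are single use, and the resource server checks an RPT by asking the authorization server about it (introspection) instead of trusting it locally.

```python
"""Toy in-process walk-through of the canonical UMA flow: added example, not ViewDS code
and not a real UMA implementation. Endpoints are method calls, tokens are random strings."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def new_token() -> str:
    return secrets.token_urlsafe(16)


@dataclass
class AuthorizationServer:
    """Issues PATs to resource servers, AATs to clients acting for a requesting party, and RPTs."""
    pats: Dict[str, str] = field(default_factory=dict)                   # PAT -> resource server id
    aats: Dict[str, Tuple[str, str]] = field(default_factory=dict)       # AAT -> (client id, requesting party)
    resource_sets: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)  # set id -> (rs id, scopes)
    tickets: Dict[str, Tuple[str, str]] = field(default_factory=dict)    # permission ticket -> (set id, scope)
    rpts: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)  # RPT -> (party, set id, scope)
    policy: Dict[str, Set[str]] = field(default_factory=dict)            # set id -> parties the owner allows

    def register_rs(self, rs_id: str) -> str:
        """Steps 2-3: the resource server registers and receives its PAT."""
        pat = new_token()
        self.pats[pat] = rs_id
        return pat

    def _rs_for(self, pat: str) -> str:
        if pat not in self.pats:
            raise PermissionError("unknown PAT")
        return self.pats[pat]

    def register_resource_set(self, pat: str, scopes: Set[str]) -> str:
        """Step 4: protection API call, authorized by the PAT."""
        set_id = new_token()
        self.resource_sets[set_id] = (self._rs_for(pat), set(scopes))
        return set_id

    def set_policy(self, set_id: str, allowed_parties: Set[str]) -> None:
        """The resource owner, not the application developer, decides who may obtain an RPT."""
        self.policy[set_id] = set(allowed_parties)

    def issue_aat(self, client_id: str, party: str) -> str:
        """Steps 6-7: requesting party and client authenticate; the AAT binds them to this AS."""
        aat = new_token()
        self.aats[aat] = (client_id, party)
        return aat

    def register_permission(self, pat: str, set_id: str, scope: str) -> str:
        """Steps 10-11: the RS registers the permission it needs and gets a one-time ticket."""
        rs_id, scopes = self.resource_sets[set_id]
        if rs_id != self._rs_for(pat) or scope not in scopes:
            raise PermissionError("resource set not owned by this RS, or scope undefined")
        ticket = new_token()
        self.tickets[ticket] = (set_id, scope)
        return ticket

    def request_rpt(self, aat: str, ticket: str) -> Optional[str]:
        """Step 12: authorization API; the owner's policy decides whether an RPT is issued."""
        _client_id, party = self.aats[aat]
        set_id, scope = self.tickets.pop(ticket)           # assumption: tickets are single use
        if party not in self.policy.get(set_id, set()):
            return None                                    # policy says no: no token
        rpt = new_token()
        self.rpts[rpt] = (party, set_id, scope)
        return rpt

    def introspect(self, pat: str, rpt: str) -> Optional[Tuple[str, str, str]]:
        """Assumption: the RS asks the AS what an RPT is currently good for (None if unknown)."""
        self._rs_for(pat)
        return self.rpts.get(rpt)


@dataclass
class ResourceServer:
    auth: AuthorizationServer
    pat: str
    content: Dict[str, str] = field(default_factory=dict)  # set id -> protected document

    def protect(self, document: str, scopes: Set[str]) -> str:
        set_id = self.auth.register_resource_set(self.pat, scopes)
        self.content[set_id] = document
        return set_id

    def get(self, set_id: str, rpt: Optional[str] = None) -> Tuple[int, str]:
        """Steps 9 and 13: without a usable RPT the answer is 403 plus a permission ticket."""
        if rpt is not None:
            grant = self.auth.introspect(self.pat, rpt)
            if grant and grant[1] == set_id and grant[2] == "read":
                return 200, self.content[set_id]
        return 403, self.auth.register_permission(self.pat, set_id, "read")


def canonical_flow(owner_allows: bool) -> Tuple[int, str]:
    """Run the whole flow for a constructed requesting party; returns the final (status, body)."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth, auth.register_rs("docs-rs"))
    set_id = rs.protect("pricelist2014.html contents", {"read", "write"})
    auth.set_policy(set_id, {"bob@example.com"} if owner_allows else set())
    aat = auth.issue_aat("docs-client", "bob@example.com")
    status, ticket = rs.get(set_id)                        # 9: first try, no RPT yet
    if status != 403:
        raise RuntimeError("expected a permission ticket")
    rpt = auth.request_rpt(aat, ticket)                    # 12: present ticket with the AAT
    if rpt is None:
        return 403, "authorization server refused to issue an RPT"
    return rs.get(set_id, rpt)                             # 13: protected resource
```

Because the resource server asks the authorization server about the RPT on every access, a change to the owner's policy is visible at the next request; that is the same per-access round trip the OAuth-versus-XACML slide counts against XACML, and it is the price of not depending on token lifetime for unauthorization.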
  • 44. Responsibility for Authorization Decision [diagram: Authorization Server and Resource Server]
  • 45. UMA Pros
    § Externalizes authZ from application
    § Fits well with web architecture
    § Accommodates policy-based authorization
    § Supports user and application authN and authZ
    § Puts resource owner in control
    § Leverages OAuth2
    Cons
    § Not fully baked
    § Appears complex
    § No definition of policy
    § No major adopters… early days yet
  • 46. [Comparison table; rows: Reduces password use, Separates authZ code from app, Resource owners define policy, Policy instead of code, Mobile, web, and API friendly, RBAC, ABAC, CBAC, Scalable and fast; columns: XACML, OAuth2, UMA; cell contents not recoverable]
  • 47. The Chef Recommends
    § Use OAuth2 to externalize web authN and authZ
    § Use XACML as the authorization policy engine behind the authorization server
    § Keep an eye on UMA: it formalizes a lot of things people are doing with OAuth2 on an ad hoc basis
  • 48. Q&A