esquema de pasos de ejecución idm
DESCRIPTION
Secuencia de pasos para usar el IdM y el pepProxy para ofrecer autenticación a nivel de oAuth (v2.0) para tus aplicaciones.TRANSCRIPT
Open APIs for Open Minds
Example of IdM authentication through use cases
Fernando López Aguilar([email protected], @flopezaguilar)
Content
1. Objectives of this presentation.
2. Scenario 1: Authenticate a Portal Web using the IdM and knowing user credentials.
3. Scenario 2: Authenticate a Portal Web using the IdM and unknowing user credentials.
4. Reference Information.
2
Objectives of this presentation
3
Objectives of this presentation
Purpose: develop via 2 Use Cases the management of the IdM which allows users familiarizing with it.
All the steps was checked internally and work properly.
Change the IP addresses for your own instance of IdM in order to translate to the presentation to your instance.
At the end of the presentation, you can find references to more documentation.
Other scenario? Translate it to us and we will try to help you.
4
Scenario 1:
Authenticate a Portal Web using the IdM and knowing user credentials.
5
Scenario 1: definition
We want to create a web application in order to access to an application.
We want that the portal could be authenticated using the IdM.
We want that the application receive a token of the portal and we want to validate it before make any other operation.
The application wants to get also the roles associated to the user.
It is not needed to translate to the IdM portal in order to introduce the user/password of the user. The web site knows this data and send them to the IdM.
Web Applications and GEs
Core Application
5) R
eque
st +
acce
ss-to
ken
1) Redirect, Get Access Code
3) request access-token
4) access-token
6) Validate token
7) OK + user info
2) access-code
IdM
Web AppOA
uth
Libra
ry
IP: a.b.c.dIP: e.f.g.h
Previous steps with IdM portal1) Create User
Previous steps with IdM portal2) Add an application with roles
Previous steps with IdM portal2) Add an application with roles
Previous steps with IdM portal2) Add an application with roles
Previous steps with IdM portal2) Add an application with roles
1) Redirect
First time, we have to redirect (go) to the IdM web site in order to authorize the access to the new application.
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2
1) Redirect
2) Access code
After clicking the “Accept” button, the browser redirect us to a page of our application:
http://e.f.g.h/login?code=gW6mpb4Ncfa22YHEf7g6RLqIUyWP_Xwl3IWmr2QgtXoPZmGDb_ZJud1qfoY2m1CCZAhndKtYpmZAKQAUBBZIdg
This is the callback URL specified in the registry of the application (Cloud Portal).
We get the “code” value. In this Scenario, we do not need to recover the details of it.
3) Request Access token
Para pedir un token de acceso conociendo el user/password desde tu aplicación web:
curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d grant_type=password&[email protected]&password=prueba
Donde Authorization es:
Base64(Client_ID:Client_Secret)
En este caso los valores de la slide 8
4) Access token
La llamada previa te devolverá el siguiente mensaje:
HTTP/1.1 200 OKContent-Type: application/json
{ "access_token": "RzE6PnLq6WfAD3okMuO5AwNUiSWbKbeyE6kMcQ3sX2Dk8no-Fqu8VEzAFcmFAPjUnZzHFEj-VSo6CTSniT5gxw", "expires_in": 2591999, "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg", "token_type": "bearer"}
5) Request + access-token
La llamada que se le quiera mandar a la aplicación pero tiendo en el HEADER el siguiente campo:
X-Auth-Token: RzE6PnLq6WfAD3okMuO5AwNUiSWbKbeyE6kMcQ3sX2Dk8no-Fqu8VEzAFcmFAPjUnZzHFEj-VSo6CTSniT5gxw
Este se obtiene de la llamada anterior “access_token”
6) Validate X-Auth-Token
Lo primero que tendremos que hacer es generar un token de administrador (24h de duración) para poder lanzar las peticiones.
curl -vv -s -d '{"auth": {"passwordCredentials": {"username":"pepProxy", "password": "pepProxy"}}}' -H "Content-type: application/json" http://a.b.c.d:4730/v2.0/tokens
Ojo de momento esos serían los datos de usuario/password que usa el PEP Proxy para generar el token, en un futuro se podría evaluar mantener un registos de PEP Proxy para que no haya un único dato.
6) Validate X-Auth-Token
La llamada anterior os devolverá el siguiente mensaje
{ "access": { "token": { "expires": "2015-07-09T15:16:07Z", "id": "5b2177e7e1e6592cb7ea168ce9c0e87f" }, "user": { "id": "pepProxy", "name": "pepProxy", "roles_links": [], "username": "pepProxy" } }}
6) Validate X-Auth-Token
Una vez que tenemos el token de administrador (una cada 24h) procedemos a validar el access_token que hemos recibido.
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/RzE6PnLq6WfAD3okMuO5AwNUiSWbKbeyE6kMcQ3sX2Dk8no-Fqu8VEzAFcmFAPjUnZzHFEj-VSo6CTSniT5gxw
X-Auth-Token es el que hemos obtenido en la slide 16 y el access-tokens procede de la slide 13.
Si esta operación nos devolviera:• 404 el access_token no es válido • 401 el X-Auth-Token no es válido (no autorizado)• 403 el X-Auth-Token no es válido (caducado)
6) Validate X-Auth-Token
Si no hay error devolverá:
{ "actorId": 1, "displayName": "prueba", "email": "[email protected]", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member"…
6) Validate X-Auth-Token
… } ] } ], "roles": [ { "id": 5, "name": "Provider" } ]}
Dónde se pueden observar los roles del usuario asociados a la organización (en rojo) y asociados a la aplicación (en azul).
Scenario 2:
Authenticate a Portal Web using the IdM and unknowing user credentials.
24
Scenario 2: definition
It is the same that the previous scenario.
• From slide 7 to 14, they are the same operations.
BUT the portal does not now the credentials of the users.
• Need to redirect to the IdM portal in order to introduce them.
• The IdM portal send the authorization to the portal.
Web Applications and GEs
Core Application
5) R
eque
st +
acce
ss-to
ken
1) Redirect, Get Access Code
3) request access-token
4) access-token
6) Validate token
7) OK + user info
2) access-code
IdM
Web AppOA
uth
Libra
ry
IP: a.b.c.dIP: e.f.g.h
1) Redirect
First time, we have to redirect (go) to the IdM web site in order to authorize the access to the new application.
https://a.b.c.d/oauth2/authorize?response_type=code&client_id=2
1) Redirect
2) Access code
After clicking the “Accept” button, the browser redirect us to a page of our application:
http://e.f.g.h/login?code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg
This is the callback URL specified in the registry of the application (Cloud Portal).
We get the “code” value, which will be used in order to authenticate user.
3) Request Access token
In order to request an access-token, without the knowledge of the credentials of the user:
curl -v --insecure -X POST https://a.b.c.d/oauth2/token -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic MjowYjE5MmUwZDlmMDFkOTgyNjdmMjM2NTM4YzZhNDlmODMxMGNhNmJlNTA2ODg4OTc2MDJhODk1ODVhYmQ2YTYyODRiMGU0MDY4MTBkMjc2YTYzNmE2Yzg1NTg2MjJhZGFjZjIyYmM3ZDg5MjNiNWVkYWQ2ZmU0ODhlNmZhOGRjZg==" -d "grant_type=authorization_code&code=ZNYy2HpyO1oMzalQ9-N2T1AIc0tnhTCuCziEG91PiPZPZYkJotzIBfZZlImfw4U7QpAwsgEGw4iakEL0n2FHlg&redirect_uri=http://localhost/login”
Where Authorization es:
Base64(Client_ID:Client_Secret)
3) Request Access token
Where Authorization es:
Base64(Client_ID:Client_Secret)
From the slide 8
And code is the value obtained in slide 27
4) Access token
The previous request will return the following information:
HTTP/1.1 200 OKContent-Type: application/json
{ "access_token": "3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA", "expires_in": 2591999, "refresh_token": "vEUA4j5oie7DCAzYy9PpXxgV4UsGJZx1B0ooEB-ewumULG_D2DdRs5dAtau-GXWeziWsvAQLEv9OIfG2DXP9lg", "token_type": "bearer"}
5) Request + access-token
The next request should be done with this X-Auth-Token value:
X-Auth-Token: 3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
From the access-token field from the precious request.
6) Validate X-Auth-Token
Assuming that you have a vaild token (see slides 18 &19, remember that it is 24 hour vaild only), we can validate the token that we have received in the X-Auth-Token.
curl --insecure -H "X-Auth-Token:5b2177e7e1e6592cb7ea168ce9c0e87f" http://a.b.c.d:4731/v2.0/access-tokens/3-EoxEo3tUas9tQJvxnDsAqkUEi38Ftmy5Ou_vPWNAtA9qyusJdP1LCB835b4WOB80_XLUziWOFdCs7qSHELlA
X-Auth-Token corresponds to the token obtained in slide 18 & 19 and access-token comes from slide 30.
It could return the following messages is something is wrong:• 404 Access_token not valid • 401 X-Auth-Token not valid (unauthorized)• 403 X-Auth-Token not valid (expired)
6) Validate X-Auth-Token
Si no hay error devolverá:
{ "actorId": 1, "displayName": "prueba", "email": "[email protected]", "id": 1, "nickName": "prueba", "organizations": [ { "id": 1, "name": "prueba", "roles": [ { "id": "8db87ccbca3b4d1ba4814c3bb0d63aab", "name": "Member"…
6) Validate X-Auth-Token
… } ] } ], "roles": [ { "id": 5, "name": "Provider" } ]}
In the same way that was shown in slides 5 & 6.
http://fi-ppp.eu
http://fi-ware.eu
Follow @Fiware on Twitter !
Thanks !
39