IDaaS - Modern Security for your Web Apps and APIs

Identity and access management are a core part of any solution design. Your web, mobile and rich client applications need a user login experience, typically with single sign-on (SSO); APIs are called from client-facing applications, from background workers, and through multiple application tiers; and there is the need for fine-grained authorization to control access to application areas, APIs, and other resources. This session gives you a top-to-bottom tour of implementing a secure solution based on standards like OAuth2 and OpenID Connect, and shows a permissions model after which you can pattern authorization checks throughout the code. Along the way we'll also look at recommended practices for each step: user login, session management, and secure token flow across tiers. Code demonstrations are based on ASP.NET but relevant to other platforms in practice.

  1. IDaaS - Modern Security for your Web Apps and APIs
     Michele Leroux Bustamante, Cofounder, Solliance, Cloud / Security Architect, michelebusta@solliance.net
  2. Example Solution Topology (diagram: Backend Web API, Browser JavaScript Web App, JS Web API, Server Process, Mobile App, Mobile Web API, API Gateway, Partner Web API, Queues, Third Party Apps)
  3. Example Solution Topology (same diagram with an Authorization Server added and three LOGIN points marked)
  4. Concepts
     • Authentication
       • User, application / service
     • Token Flow
       • Authentication, front end APIs, back end APIs
       • Token validation, delegation, lifetime management
     • Protocols
       • OpenID Connect, OAuth2, JSON Web Token (JWT)
     • Types of Tokens
       • ID token
       • Access token
       • Refresh token
       • Reference token
  5. OAuth2 Concepts
     • Separate role of client and resource owner
     • Resource owner (end-user)
     • Resource server (protects resource, requires token)
     • Client (makes requests for resource owner)
     • Authorization Server (issues token after authenticating resource owner and getting authorization for the client)
  6. Authorization Grants
     • Implicit
     • Code
     • Resource Owner
     • Client Credentials
     • Custom
  7. Authorization Server Trust
     • Client is registered with AS first
     • Client usually has
       • Id
       • Secret
       • Allowed callback URLs
       • Allowed scopes
  8. Web User Login
     • Redirect to Login page at AS
       • From web application server
       • From Browser
       • From iframe
  9. OIDC / Implicit Passive Redirect (diagram: Browser, Web Site, AS, Login Page; steps 1-7: OIDC Request, POST Credentials, Authenticate, Issue Token, Set Cookie)
  10. DEMO
  11. Implicit Flow / Access Token (SPA) (diagram: Browser, Web App, AS, Login Page, JavaScript, Web API; steps 1-5: OIDC request, POST credentials, token returned in the hash fragment)
  12. JavaScript to APIs
     • Token available to Browser
       • Retrieved during login
       • Returned with page security context
       • Watch the PII
     • Calls back to APIs
       • Within web application
       • CORS
  13. JavaScript calls to Web API (1) (diagram: Browser, Web App, AS, Login Page, Web API; steps 1-6: OIDC Request, POST credentials, set Cookie, Render token)
  14. JavaScript calls to Web API (2) (diagram: Browser with HTML / JS, Web API; labels: token is embedded in the page, token is passed in the Authorization header, Validate Token / Authorize Access)
  15. DEMO
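The "token is passed in the Authorization header / Validate Token / Authorize Access" step of slide 14, as an added example that is not code from the talk or its demos: the AS side issuing a 15-minute token (the lifetime shown on slide 27) and the Web API side validating the bearer token before authorizing access. It assumes HS256 with a constructed shared secret, a placeholder issuer https://as.example and audience web-api; a production AS signs with asymmetric keys published via JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a real AS signs with an asymmetric key published via JWKS;
# HS256 with a shared secret keeps this example self-contained.
SECRET = b"demo-signing-key-not-for-production"
ISSUER = "https://as.example"   # placeholder authorization server
AUDIENCE = "web-api"            # the resource server the token is issued for

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, scope, lifetime_s=900, now=None):
    """AS side: sign a JWT with a short lifetime (15 minutes, as on the slides)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "scope": scope,
              "iat": now, "exp": now + lifetime_s}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_request(headers, required_scope, now=None):
    """Web API side: take the bearer token from the Authorization header and check
    signature, issuer, audience, expiry and scope before authorizing access."""
    now = int(time.time()) if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise PermissionError("missing or malformed bearer token")
    h64, c64, s64 = token.split(".")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":   # reject 'none' / alg switching
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time compare
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient scope")
    return claims
```

The scope check is where the API's own authorization starts; the returned claims feed the permissions model discussed later in the deck.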
  16. Implicit Flow / Access Token (SPA) (diagram: Browser, Web App, AS, Login Page, JavaScript, Web API; steps 1-5: OIDC request, POST credentials)
  17. Web Application / API to Web API
     • Have a token (user login)
       • Passed to Web API
       • Written to cookie (for pages)
     • Request new token (delegation)
       • Options
         • ID token for ID token
         • ID token for access token
         • Access token for access token
         • …
     • Act As
       • Not an official specification (in progress)
  18. Calling APIs / Act-As (diagram: Browser, JavaScript, Web App, Web API, AS, Backend Web API; steps 1-4 including a Delegation Request to the AS)
  19. DEMO
  20. Background Workers
     • No user login, unattended
     • Alternative to token exchange
       • Trusted subsystem model
       • Client credentials (client id and secret)
  21. Client Credentials Flow / Trusted Subsystem (diagram: Server Process / App, AS, Web API; steps 1-3 with an OAuth2 Client Credentials request to the AS)
  22. DEMO
  23. Mobile Apps
     • Native login (same for rich clients)
       • Resource Owner flow
       • User provides credentials
     • Web View
       • Implicit flow
       • Creates SSO session with AS
     • Hybrid models
  24. Mobile Use Case (Web View) (diagram: Mobile App, Login Page, AS, JavaScript, Mobile Web API; steps 1-7: OAuth2 Implicit Flow, POST Credentials, Authenticate, Issue Claims)
  25. Mobile Use Case (Native) (diagram: Mobile App, AS, Login Page, Mobile Web API; steps 1-5: Resource Owner Flow, POST Credentials, Authenticate, Issue Token)
  26. Token Types
     • ID tokens
     • Access Tokens
     • Reference Tokens
     • Refresh Tokens
  27. Login / Web Session (diagram: Web Site, AS, Login Page, App Cookie; steps 1-8: OIDC request, User Credentials, SSO Cookie (1 day), Id Token (15 mins), Access Token (1 day), user navigates to protected page)
  28. JS to API (diagram: Browser / SPA with JS, JS API, AS, Session Cookie; the JS calls the JS API with AT1)
  29. API to API / pre-cache (diagram: Browser/SPA, JS, JS API, AS, API Token Cache (15 mins), Back End API; steps 1-5; AT1 at the AS call together with client id + secret, AT2 cached (15 mins) and sent to the Back End API)
  30. API to API / post-cache (diagram: Browser/SPA, JS, JS API, API Token Cache (15 mins), Back End API; steps 1-3; AT1 in, cached AT2 sent to the Back End API)
  31. Trusted Sub (diagram: Client App, AS, API Token Cache (15 mins), Back End API; steps 1-4; client id + secret at the AS, AT3 cached (15 mins) and sent to the Back End API)
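The "API Token Cache (15 mins)" box on the API to API diagrams (slides 29-30) and the Trusted Sub diagram (slide 31), as an added example that is not code from the talk: a cache in front of the AS token endpoint that serves both the delegated case (the JS API presents the caller's AT1 plus its own client credentials and caches the resulting AT2 per caller) and the trusted-subsystem case (client credentials only, AT3). StubAuthorizationServer, the client ids, secrets and token strings are constructed for the example; a real AS is an HTTPS token endpoint.

```python
import time

class StubAuthorizationServer:
    """Constructed stand-in for the AS token endpoint (a real one is an HTTPS POST)."""
    def __init__(self):
        self.registered = {"js-api": "js-api-secret", "worker": "worker-secret"}  # id -> secret
        self.issued = 0
    def token(self, client_id, client_secret, scope, user_token=None):
        if self.registered.get(client_id) != client_secret:
            raise PermissionError("invalid_client")
        self.issued += 1
        # user_token present: delegation (AT1 in, AT2 out); absent: client credentials (AT3)
        kind = "delegated" if user_token else "trusted-sub"
        return {"access_token": f"AT{self.issued}-{kind}-{scope}", "expires_in": 900}  # 15 min

class ApiTokenCache:
    """The 'API Token Cache (15 mins)' box: one entry per (caller token, scope), refreshed
    shortly before expiry so a cached token never expires in flight."""
    def __init__(self, auth_server, client_id, client_secret, refresh_skew_s=30):
        self.auth_server, self.client_id, self.client_secret = auth_server, client_id, client_secret
        self.refresh_skew_s = refresh_skew_s
        self._entries = {}   # (user_token, scope) -> (access_token, expires_at); hash the key in production
    def get_token(self, scope, user_token=None, now=None):
        now = time.time() if now is None else now
        key = (user_token, scope)
        cached = self._entries.get(key)
        if cached and now < cached[1] - self.refresh_skew_s:
            return cached[0]                       # post-cache path: no AS round trip
        resp = self.auth_server.token(self.client_id, self.client_secret, scope, user_token)
        self._entries[key] = (resp["access_token"], now + resp["expires_in"])
        return resp["access_token"]                # pre-cache path: AS round trip

def call_back_end_api(cache, user_token, now=None):
    """JS API calling the Back End API on the user's behalf: AT1 comes in, AT2 goes out."""
    at2 = cache.get_token("backend.read", user_token=user_token, now=now)
    return {"Authorization": "Bearer " + at2}
```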
  32. Permissions Management
     • Permission Tables
     • Resource Authorization
     • Keeping logic in a single place
       • Entire app prevention
       • Controller Attributes
       • Inline demands
  33. Claims and Permissions (diagram: IdP claims: UPN, Email, Username, …; AS identity claims: User ID, Email, Username, … plus Linked Claims, Roles and Permissions; App AS claims: User Identity, Roles, Permissions, Additional Claims)
  34. Permissions Model (diagram: Role, Permission, Resource, Action)
  35. DEMO
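The Role / Permission / Resource / Action model of slide 34 and the "keeping logic in a single place" points of slide 32 (controller attributes and inline demands), as an added example in Python rather than the talk's ASP.NET demo: permission tables, one is_authorized check, a decorator standing in for a controller attribute, and an inline resource-authorization demand inside a handler. The table contents, role names and the ownership rule are constructed.

```python
from dataclasses import dataclass, field

# Constructed permission tables: Role -> Permission -> (Resource, Action), as on the
# "Permissions Model" slide. In a real app these are data, not code.
PERMISSIONS = {            # permission -> set of (resource, action) it grants
    "orders.read":   {("orders", "read")},
    "orders.edit":   {("orders", "update")},
    "orders.manage": {("orders", "read"), ("orders", "update"), ("orders", "delete")},
    "reports.view":  {("reports", "read")},
}
ROLE_PERMISSIONS = {       # role -> permissions
    "viewer":  {"orders.read", "reports.view"},
    "manager": {"orders.manage", "reports.view"},
}

@dataclass
class Principal:
    """Who is calling: identity plus roles and any permission claims issued directly."""
    user_id: str
    roles: set
    permissions: set = field(default_factory=set)

def grants_for(principal):
    """Expand roles and direct permission claims into the (resource, action) pairs held."""
    names = set(principal.permissions)
    for role in principal.roles:
        names |= ROLE_PERMISSIONS.get(role, set())
    return set().union(*(PERMISSIONS.get(n, set()) for n in names))

def is_authorized(principal, resource, action):
    """The single place every check goes through (attributes and inline demands alike)."""
    return (resource, action) in grants_for(principal)

def authorize(resource, action):
    """Controller-attribute style: declare the demand on the handler; enforced before the body."""
    def decorate(handler):
        def guarded(principal, *args, **kwargs):
            if not is_authorized(principal, resource, action):
                raise PermissionError(f"{principal.user_id}: {action} on {resource} denied")
            return handler(principal, *args, **kwargs)
        return guarded
    return decorate

@authorize("orders", "update")
def update_order(principal, order):
    """Inline demand: resource authorization depends on this order, not just the action.
    Constructed rule: owners may update their own orders; holders of delete may update any."""
    if order["owner"] != principal.user_id and not is_authorized(principal, "orders", "delete"):
        raise PermissionError("may only update own orders")
    return dict(order, status="updated")
```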
  36. Example Solution Topology (repeat of the slide 3 diagram: Authorization Server and LOGIN points marked)
  37. How to reach me…
     Michele Leroux Bustamante
     michelebusta@solliance.net
     @michelebusta
     Solliance Cofounder, Cloud / Security Architect
     Microsoft Regional Director since 2003
     Microsoft MVP – Microsoft Azure
     Azure Elite, Azure Insider
  38. Don't forget to evaluate the session directly in the Microsoft TechDays app!
