Identity as Code

Users now have more complex identities than ever before: federated accounts, second-factor authentication, and multiple devices. All of these conditions need to be tested, but how? This talk examines the minefield of identity and authentication in your pipeline and how your team can traverse it to test all the conditions without resorting to manual steps.

Andy March

June 18, 2019

Transcript

  1. Identity as Code

  2. Hi! 10 years working in secure systems. Senior Platform Specialist at Okta. Software Developer (.NET / Java / JS). @andymarch
  3. Information wants to be free. Stewart Brand

  4. None
  5. None
  6. Information wants to be free. Information also wants to be expensive. Stewart Brand
  7. Name: Batman, Rank: Private
     Name: Superman, Rank: Major
     Name: Thor, Rank: Colonel
  8. Name: Batman, Rank: Private (reports to)
     Name: Superman, Rank: Major (reports to)
     Name: Thor, Rank: Colonel
  9. Name: Batman, Rank: Private (reports to)
     Name: Batman, Rank: Major (reports to)
     Name: Batman, Rank: Colonel
  10. Name: Batman, Rank: Colonel/Major/Private (reports to)

  11. None
  12. Don’t roll your own identity

  13. None
  14. None
  15. Divide your architecture, divide your responsibility

  16. [Diagram] Monolith: Business Logic, AuthN, AuthZ, User Identity, Database in one deployable.
      Service Oriented: AuthN, AuthZ, User Identity, Business Logic and Database as separate services, talking in terms of User/Role and Request/Permission.
  17. Don’t test what you don’t control

  18. Capture Mock / Replay Validate

  19. [Sequence] Sign-in Page -> Mock(AuthN): Login(user, password)
      Mock(AuthN) -> Sign-in Page: MFA_Required
      Sign-in Page -> Mock(AuthN): MFA_Response(secret)
      Mock(AuthN) -> Sign-in Page: Accepted
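As an added example (not code from the talk), the capture / mock / replay / validate cycle of slides 18 and 19 sketched in Python: a constructed capture of the sign-in exchange is replayed by a mock AuthN state machine, the client's sign-in routine is driven against it, and the mock's request log is validated against the captured order. The capture contents, `MockAuthN`, `sign_in` and `validate` are all assumptions made for this illustration.

```python
"""Capture / mock / replay / validate for an MFA sign-in (added illustration)."""
import json

# Constructed capture: what a recorder saw on the real sign-in page for one
# MFA-enrolled test user. In practice this is recorded once against the real
# identity provider and committed beside the tests; the values here are made up.
CAPTURE_JSON = """
[
  {"request": {"op": "login", "user": "ada", "password": "correct horse"},
   "response": "MFA_REQUIRED"},
  {"request": {"op": "mfa", "secret": "123456"},
   "response": "ACCEPTED"}
]
"""
CAPTURED_EXCHANGE = json.loads(CAPTURE_JSON)


class MockAuthN:
    """Replays the captured exchange as a small state machine.

    START --login ok--> MFA_PENDING --secret ok--> ACCEPTED
    Anything out of order or with wrong values is REJECTED, so the client
    under test is exercised on the failure paths, not just the happy path.
    """

    def __init__(self, capture):
        self.steps = {s["request"]["op"]: s for s in capture}
        self.state = "START"
        self.log = []  # operation names in the order the client sent them

    def login(self, user, password):
        self.log.append("login")
        step = self.steps["login"]
        if self.state != "START":
            return "REJECTED"
        if (user, password) != (step["request"]["user"], step["request"]["password"]):
            return "REJECTED"
        self.state = "MFA_PENDING"
        return step["response"]  # "MFA_REQUIRED"

    def mfa_response(self, secret):
        self.log.append("mfa")
        step = self.steps["mfa"]
        if self.state != "MFA_PENDING" or secret != step["request"]["secret"]:
            self.state = "START"  # a failed factor restarts the sign-in
            return "REJECTED"
        self.state = "ACCEPTED"
        return step["response"]  # "ACCEPTED"


def sign_in(creds, idp):
    """Client code under test: a sign-in routine that must handle the MFA step."""
    result = idp.login(creds["user"], creds["password"])
    if result == "MFA_REQUIRED":
        result = idp.mfa_response(creds["mfa_secret"])
    return result


def validate(idp, expected_ops):
    """Did the client drive the mock in the captured order, and nothing more?"""
    return idp.log == expected_ops
```

The same mock serves the negative cases the talk asks you to cover: a wrong password is rejected before any factor is requested, a factor sent before login is rejected, and a wrong factor drops the session back to the start, so the client's handling of each outcome can be checked without a real identity provider in the loop.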

  20. …except when you must

  21. Define Use / Reuse Initialize Cleanup

  22. Dev:         Mostly unit tests   Individual environment
      Integration: Integration tests   Shared environment
      QA:          Complex tests       Single environment
      Prod:        Real users          Production config
  23. Snowflake Environments

  24. Infrastructure as Code

  25. None
  26. Api.tf Dev.auto.tfvars Identity.tf Terraform plan Terraform destroy Terraform apply

  27. Api.tf Identity.tf 12c28fb1888dbb64e0ce8e7c5250f621814c3c8b

  28. None
  29. Engine API Engine Client

  30. provider "okta" {
        org_name  = "babbage"
        base_url  = "okta.com"
        # Slide placeholder; in a pipeline the provider also reads OKTA_API_TOKEN
        # from the environment rather than a value committed in code.
        api_token = "isthisarealtoken"
      }

      # Look up an existing group so policies below can reference its id.
      data "okta_group" "devs" {
        name = "Devs"
      }

      # Extend the user profile schema with an application-specific role attribute.
      resource "okta_user_schema" "role_extension" {
        index  = "analytical_engine_role"
        title  = "Analytical Engine Role"
        type   = "string"
        master = "PROFILE_MASTER"
      }
      [Diagram: Engine API, Identity Provider, Engine Client]
  31. # Sign-on policy scoped to the developer group.
      resource "okta_policy_signon" "devSignOn" {
        name            = "Developer policy"
        status          = "ACTIVE"
        description     = "Meet our compliance for developers."
        groups_included = ["${data.okta_group.devs.id}"]
      }

      # Rule: require MFA once per session, re-prompting after 60 minutes.
      resource "okta_policy_rule_signon" "test" {
        policyid     = "${okta_policy_signon.devSignOn.id}"
        name         = "MFA every hour"
        status       = "ACTIVE"
        mfa_required = true
        mfa_prompt   = "SESSION"
        mfa_lifetime = 60
      }
      [Diagram: Engine API, Identity Provider, Engine Client]
  32. # Authorization server for the API, and a scope clients can request on it.
      resource "okta_auth_server" "analytical_engine" {
        audiences   = ["babbage.local"]
        description = "General purpose computing."
        name        = "Analytical Engine API"
      }

      resource "okta_auth_server_scope" "tabulate" {
        description    = "tabulate logarithm"
        name           = "tabulate:perform"
        auth_server_id = "${okta_auth_server.analytical_engine.id}"
      }
      [Diagram: Engine API, Identity Provider, AuthZ Server, Engine Client]
  33. # Web client: authorization code flow, callback supplied per environment.
      resource "okta_app_oauth" "engine_client" {
        label          = "Engine Client"
        type           = "web"
        grant_types    = ["authorization_code"]
        redirect_uris  = ["${var.client_callback}"]
        response_types = ["code"]
      }

      # Service client for the API itself: machine-to-machine, client credentials only.
      resource "okta_app_oauth" "engine_api" {
        label       = "Engine API"
        type        = "service"
        grant_types = ["client_credentials"]
      }
      [Diagram: Engine API, Identity Provider, AuthZ Server, Engine Client]
  34. [Diagram: Engine API, Identity Provider, AuthZ Server, Engine Client] Engine.tf, Prod.auto.tfvars, Identity.tf -> terraform plan, terraform apply
  35. [Diagram: Engine API, Identity Provider, AuthZ Server, Engine Client] Engine.tf, QA.auto.tfvars, Identity.tf -> terraform plan, terraform apply
  36. # A test account, created only after the custom profile attribute exists.
      resource "okta_user" "Ada" {
        login      = "Ada"
        email      = "ada.lovelace@babbage.local"
        first_name = "Ada"
        last_name  = "Lovelace"
        custom_profile_attributes = {
          analytical_engine_role = "Lead Programmer"
        }
        depends_on = ["okta_user_schema.role_extension"]
      }
  37. [Diagram: Engine API, Identity Provider, AuthZ Server, Engine Client] Engine.tf, QA.auto.tfvars, Identity.tf, TestAccounts.tf -> terraform plan, terraform apply
  38. [Diagram: Engine API, Identity Provider, AuthZ Server, Engine Client] Engine.tf, QA.auto.tfvars, Identity.tf, TestAccounts.tf -> terraform destroy
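Added example, not the talk's own code: the Define / Initialize / Use / Cleanup cycle of slide 21 applied to the Terraform-managed test accounts of slides 34 to 38, written in Python so the cleanup guarantee can be tested. It assumes Engine.tf, Identity.tf and TestAccounts.tf sit in one directory together with that environment's `.auto.tfvars` (Terraform loads `*.auto.tfvars` on its own), and that the `runner` hook is how commands reach the Terraform binary, so a test can substitute a fake.

```python
"""Wrap a Terraform-defined identity test environment around a test run."""
import subprocess
from typing import Callable, List

# Assumed layout (not the talk's repository): Engine.tf, Identity.tf and
# TestAccounts.tf in `tf_dir`, plus exactly one <env>.auto.tfvars for the
# environment being exercised. Terraform picks up *.auto.tfvars automatically.

Runner = Callable[[List[str], str], None]


def default_runner(cmd: List[str], cwd: str) -> None:
    """Run a terraform command, raising if it fails."""
    subprocess.run(cmd, cwd=cwd, check=True)


def run_identity_tests(tf_dir: str, run_tests: Callable[[], None],
                       runner: Runner = default_runner) -> List[List[str]]:
    """Define (the .tf files) -> Initialize (apply) -> Use (tests) -> Cleanup (destroy).

    Returns the terraform commands issued, in order. Destroy runs in a
    `finally`, so test accounts are removed even when the suite fails or the
    apply itself stops half way and has created some of the users.
    """
    issued: List[List[str]] = []

    def tf(*args: str) -> None:
        cmd = ["terraform", *args]
        issued.append(cmd)
        runner(cmd, tf_dir)

    tf("init", "-input=false")
    tf("plan", "-input=false", "-out=tfplan")  # review what identity will be created
    try:
        tf("apply", "-input=false", "tfplan")  # Initialize: test accounts now exist
        run_tests()                            # Use
    finally:
        tf("destroy", "-input=false", "-auto-approve")  # Cleanup: no orphaned test users
    return issued


if __name__ == "__main__":
    # Real invocation against a checkout; the directory is a placeholder.
    run_identity_tests("./identity-qa", lambda: print("tests would run here"))
```

The point of returning the command list is that the wrapper itself is testable with a fake runner: assert that `destroy` is the last command both on the happy path and when `run_tests` or `apply` raises, which is exactly the "no snowflake environments" guarantee the talk is after.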
  39. Recap: Don't roll your own. Architect for identity. Test within a boundary, reach beyond when you must. Define as much environment as you can in code.
  40. developer.okta.com andy.march@okta.com @andymarch