$30 off During Our Annual Pro Sale. View Details »

Identity as Code

Andy March
June 18, 2019
Programming
0
330

Identity as Code

Users now have more complex identities than ever before; federated accounts, second-factor authentication, and multiple devices all these conditions need to be tested, but how? This talk will examine the minefield of identity and authentication in your pipeline and how your team can traverse this to ensure that you are managing identity as an architectural component without resorting to manual steps.

Andy March

June 18, 2019
Tweet

More Decks by Andy March

See All by Andy March
OAuth by Example - Workshop
andymarch
1
170
Securing APIs
andymarch
0
37
Customers in the Crosshairs
andymarch
1
200
TLDR - OAuth
andymarch
0
68

Other Decks in Programming

See All in Programming
Microservices: what does good look like? (Nov 2023)
cer
PRO
0
810
TypeScript_コンパイラの内側に片足を入れる
ryounasso
1
220
Expert Tech Talk!〜ニフティスペシャリスト対談〜 - NIFTY Tech Day 2023
niftycorp
0
130
Expo Router は Expo 導入の決め手となるか フロントエンドカンファレンス沖縄2023 @Kaito-Dogi
doggy
3
1.7k
「価値」あるものを作るためにエンジニアができること - NIFTY Tech Day 2023
niftycorp
0
140
Second-System Syndrome: A tale of power-assert
twada
PRO
9
3.6k
君たちはどうプログラミングするか
tanakahisateru
7
930
JavaScript なしで動作するモダンなコードの書き方
azukiazusa1
15
9.7k
JSConfjp2023 Storybook駆動開発の再現性と効率化
kinocoboy2
1
2k
フロントエンドエンジニアも知っておきたい HTTP/3 で変わること
yahiru
17
9.8k
エンジニアだけでスポンサーブースを出したら大変なことになった
zakky21
1
480
[Helvetic Ruby 2023] Profiling Ruby tests with Swiss precision
palkan
0
350

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
453
32k
Code Review Best Practice
trishagee
53
14k
In The Pink: A Labor of Love
frogandcode
135
21k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Fireside Chat
paigeccino
18
2.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
How to Ace a Technical Interview
jacobian
272
22k
Faster Mobile Websites
deanohume
296
29k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
53
33k

Transcript

  1. Identity
    as
    Code
    Photo by Carson Arias on Unsplash

    View Slide

  2. 10+ years working in secure systems
    Hi!
    Senior Platform Specialist at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

    View Slide

  3. Information wants to be free.
    Stewart Brand

    View Slide

  4. View Slide

  5. View Slide

  6. Information wants to be free.
    Information also wants to be expensive.
    Stewart Brand

    View Slide

  7. Name: Batman
    Role: Private
    Name: Superman
    Role: Major
    Name: Wonder Woman
    Role: Colonel

    View Slide

  8. Name: Batman
    Role: Private
    Name: Superman
    Role: Major
    Name: Wonder Woman
    Role: Colonel
    Reports
    to
    Reports
    to

    View Slide

  9. Name: Batman
    Role: Private
    Name: Batman
    Role: Major
    Name: Batman
    Role: Colonel
    Reports
    to
    Reports
    to

    View Slide

  10. Name: Batman
    Role: Colonel/Major/Private
    Reports
    to

    View Slide

  11. View Slide

  12. Don’t roll
    your own
    identity

    View Slide

  13. Login
    Password
    Sign In
    Remember Me
    Forgot Password?
    Don’t have an account? Sign up

    View Slide

  14. Login
    Password
    Sign In
    Remember Me
    Forgot Password?
    Don’t have an account? Sign up
    Check for code injection
    Hash, salt, compare
    Common password
    Compromised password
    Account presence exposure
    Secure reset procedure
    Federation
    Data mapping
    Account linking
    Account duplication
    Email verification
    Consent gathering

    View Slide

  15. Custom code is responsible for
    93%
    of app vulnerabilities
    Source contrastsecurity.com/state-of-application-security-libraries

    View Slide

  16. Identification and Authentication Failures
    #7
    Broken Access Control
    #1
    Web Application Security Risks

    View Slide

  17. View Slide

  18. The OAuth 2.0 Authorization Framework
    RFC 6749
    The OAuth 2.0 Authorization Framework: Bearer
    Token Usage
    RFC 6750
    OAuth 2.0 Token Revocation
    RFC 7009
    JSON Web Token (JWT)
    RFC 7519
    Proof Key for Code Exchange by OAuth Public Clients
    RFC 7636
    * these are just the ones that fit on the slide! *

    View Slide

  19. View Slide

  20. Authenticate
    Authorize
    Register
    Account Recovery
    Identity as a Service

    View Slide

  21. View Slide

  22. JSON Web Token Best Current Practices
    RFC 8725
    OAuth 2.0 Security Best Current Practice
    draft-ietf-oauth-security-topics-18

    View Slide

  23. Divide your
    architecture,
    divide your
    responsibility

    View Slide

  24. Business Logic
    Monolith
    AuthN
    AuthZ
    AuthN
    AuthZ
    User Identity
    Database / Persistence
    User Identity
    Business Logic
    Database / Persistence
    Service Oriented
    User/Role
    Request/Permission

    View Slide

  25. AuthN
    AuthZ
    User Identity
    Business Logic
    Database / Persistence
    User/Role
    Request/Permission
    userid: 12345
    role: auditor
    userid: 12345
    permission: read.*
    Identification
    userid: [email protected]
    application: customer-data

    View Slide

  26. Don’t test what
    you don’t
    control

    View Slide

  27. Capture
    Mock / Replay
    Validate

    View Slide

  28. Sign-in
    Page
    Mock
    (AuthN)
    Login (user, password)
    MFA_Required
    MFA_Response(secret)
    Accepted

    View Slide

  29. …except
    when you
    must

    View Slide

  30. Define
    Use / Reuse
    Initialize
    Cleanup

    View Slide

  31. Dev
    Mostly unit tests
    Individual environment
    Integration
    Integration tests
    Shared environment
    QA
    Complex tests
    Single environment
    Prod
    Real users
    Production config

    View Slide

  32. Snowflake
    Environments

    View Slide

  33. Infrastructure as Code

    View Slide

  34. View Slide

  35. Engine
    API
    Engine
    Client
    resource "aws_api_gateway_rest_api" "TabAPI" {
    name = "TabulationEngineAPI"
    description = "Tabulation Engine"
    }
    resource "aws_lambda_function" "perform" {
    function_name = "perform"
    s3_bucket = s3_bucket.lambda_bucket.id
    s3_key = s3_bucket.lambda_perform.key
    handler = "perform.handler"
    }

    View Slide

  36. API.tf
    Terraform plan
    Terraform apply

    View Slide

  37. provider "okta" {
    org_name = “babbage”
    base_url = “okta.com”
    api_token = “isthisarealtoken”
    }
    resource "okta_user_schema" "role_extension" {
    index = "analytical_engine_role"
    title = "Analytical Engine Role"
    type = "string"
    master = "PROFILE_MASTER"
    }
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  38. resource "okta_auth_server"
    "analytical_engine" {
    audiences = ["babbage.local"]
    description = "General purpose computing."
    name = "Analytical Engine API"
    }
    resource "okta_auth_server_scope" "tabulate" {
    description = "tabulate logarithm"
    name = "tabulate:perform"
    auth_server_id =
    "${okta_auth_server.analytical_engine.id}"
    }
    AuthZ
    Server
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  39. resource "okta_app_oauth" ”engine_client" {
    label = “Engine Client”
    type = "web”
    grant_types = [“authorization_code”]
    redirect_uris = [“${var.client_callback}”]
    response_types = ["code"]
    }
    resource "okta_app_oauth" ”engine_api" {
    label = “Engine API”
    type = ”service”
    grant_types = [“client_credentials”]
    }
    AuthZ
    Server
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  40. API.tf
    Identity.tf
    Terraform apply
    Terraform plan

    View Slide

  41. API.tf
    Identity.tf
    12c28fb1888dbb64e0ce8e7c5250f621814c3c8b

    View Slide

  42. Engine.tf
    Prod.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    AuthZ
    Server
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  43. View Slide

  44. View Slide

  45. View Slide

  46. View Slide

  47. Engine.tf
    Dev.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    Dev
    AuthZ
    Server
    Dev
    Identity
    Provider
    Dev Engine
    API
    Dev Engine
    Client

    View Slide

  48. Engine.tf
    QA.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client

    View Slide

  49. resource “okta_user” “Ada” {
    login = “Ada”
    email = “[email protected]
    first_name = “Ada”
    last_name = “Lovelace”
    custom_profile_attributes = {
    analytical_engine_role = "Lead Programmer"
    }
    depends_on =
    ["okta_user_schema.role_extension"]
    }
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client

    View Slide

  50. Engine.tf
    QA.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client
    TestAccounts.tf

    View Slide

  51. Integration
    QA
    Default

    View Slide

  52. View Slide

  53. View Slide

  54. View Slide

  55. data "okta_group" "devs" {
    name = "Devs"
    }
    resource "okta_policy_signon" "devSignOn" {
    name = "Developer policy"
    status = "ACTIVE"
    description = "Meet compliance for devs."
    groups_included =
    ["${data.okta_group.devs.id}"]
    }
    resource "okta_policy_rule_signon" "MFA60" {
    policyid =
    "${okta_policy_signon.devSignOn.id}"
    name = "MFA every hour"
    status = "ACTIVE"
    mfa_required = true
    mfa_prompt = "SESSION"
    mfa_lifetime = 60
    }
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  56. Engine.tf
    QA.auto.tfvars
    Identity.tf
    Terraform destroy
    TestAccounts.tf
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client

    View Slide

  57. Okta Directory Security
    Hardening using Terraform
    Managing Multiple Okta
    Instances with Terraform Cloud

    View Slide

  58. ● Don’t roll your own, standards are guardrails.
    ● Architect for identity.
    ● Test within a boundary, reach beyond when you must.
    ● Define as much environment as you can in code.
    Recap

    View Slide

  59. developer.okta.com
    [email protected]
    @andymarch
    Slides: speakerdeck.com/andymarch/identity-as-code

    View Slide