Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Identity as Code

Andy March
June 18, 2019
Programming
0
280

Identity as Code

Users now have more complex identities than ever before; federated accounts, second-factor authentication, and multiple devices all these conditions need to be tested, but how? This talk will examine the minefield of identity and authentication in your pipeline and how your team can traverse this to ensure that you are managing identity as an architectural component without resorting to manual steps.

Andy March

June 18, 2019
Tweet

More Decks by Andy March

See All by Andy March
OAuth by Example - Workshop
andymarch
1
160
Securing APIs
andymarch
0
29
Customers in the Crosshairs
andymarch
1
180
TLDR - OAuth
andymarch
0
58

Other Decks in Programming

See All in Programming
sync.Mutexの仕組みを理解する
ffjlabo
1
600
Modern and Lightweight Cloud Application Development with Jakarta EE 10
ivargrimstad
0
740
The Adventure of RedAmber - A data frame library in Ruby
heronshoes
0
870
研究の場においてのRust 製ソフトウェアのバージョン管理について
puripuri2100
0
250
未経験からエンジニアになった私のこれまでとこれから
ayaka1230
0
140
CloudWatchLogsが個人情報保護の盲点になっていませんか?
shoheihosaka
0
170
Composing a Design System
stewemetal
0
200
Evolving a microservice architecture: how to right-size your services
cer
PRO
0
790
AndroidにもSelect Photosがやってきた
akatsuki174
0
150
Github CopilotとChatGPTを使って感じた使い分けの糸口 / JavaDo #22
gishi_yama
0
180
ゲームの抽選ロジックにGenericsを使ってみたら開発が楽になった話
qualiarts
0
120
ランニングコストやっべぇぞ!ECS/FargateでECRへのアクセスについて
honma12345
0
860

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.6k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.7k
5 minutes of I Can Smell Your CMS
philhawksworth
198
18k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
780
YesSQL, Process and Tooling at Scale
rocio
158
13k
Designing for humans not robots
tammielis
245
24k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
Git: the NoSQL Database
bkeepers
PRO
420
60k
Side Projects
sachag
450
39k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
7
1k
How GitHub (no longer) Works
holman
299
140k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
25
5.3k

Transcript

  1. Identity
    as
    Code
    Photo by Carson Arias on Unsplash

    View Slide

  2. 10+ years working in secure systems
    Hi!
    Senior Platform Specialist at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

    View Slide

  3. Information wants to be free.
    Stewart Brand

    View Slide

  4. View Slide

  5. View Slide

  6. Information wants to be free.
    Information also wants to be expensive.
    Stewart Brand

    View Slide

  7. Name: Batman
    Role: Private
    Name: Superman
    Role: Major
    Name: Wonder Woman
    Role: Colonel

    View Slide

  8. Name: Batman
    Role: Private
    Name: Superman
    Role: Major
    Name: Wonder Woman
    Role: Colonel
    Reports
    to
    Reports
    to

    View Slide

  9. Name: Batman
    Role: Private
    Name: Batman
    Role: Major
    Name: Batman
    Role: Colonel
    Reports
    to
    Reports
    to

    View Slide

  10. Name: Batman
    Role: Colonel/Major/Private
    Reports
    to

    View Slide

  11. View Slide

  12. Don’t roll
    your own
    identity

    View Slide

  13. Login
    Password
    Sign In
    Remember Me
    Forgot Password?
    Don’t have an account? Sign up

    View Slide

  14. Login
    Password
    Sign In
    Remember Me
    Forgot Password?
    Don’t have an account? Sign up
    Check for code injection
    Hash, salt, compare
    Common password
    Compromised password
    Account presence exposure
    Secure reset procedure
    Federation
    Data mapping
    Account linking
    Account duplication
    Email verification
    Consent gathering

    View Slide

  15. Custom code is responsible for
    93%
    of app vulnerabilities
    Source contrastsecurity.com/state-of-application-security-libraries

    View Slide

  16. Identification and Authentication Failures
    #7
    Broken Access Control
    #1
    Web Application Security Risks

    View Slide

  17. View Slide

  18. The OAuth 2.0 Authorization Framework
    RFC 6749
    The OAuth 2.0 Authorization Framework: Bearer
    Token Usage
    RFC 6750
    OAuth 2.0 Token Revocation
    RFC 7009
    JSON Web Token (JWT)
    RFC 7519
    Proof Key for Code Exchange by OAuth Public Clients
    RFC 7636
    * these are just the ones that fit on the slide! *

    View Slide

  19. View Slide

  20. Authenticate
    Authorize
    Register
    Account Recovery
    Identity as a Service

    View Slide

  21. View Slide

  22. JSON Web Token Best Current Practices
    RFC 8725
    OAuth 2.0 Security Best Current Practice
    draft-ietf-oauth-security-topics-18

    View Slide

  23. Divide your
    architecture,
    divide your
    responsibility

    View Slide

  24. Business Logic
    Monolith
    AuthN
    AuthZ
    AuthN
    AuthZ
    User Identity
    Database / Persistence
    User Identity
    Business Logic
    Database / Persistence
    Service Oriented
    User/Role
    Request/Permission

    View Slide

  25. AuthN
    AuthZ
    User Identity
    Business Logic
    Database / Persistence
    User/Role
    Request/Permission
    userid: 12345
    role: auditor
    userid: 12345
    permission: read.*
    Identification
    userid: [email protected]
    application: customer-data

    View Slide

  26. Don’t test what
    you don’t
    control

    View Slide

  27. Capture
    Mock / Replay
    Validate

    View Slide

  28. Sign-in
    Page
    Mock
    (AuthN)
    Login (user, password)
    MFA_Required
    MFA_Response(secret)
    Accepted

    View Slide

  29. …except
    when you
    must

    View Slide

  30. Define
    Use / Reuse
    Initialize
    Cleanup

    View Slide

  31. Dev
    Mostly unit tests
    Individual environment
    Integration
    Integration tests
    Shared environment
    QA
    Complex tests
    Single environment
    Prod
    Real users
    Production config

    View Slide

  32. Snowflake
    Environments

    View Slide

  33. Infrastructure as Code

    View Slide

  34. View Slide

  35. Engine
    API
    Engine
    Client
    resource "aws_api_gateway_rest_api" "TabAPI" {
    name = "TabulationEngineAPI"
    description = "Tabulation Engine"
    }
    resource "aws_lambda_function" "perform" {
    function_name = "perform"
    s3_bucket = s3_bucket.lambda_bucket.id
    s3_key = s3_bucket.lambda_perform.key
    handler = "perform.handler"
    }

    View Slide

  36. API.tf
    Terraform plan
    Terraform apply

    View Slide

  37. provider "okta" {
    org_name = “babbage”
    base_url = “okta.com”
    api_token = “isthisarealtoken”
    }
    resource "okta_user_schema" "role_extension" {
    index = "analytical_engine_role"
    title = "Analytical Engine Role"
    type = "string"
    master = "PROFILE_MASTER"
    }
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  38. resource "okta_auth_server"
    "analytical_engine" {
    audiences = ["babbage.local"]
    description = "General purpose computing."
    name = "Analytical Engine API"
    }
    resource "okta_auth_server_scope" "tabulate" {
    description = "tabulate logarithm"
    name = "tabulate:perform"
    auth_server_id =
    "${okta_auth_server.analytical_engine.id}"
    }
    AuthZ
    Server
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  39. resource "okta_app_oauth" ”engine_client" {
    label = “Engine Client”
    type = "web”
    grant_types = [“authorization_code”]
    redirect_uris = [“${var.client_callback}”]
    response_types = ["code"]
    }
    resource "okta_app_oauth" ”engine_api" {
    label = “Engine API”
    type = ”service”
    grant_types = [“client_credentials”]
    }
    AuthZ
    Server
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  40. API.tf
    Identity.tf
    Terraform apply
    Terraform plan

    View Slide

  41. API.tf
    Identity.tf
    12c28fb1888dbb64e0ce8e7c5250f621814c3c8b

    View Slide

  42. Engine.tf
    Prod.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    AuthZ
    Server
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  43. View Slide

  44. View Slide

  45. View Slide

  46. View Slide

  47. Engine.tf
    Dev.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    Dev
    AuthZ
    Server
    Dev
    Identity
    Provider
    Dev Engine
    API
    Dev Engine
    Client

    View Slide

  48. Engine.tf
    QA.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client

    View Slide

  49. resource “okta_user” “Ada” {
    login = “Ada”
    email = “[email protected]
    first_name = “Ada”
    last_name = “Lovelace”
    custom_profile_attributes = {
    analytical_engine_role = "Lead Programmer"
    }
    depends_on =
    ["okta_user_schema.role_extension"]
    }
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client

    View Slide

  50. Engine.tf
    QA.auto.tfvars
    Identity.tf
    Terraform plan
    Terraform apply
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client
    TestAccounts.tf

    View Slide

  51. Integration
    QA
    Default

    View Slide

  52. View Slide

  53. View Slide

  54. View Slide

  55. data "okta_group" "devs" {
    name = "Devs"
    }
    resource "okta_policy_signon" "devSignOn" {
    name = "Developer policy"
    status = "ACTIVE"
    description = "Meet compliance for devs."
    groups_included =
    ["${data.okta_group.devs.id}"]
    }
    resource "okta_policy_rule_signon" "MFA60" {
    policyid =
    "${okta_policy_signon.devSignOn.id}"
    name = "MFA every hour"
    status = "ACTIVE"
    mfa_required = true
    mfa_prompt = "SESSION"
    mfa_lifetime = 60
    }
    Identity
    Provider
    Engine
    API
    Engine
    Client

    View Slide

  56. Engine.tf
    QA.auto.tfvars
    Identity.tf
    Terraform destroy
    TestAccounts.tf
    QA
    AuthZ
    Server
    QA
    Identity
    Provider
    QA Engine
    API
    QA Engine
    Client

    View Slide

  57. Okta Directory Security
    Hardening using Terraform
    Managing Multiple Okta
    Instances with Terraform Cloud

    View Slide

  58. ● Don’t roll your own, standards are guardrails.
    ● Architect for identity.
    ● Test within a boundary, reach beyond when you must.
    ● Define as much environment as you can in code.
    Recap

    View Slide

  59. developer.okta.com
    [email protected]
    @andymarch
    Slides: speakerdeck.com/andymarch/identity-as-code

    View Slide