Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Single Sign-On und User Self Service für den Ha...
Search
fraosug
November 19, 2019
Technology
0
150
Single Sign-On und User Self Service für den Hausgebrauch
Single Sign-On und User Self Service für den Hausgebrauch, Vortrag von Christopher J. Ruwe
fraosug
November 19, 2019
Tweet
Share
More Decks by fraosug
See All by fraosug
SAMFS-Vortrag von Carsten Grzemba
fraosug
0
270
DKIM Vortrag Dr. Erwin Hoffmann
fraosug
0
190
SmartOS Homerouter
fraosug
0
170
Zeit, Schaltsekunden, Neujahr und ntp, Vortrag von Erwin Hoffmann
fraosug
0
160
Virtual Datacenter Cloud Framework
fraosug
0
200
pkgsrc bulk-builds für illumos SmartOS
fraosug
0
130
Login mit signierten ssh-Schlüsseln
fraosug
0
73
cloud-init mit SmartOS
fraosug
0
220
(Private) Cloud auf SmartOS
fraosug
0
200
Other Decks in Technology
See All in Technology
開発生産性を測る前にやるべきこと - 組織改善の実践 / Before Measuring Dev Productivity
kaonavi
9
4.3k
PO初心者が考えた ”POらしさ”
nb_rady
0
210
Connect 100+を支える技術
kanyamaguc
0
200
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
250
Lazy application authentication with Tailscale
bluehatbrit
0
210
SaaS型なのに自由度の高い本格CMSでサイト構築と運用のコスパ&タイパUP! MovableType.net の便利機能とユーザー事例のご紹介
masakah
0
110
敢えて生成AIを使わないマネジメント業務
kzkmaeda
2
440
生成AI時代の開発組織・技術・プロセス 〜 ログラスの挑戦と考察 〜
itohiro73
1
460
整頓のジレンマとの戦い〜Tidy First?で振り返る事業とキャリアの歩み〜/Fighting the tidiness dilemma〜Business and Career Milestones Reflected on in Tidy First?〜
bitkey
2
16k
ネットワーク保護はどう変わるのか?re:Inforce 2025最新アップデート解説
tokushun
0
210
ビズリーチが挑む メトリクスを活用した技術的負債の解消 / dev-productivity-con2025
visional_engineering_and_design
3
7.5k
20250705 Headlamp: 專注可擴展性的 Kubernetes 用戶界面
pichuang
0
270
Featured
See All Featured
How to Ace a Technical Interview
jacobian
278
23k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.5k
Raft: Consensus for Rubyists
vanstee
140
7k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Scaling GitHub
holman
460
140k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
950
The Straight Up "How To Draw Better" Workshop
denniskardys
234
140k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Practical Orchestrator
shlominoach
189
11k
Transcript
SSO für den Hausgebrauch Christopher J. Ruwe <
[email protected]
> selbstständiger IT-Consultant
Problem • mehrere Services sollen dem gleichen Nutzerkreis zur Verfügung
gestellt werden • die Services sollen nicht öffentlich sein • Berechtigungen sollen nicht separat gepflegt werden (müssen)
Lösungsskizze • auf einer zentralen Instanz werden Nutzer und Berechtigungen
gepflegt • es existiert ein Vertrauensverhältnis von allen Services zu dieser zentralen Instanz • es existiert ein Mechanismus, Identitäten und/oder Berechtigungen zu transportieren
Protokolle (Auswahl) • SAML v2.0 (Security Assertion Markup Languange): authn
/ authz • OAuth v2.0 (Open Authorization): authz • OIDC (OpenIF Connect): authn
Lingo • Resource Owner • Client • Authorization Server •
Resource Server • Realm • Relying Party • OpenID Provider • End-User • User Agent • Resource Server
Authorization Code Grant: OAuth2, § 4.1 (three-legged) Anwendung: • Authentifizierung
und Zugriffssteuerung Wann / Wer?: • Web-Applikationen mit Server Komponente • Desktop / Mobile App (PKCE) • time-scoped with refresh Resource Owner Resource Owner User Agent User Agent Client App Client App Authorization Server Authorization Server Resource Server Resource Server 1 access 2 redirect + params 3 authenticates 4 validates 5 auth code + redirect 6 auth code 7 auth code + redirect 8 validates 9 access (+ refresh) token 10 access token 11 validates 12 resource 13 whatever
auth endpoint GET /authorize ?response_type=code &client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
HTTP/1.1 302 Found Location: https://client.example.com/cb ?code=SplxlOBeZQQYbYS6WxSbIA &state=xyz
token endpoint POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
token endpoint HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma:
no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }
Resource Owner Resource Owner User Agent User Agent Client App
Client App Authorization Server Authorization Server Resource Server Resource Server 1 access 2 redirect + params 3 authenticates 4 validates 5 access token + redirect 6 extract access token 7 access token 8 access token 9 validates 10 resource 11 whatever Implicit Grant: OAuth2, § 4.2 (two-legged) Anwendung: • Authentifizierung und Zugriffssteuerung Wann / Wer?: • Single Page App Caveat: • Exfiltrierung von Tokens • deprecated!
auth endpoint GET /authorize ?response_type=token &client_id=s6BhdRkqt3 &state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host:
server.example.com HTTP/1.1 302 Found Location: http://example.com/cb #access_token=2YotnFZFEjr1zCsicMWpAA &state=xyz &token_type=example &expires_in=3600
Resource Owner Password Credentials Grant: OAuth2, § 4.3 Anwendung: •
Authentifizierung und Zugriffssteuerung Wann / Wer?: • trusted clients Resource Owner Resource Owner Client App Client App Authorization Server Authorization Server Resource Server Resource Server 1 access 2 prompt creds 3 provide creds 4 pass creds and params 5 validates 6 pass access token 7 send access token 8 validates 9 resource 10 whatever
Client Credentials Grant: OAuth2, § 4.4 Anwendung: • Authentifizierung und
Zugriffssteuerung von autnomen Apps Wann / Wer?: • trusted clients non interactive Client App Client App Authorization Server Authorization Server Resource Server Resource Server 1 pass creds and params 2 validates 3 pass access token 4 send access token 5 validates 6 whatever
OIDC Authorization Code Flow OIDC v1.0, § 3.1 Anwendung: •
User-Authentifizierung • RP Authentifizierung • SSO auf RP • Authorisierung • verschiedene Scopes Resource Owner User Agent Client App (Relying Party) OpenID Provider Resource Server 1 access 2 redirect + params 3 authenticate at authorization endpoint 4 validate 5 auth code + redirect 6 auth code 7 auth code to token endpoint 8 validate 9 ID, access, (opt. refresh) token 10 validate ID 11 validate access 12 opt. request from userinfo endpoint) 13 validate access 14 additional claims
OIDC Authorization Code Flow OIDC v1.0, § 3.1 Anwendung: •
User-Authentifizierung • RP Authentifizierung • SSO auf RP • Authorisierung • verschiedene Scopes Resource Owner User Agent Client App (Relying Party) OpenID Provider Resource Server 8 validate 9 ID, access, (opt. refresh) token 10 validate ID 11 validate access 12 opt. request from userinfo endpoint) 13 validate access 14 additional claims 15 access token 16 validates 17 req add clains from user endpoint 18 validate access 19 return claims 20 resource 21 whatever
OIDC token { "sub" : "alice", "iss" : "https://openid.c2id.com", "aud"
: "client-12345", "nonce" : "n-0S6_WzA2Mj", "auth_time" : 1311280969, "acr" : "c2id.loa.hisec", "iat" : 1311280970, "exp" : 1311281970 } subject issuer audience authentication context class ref issued_at expires
Token eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRw Oi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiw KICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIi wKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ 1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP9 9Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccM g4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKP XfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvR YLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0
nx7RkKU8NXNHq-rvKMzqg
Auslassungen • OIDC Implicit Flow (§ 3.2) • OIDC Hybrid
Flow (§ 3.3)
Anwendung • Vertrauensverhältnis von Ressourcen- Konsument zu Authorization Server /
Identity Provider • sichere Kommunikation zwischen den Komponenten
Funktionen für ein SSO auf Basis von OAuth/OIDC IDP: Keycloak
Web u. SSL: nginx Zertifikate: Let‘s Encrypt Zert-Mgmt: cert-manager Mailer: mailu Cluster-Manager: k8s
cert-manager $ kubectl get clusterissuers.certmanager.k8s.io cruwe-le-prod --output=yaml apiVersion: certmanager.k8s.io/v1alpha1 kind:
ClusterIssuer metadata: name: cruwe-le-prod spec: acme: email:
[email protected]
http01: {} privateKeySecretRef: name: issuer-cruwe-le-prod server: https://acme-v02.api.letsencrypt.org/directory
cert-manager apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: certmanager.k8s.io/cluster-issuer: cruwe-le-prod kubernetes.io/ingress.class:
nginx name: www-cruwe-de namespace: www-cruwe-de spec: tls: - hosts: - www.cruwe.de secretName: www-cruwe-de-le-prod-certificate
keycloak
zum Einlesen • RFC 6749: The OAuth 2.0 Authorization Framework
• https://medium.com/@robert.broeckelmann/saml-v2-0-vs- jwt-series-550551f4eb0d • https://medium.com/@darutk/diagrams-and-movies-of-all- the-oauth-2-0-flows-194f3c3ade85 (Tahiko Kawasaki) • https://openid.net/developers/specs/ • https://connect2id.com/learn/openid-connect • RFC 7519: JSON Web Token (JWT) • https://medium.com/@darutk/understanding-id-token- 5f83f50fa02e