Just Enough OpenID Connect @ MPUG

Presented to Melbourne Python User Group

Rory Hart

July 02, 2018

Transcript

  1. JUST ENOUGH OPENID CONNECT
A SECURITY PROTOCOL IN 3 ACTS

  2. About Me
@falican

  3. The Scenario
    Talking OIDC
    Token Expiration
    More Using Client Credentials

  4. GRACE & HER ML MODEL
THE SCENARIO

  5. GRACE HOOPER
    DATA SCIENTIST
    Grace has a strong maths & stats background and recently joined Rail Corp,
    working in their fledgling data science department.
EXPERIENCE
• Matlab
• R
• Power BI
• Excel
• Tableau

  6. When Will A Wagon Need Maintenance?

  7. Hand Cranking the Predictions
    1. Export a CSV from data warehouse via Power BI.
    2. Run the model overnight.
    3. Upload CSV via Power BI to data warehouse.
    4. Generate the PDF report with Power BI.
    5. Email report to stakeholders.

  8. The Automation Plan
    1. Use Python to download the data from the data warehouse.
    2. Use Python to upload the predictions to the data warehouse.
    3. Run the model on a server.

  9. HERE ARE YOUR CLIENT CREDENTIALS
TALKING OPENID CONNECT (OIDC)

  10. Off to a Slow Start
From: Grace Hooper
To: Avery Adams
Subject: accessing the warehouse with python

Hi Avery, I need to download & upload data to the warehouse using python. Can you help? - Grace

From: Avery Adams
To: Grace Hooper
Subject: RE: accessing the warehouse with Python

Hi Grace, the warehouse documentation says you can use http & "openid connect" and that I need to give you some client credentials. I've generated you some credentials and included them below along with some other data the docs say you will need.

You are the first person to do this so can you let me know how you get on?

Here are your client credentials:

Client id: gracehooper
Client secret: eca4368d5b92c3ae5f46a5404b5bd47f
Grant type: password
Token url: https://dwh.railcorp.com/oidc/token

  11. OpenID Connect?
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. (Opening sentence of the OpenID Connect Core 1.0 specification.)

Authentication? So something like HTTP Basic Auth?

  12. So Something Like HTTP Basic Auth?
Source: http://docs.python-requests.org/en/master/user/authentication/

  13. Grant Type?
    Client id: gracehooper
    Client secret: eca4368d5b92c3ae5f46a5404b5bd47f
    Grant type: password
    Token url: https://dwh.railcorp.com/oidc/token

  14. Resource Owner Password Grant
    Source: https://github.com/FrankHassanabad/Oauth2orizeRecipes (MIT License)

  15. Python (Batteries Included)
Source: http://docs.python-requests.org/en/master/user/authentication/

  16. It Works!

  17. WHY IS THIS REQUEST FAILING?
REFRESH TOKENS

  18. This Should Work?!
TOKEN EXPIRATION

  19. TokenExpiredError?

  20. That Fixed It
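
One way to make the request on slides 17 to 19 stop failing, added here as an example that is not the deck's own code (the deck's screenshots are not in this transcript): keep the token together with an absolute expiry time and renew it with the refresh token shortly before it lapses, which is what requests-oauthlib's OAuth2Session does when given auto_refresh_url and a token_updater. The TokenExpiredError name matches the exception slide 19 shows, but the class below is the example's own; the refresh callable, the stub token endpoint and the fake clock in demo() are constructed for the demonstration and stand in for a real POST grant_type=refresh_token to the token URL.

```python
import time


class TokenExpiredError(Exception):
    """Raised when the access token has expired and cannot be renewed.
    (Same name as the requests-oauthlib/oauthlib exception on slide 19;
    this class is the example's own.)"""


class RefreshingToken:
    """Keep an OAuth 2.0 token dict usable by refreshing it before it expires.

    refresh(refresh_token) performs the refresh_token grant against the token
    endpoint and returns the new token dict. token_updater(token) is called
    with every new token so the caller can persist it (the hook name
    requests-oauthlib's OAuth2Session uses). clock is injectable for tests.
    """

    LEEWAY = 60  # treat the token as expired this many seconds early (clock skew, latency)

    def __init__(self, token, refresh, token_updater=None, clock=time.time):
        self._refresh = refresh
        self._token_updater = token_updater
        self._clock = clock
        self.token = {}
        self._store(token)

    def _store(self, new_token):
        merged = dict(new_token)
        # The endpoint returns a relative expires_in; pin it to an absolute
        # expires_at once, at receipt time, so later checks do not drift.
        if "expires_at" not in merged and "expires_in" in merged:
            merged["expires_at"] = self._clock() + int(merged["expires_in"])
        # RFC 6749 section 6: a refresh response without a new refresh token
        # means the old one stays valid, so carry it forward.
        if "refresh_token" not in merged and "refresh_token" in self.token:
            merged["refresh_token"] = self.token["refresh_token"]
        self.token = merged
        if self._token_updater is not None:
            self._token_updater(merged)

    def expired(self):
        """True inside the leeway window; a token with no expiry is assumed live."""
        expires_at = self.token.get("expires_at")
        return expires_at is not None and self._clock() >= expires_at - self.LEEWAY

    def access_token(self):
        if self.expired():
            refresh_token = self.token.get("refresh_token")
            if refresh_token is None:
                raise TokenExpiredError("access token expired and no refresh_token to renew it")
            self._store(self._refresh(refresh_token))
        return self.token["access_token"]

    def auth_header(self):
        """Header for the warehouse request; refreshes first if needed."""
        return {"Authorization": f"Bearer {self.access_token()}"}


def demo():
    """Drive the session with a fake clock and a stub token endpoint (constructed, offline)."""
    now = [1_700_000_000.0]
    refresh_calls = []
    saved = []

    def stub_refresh(refresh_token):  # stands in for POST grant_type=refresh_token
        refresh_calls.append(refresh_token)
        return {"access_token": f"access-{len(refresh_calls) + 1}",
                "token_type": "Bearer", "expires_in": 3600}

    session = RefreshingToken(
        {"access_token": "access-1", "refresh_token": "refresh-1", "expires_in": 3600},
        refresh=stub_refresh, token_updater=saved.append, clock=lambda: now[0])
    first = session.auth_header()   # fresh token: used as-is
    now[0] += 3600 - 30             # 30 s before expiry, inside the leeway window
    second = session.auth_header()  # refreshed transparently before the request

    # A token with no refresh_token cannot be renewed: the caller must re-authenticate.
    bare = RefreshingToken({"access_token": "access-x", "expires_in": 10},
                           refresh=stub_refresh, clock=lambda: now[0])
    now[0] += 600
    try:
        bare.auth_header()
        error = None
    except TokenExpiredError as exc:
        error = str(exc)

    return {"first": first, "second": second, "refresh_calls": refresh_calls,
            "kept_refresh_token": session.token["refresh_token"],
            "saved_tokens": len(saved), "no_refresh_error": error}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The leeway matters in practice: a token checked as valid one second before expiry can still be rejected by the time the request arrives, so refresh early rather than on the boundary. A token obtained with the Client Credentials grant normally comes without a refresh token, so for that grant the fix is simply to request a new token when the old one expires.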

  21. DON’T GIVE OUT YOUR PASSWORD
USING CLIENT CREDENTIALS

  22. What About Other Workflows?
Source: https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#available-workflows

  23. Client Credentials Grant
Source: http://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#backend-application-flow

  24. Client Credentials Grant
Source: https://github.com/FrankHassanabad/Oauth2orizeRecipes/wiki/Security-Scenarios (MIT License)

  25. Well That is Simple!

  26. FURTHER READING
APPENDIX A

  27. Thanks
    • Auth0 OpenID Connect docs
    https://auth0.com/docs/protocols/oidc
    • Requests-OAuthlib: OAuth for Humans
    http://requests-oauthlib.readthedocs.io/en/latest/