Slide 1

Slide 1 text

Identity as Code Photo by Carson Arias on Unsplash

Slide 2

Slide 2 text

10+ years working in secure systems Hi! Senior Platform Specialist at Okta Software Developer (.NET / Java / JS) @andymarch

Slide 3

Slide 3 text

Information wants to be free. Stewart Brand

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Information wants to be free. Information also wants to be expensive. Stewart Brand

Slide 7

Slide 7 text

Name: Batman, Role: Private
Name: Superman, Role: Major
Name: Wonder Woman, Role: Colonel

Slide 8

Slide 8 text

Name: Batman, Role: Private
  reports to
Name: Superman, Role: Major
  reports to
Name: Wonder Woman, Role: Colonel

Slide 9

Slide 9 text

Name: Batman, Role: Private
  reports to
Name: Batman, Role: Major
  reports to
Name: Batman, Role: Colonel

Slide 10

Slide 10 text

Name: Batman, Role: Colonel/Major/Private (reports to: the same record)

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Don’t roll your own identity

Slide 13

Slide 13 text

Login Password Sign In Remember Me Forgot Password? Don’t have an account? Sign up

Slide 14

Slide 14 text

Login / Password / Sign In / Remember Me / Forgot Password? / Don’t have an account? Sign up

Behind that one form:
● Check for code injection
● Hash, salt, compare
● Common password
● Compromised password
● Account presence exposure
● Secure reset procedure
● Federation
● Data mapping
● Account linking
● Account duplication
● Email verification
● Consent gathering
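What two of those bullets (hash, salt, compare; account presence exposure) cost to get right, as an added example that is not code from the talk or from Okta: a deliberately leaky login routine beside a hardened one, run over a constructed in-memory user table and a constructed stand-in for a compromised-password list. It uses only the Python standard library; the PBKDF2 iteration count is kept low so the example runs quickly and should be raised in real use.

```python
"""Added example (not from the slides): the checks hiding behind a login form.

Everything here is constructed for illustration: the in-memory user table,
the tiny 'compromised passwords' set standing in for breach data, and the
two login routines (one leaky, one hardened). Standard library only.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000          # deliberately modest so the example runs fast; raise in production
GENERIC_FAILURE = "Incorrect username or password"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. A fresh random salt per account defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(users: Dict[str, dict], username: str, password: str) -> None:
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest}


@dataclass
class LoginResult:
    ok: bool
    message: str
    must_reset: bool = False


def login_naive(users: Dict[str, dict], username: str, password: str) -> LoginResult:
    """The obvious implementation. It leaks account presence twice: through a distinct
    error message, and through a much faster response for unknown users (no hashing at all)."""
    user = users.get(username)
    if user is None:
        return LoginResult(False, "No such user")
    if hash_password(password, user["salt"])[1] == user["hash"]:   # also a non-constant-time compare
        return LoginResult(True, "Welcome")
    return LoginResult(False, "Wrong password")


# Hashing against this dummy record when the username is unknown keeps the
# amount of work identical whether or not the account exists.
DUMMY_SALT, DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(users: Dict[str, dict], username: str, password: str,
          compromised: frozenset = frozenset()) -> LoginResult:
    """Hardened: same message and same work for unknown user and wrong password,
    constant-time digest compare, and a breach check applied only after the
    credential is proven, so it forces a reset without leaking anything to a guesser."""
    user = users.get(username)
    salt, expected = (user["salt"], user["hash"]) if user else (DUMMY_SALT, DUMMY_HASH)
    _, candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, expected)
    if user is None or not matched:
        return LoginResult(False, GENERIC_FAILURE)
    if password in compromised:
        return LoginResult(True, "Password appears in breach data; reset required", must_reset=True)
    return LoginResult(True, "Welcome")


if __name__ == "__main__":
    table: Dict[str, dict] = {}
    register(table, "ada", "Pr0gramm3r!")
    register(table, "charles", "password123")
    breached = frozenset({"password123", "qwerty"})     # constructed stand-in for a breach corpus
    print("naive:   ", login_naive(table, "nobody", "x").message, "|", login_naive(table, "ada", "x").message)
    print("hardened:", login(table, "nobody", "x").message, "|", login(table, "ada", "x").message)
    print("breached:", login(table, "charles", "password123", breached))
```

The point is not that this code is hard to write; it is that every bullet in the list has a version of it, and the list keeps growing.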

Slide 15

Slide 15 text

Custom code is responsible for 93% of app vulnerabilities. Source: contrastsecurity.com/state-of-application-security-libraries

Slide 16

Slide 16 text

OWASP Top 10 Web Application Security Risks (2021): #1 Broken Access Control, #7 Identification and Authentication Failures

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

● The OAuth 2.0 Authorization Framework: RFC 6749
● The OAuth 2.0 Authorization Framework: Bearer Token Usage: RFC 6750
● OAuth 2.0 Token Revocation: RFC 7009
● JSON Web Token (JWT): RFC 7519
● Proof Key for Code Exchange by OAuth Public Clients: RFC 7636
* these are just the ones that fit on the slide! *

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Authenticate Authorize Register Account Recovery Identity as a Service

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

● JSON Web Token Best Current Practices: RFC 8725
● OAuth 2.0 Security Best Current Practice: draft-ietf-oauth-security-topics-18 (the draft current at the time of the talk; since published as RFC 9700)
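What RFC 8725 asks of a token verifier, as an added example that is not code from the talk or from Okta: a standard-library HS256 verifier that fixes the accepted algorithm on the verifying side (so an `alg: none` or swapped-algorithm token is refused before its signature is even looked at), compares signatures in constant time, requires an explicit `typ`, and checks `exp`, `iss`, `aud` and the scope the API needs. The issuer URL is an assumption; the audience `babbage.local` and scope `tabulate:perform` are the values the deck's Terraform creates later, and `scp` is the claim Okta carries scopes in. The key and every token are constructed here.

```python
"""Added example (not from the slides): RFC 8725-style JWT verification, standard library only.

Assumptions: a symmetric HS256 key (constructed), an assumed issuer URL, the deck's own
audience 'babbage.local' and scope 'tabulate:perform', and Okta's 'scp' scope claim.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

ISSUER = "https://babbage.okta.com/oauth2/default"   # assumed issuer for the example
AUDIENCE = "babbage.local"                             # from the deck's okta_auth_server
ALLOWED_ALGS = {"HS256"}          # RFC 8725 §3.1: the verifier fixes the algorithm, never the token
ALLOWED_TYPS = {"JWT", "at+jwt"}  # RFC 8725 §3.11: require explicit typing


class TokenError(Exception):
    """Any token that must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: Dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    """Build a token. alg='none' yields the unsigned token the BCP warns about,
    included only so the verifier can be shown refusing it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def splice_claims(token: str, claims: Dict[str, Any]) -> str:
    """Swap the claims segment but keep the old signature: an attacker's edit."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


def verify(token: str, key: bytes, required_scope: str,
           now: Optional[float] = None, leeway: int = 30) -> Dict[str, Any]:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("undecodable header")
    # Decide the algorithm before touching the signature: blocks 'none' and algorithm swaps.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm %r not allowed" % header.get("alg"))
    if header.get("typ") not in ALLOWED_TYPS:
        raise TokenError("missing or unexpected typ")
    expected = hmac.new(key, ("%s.%s" % (header_b64, claims_b64)).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):   # constant-time compare
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if now + leeway < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    if claims.get("iss") != ISSUER:                    # RFC 8725 §3.8: validate the issuer
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):   # RFC 8725 §3.9: validate audience
        raise TokenError("token not meant for this audience")
    if required_scope not in claims.get("scp", []):   # authorisation: the scope the API requires
        raise TokenError("missing scope %s" % required_scope)
    return claims


def rejects(token: str, key: bytes, scope: str, now: float) -> bool:
    """True if verify() refuses the token (used to demonstrate each failure mode)."""
    try:
        verify(token, key, scope, now=now)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key-with-enough-entropy"
    now = 1_700_000_000
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "12345", "iat": now, "exp": now + 300,
            "scp": ["tabulate:perform"]}
    token = mint(good, key)
    print("valid token   ->", verify(token, key, "tabulate:perform", now=now)["sub"])
    print("alg=none      ->", rejects(mint(good, key, alg="none"), key, "tabulate:perform", now))
    print("edited claims ->", rejects(splice_claims(token, dict(good, sub="admin")), key, "tabulate:perform", now))
```

Note the order: algorithm and typ first, then signature, then claims. Inspecting claims before the signature is verified is the mistake most of the RFC's examples come from.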

Slide 23

Slide 23 text

Divide your architecture, divide your responsibility

Slide 24

Slide 24 text

Monolith: Business Logic, AuthN, AuthZ and User Identity in one codebase over one Database / Persistence layer.
Service Oriented: separate services for AuthN, AuthZ (User/Role, Request/Permission), User Identity, and Business Logic with its own Database / Persistence.

Slide 25

Slide 25 text

AuthN / AuthZ / User Identity / Business Logic / Database / Persistence, with the data each step carries:
● Identification (AuthN): userid: [email protected], application: customer-data
● User/Role (AuthZ): userid: 12345, role: auditor
● Request/Permission (AuthZ): userid: 12345, permission: read.*

Slide 26

Slide 26 text

Don’t test what you don’t control

Slide 27

Slide 27 text

Capture → Mock / Replay → Validate

Slide 28

Slide 28 text

Sign-in Page → Mock (AuthN): Login(user, password)
Mock (AuthN) → Sign-in Page: MFA_Required
Sign-in Page → Mock (AuthN): MFA_Response(secret)
Mock (AuthN) → Sign-in Page: Accepted

Slide 29

Slide 29 text

…except when you must

Slide 30

Slide 30 text

Define → Initialize → Use / Reuse → Cleanup
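Slides 28 and 30 together, as an added example that is not code from the talk or from Okta: a replay double for the AuthN boundary, built from a constructed capture of the Login → MFA_Required → MFA_Response → Accepted exchange, wrapped in a define / initialize / use / cleanup fixture whose cleanup step validates that the code under test walked the whole captured flow. The mock also refuses any request that departs from the capture, so a sign-in page that sends the wrong state or skips the MFA step fails the test instead of passing by accident. Message field names and values are assumptions.

```python
"""Added example (not from the slides): testing the sign-in page behind a mocked AuthN boundary.

CAPTURED_MFA_LOGIN is constructed to stand in for an exchange captured once against the real
identity provider. Field names ('op', 'state', 'secret', 'session') are assumptions.
"""
from contextlib import contextmanager
from typing import Callable, Dict, Iterator, List, Tuple

Message = Dict[str, str]

# Constructed capture: (request the sign-in page sent, response the IdP returned), in order.
CAPTURED_MFA_LOGIN: List[Tuple[Message, Message]] = [
    ({"op": "login", "user": "ada", "password": "Pr0gramm3r!"},
     {"status": "MFA_REQUIRED", "state": "st-7f3c"}),
    ({"op": "mfa_response", "state": "st-7f3c", "secret": "246810"},
     {"status": "ACCEPTED", "session": "sess-91ab"}),
]


class ReplayMismatch(AssertionError):
    """The code under test deviated from the captured exchange."""


class MockAuthN:
    """Replay double for the identity provider: answers only the captured requests, in order."""

    def __init__(self, transcript: List[Tuple[Message, Message]]) -> None:
        self._pending = list(transcript)
        self.sent: List[Message] = []

    def call(self, request: Message) -> Message:
        self.sent.append(request)
        if not self._pending:
            raise ReplayMismatch("unexpected request after capture ended: %r" % request)
        expected, response = self._pending.pop(0)
        if request != expected:
            raise ReplayMismatch("expected %r, got %r" % (expected, request))
        return dict(response)   # copy, so the caller cannot mutate the capture

    def validate(self) -> None:
        """Every captured step must have been replayed; a flow that stopped early is a bug."""
        if self._pending:
            raise ReplayMismatch("%d captured step(s) never exercised" % len(self._pending))


@contextmanager
def mocked_authn(transcript: List[Tuple[Message, Message]]) -> Iterator[MockAuthN]:
    """Define / Initialize / Use / Cleanup as a fixture; validation is the cleanup step.
    If the body raises, the exception propagates from the yield and validate() is skipped."""
    mock = MockAuthN(transcript)   # define + initialize
    yield mock                     # use
    mock.validate()                # cleanup


def sign_in(authn: MockAuthN, user: str, password: str, prompt_mfa: Callable[[], str]) -> str:
    """The sign-in page's own logic. AuthN is injected, so tests hand in the mock."""
    reply = authn.call({"op": "login", "user": user, "password": password})
    if reply["status"] == "MFA_REQUIRED":
        reply = authn.call({"op": "mfa_response", "state": reply["state"], "secret": prompt_mfa()})
    if reply["status"] != "ACCEPTED":
        raise PermissionError("sign-in rejected: %s" % reply["status"])
    return reply["session"]


def run_mfa_login_test() -> str:
    """Happy path: the page follows the captured flow and ends with a session."""
    with mocked_authn(CAPTURED_MFA_LOGIN) as idp:
        return sign_in(idp, "ada", "Pr0gramm3r!", prompt_mfa=lambda: "246810")


def run_skipped_mfa_test() -> bool:
    """A page that ignores MFA_REQUIRED is caught by the cleanup validation."""
    try:
        with mocked_authn(CAPTURED_MFA_LOGIN) as idp:
            idp.call({"op": "login", "user": "ada", "password": "Pr0gramm3r!"})   # stops after step 1
    except ReplayMismatch:
        return True
    return False


def run_wrong_secret_test() -> bool:
    """A page that sends an MFA response the capture never saw is rejected immediately."""
    try:
        with mocked_authn(CAPTURED_MFA_LOGIN) as idp:
            sign_in(idp, "ada", "Pr0gramm3r!", prompt_mfa=lambda: "000000")
    except ReplayMismatch:
        return True
    return False


if __name__ == "__main__":
    print("session:", run_mfa_login_test())
    print("skipped MFA caught:", run_skipped_mfa_test())
    print("wrong secret caught:", run_wrong_secret_test())
```

The capture is the contract with the thing you do not control; the validate step is what turns "the mock never complained" into "the flow we captured was fully exercised".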

Slide 31

Slide 31 text

Dev: mostly unit tests, individual environment
Integration: integration tests, shared environment
QA: complex tests, single environment
Prod: real users, production config

Slide 32

Slide 32 text

Snowflake Environments

Slide 33

Slide 33 text

Infrastructure as Code

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

(Diagram: Engine Client, Engine API)

resource "aws_api_gateway_rest_api" "TabAPI" {
  name        = "TabulationEngineAPI"
  description = "Tabulation Engine"
}

resource "aws_lambda_function" "perform" {
  function_name = "perform"
  # The slide's "s3_bucket.lambda_bucket" / "s3_bucket.lambda_perform" references, spelled with the
  # AWS provider's resource types; the bucket and object themselves are defined elsewhere, not on the slide.
  s3_bucket     = aws_s3_bucket.lambda_bucket.id
  s3_key        = aws_s3_object.lambda_perform.key
  handler       = "perform.handler"
  role          = aws_iam_role.lambda_exec.arn   # required by the provider; role name assumed
  runtime       = "nodejs18.x"                   # required by the provider; runtime assumed
}

Slide 36

Slide 36 text

API.tf → terraform plan → terraform apply

Slide 37

Slide 37 text

provider "okta" {
  org_name  = "babbage"
  base_url  = "okta.com"
  api_token = "isthisarealtoken"   # placeholder on the slide. Never put a real token in a file that is
                                   # committed (a commit hash appears a few slides on): the provider reads
                                   # OKTA_API_TOKEN from the environment, so this line can simply be omitted.
}

resource "okta_user_schema" "role_extension" {   # newer provider versions name this okta_user_schema_property
  index  = "analytical_engine_role"
  title  = "Analytical Engine Role"
  type   = "string"
  master = "PROFILE_MASTER"
}

(Diagram: Engine Client, Engine API, Identity Provider)

Slide 38

Slide 38 text

resource "okta_auth_server" "analytical_engine" {
  audiences   = ["babbage.local"]   # the aud value every token from this server carries; the API must check it
  description = "General purpose computing."
  name        = "Analytical Engine API"
}

resource "okta_auth_server_scope" "tabulate" {
  description    = "tabulate logarithm"
  name           = "tabulate:perform"
  auth_server_id = okta_auth_server.analytical_engine.id
}

(Diagram: Engine Client, Engine API, Identity Provider, AuthZ Server)

Slide 39

Slide 39 text

resource "okta_app_oauth" "engine_client" {
  label          = "Engine Client"
  type           = "web"
  grant_types    = ["authorization_code"]
  redirect_uris  = [var.client_callback]   # per-environment callback, supplied through tfvars
  response_types = ["code"]
}

resource "okta_app_oauth" "engine_api" {
  label       = "Engine API"
  type        = "service"
  grant_types = ["client_credentials"]   # machine-to-machine: no user, no redirect
}

(Diagram: Engine Client, Engine API, Identity Provider, AuthZ Server)

Slide 40

Slide 40 text

API.tf + Identity.tf → terraform plan → terraform apply

Slide 41

Slide 41 text

API.tf + Identity.tf → 12c28fb1888dbb64e0ce8e7c5250f621814c3c8b (a git commit: the identity configuration is now versioned alongside the API)

Slide 42

Slide 42 text

Engine.tf + Identity.tf + Prod.auto.tfvars → terraform plan → terraform apply → AuthZ Server, Identity Provider, Engine API, Engine Client

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

No content

Slide 46

Slide 46 text

No content

Slide 47

Slide 47 text

Engine.tf + Identity.tf + Dev.auto.tfvars → terraform plan → terraform apply → Dev AuthZ Server, Dev Identity Provider, Dev Engine API, Dev Engine Client

Slide 48

Slide 48 text

Engine.tf + Identity.tf + QA.auto.tfvars → terraform plan → terraform apply → QA AuthZ Server, QA Identity Provider, QA Engine API, QA Engine Client

Slide 49

Slide 49 text

resource "okta_user" "Ada" {
  login      = "Ada"
  email      = "[email protected]"
  first_name = "Ada"
  last_name  = "Lovelace"
  custom_profile_attributes = jsonencode({   # the provider takes a JSON string; the slide wrote a bare map
    analytical_engine_role = "Lead Programmer"
  })
  depends_on = [okta_user_schema.role_extension]   # the custom attribute must exist before the user is created
}

(Diagram: QA AuthZ Server, QA Identity Provider, QA Engine API, QA Engine Client)

Slide 50

Slide 50 text

Engine.tf + Identity.tf + TestAccounts.tf + QA.auto.tfvars → terraform plan → terraform apply → QA AuthZ Server, QA Identity Provider, QA Engine API, QA Engine Client

Slide 51

Slide 51 text

Integration QA Default

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

data "okta_group" "devs" {
  name = "Devs"
}

resource "okta_policy_signon" "devSignOn" {
  name            = "Developer policy"
  status          = "ACTIVE"
  description     = "Meet compliance for devs."
  groups_included = [data.okta_group.devs.id]
}

resource "okta_policy_rule_signon" "MFA60" {
  policyid     = okta_policy_signon.devSignOn.id   # policy_id in newer provider versions
  name         = "MFA every hour"
  status       = "ACTIVE"
  mfa_required = true
  mfa_prompt   = "SESSION"
  mfa_lifetime = 60   # minutes
}

(Diagram: Engine Client, Engine API, Identity Provider)

Slide 56

Slide 56 text

Engine.tf + Identity.tf + TestAccounts.tf + QA.auto.tfvars → terraform destroy → QA AuthZ Server, QA Identity Provider, QA Engine API, QA Engine Client torn down

Slide 57

Slide 57 text

Okta Directory Security Hardening using Terraform Managing Multiple Okta Instances with Terraform Cloud

Slide 58

Slide 58 text

Recap
● Don’t roll your own, standards are guardrails.
● Architect for identity.
● Test within a boundary, reach beyond when you must.
● Define as much environment as you can in code.

Slide 59

Slide 59 text

developer.okta.com [email protected] @andymarch Slides: speakerdeck.com/andymarch/identity-as-code