Slide 1

Slide 1 text

AuthN & AuthZ in distributed systems, by Thanh Nguyen

Slide 2

Slide 2 text

What are authentication and authorization? Authentication (AuthN) verifies who a user or service is; authorization (AuthZ) decides what that verified identity is allowed to do.

Slide 3

Slide 3 text

Why do you need authentication and authorization?
- For users:
  - Protect data, especially sensitive data, by tying access to a verified user identity (authentication)
  - Ensure the business operates in a secure way
- For the system:
  - Keep tenants' data isolated from each other inside the application
  - Each user type behaves differently and therefore needs different roles (authorization)
  - Make service-to-service and user-to-service interactions secure
  - ...

Slide 4

Slide 4 text

Available solutions
- Self-built, either as a service or as part of the software
  - Pros: full control
  - Cons: costly in time
- Use a 3rd-party identity provider such as Facebook, Google, ...
  - Pros: fast development
  - Cons: dependent on an external organization
- Buy an enterprise solution: Cisco, IBM, Oracle, ...
  - Pros: full support, tooling
  - Cons: high cost
- Self-host an open source authorization server: Keycloak, ORY Hydra, ...
  - Pros: can be customized
  - Cons: complex to develop against and to operate

Slide 5

Slide 5 text

Technical requirements
- Single sign-on (SSO) across tools such as Google, GitLab, Sentry, ...
- Basic authentication (username / password)
- Authorization for web apps and APIs

Slide 6

Slide 6 text

Appropriate solution
- Keycloak as the IAM service
- Keycloak integrates with the Kong API gateway, applications, ...
- Keycloak provides single sign-on with Google for GitLab, Sentry, Mattermost, ...

Slide 7

Slide 7 text

Multi-factor authentication

Slide 8

Slide 8 text

Centralized user management

Slide 9

Slide 9 text

Single Sign-On

Slide 10

Slide 10 text

Use case: Keycloak + Kong API gateway

Slide 12

Slide 12 text

Demo
- Demo AuthN with single sign-on
  - Sequence diagram
  - Log in to GitLab with basic authentication (username / password)
  - Log in to GitLab with a 3rd party (Google)
- Demo AuthZ
  - Sequence diagram
  - Designing roles
  - Assigning users to roles
  - Calling the API with Postman

Slide 13

Slide 13 text

Demo authN with SSO

Slide 14

Slide 14 text

Log in to GitLab

Slide 15

Slide 15 text

Redirect to the Keycloak login page

Slide 16

Slide 16 text

Authenticate with username / password

Slide 17

Slide 17 text

Return the dashboard of the Kong user

Slide 18

Slide 18 text

Authenticate with Google

Slide 22

Slide 22 text

Demo authZ

Slide 23

Slide 23 text

Designing roles for the demo project in Keycloak

Slide 24

Slide 24 text

Assign user1 to the admin role in Keycloak

Slide 25

Slide 25 text

Assign user2 to the user role in Keycloak

Slide 26

Slide 26 text

Get an access token for the admin-role user

Slide 27

Slide 27 text

Call the API with the admin-role access token

Slide 28

Slide 28 text

Get an access token for the user-role user

Slide 29

Slide 29 text

Call the API with the user-role access token

Slide 30

Slide 30 text

Bonus: OAuth 2.0 grant types
- Authorization code grant
- Implicit grant
- Resource owner password credentials grant
- Client credentials grant
The implicit grant and the resource owner password credentials grant are deprecated by the OAuth 2.0 Security Best Current Practice; new browser and mobile clients should use the authorization code grant with PKCE, and services use the client credentials grant.

Slide 31

Slide 31 text

Authorization code grant

Slide 32

Slide 32 text

Implicit grant flow (deprecated: the access token is exposed in the browser front channel)

Slide 33

Slide 33 text

Resource owner password credentials grant flow (deprecated: the client handles the user's password directly)

Slide 34

Slide 34 text

Client credentials grant flow
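Slides 30 to 34 name the grant types but do not show the messages a client actually builds. The following added example (not code from the slides, Keycloak or any library) implements the client side of the authorization code grant with PKCE against a Keycloak realm, plus the client credentials request a service would send: it generates the PKCE verifier/challenge pair, builds the redirect to the authorization endpoint, validates the state parameter on the callback and assembles the form body for the token endpoint. The endpoint paths follow Keycloak's layout (/realms/<realm>/protocol/openid-connect/auth and .../token); the host, realm, client_id and redirect_uri are assumed demo values, and no HTTP request is sent so the code runs offline.

```python
"""Authorization code grant with PKCE, client side, for a Keycloak realm.

Added example, not code from the slides. Host, realm, client and redirect
URI are assumed values; the endpoint paths are Keycloak's OIDC layout.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK = "https://keycloak.example.com"  # assumed host
REALM = "demo"                             # assumed realm
CLIENT_ID = "gitlab"                       # assumed public client
REDIRECT_URI = "https://gitlab.example.com/users/auth/openid_connect/callback"  # assumed

AUTHORIZE_URL = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth"
TOKEN_URL = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = verifier or b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def start_login(state: Optional[str] = None, verifier: Optional[str] = None) -> tuple:
    """Step 1: build the redirect to Keycloak and the session data to keep for the callback."""
    state = state or b64url(secrets.token_bytes(16))  # unguessable, bound to this browser session
    verifier, challenge = make_pkce(verifier)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", {"state": state, "verifier": verifier}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Step 2: validate the redirect back from Keycloak and build the token request body.

    Raises ValueError on an error response or a state mismatch (login CSRF).
    The returned dict is the form body to POST to TOKEN_URL; the code_verifier
    proves to Keycloak that this client started the flow.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: possible CSRF, aborting login")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": qs["code"][0],
        "redirect_uri": REDIRECT_URI,
        "code_verifier": session["verifier"],
    }


def client_credentials_request(client_id: str, client_secret: str) -> dict:
    """Form body for the client credentials grant (service-to-service, no user involved)."""
    return {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}


if __name__ == "__main__":
    url, session = start_login()
    print("redirect browser to:", url)
    # Constructed callback as the browser would deliver it after the user logs in at Keycloak.
    callback = f"{REDIRECT_URI}?state={session['state']}&code=constructed-code"
    print("POST", TOKEN_URL, handle_callback(callback, session))
    print("POST", TOKEN_URL, client_credentials_request("kong", "assumed-secret"))
```

Both the state and the code_verifier stay server-side in the client's session; only the state and the derived challenge travel through the browser. A callback whose state does not match the session is dropped before the code is ever exchanged, and the authorization code alone is useless to an attacker who did not generate the verifier.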

Slide 35

Slide 35 text

References
- https://www.keycloak.org/getting-started/getting-started-docker
- https://www.jerney.io/secure-apis-kong-keycloak-1/
- https://github.com/d4rkstar/kong-konga-keycloak

Slide 36

Slide 36 text

THANKS FOR LISTENING