AuthN & AuthZ with distributed systems

Transcript

1. AuthN & AuthZ with distributed systems By Thanh Nguyen

2. What authentication & authorization

3. Why do you need authenticate and authorize ? - About

   user: - Protect your data (sensitive data) with user identity (authentication) - Ensure that your business operate in security way - About system: - Data don’t affect each other between tenants in application - Each user type have behaviours differently perspective roles - Interact service-to-service, user-to-service in security way ...

4. Available solution - Self-built as a service or apart of

   software - Pros: full control - Cons: waste time - Using 3rd party such as Facebook, google+, … - Pros: quickly development - Cons: dependent to external organization - Buy enterprise solution: cisco, ibm, oracle, ... - Pros: full support, utility - Cons: high cost - Self-host open source based authorization server: keycloak, ory/hydra, … - Pros: can customize - Cons: have complexity to develop and operate

5. Technical requirements - Single sign on (SSO) such as google,

   gitlab, sentry, … - Basic authentication - Authorize webs, apps

6. Appropriate solution - Keycloak as IAM services - Keycloak support

   for integrate for kong api gateway, app, ... - Keycloak support for Single Sign-On with google for gitlab, sentry, mastermost, …

7. Multi-factor authentication

8. Centrally user management

9. Single Sign-On

10. Use case: Keycloak + kong api gateway

11. None

12. Demo - Demo authN with Single Sign-On - Sequence diagram

    - Login gitlab with basic authentication (username / password) - Login gitlab with 3rd party (google) - Demo authZ - Sequence diagram - Designing roles - Assign user to role - Call api with postman

13. Demo authN with SSO

14. Login gitlab

15. Redirect to keycloak login

16. Authenticate with username / password

17. Return dashboard of kong user

18. Authenticate with google

19. None
20. None
21. None

22. Demo authZ

23. Designing roles for demo project in keycloak

24. Assign user1 to admin role in keycloak

25. Assign user2 to user role in keycloak

26. Get access token of admin role

27. Call api with admin role access token

28. Get access token of user role

29. Call api with user role access token

30. Bonus: OAuth 2.0 pattern - Authorization code grant flow -

    Implicit grant flow - Resource owner password credentials grant flow - Client credentials grant flow

31. Authorization code grant

32. Implicit grant flow

33. Resource owner password credentials grant flow

34. Client credentials grant flow

35. References https://www.keycloak.org/getting-started/getting-started-docker https://www.jerney.io/secure-apis-kong-keycloak-1/ https://github.com/d4rkstar/kong-konga-keycloak

36. THANK FOR LISTENING