DeveloperPlayBook
Python
Python
  • Introduction
  • Architecture
    • Technology Stack
    • ADR Records
  • Design
  • Bootstraping
  • Development Environment
    • Accounts (AWS, GCP, CircleCI)
  • Services/API
    • Serverless
    • Containers
    • Python
    • Firebase
    • Chatbots
    • Testing
  • Frontend
    • Serverless
    • Containers
    • Chatbot
  • Plattform
  • IAM - IAMaaS
  • Persistance - DBaaS
    • Serverless
    • Container
  • Event Driven / Streaming aaS
    • Kinesis
  • AI - AIaaS
  • Production / Reliability Engineering
  • create-k8s-secrets
  • VI
  • Tools
Powered by GitBook
On this page
  • Products
  • Cognito
  • Register with IAMaaS
  • Build Sample App that authenticated via SSO with your IaaS
  • JWT vs opaque tokens

IAM - IAMaaS

PreviousPlattformNextPersistance - DBaaS

Last updated 7 years ago

To secure your app and mange user identities you can either build your own secuirty (which is bad practice unless you are a security startup that sees it advantage in build novel and better security), use a existing solution like keycloak and integrate it into your application or use a SaaS solution that provides you Identitymanagement.

Products

  • Host your own:

  • SaaS

    • : AWS specific, not good for multi cloud

    • : large community

    • : Bought by google

Tasks to build a MVP that shows you the different Aspects of building an Identity Plattform:

  • Register with IAMaaS

  • Build Sample App that authenticated via SSO with your IaaS

  • Configure the provider so it integrates with your domain - so that it looks like your own webpage

  • Create Backend API and protect it with IAM

  • Integrate API Gateway with IAM

  • Expose API on API Gateway

  • Build Developer Portal and Integrate it with IAM for Signup, Management of Clients and Signup of APIs

Eigene APIs ? In CISL?

Architecture diagram: multicloud ... what security (IP ranges ... as Apigee what they suggest)

As Auth0 is currently most established in the community and AWS Cognito is AWS specific: Auth0 is currently the best option - Bitium is currently integrated into the Google Platform and it will be interesting to see i which direction Google will go.

Cognito

  1. Create User Pool in Cognito with Pool name `notes-user-pool and choose username attributes and select email adress or phone numbers and allow email addresses. Finish and note the Pool ID and Pool ARN.

  2. Create App clients in the Cognito User Pool with App client name notes-app and refresh token expiration 30 and Generate client secret deselected and Enable sign-in API server-based authentication selected. Finish and note the App client id.

# create user
aws cognito-idp sign-up --region eu-central-1 --client-id YOUR_CLIENTID --username admin@yourmail.com --password passw0rD
# verfiy user
aws cognito-idp admin-confirm-sign-up --region eu-central-1 --user-pool-id YOUR_USERPOOL_ID --username admin@yourmail.com

Register with IAMaaS

Build Sample App that authenticated via SSO with your IaaS

Instead of building your own login page - we will redirect to a Auth0 Login Page, then readirect back to our app with an id token attached that included the identity of the user. This token is stored on the local storage of the device and our application will use this token to sign the user in otherwise redirect him to the login page.

Tutorials:

Developer Portal:

  • Management API:

Secure the API:

Integrate API Gateway with Auth0:

Delegated Access Control and Multiple APIs "Audiances":

  • Google Sample

{
 "issued_to": "407408718192.apps.googleusercontent.com",
 "audience": "407408718192.apps.googleusercontent.com",
 "scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/tasks",
 "expires_in": 3441,
 "access_type": "offline"
}

access control sollte fühest möglich in der kette statt finden daher neuer token für jeden call

npm install --save auth0-js

JWT vs opaque tokens

  • Google uses a central system

Design the system:

  • What type of access:

    • functional (bring your own data) - is normally only restricted by utilization (in some case also by a role)

    • self access - is normally done with a 3 legged oauth at login time and later in the background with the refresh token?

  • what information does a service need to make a decision in what kind of cenario it is?

    • functional access can be decide at build time:

    • identity: this needs to be compared if it is the same - then self access

      • in the token

      • in the payload

    • role, group, permission, delegation:

Signup with

Test With Postmen - Bearer Token:

Integrate Auth0 with AWS:

Playground:

React Tutorial:

Configure a hosted page with auth0:

JWT:

delegated access (there might be a solution with .

Keycloak
Forgerock
AWS Cognito
Auth0
Bitium
Auth0
https://github.com/auth0-samples/auth0-react-samples
https://auth0.com/blog/build-a-chat-app-with-react/
https://github.com/auth0-blog/reactjs-authentication-tutorial
https://auth0.com/blog/reactjs-authentication-tutorial/?utm_source=medium&utm_medium=sc&utm_campaign=reactjs_authentication
https://www.udemy.com/complete-react-js-course/
https://stackoverflow.com/questions/24709944/jwt-token-in-postman-header
https://auth0.com/docs/api/management/v2/tokens
https://auth0.com/docs/api/management/v2#!/Client_Grants/post_client_grants
https://aws.amazon.com/blogs/apn/how-to-integrate-rest-apis-with-single-page-apps-and-secure-them-using-auth0-part-1/
https://auth0.com/docs/architecture-scenarios/application/spa-api
https://github.com/swilliams11/apigee-auth0-external-authorization
https://community.apigee.com/articles/43082/auth0-with-apigee-external-authorization.html
https://community.apigee.com/articles/42269/auth0-with-apigee.html
https://community.apigee.com/questions/32498/how-to-register-a-third-party-access-token-obtaine.html
https://community.auth0.com/questions/4420/webauth-audience-multiple-apis-and-scopes
https://community.auth0.com/questions/7539/how-to-handle-multiple-apis-using-audience-token
https://auth0.com/docs/api-auth/tutorials/represent-multiple-apis
https://community.auth0.com/questions/4907/token-exchange-multiple-audiences
https://developers.google.com/oauthplayground/?error=access_denied#
https://stackoverflow.com/questions/359472/how-can-i-verify-a-google-authentication-api-access-token
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.GltQBaDL5XGrEinAjYr_E7WPPvzrHqahgyr5SaglbA6opHQ_dgy-2WYKcr3sGFePre0zsBN91FjCdQqiko4dl6yvlIep2IVnhyIANT6NA7d7hGp8ETjhax-FEr-w
https://auth0.com/docs/quickstart/spa/react/01-login
https://auth0.com/docs/quickstart/spa/react/01-login#add-authentication-with-auth0
https://jobs.zalando.com/tech/blog/the-purpose-of-jwt-stateless-authentication/
user managed access