IAM - IAMaaS
To secure your app and manage user identities you can either build your own security (bad practice unless you are a security startup whose advantage lies in building novel and better security), use an existing solution like Keycloak and integrate it into your application, or use a SaaS solution that provides identity management for you (IAMaaS).
Products
SaaS
AWS Cognito: AWS specific, not good for multi cloud
Auth0: large community
Bitium: Bought by google
Tasks to build an MVP that shows you the different aspects of building an identity platform:
Register with an IAMaaS
Build a sample app that authenticates via SSO with your IAMaaS
Configure the provider so it integrates with your domain, so that the login looks like your own webpage
Create a backend API and protect it with IAM
Integrate API Gateway with IAM
Expose the API on API Gateway
Build a developer portal and integrate it with IAM for signup, management of clients and signup for APIs
Own APIs? In CISL?
Architecture diagram: multicloud ... what security (IP ranges ... as Apigee suggests)
Since Auth0 is currently the most established in the community and AWS Cognito is AWS specific, Auth0 is currently the best option. Bitium is now being integrated into the Google platform and it will be interesting to see in which direction Google goes.
Cognito
Create a User Pool in Cognito with pool name
notes-user-pool
For the username attributes choose "Email address or phone number" and allow email addresses. Finish and note the Pool ID and Pool ARN.
Create an app client in the user pool with app client name
notes-app
Refresh token expiration (days): 30
Generate client secret: deselected (a browser app cannot keep a secret, so there is no point issuing one)
Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH): selected
Finish and note the App client id.
# create user
aws cognito-idp sign-up --region eu-central-1 --client-id YOUR_CLIENTID --username admin@yourmail.com --password passw0rD
# verify user (admin confirmation skips the email verification step, so only do this for test users)
aws cognito-idp admin-confirm-sign-up --region eu-central-1 --user-pool-id YOUR_USERPOOL_ID --username admin@yourmail.com
Note that a password passed as a command-line argument ends up in the shell history; change it after the test or use a throwaway account.
Register with IAMaaS
Signup with Auth0
Build a sample app that authenticates via SSO with your IAMaaS
Instead of building our own login page we redirect to the Auth0 login page, which redirects back to our app with an ID token attached that contains the identity of the user. This token is stored in the local storage of the browser and our application uses it to sign the user in, otherwise it redirects to the login page. Two caveats: anything in local storage is readable by every script running on the page, so an XSS bug leaks the token; and the ID token only identifies the user to the app itself, while calls to the backend API must carry the access token issued for that API's audience and the API must verify it.
Tutorials:
Test with Postman - Bearer Token: https://stackoverflow.com/questions/24709944/jwt-token-in-postman-header
Developer Portal:
Integrate Auth0 with AWS: https://aws.amazon.com/blogs/apn/how-to-integrate-rest-apis-with-single-page-apps-and-secure-them-using-auth0-part-1/
Secure the API:
Integrate API Gateway with Auth0:
Delegated access control and multiple APIs ("audiences"); example of a Google tokeninfo (introspection) response for an access token that is good for several APIs:
{
"issued_to": "407408718192.apps.googleusercontent.com",
"audience": "407408718192.apps.googleusercontent.com",
"scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/tasks",
"expires_in": 3441,
"access_type": "offline"
}
Access control should take place as early as possible in the chain, therefore a new token for every call.
React Tutorial: https://auth0.com/docs/quickstart/spa/react/01-login
npm install --save auth0-js
Configure a hosted page with auth0: https://auth0.com/docs/quickstart/spa/react/01-login#add-authentication-with-auth0
JWT vs opaque tokens: a JWT is self-contained and can be validated locally with the issuer's public key (signature, expiry, issuer, audience), while an opaque token carries no information and has to be sent back to the issuer for introspection on every call.
Google uses a central system (the tokeninfo response above is that kind of introspection).
Design the system:
What type of access:
functional access (bring your own data): normally only restricted by utilization (quotas), in some cases also by a role
self access: normally done with three-legged OAuth at login time and later in the background with the refresh token?
delegated access (there might be a solution with User-Managed Access, UMA)
What information does a service need to decide which kind of scenario it is in?
functional access can be decided at build time:
identity: this needs to be compared; if the caller is the same as the resource owner, it is self access
in the token
in the payload
role, group, permission, delegation: