deft/journal/2021-04-16--12-27-13Z--iroh_auth_presentation.tmpmHUifb.org

# Created 2021-04-16 Fri 14:49
#+TITLE: IROH Auth Presentation
#+DATE: [2021-04-16 Fri]
#+AUTHOR: Yann Esposito
- tags :: [[file:2021-04-16--13-35-21Z--cisco.org][Cisco]]

* IROH Auth Presentation

Yann Esposito <yaesposi@cisco.com>

* When did you interacted with IROH-Auth?

- Login in SecureX
- Login in CTR
- Login in Orbital
- Authorized the Ribbon
- Cross Launch with SSE
- Invited someone to your Org
- Changed the role of some user
- When you investigate in CTR (via CTIA's module)
- Created an OAuth2 client

* What is IROH-Auth? (overview)

This is a software subcomponent of /IROH/ taking care of:

- /Authentication/
  - provide a user unique identifier
- /Authorization/
  - decide what user can or cannot do
- /User Data Model/
- /Tenancy (Org) Management/
- /API Clients Management/
- /OAuth2/, /OpenID Connect/ provider (half of IROH-Auth dedicated to this)

* What is IROH-Auth? (technical)

/IROH-Auth/ is a set of /Services/ within /IROH/ some of them exposing
HTTP APIs.

- Login
  - Login (core service + web API)
  - Org (service)
  - User (service + web API)
  - Scopes (service)
  - Auth Management (core service)
  - Invite (core service + web API)
  - Session (web API)
  - Profile (web API, =/whoami=)
  - SCIM Client (service)
  - IdP Migrate  (core service + web API) /deprecated a few months ago/
  - Provision (service + web API) /used instead of IdP Migrate/

- OAuth2
  - OAuth2 (core service + web API)
  - OAuth2 Clients (core service + web API)
  - OAuth2 Clients Presets (service)
  - Grant Service (User's client authorizations)

- Admin
  - Auth Management (web API)
  - OAuth2 Clients Management (web API)

* History (1/?)                                                      :ATTACH:
Login using AMP SAML (generate JWT)

*SAML*


[[file:/Users/esposito/.org/.attach/da/b23b61-a766-4eda-a1e9-1d39258ef5c0/_20210416_144701IT%27s%20BAD%20IT%27s%20REALLY%20BAD.gif]]


Worked with Guillaume.

*No DB of users!*

* History (2/?)

2nd goal: Support OAuth2 (become an OAuth2 provider)
3rd goal: Support AMP and Threatgrid login (OpenID Connect)

Become both an OAuth2 client and provider.

Need Clients/Users/Orgs in DB!!!

OAuth2 RFC => OAuth2 GRANTS

- Authorization Code Grant (the classic)
- Client Grant (for scripts)
- Implicit Grant (for Single Page Applications, now deprecated)

4rd goal: Support Account Activation => SCIM Client

...

- Become an OpenID Connect provider, made before the start of SecureX.
- OpenID Connect with SSE (we are the IdP now)

* Internal User Structure
* Cisco specificity
journal/2021-04-16--12-27-13Z--iroh_auth_presentation.tmpmHUifb.org 2021-04-16 12:49:54 +00:00			`# Created 2021-04-16 Fri 14:49`
			`#+TITLE: IROH Auth Presentation`
			`#+DATE: [2021-04-16 Fri]`
			`#+AUTHOR: Yann Esposito`
			`- tags :: [[file:2021-04-16--13-35-21Z--cisco.org][Cisco]]`

			`* IROH Auth Presentation`

			`Yann Esposito <yaesposi@cisco.com>`

			`* When did you interacted with IROH-Auth?`

			`- Login in SecureX`
			`- Login in CTR`
			`- Login in Orbital`
			`- Authorized the Ribbon`
			`- Cross Launch with SSE`
			`- Invited someone to your Org`
			`- Changed the role of some user`
			`- When you investigate in CTR (via CTIA's module)`
			`- Created an OAuth2 client`

			`* What is IROH-Auth? (overview)`

			`This is a software subcomponent of /IROH/ taking care of:`

			`- /Authentication/`
			`- provide a user unique identifier`
			`- /Authorization/`
			`- decide what user can or cannot do`
			`- /User Data Model/`
			`- /Tenancy (Org) Management/`
			`- /API Clients Management/`
			`- /OAuth2/, /OpenID Connect/ provider (half of IROH-Auth dedicated to this)`

			`* What is IROH-Auth? (technical)`

			`/IROH-Auth/ is a set of /Services/ within /IROH/ some of them exposing`
			`HTTP APIs.`

			`- Login`
			`- Login (core service + web API)`
			`- Org (service)`
			`- User (service + web API)`
			`- Scopes (service)`
			`- Auth Management (core service)`
			`- Invite (core service + web API)`
			`- Session (web API)`
			`- Profile (web API, =/whoami=)`
			`- SCIM Client (service)`
			`- IdP Migrate (core service + web API) /deprecated a few months ago/`
			`- Provision (service + web API) /used instead of IdP Migrate/`

			`- OAuth2`
			`- OAuth2 (core service + web API)`
			`- OAuth2 Clients (core service + web API)`
			`- OAuth2 Clients Presets (service)`
			`- Grant Service (User's client authorizations)`

			`- Admin`
			`- Auth Management (web API)`
			`- OAuth2 Clients Management (web API)`

			`* History (1/?) :ATTACH:`
			`Login using AMP SAML (generate JWT)`

			`SAML`


			`[[file:/Users/esposito/.org/.attach/da/b23b61-a766-4eda-a1e9-1d39258ef5c0/_20210416_144701IT%27s%20BAD%20IT%27s%20REALLY%20BAD.gif]]`


			`Worked with Guillaume.`

			`No DB of users!`

			`* History (2/?)`

			`2nd goal: Support OAuth2 (become an OAuth2 provider)`
			`3rd goal: Support AMP and Threatgrid login (OpenID Connect)`

			`Become both an OAuth2 client and provider.`

			`Need Clients/Users/Orgs in DB!!!`

			`OAuth2 RFC => OAuth2 GRANTS`

			`- Authorization Code Grant (the classic)`
			`- Client Grant (for scripts)`
			`- Implicit Grant (for Single Page Applications, now deprecated)`

			`4rd goal: Support Account Activation => SCIM Client`

			`...`

			`- Become an OpenID Connect provider, made before the start of SecureX.`
			`- OpenID Connect with SSE (we are the IdP now)`

			`* Internal User Structure`
			`* Cisco specificity`