#+TITLE: IROH Auth Presentation
#+Author: Yann Esposito
#+Date: [2021-04-16]

- tags :: [[file:2021-04-16--13-35-21Z--cisco.org][Cisco]]

* IROH Auth Presentation

Yann Esposito

* When did you interact with IROH-Auth?

- Login in SecureX
- Login in CTR
- Login in Orbital
- Authorized the Ribbon
- Cross Launch with SSE
- Invited someone to your Org
- Changed the role of some user
- When you investigate in CTR (via CTIA's module)
- Created an OAuth2 client

* What is IROH-Auth? (overview)

This is a software subcomponent of /IROH/ taking care of:

+ /Authentication/ - provide a unique identifier for each user
+ /Authorization/ - decide what a user can or cannot do
+ /User Data Model/
+ /Tenancy (Org) Management/
+ /API Clients Management/
+ /OAuth2/, /OpenID Connect/ provider (half of IROH-Auth is dedicated to this)

* What is IROH-Auth? (technical)

/IROH-Auth/ is a set of /Services/ within /IROH/, some of them exposing HTTP APIs.

- Login
  + Login (core service + web API)
  + Org (service)
  + User (service + web API)
  + Scopes (service)
  + Auth Management (core service)
  + Invite (core service + web API)
  + Session (web API)
  + Profile (web API, =/whoami=)
  + SCIM Client (service)
  + IdP Migrate (core service + web API) /deprecated a few months ago/
  + Provision (service + web API) /used instead of IdP Migrate/
- OAuth2
  + OAuth2 (core service + web API)
  + OAuth2 Clients (core service + web API)
  + OAuth2 Clients Presets (service)
  + Grant Service (User's client authorizations)
- Admin
  + Auth Management (web API)
  + OAuth2 Clients Management (web API)

* History

1st goal: Login using AMP SAML (generate JWT). No DB of users!

2nd goal: Support OAuth2 (become an OAuth2 provider).

3rd goal: Support AMP and Threatgrid login (OpenID Connect). Become both an OAuth2 client and provider. Need Clients/Users/Orgs in DB!!!

OAuth2 RFC => OAuth2 GRANTS

- Authorization Code Grant (the classic)
- Client Grant (for scripts)
- Implicit Grant (for Single Page Applications, now deprecated)

4th goal: Support Account Activation => SCIM Client ...

- Become an OpenID Connect provider, made before the start of SecureX.
- OpenID Connect with SSE (we are the IdP now)

* Internal User Structure

* Cisco specificity
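As an added illustration of the three OAuth2 grants listed under History (example code written for this page, not IROH-Auth's implementation), the Python below models a minimal in-memory authorization server. It issues a single-use code for the Authorization Code Grant, serves scripts through the Client Credentials Grant, refuses the deprecated Implicit Grant (=response_type=token=), and rejects a client that asks for a grant it was not registered for. Client ids, secrets, redirect URIs and user names are constructed sample values; grant and error names follow RFC 6749.

```python
"""Minimal OAuth2 token/authorization endpoints (added example, not IROH code)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed client registry: a web app using the authorization code grant
# and a script using the client credentials grant. Secrets are sample values.
CLIENTS = {
    "webapp-client": {"secret": "webapp-secret",
                      "redirect_uris": {"https://app.example/cb"},
                      "grants": {"authorization_code"}},
    "script-client": {"secret": "script-secret",
                      "redirect_uris": set(),
                      "grants": {"client_credentials"}},
}


@dataclass
class AuthServer:
    # code -> (client_id, redirect_uri, subject, scope); each code is single use
    codes: dict = field(default_factory=dict)

    def _client_ok(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        # constant-time comparison so secret checking does not leak timing
        return client is not None and hmac.compare_digest(client["secret"], client_secret)

    def authorize(self, response_type, client_id, redirect_uri, subject, scope):
        """Authorization endpoint: after user consent, hand back a short-lived code.
        The implicit grant (response_type=token) is refused as deprecated."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            return {"error": "invalid_request"}
        if response_type != "code":            # covers "token" (implicit) and unknown types
            return {"error": "unsupported_response_type"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, subject, scope)
        return {"code": code}

    def token(self, form):
        """Token endpoint: form is the parsed application/x-www-form-urlencoded body."""
        client_id = form.get("client_id", "")
        if not self._client_ok(client_id, form.get("client_secret", "")):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant not in CLIENTS[client_id]["grants"]:
            return {"error": "unauthorized_client"}   # client not registered for this grant
        if grant == "authorization_code":
            rec = self.codes.pop(form.get("code"), None)  # pop: a replayed code fails
            if rec is None or rec[0] != client_id or rec[1] != form.get("redirect_uri"):
                return {"error": "invalid_grant"}
            return self._issue(subject=rec[2], scope=rec[3], client_id=client_id)
        if grant == "client_credentials":
            # no user involved: the token's subject is the client itself
            return self._issue(subject=client_id, scope=form.get("scope", ""), client_id=client_id)
        return {"error": "unsupported_grant_type"}

    def _issue(self, subject, scope, client_id):
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": scope, "sub": subject, "client_id": client_id}


def demo_authorization_code():
    """Returns (first token response, replay response) for the classic grant."""
    srv = AuthServer()
    step1 = srv.authorize("code", "webapp-client", "https://app.example/cb", "alice", "read")
    exchange = {"grant_type": "authorization_code", "code": step1["code"],
                "redirect_uri": "https://app.example/cb",
                "client_id": "webapp-client", "client_secret": "webapp-secret"}
    return srv.token(exchange), srv.token(exchange)


def demo_client_credentials():
    return AuthServer().token({"grant_type": "client_credentials", "scope": "read",
                               "client_id": "script-client", "client_secret": "script-secret"})


def demo_implicit_refused():
    return AuthServer().authorize("token", "webapp-client", "https://app.example/cb", "alice", "read")


def demo_wrong_grant_for_client():
    return AuthServer().token({"grant_type": "authorization_code", "code": "x",
                               "redirect_uri": "https://app.example/cb",
                               "client_id": "script-client", "client_secret": "script-secret"})


def demo_bad_secret():
    return AuthServer().token({"grant_type": "client_credentials",
                               "client_id": "script-client", "client_secret": "wrong"})


if __name__ == "__main__":
    first, replay = demo_authorization_code()
    print("code grant:", first["sub"], "| replay:", replay)
    print("client credentials:", demo_client_credentials()["sub"])
    print("implicit:", demo_implicit_refused())
```

The two checks worth noting for a reviewer of any provider are the ones in =token=: the code is consumed with =pop= so a second exchange fails with =invalid_grant=, and the client must be registered for the grant it requests so a script credential cannot redeem a user's authorization code. A production provider adds expiry on codes, scope validation against the client's presets, and refresh tokens on top of this skeleton.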