deft/journal/2021-04-16--12-27-13Z--iroh_auth_presentation.org
2021-04-16 14:58:42 +02:00

IROH Auth Presentation

tags
Cisco

Yann Esposito <yaesposi@cisco.com>

When did you interact with IROH-Auth?

  • Login in SecureX
  • Login in CTR
  • Login in Orbital
  • Authorized the Ribbon
  • Cross Launch with SSE
  • Invited someone to your Org
  • Changed the role of some user
  • Investigated in CTR (via CTIA's module)
  • Created an OAuth2 client

What is IROH-Auth? (overview)

This is a software subcomponent of IROH taking care of:

  • Authentication

    • provides a unique identifier for each user
  • Authorization

    • decides what a user can or cannot do
  • User Data Model
  • Tenancy (Org) Management
  • API Clients Management
  • OAuth2, OpenID Connect provider (half of IROH-Auth dedicated to this)

What is IROH-Auth? (technical)

IROH-Auth is a set of services within IROH, some of which expose HTTP APIs.

  • Login

    • Login (core service + web API)
    • Org (service)
    • User (service + web API)
    • Scopes (service)
    • Auth Management (core service)
    • Invite (core service + web API)
    • Session (web API)
    • Profile (web API, /whoami)
    • SCIM Client (service)
    • IdP Migrate (core service + web API), deprecated a few months ago
    • Provision (service + web API), used instead of IdP Migrate
  • OAuth2

    • OAuth2 (core service + web API)
    • OAuth2 Clients (core service + web API)
    • OAuth2 Clients Presets (service)
    • Grant Service (User's client authorizations)
  • Admin

    • Auth Management (web API)
    • OAuth2 Clients Management (web API)

History (1/?)

Login using AMP SAML (generate JWT)

SAML

Worked with Guillaume.

No DB of users!

History (2/?)

2nd goal: Support OAuth2 (become an OAuth2 provider)

3rd goal: Support AMP and Threatgrid login (OpenID Connect)

Become both an OAuth2 client and provider.

Need Clients/Users/Orgs in DB!!!

OAuth2 RFC => OAuth2 GRANTS

  • Authorization Code Grant (the classic)
  • Client Credentials Grant (for scripts)
  • Implicit Grant (for Single Page Applications, now deprecated)
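As an added illustration (not IROH-Auth's own code; the client registry, endpoint functions and error strings are constructed for this example), a minimal in-memory OAuth2 provider that accepts the Authorization Code and Client Credentials grants, refuses the deprecated Implicit grant, and enforces single-use, short-lived codes bound to the requesting client and redirect URI:

```python
import secrets
import time

# Constructed sample client registry (hypothetical, not IROH-Auth's data model).
CLIENTS = {
    "ctr-web": {"secret": "s3cr3t", "redirect_uris": {"https://ctr.example/callback"}},
    "nightly-script": {"secret": "script-secret", "redirect_uris": set()},
}

_codes = {}  # code -> (client_id, redirect_uri, user_id, expiry)


def authorize(client_id, response_type, redirect_uri, user_id):
    """Authorization endpoint: only the Authorization Code grant is issued."""
    client = CLIENTS.get(client_id)
    # The redirect URI must be pre-registered for this client.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return None, "invalid_client_or_redirect"
    # response_type=token is the Implicit grant (deprecated): refused outright.
    if response_type != "code":
        return None, "unsupported_response_type"
    code = secrets.token_urlsafe(32)
    _codes[code] = (client_id, redirect_uri, user_id, time.time() + 60)
    return code, None


def token(grant_type, client_id, client_secret, code=None, redirect_uri=None):
    """Token endpoint for the Authorization Code and Client Credentials grants."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return None, "invalid_client"
    if grant_type == "client_credentials":
        # Machine-to-machine: the token's subject is the client itself.
        return {"access_token": secrets.token_urlsafe(32), "sub": client_id}, None
    if grant_type == "authorization_code":
        entry = _codes.pop(code, None)  # pop makes every code single-use
        if entry is None:
            return None, "invalid_grant"
        c_id, r_uri, user_id, expiry = entry
        # The code must be redeemed by the client it was issued to, with the
        # same redirect URI, before it expires.
        if c_id != client_id or r_uri != redirect_uri or time.time() > expiry:
            return None, "invalid_grant"
        return {"access_token": secrets.token_urlsafe(32), "sub": user_id}, None
    return None, "unsupported_grant_type"
```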

4th goal: Support Account Activation => SCIM Client

  • Become an OpenID Connect provider, made before the start of SecureX.
  • OpenID Connect with SSE (we are the IdP now)

Internal User Structure

Cisco specificity