IROH Auth Presentation
- IROH Auth
- When did you interact with IROH-Auth?
- What is IROH-Auth? (overview)
- What is IROH-Auth? (technical)
- History (1/?)
- History (2/?)
- Internal User Structure
- Cisco specificity
- tags
- Cisco
IROH Auth ATTACH
Yann Esposito <yaesposi@cisco.com>
When did you interact with IROH-Auth?
- Login in SecureX
- Login in CTR
- Login in Orbital
- Authorized the Ribbon
- Cross Launch with SSE
- Invited someone to your Org
- Changed the role of some user
- When you investigate in CTR (via CTIA's module)
- Created an OAuth2 client
What is IROH-Auth? (overview)
This is a software subcomponent of IROH taking care of:
- Authentication
  - provide a unique identifier for each user
- Authorization
  - decide what a user can or cannot do
- User Data Model
- Tenancy (Org) Management
- API Clients Management
- OAuth2, OpenID Connect provider (half of IROH-Auth is dedicated to this)
What is IROH-Auth? (technical)
IROH-Auth is a set of Services within IROH some of them exposing HTTP APIs.
- Login
  - Login (core service + web API)
  - Org (service)
  - User (service + web API)
  - Scopes (service)
  - Auth Management (core service)
  - Invite (core service + web API)
  - Session (web API)
  - Profile (web API, /whoami)
  - SCIM Client (service)
  - IdP Migrate (core service + web API), deprecated a few months ago
  - Provision (service + web API), used instead of IdP Migrate
- OAuth2
  - OAuth2 (core service + web API)
  - OAuth2 Clients (core service + web API)
  - OAuth2 Clients Presets (service)
  - Grant Service (users' client authorizations)
- Admin
  - Auth Management (web API)
  - OAuth2 Clients Management (web API)
History (1/?) ATTACH
Login using AMP SAML (generate JWT)
Worked with Guillaume.
No DB of users!
History (2/?)
2nd goal: Support OAuth2 (become an OAuth2 provider)
3rd goal: Support AMP and Threatgrid login (OpenID Connect)
Become both an OAuth2 client and provider.
Need Clients/Users/Orgs in DB!!!
OAuth2 RFC (RFC 6749) => OAuth2 grants
- Authorization Code Grant (the classic)
- Client Credentials Grant (for scripts)
- Implicit Grant (for Single Page Applications, now deprecated)
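As an added illustration of the three grants listed above (this is not IROH-Auth code, and the client ids, secrets, redirect URIs and scope names are made up), here is a minimal in-memory OAuth2 authorization server: the authorization endpoint issues single-use codes and refuses the deprecated implicit grant (`response_type=token`), the token endpoint authenticates every client and then serves either the authorization code grant (a user is behind the token) or the client credentials grant (a script acting as itself), and a `/whoami`-style lookup shows who a token acts for.

```python
"""Toy OAuth2 authorization server for the grants above.
Added example, not IROH-Auth code; every identifier below is hypothetical."""
import secrets
import time

# Constructed registered clients (hypothetical values, not real IROH clients).
CLIENTS = {
    "webapp": {"secret": "webapp-secret",
               "redirect_uris": ["https://app.example/cb"],
               "grants": {"authorization_code"}},
    "script": {"secret": "script-secret",
               "redirect_uris": [],
               "grants": {"client_credentials"}},
}
SCOPES = {"profile", "casebook", "enrich"}  # hypothetical scope names

_codes = {}   # authorization code -> {client_id, redirect_uri, user, scope, expires}
_tokens = {}  # access token -> {client_id, user, scope, expires}


def authorize(client_id, response_type, redirect_uri, scope, user):
    """Authorization endpoint, reached after the user logged in and consented.
    Only ever returns a code: the implicit grant (response_type=token) is refused."""
    client = CLIENTS.get(client_id)
    if client is None or "authorization_code" not in client["grants"]:
        raise PermissionError("unauthorized_client")
    if redirect_uri not in client["redirect_uris"]:
        raise PermissionError("invalid_redirect_uri")  # exact match, never a prefix match
    if response_type != "code":
        # 'token' would put the access token in the redirect URL fragment: deprecated
        raise PermissionError("unsupported_response_type")
    if not set(scope) <= SCOPES:
        raise PermissionError("invalid_scope")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "scope": set(scope), "expires": time.time() + 60}
    return code


def _authenticate_client(client_id, client_secret):
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    return client


def _issue(client_id, user, scope):
    tok = secrets.token_urlsafe(32)
    _tokens[tok] = {"client_id": client_id, "user": user,
                    "scope": scope, "expires": time.time() + 3600}
    return {"access_token": tok, "token_type": "Bearer",
            "expires_in": 3600, "scope": " ".join(sorted(scope))}


def token(grant_type, client_id, client_secret, **params):
    """Token endpoint: the client always authenticates, then grant-specific checks run."""
    client = _authenticate_client(client_id, client_secret)
    if grant_type not in client["grants"]:
        raise PermissionError("unauthorized_client")
    if grant_type == "authorization_code":
        entry = _codes.pop(params.get("code"), None)  # single use: pop, never get
        if entry is None or entry["expires"] < time.time():
            raise PermissionError("invalid_grant")
        if entry["client_id"] != client_id or entry["redirect_uri"] != params.get("redirect_uri"):
            raise PermissionError("invalid_grant")  # code is bound to client and redirect_uri
        return _issue(client_id, entry["user"], entry["scope"])
    if grant_type == "client_credentials":
        scope = set(params.get("scope", "").split()) & SCOPES
        return _issue(client_id, None, scope)  # no user: the client acts for itself
    raise PermissionError("unsupported_grant_type")


def whoami(access_token):
    """Profile-style lookup (compare /whoami above): who does this token act for?"""
    entry = _tokens.get(access_token)
    if entry is None or entry["expires"] < time.time():
        raise PermissionError("invalid_token")
    return {"client_id": entry["client_id"], "user": entry["user"],
            "scope": sorted(entry["scope"])}


if __name__ == "__main__":
    c = authorize("webapp", "code", "https://app.example/cb", ["profile"], "alice")
    t = token("authorization_code", "webapp", "webapp-secret",
              code=c, redirect_uri="https://app.example/cb")
    print(whoami(t["access_token"]))
    s = token("client_credentials", "script", "script-secret", scope="enrich")
    print(whoami(s["access_token"]))
```

The checks that matter for a provider are the ones that are easy to skip in a toy: the code is popped (so a replayed code fails), it is bound to both the client that obtained it and the redirect URI it was sent to, the redirect URI is matched exactly against the registration, and a script client registered only for client credentials cannot redeem an authorization code at all.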
4th goal: Support Account Activation => SCIM Client
…
- Become an OpenID Connect provider, made before the start of SecureX.
- OpenID Connect with SSE (we are the IdP now)