# Created 2021-04-16 Fri 14:49
#+TITLE: IROH Auth Presentation
#+DATE: [2021-04-16 Fri]
#+AUTHOR: Yann Esposito

- tags :: [[file:2021-04-16--13-35-21Z--cisco.org][Cisco]]

* IROH Auth Presentation

Yann Esposito <yaesposi@cisco.com>

* When did you interact with IROH-Auth?

- Logged in to SecureX
- Logged in to CTR
- Logged in to Orbital
- Authorized the Ribbon
- Cross-launched with SSE
- Invited someone to your Org
- Changed the role of a user
- Investigated in CTR (via CTIA's module)
- Created an OAuth2 client

* What is IROH-Auth? (overview)

This is a software subcomponent of /IROH/ taking care of:

- /Authentication/
  - provides a unique identifier for each user
- /Authorization/
  - decides what a user can or cannot do
- /User Data Model/
- /Tenancy (Org) Management/
- /API Clients Management/
- /OAuth2/ and /OpenID Connect/ provider (half of IROH-Auth is dedicated to this)

* What is IROH-Auth? (technical)

/IROH-Auth/ is a set of /Services/ within /IROH/, some of them exposing
HTTP APIs.

- Login
  - Login (core service + web API)
  - Org (service)
  - User (service + web API)
  - Scopes (service)
  - Auth Management (core service)
  - Invite (core service + web API)
  - Session (web API)
  - Profile (web API, =/whoami=)
  - SCIM Client (service)
  - IdP Migrate (core service + web API) /deprecated a few months ago/
  - Provision (service + web API) /used instead of IdP Migrate/

- OAuth2
  - OAuth2 (core service + web API)
  - OAuth2 Clients (core service + web API)
  - OAuth2 Clients Presets (service)
  - Grant Service (user's client authorizations)

- Admin
  - Auth Management (web API)
  - OAuth2 Clients Management (web API)

* History (1/?) :ATTACH:

Login using AMP SAML (generates a JWT)

*SAML*

[[file:/Users/esposito/.org/.attach/da/b23b61-a766-4eda-a1e9-1d39258ef5c0/_20210416_144701IT%27s%20BAD%20IT%27s%20REALLY%20BAD.gif]]

Worked with Guillaume.

*No DB of users!*

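The early design on this slide, a SAML login that only mints a JWT with no user database behind it, as an added example that is not IROH-Auth's code: the subject and org come straight from the assertion and ride inside the signed token, so the token itself must carry and protect the identity. The sample assertion, attribute names, key and TTL are constructed for the example, and SAML signature and Conditions validation are assumed to have happened before this step.

```python
import base64, hashlib, hmac, json, time
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. In a real flow the SAML response signature and its
# Conditions (audience, NotOnOrAfter) are validated before any of this is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="org"><saml:AttributeValue>org-1234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def saml_to_claims(assertion_xml):
    """Subject and attributes of the assertion become the JWT claims (no user DB lookup)."""
    root = ET.fromstring(assertion_xml)
    sub = root.find("saml:Subject/saml:NameID", SAML_NS).text
    attrs = {a.get("Name"): a.find("saml:AttributeValue", SAML_NS).text
             for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return {"sub": sub, **attrs}

def mint_jwt(claims, key, ttl=3600, now=None):
    """HS256 JWT; the identity travels in the token because nothing is stored server side."""
    now = int(time.time()) if now is None else now
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header, body = compact({"alg": "HS256", "typ": "JWT"}), compact({**claims, "iat": now, "exp": now + ttl})
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token, key, now=None):
    """Return the claims if alg is HS256, the signature checks and exp is in the future, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":  # refuse "none" / alg confusion
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None
```

Because no user record exists, every check (expiry, signature, algorithm) has to be done on the token itself; there is nothing to revoke server side short of rotating the key.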
* History (2/?)

2nd goal: Support OAuth2 (become an OAuth2 provider)

3rd goal: Support AMP and Threat Grid login (OpenID Connect)

Become both an OAuth2 client and an OAuth2 provider.

Need Clients/Users/Orgs in the DB!!!

OAuth2 RFC => OAuth2 GRANTS

- Authorization Code Grant (the classic)
- Client Credentials Grant (for scripts)
- Implicit Grant (for Single Page Applications, now deprecated)

4th goal: Support Account Activation => SCIM Client

...

- Became an OpenID Connect provider (done before the start of SecureX).
- OpenID Connect with SSE (we are the IdP now)

* Internal User Structure

* Cisco specificity