FIWARE Security OpenID 1.0

Description: This tutorial complements the previous Securing Access tutorial. This tutorial also secures access to a FIWARE application but using various OpenID Connect flows to authenticate users.

Authenticating Identities (Open-ID)

"Yes, your home is your castle, but it is also your identity and your possibility to be open to others.

— David Soul

Digital identities represent both the characteristics of people and the actions they carry out on the Internet. In order to secure an application it is necessary to authenticate that the identity is really who it says it is. In addition to OAuth 2.0, the FIWARE Keyrock generic enabler supports OpenID Connect (OIDC) to enable third-party applications to authenticate users. OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It enables to verify the identity of users and to obtain a basic profile about these users by using Json Web Tokens.

The OpenID Connect flows are build on the top of these three OAuth 2.0 grant flows:

Authorization and authentication are two completely different things. The first one allows or not to access certain data while the second one is about sign in. OAuth 2.0 enables authorization processes, but it lacks ways to identify and authenticate users. OIDC was created to solve OAuth 2.0 authentication issue. Either OAuth 2.0 and OIDC generate a token that identifies the user avoiding exposing the username and password. Particularly, OIDC generates a Json Web Token (JWT) that applications can intrinsically validate and obtain user information directly from itself.

:arrow_forward: Video: What is OpenID Connect?

Click on the image above to watch a video on OpenID connect and identity.

OAuth2 is a mechanism for granting access - specifically Authorization - Can I do this?). Technically, within the OAuth protocol there is no concept of Identity per-se and therefore it is not really designed for Authentication (I am User X) even if it is able to fulfil certain Authentication use cases such mobile app log in. OpenID provides an extension to OAuth2 enabling applications to obtain user information in a standard manner.

OpenID connect works across multiple entity providers (such as Keyrock) and is operated using JSON Web tokens. It adds an additional ID token to the response which holds some basic user information, additional user information can be requested from the standardized /userinfo endpoint.

OpenID connect requests follow a very similar flow to OAuth2 requests. They are distinguished by using the openid scope when making the initial request. The response contains an encoded JWT token holding elements described below:

name description
iss Issuer Identifier for the Issuer of the response.
sub Subject Identifier.
aud Audience(s) that this ID Token is intended for.
exp Expiration time.
iat Time at which the JWT was issued.

Other entries may also be added. The full OpenID specification can be found here

Standard Concepts of Json Web Tokens

A JSON Web Token (JWT) has the following structure:

  • Header. It identifies the algorithm used to sign the Json Web Token.
{
    "alg": "HS256",
    "typ": "JWT"
}
  • Payload. It contains user data, as well as information on when the token was created and who created it.
{
    "sub": "1234567890",
    "iss": "https://fiware-idm.com",
    "iat": 1516239022,
    "username": "Alice",
    "gravatar": true
}
  • Signature. It is generated as follows:
Crypto-Algorithm ( base64urlEncoding(header) + '.' + base64urlEncoding(payload), secret)

The JWT is the result of encoding each part using base64 and concatenating them with points. For instance:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaXNzIjoiaHR0cHM6Ly9maXdhcmUtaWRtLmNvbSIsImlhdCI6MTUxNjIzOTAyMiwidXNlcm5hbWUiOiJBbGljZSIsImdyYXZhdGFyIjp0cnVlfQ.dZ7z0u_4FZC7xiVQDtGAl7NRT0fK8_5hJqYa9E-4xGE

Architecture

This application adds OIDC-driven security into the existing Stock Management and Sensors-based application created in previous tutorials by using the data created in the first security tutorial and reading it programmatically. It will make use of one FIWARE component - the Keyrock Generic enabler. Keyrock uses its own MySQL database. This tutorial only focus on granting JWT by the use of OIDC. You can practice using the tokens to securely access sensor information in the tutorial Securing Access tutorial.

Therefore the overall architecture will consist of the following elements:

  • FIWARE Keyrock offer a complement Identity Management System including:
    • An OAuth2 authorization system for Applications and Users
    • An OIDC authentication system for Applications and Users
    • A site graphical frontend for Identity Management Administration
    • An equivalent REST API for Identity Management via HTTP requests
  • A MySQL database :
    • Used to persist user identities, applications, roles and permissions
  • The Stock Management Frontend does the following:
    • Displays store information
    • Shows which products can be bought at each store
    • Allows users to "buy" products and reduce the stock count.
    • Allows authorized users into restricted areas

Since all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run from exposed ports.

The necessary configuration information for adding security to the Stock Management Frontend can be found in the tutorial section of the associated docker-compose.yml file - only the relevant variables are shown below:

Tutorial Security Configuration

tutorial:
    image: fiware/tutorials.context-provider
    hostname: tutorial
    container_name: fiware-tutorial
    networks:
        default:
            ipv4_address: 172.18.1.7
    expose:
        - "3000"
        - "3001"
    ports:
        - "3000:3000"
        - "3001:3001"
    environment:
        - "DEBUG=tutorial:*"
        - "SECURE_ENDPOINTS=true"
        - "OIDC_ENABLED=true"
        - "WEB_APP_PORT=3000"
        - "KEYROCK_URL=http://localhost"
        - "KEYROCK_IP_ADDRESS=http://172.18.1.5"
        - "KEYROCK_PORT=3005"
        - "KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp"
        - "KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret"
        - "KEYROCK_JWT_SECRET=jsonwebtokenpass"
        - "CALLBACK_URL=http://localhost:3000/login"

The tutorial container is listening on two ports:

  • Port 3000 is exposed so we can see the web page displaying the Dummy IoT devices.
  • Port 3001 is exposed purely for tutorial access - so that cUrl or Postman can make Ultralight commands without being part of the same network.

The tutorial container is driven by environment variables as shown:

Key Value Description
DEBUG tutorial:* Debug flag used for logging
OIDC_ENABLED true Enable OpenID Connect in the tutorial
KEYROCK_CLIENT_ID tutorial-dckr-site-0000-xpresswebapp The Client ID defined by Keyrock for this application
KEYROCK_CLIENT_SECRET tutorial-dckr-site-0000-clientsecret The Client Secret defined by Keyrock for this application
KEYROCK_JWT_SECRET jsonwebtokenpass The JWT Secret defined by Keyrock for this application to validate id_tokens
CALLBACK_URL http://localhost:3000/login The callback URL used by Keyrock when a challenge has succeeded.

The other tutorial container configuration values described in the YAML file have been described in previous tutorials

Start Up

To start the installation, do the following:

git clone https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect.git
cd tutorials.Securing-Access-OpenID-Connect

./services create

Note The initial creation of Docker images can take up to three minutes

Thereafter, all services can be initialized from the command-line by running the services Bash script provided within the repository:

./services <command>

Where <command> will vary depending upon the exercise we wish to activate.

:information_source: Note: If you want to clean up and start over again you can do so with the following command:

bash ./services stop

Dramatis Personae

The following people at test.com legitimately have accounts within the Application

  • Alice, she will be the Administrator of the Keyrock Application
  • Bob, the Regional Manager of the supermarket chain - he has several store managers under him:
    • Manager1
    • Manager2
  • Charlie, the Head of Security of the supermarket chain - he has several store detectives under him:
    • Detective1
    • Detective2

The following people at example.com have signed up for accounts, but have no reason to be granted access

  • Eve - Eve the Eavesdropper
  • Mallory - Mallory the malicious attacker
  • Rob - Rob the Robber
For more details (Click to expand) | Name | eMail | Password | | ---------- | --------------------------- | -------- | | alice | `alice-the-admin@test.com` | `test` | | bob | `bob-the-manager@test.com` | `test` | | charlie | `charlie-security@test.com` | `test` | | manager1 | `manager1@test.com` | `test` | | manager2 | `manager2@test.com` | `test` | | detective1 | `detective1@test.com` | `test` | | detective2 | `detective2@test.com` | `test` | | Name | eMail | Password | | ------- | --------------------- | -------- | | eve | `eve@example.com` | `test` | | mallory | `mallory@example.com` | `test` | | rob | `rob@example.com` | `test` |

Two organizations have also been set up by Alice:

Name Description UUID
Security Security Group for Store Detectives security-team-0000-0000-000000000000
Management Management Group for Store Managers managers-team-0000-0000-000000000000

One application, with appropriate roles and permissions has also been created:

Key Value
Client ID tutorial-dckr-site-0000-xpresswebapp
Client Secret tutorial-dckr-site-0000-clientsecret
JWT Secret jsonwebtokenpass
URL http://localhost:3000
RedirectURL http://localhost:3000/login

To save time, the data creating users and organizations from the previous tutorial has been downloaded and is automatically persisted to the MySQL database on start-up so the assigned UUIDs do not change and the data does not need to be entered again.

The Keyrock MySQL database deals with all aspects of application security including storing users, password etc; defining access rights and dealing with OAuth2 authorization protocols. The complete database relationship diagram can be found here

To refresh your memory about how to create users and organizations and applications, you can log in at http://localhost:3005/idm using the account alice-the-admin@test.com with a password of test.

and look around.

OIDC Flows

FIWARE Keyrock complies with the OIDC standard described in OpenID Connect 1.0 and supports all three standard authentication flows defined there.

As OIDC is built on the top of OAuth 2.0, when making requests to the OAuth Token Endpoint, the Authorization header is built by combining the application Client ID and Client Secret credentials provided by the Keyrock separated by a : and base-64encoded. The value can be generated as shown:

echo tutorial-dckr-site-0000-xpresswebapp:tutorial-dckr-site-0000-clientsecret | base64
dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldAo=

Enable OpenID Connect

OpenID Connect can be enabled on a Keyrock's application either through the GUI or through the REST API.

GUI

Once signed-in, users are able to activate OIDC in their application through the edit web page.

The secret to be used when validating JSON Web Tokens can be found in the application information web page.

The JWT secret could be also refreshed by clicking on the "Reset secret" button in the OAuth2 credentials section.

REST API

Enabling OIDC can be also done when creating an application in Keyrock. It can be made via a POST request to the /v1/applications as described in Roles and Permissions tutorial, including the openid into the scope attribute.

curl -iX POST \
  'http://localhost:3005/v1/applications' \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' \
  -d '{
  "application": {
    "name": "Tutorial Application",
    "description": "FIWARE Application protected by OAuth2 and Keyrock",
    "redirect_uri": "http://tutorial/login",
    "url": "http://tutorial",
    "grant_type": [
      "authorization_code",
      "implicit",
      "password"
    ],
    "scope": "openid",
    "token_types": ["permanent"]
  }
}'

If the applications has been already created, this can also be done from the command-line by making a PATCH request.

curl -X PATCH \
  'http://localhost:3005/v1/applications/{{application-id}}' \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' \
  -d '{
  "application": {
    "scope": "openid"
  }
}'

Authorization Code Flow

The Authorization Code flow can be adapted to support authentication mechanisms. OIDC does not modify the flow of the authorization code itself but simply adds a parameter to the request to the Authorization endpoint as we will see below. The response returns an access-code which can be exchanged for an id_token which then identifies the user.

This is an example of the sort of flow used when a third party (such as Travis-CI) asks you to log in using your GitHub account. Travis never gains access to your password, but does receive details that you are who you claim to be from GitHub.

Authorization Code - Sample Code

A user must first be redirected to Keyrock, requesting a code, oa.getAuthorizeUrl() is returning a URL of the form /oauth/authorize?response_type=code&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}}&scope=openid

The value "openid" is included in the scope parameter of the request to indicate to Keyrock that this is an OIDC request. The state value in this tutorial could be "oauth2" and "oic". This value indicates how to manage the answers coming from Keyrock

function authCodeOICGrant(req, res) {
    const path = oa.getAuthorizeUrl("code", "openid", "oic");
    return res.redirect(path);
}

The after the User authorizes access, the response is received by the redirect_uri and is handled in the code below, a interim access code is received from Keyrock and second request must be made to obtain a usable id_token.

function authCodeOICGrantCallback(req, res) {
    return oa
        .getOAuthAccessToken(req.query.code, "authorization_code")
        .then(results => {
            return getUserFromIdToken(req, results.id_token);
        })
        .then(user => {
            // Store user
        });
}

The id_token is just a JWT that we can validate using the JWT Secret that we have preconfigured in the application through the environment variables and obtain the user information from that id_token.

function getUserFromIdToken(req, idToken) {
    return new Promise(function(resolve, reject) {
        jwt.verify(idToken, jwtSecret, function(error, decoded) {
            // Decoded --> Json with user, token and issuer information
        });
    });
}

The decoded json is return as shown:

{
    "organizations": [],
    "displayName": "",
    "roles": [],
    "app_id": "tutorial-dckr-site-0000-xpresswebapp",
    "trusted_apps": [],
    "isGravatarEnabled": false,
    "email": "alice-the-admin@test.com",
    "id": "aaaaaaaa-good-0000-0000-000000000000",
    "app_azf_domain": "",
    "username": "alice",
    "trusted_applications": [],
    "iss": "https://fiware-idm.com",
    "sub": "aaaaaaaa-good-0000-0000-000000000000",
    "aud": "tutorial-dckr-site-0000-xpresswebapp",
    "exp": 1516238462,
    "iat": 1516239022
}

Authorization Code - Running the Example

It is possible to invoke the Authorization Code grant flow programmatically, by bringing up the page http://localhost:3000/ and clicking on the Authorization Code Button

The user is initially redirected to Keyrock, and must log in

The user must then authorize the request

The response displays the user on the top right of the screen, details of the token are flashed onto the screen:

Note Unless you deliberately log out of Keyrock > http://localhost:3005, the existing Keyrock session which has already permitted access will be used for subsequent authorization requests, so the Keyrock login screen will not be shown again.

Implicit Flow

The Implicit flow can also be adapted to support authentication mechanisms. As well as in the authorization code grant, OIDC does not modify the flow but changes the response_type of the requests. This flow returns an id_token directly rather than returning an interim access-code. This is less secure than the Authcode flow but can be used in some client-side applications

Implicit Flow - Sample Code

A user must first be redirected to Keyrock, requesting a token, oa.getAuthorizeUrl() is returning a URL of the form /oauth/authorize?response_type=id_token&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}} Note that to follow an OIDC flow the response type is "id_token".

function implicitOICGrant(req, res) {
    const path = oa.getAuthorizeUrl("id_token", null, "oic");
    return res.redirect(path);
}

The after the User authorizes access, the response is received by the redirect_uri and is handled in the code below, a usable access token is received from Keyrock

function implicitOICGrantCallback(req, res) {
    return getUserFromIdToken(req, req.query.id_token).then(user => {
        // Store User and return
    });
}

The id_token is just a JWT that we can validate using the JWT Secret as it was explained in the authorization code section.

Implicit Flow - Running the Example

It is possible to invoke the Implicit grant flow programmatically, by bringing up the page http://localhost:3000/ and clicking on the Implicit Grant Button

The user is initially redirected to Keyrock, and must log in

The user must then authorize the request

The response displays the user on the top right of the screen, details of the token are also flashed onto the screen:

Note Unless you deliberately log out of Keyrock > http://localhost:3005, the existing Keyrock session which has already permitted access will be used for subsequent authorization request.

Hybrid Flow

The Hybrid flow combines the authorization code and the implicit grant. It could be useful to parallelize process in the frontend and the backend of applications. The flow is similar to the authorization code grant but in this case tokens are generated in both authorization and token endpoint.

Hybrid - Sample Code

A user must first be redirected to Keyrock, requesting a code, oa.getAuthorizeUrl() is returning a URL of the form /oauth/authorize?response_type=code id_token token&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}}&scope=openid Note that in a hybrid flow is required to include all the response_types: code, token and id_token. In the first request this will generate an authorization code, an access token and an id_token. If we also include the scope "openid", when using authorization code previously generated, Keyrock generates a new access token and a new id_token.

function hybridOICGrant(req, res) {
    const path = oa.getAuthorizeUrl("code id_token token", "openid", "oic");
    return res.redirect(path);
}

The after the User authorizes access, the response is received by the redirect_uri and is handled in the code below, a interim access code is received from Keyrock and second request must be made to obtain a usable id_token.

function authCodeOICGrantCallback(req, res) {
    return oa
        .getOAuthAccessToken(req.query.code, "hybrid")
        .then(results => {
            return getUserFromIdToken(req, results.id_token);
        })
        .then(user => {
            // Store User and return
        });
}

The id_token is just a JWT that we can validate using the JWT Secret as it was explained in the authorization code section.

Hybrid - Running the Example

It is possible to invoke the Hybrid flow programmatically, by bringing up the page http://localhost:3000/ and clicking on the Authorization Code Button

The user is initially redirected to Keyrock, and must log in

The user must then authorize the request

The response displays the user on the top right of the screen, details of the token are flashed onto the screen:

Note Unless you deliberately log out of Keyrock > http://localhost:3005, the existing Keyrock session which has already permitted access will be used for subsequent authorization requests, so the Keyrock login screen will not be shown again.