ADD AUTHENTICATION TO ANY APPLICATION Aaron Parecki @aaronpk - PowerPoint PPT Presentation



  1. ADD AUTHENTICATION TO ANY APPLICATION Aaron Parecki • @aaronpk • aaronpk.com Developer Advocate at Okta • @oktadev

  2. oauth.net

  3. oauth2simplified.com

  4. avocado.lol

  5. avocado.lol

  6. avocado.lol wiki.avocado.lol

  7. avocado.lol Public Internet Private Network wiki.avocado.lol

  8. avocado.lol wiki.avocado.lol User Database Public Internet

  9. avocado.lol stats.avocado.lol wiki.avocado.lol User Database

  10. avocado.lol wiki.avocado.lol stats.avocado.lol User Database .htpasswd

  11. avocado.lol wiki.avocado.lol stats.avocado.lol ci.avocado.lol User Database .htpasswd GitHub Auth

  12. USER MANAGEMENT
      ▸ Add the user to the wiki account database
      ▸ Add the password to the .htpasswd file
      ▸ Add the user to the GitHub organization

  13. avocado.lol wiki.avocado.lol stats.avocado.lol ci.avocado.lol SAML Plugin .htpasswd SAML Plugin ?? SAML LDAP Database

  14. There must be a better way!

  15. ngx_http_auth_request_module

  16. http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

  17. (Diagram) avocado.lol, login.avocado.lol, wiki.avocado.lol, stats.avocado.lol, ci.avocado.lol: steps 1, 2, 3, with a sub-request to login.avocado.lol

  18. Enable the auth subrequest:

      location / {
          auth_request /validate;        # send the subrequest to /validate
          ...
      }

      location = /validate {
          proxy_pass ...;                # pass the subrequest to this backend
          proxy_pass_request_body off;   # we don't care about the request body
          proxy_set_header Content-Length "";
          proxy_set_header X-Original-URI $request_uri;
      }

  19. ? avocado.lol login.avocado.lol wiki.avocado.lol stats.avocado.lol ci.avocado.lol

  20. LASSO github.com/LassoProject

  21. LASSO
      ▸ A microservice written in Go
      ▸ Supports a variety of OAuth/OIDC authentication mechanisms
      ▸ Configurable session cookie lifetime
      ▸ Handles the nginx auth_module subrequest, returning HTTP 200 or 401
      ▸ Uses a JWT cookie for fast and stateless verification

  22. NGINX CONFIG

      server {
          listen 443 ssl http2;
          server_name stats.avocado.lol;
          auth_request /lasso-validate;   # send the subrequest here
          …
      }

  23.

      server {
          listen 443 ssl http2;
          server_name stats.avocado.lol;

          auth_request /lasso-validate;
          auth_request_set $auth_user $upstream_http_x_lasso_user;

          location = /lasso-validate {
              # this is the address that Lasso is listening on
              proxy_pass http://127.0.0.1:9090/validate;
              proxy_pass_request_body off;
              proxy_set_header Content-Length "";
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              # these return values are passed to the @error401 call
              auth_request_set $auth_resp_jwt $upstream_http_x_lasso_jwt;
              auth_request_set $auth_resp_err $upstream_http_x_lasso_err;
              auth_request_set $auth_resp_failcount $upstream_http_x_lasso_failcount;
          }

          # when Lasso says they are not logged in, redirect to the login URL
          error_page 401 = @error401;
          location @error401 {
              return 302 https://login.avocado.lol/login?url=https://$http_host$request_uri&lasso-failcount=$auth_resp_failcount&X-Lasso-Token=$auth_resp_jwt&error=$auth_resp_err;
          }
      }

  24. NGINX CONFIG

      server {
          listen 443 ssl http2;
          # the public hostname of the Lasso server
          server_name login.avocado.lol;
          ssl_certificate /etc/letsencrypt/live/login.avocado.lol/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/login.avocado.lol/privkey.pem;

          # Proxy to your Lasso instance
          location / {
              proxy_set_header Host login.avocado.lol;
              proxy_set_header X-Forwarded-Proto https;
              # this is the address that Lasso is listening on
              proxy_pass http://127.0.0.1:9090;
          }
      }

  25-28. (Diagram, built up over four slides) avocado.lol login.avocado.lol wiki.avocado.lol stats.avocado.lol ci.avocado.lol

  29. https://stats.avocado.lol/ redirecting to… https://login.avocado.lol/login?url=https://stats.avocado.lol/…

  30. https://login.avocado.lol/login?url=https://stats.avocado.lol/ redirecting to… https://accounts.google.com/login…

  31. https://accounts.google.com/?…. to continue to login.avocado.lol Aaron Parecki aaronpk@avocado.lol

  32. https://login.avocado.lol/callback?code=azsyxuqmdkfhgpw redirecting to… https://stats.avocado.lol/

  33. https://stats.avocado.lol/ (stats chart, April to July)

  34. (Sequence diagram: Nginx, Lasso, Google)
      Browser -> Nginx:   GET stats.avocado.lol
      Nginx   -> Lasso:   GET login.avocado.lol/validate
      Lasso   -> Nginx:   401 Not Authorized
      Nginx   -> Browser: 302 login.avocado.lol
      Browser -> Lasso:   GET login.avocado.lol (Lasso login)
      Lasso   -> Browser: 302 accounts.google.com/oauth/authorize
      Browser -> Google:  GET accounts.google.com/oauth/authorize (Google OAuth)
      Google  -> Browser: 302 login.avocado.lol/callback?code=x
      Browser -> Lasso:   GET login.avocado.lol/callback?code=x
      Lasso   -> Google:  POST accounts.google.com/oauth/token
      Google  -> Lasso:   { "user": "username@avocado.lol" }
      Lasso   -> Browser: 302 stats.avocado.lol, Cookie: Lasso-Session: eyJ... (Lasso session begins)
      Browser -> Nginx:   GET stats.avocado.lol
      Nginx   -> Lasso:   GET login.avocado.lol/validate
      Lasso   -> Nginx:   200 OK (Authorized!)
      Nginx   -> Browser: 200 OK

  35. LASSO USE CASES
      ▸ Restrict to email address domain name (e.g. Google Apps accounts)
      ▸ Allow all users if they can authenticate (e.g. your own OAuth/OpenID Connect server)
      ▸ Public access, authenticate for additional privileges (e.g. read-only public wiki, log in to edit)

  36. CONFIGURING LASSO - GOOGLE APPS DOMAIN

      # config.yml
      lasso:
        listen: 127.0.0.1
        port: 9090
        publicAccess: false     # require authentication on every request
        allowAllUsers: false    # allow only users at the domains below
        domains:
          - avocado.lol         # allow users with email addresses at this domain
      oauth:
        provider: google
        client_id: 144124...
        client_secret: u_eWvYCtD
        callback_urls:
          - https://login.avocado.lol/auth
        preferredDomain: avocado.lol
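As an added example (not Lasso's code and not from the talk), here is the decision behind the /validate subrequest written in Go, Lasso's language: it verifies an HS256-signed session cookie with a server-side key, rejects expired tokens, and applies the domains allow-list from the config above, returning the status nginx's auth_request sees together with the X-Lasso-User or X-Lasso-Err value. The Claims layout, the cookie format and the function names are assumptions, not Lasso's real ones.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

var b64 = base64.RawURLEncoding

// Claims is the part of the session token this example reads (an assumed layout, not Lasso's).
type Claims struct {
	Email string `json:"email"`
	Exp   int64  `json:"exp"` // expiry, Unix seconds
}

// hs256 is HMAC-SHA256 over a JWT signing input ("header.payload"); the login side signs with it.
func hs256(input string, secret []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// Validate is the decision behind the /validate subrequest: the status nginx's auth_request
// sees (200 or 401) plus the header value sent with it (X-Lasso-User or X-Lasso-Err). The
// token's alg header is never consulted, so an "alg":"none" forgery just fails the HMAC check.
func Validate(cookie string, secret []byte, domains []string, now int64) (int, string) {
	p := strings.Split(cookie, ".")
	if len(p) != 3 {
		return 401, "malformed session token"
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, hs256(p[0]+"."+p[1], secret)) {
		return 401, "bad signature" // rejected before the payload is even parsed
	}
	var c Claims
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return 401, "bad payload"
	}
	if now >= c.Exp {
		return 401, "session expired"
	}
	for _, d := range domains { // the config's "domains:" allow-list (allowAllUsers: false)
		if strings.HasSuffix(strings.ToLower(c.Email), "@"+strings.ToLower(d)) {
			return 200, c.Email
		}
	}
	return 401, "user not allowed"
}
```

With publicAccess: false, a 401 from this function is what makes nginx fall through to the @error401 redirect in the config above.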

  37. CONFIGURING LASSO - CUSTOM OPENID SERVER

      # config.yml
      lasso:
        listen: 127.0.0.1
        port: 9090
        publicAccess: false     # require authentication on every request
        allowAllUsers: true     # allow any user at the OAuth server
      oauth:                    # custom OpenID Connect server configuration
        provider: oidc
        client_id: 014223
        client_secret: JKLOL
        auth_url: https://dev-442449.oktapreview.com/oauth2/default/v1/authorize
        token_url: https://dev-442449.oktapreview.com/oauth2/default/v1/token
        user_info_url: https://dev-442449.oktapreview.com/oauth2/default/v1/userinfo
        scopes:
          - openid
          - email
          - profile
        callback_url: https://login.avocado.lol/auth

  38. CONFIGURING LASSO - WORDPRESS SERVER

      # config.yml
      lasso:
        listen: 127.0.0.1
        port: 9090
        publicAccess: false     # require authentication on every request
        allowAllUsers: true     # allow any user who can log in to this WordPress
      oauth:                    # WordPress OAuth server configuration
        provider: indieauth
        client_id: https://login.avocado.lol/
        auth_url: https://wordpress.avocado.lol/wp-json/indieauth/1.0/auth
        callback_url: https://login.avocado.lol/auth

  39. https://stats.avocado.lol/ redirecting to… https://login.avocado.lol/login?url=https://stats.avocado.lol/…

  40. https://login.avocado.lol/login?url=https://stats.avocado.lol/ redirecting to… https://wordpress.avocado.lol/wp-login.php?…

  41. https://wordpress.avocado.lol/wp-login.php?….

  42. https://login.avocado.lol/callback?code=azsyxuqmdkfhgpw redirecting to… https://stats.avocado.lol/

  43. https://stats.avocado.lol/ (stats chart, April to July)

  44. CONFIGURING LASSO - PUBLIC ACCESS WITH GITHUB LOGIN

      # config.yml
      lasso:
        listen: 127.0.0.1
        port: 9090
        publicAccess: true      # allow requests even without authentication
        allowAllUsers: true     # anyone with a GitHub account can log in
      oauth:
        provider: github
        client_id:              # configure GitHub credentials
        client_secret:
        auth_url: https://github.com/login/oauth/authorize
        token_url: https://github.com/login/oauth/access_token
        scopes:
          - user
        user_info_url: https://api.github.com/user?access_token=

  45. https://stats.avocado.lol/ Log In (stats chart, April to July)

  46. https://stats.avocado.lol/ redirecting to… https://login.avocado.lol/login?url=https://stats.avocado.lol/…

  47. https://login.avocado.lol/login?url=https://stats.avocado.lol/ redirecting to… https://wordpress.avocado.lol/wp-login.php?…

  48. https://github.com/login/oauth/authorize?….

  49. https://login.avocado.lol/callback?code=azsyxuqmdkfhgpw redirecting to… https://stats.avocado.lol/

  50. https://stats.avocado.lol/ Logged in as @aaronpk (stats chart, April to July)

  51. WHO LOGGED IN?

      server {
          ...
          auth_request_set $auth_user $upstream_http_x_lasso_user;
          ...
          fastcgi_param REMOTE_USER $auth_user;
          # or
          proxy_set_header Remote-User $auth_user;
          ...
      }

      <?php
      // REMOTE_USER is set by nginx from Lasso's X-Lasso-User header, not by the client
      if (!empty($_SERVER['REMOTE_USER'])) {
          echo 'Hello, ' . htmlspecialchars($_SERVER['REMOTE_USER']) . '!';
      } else {
          echo 'Not logged in';
      }
