2. Who am I?
Solutions Architect
For DeARX
Based in our Cape Town office
Christhonie Geldenhuys
3. Topics
A practical view based on our experience with distributed computing
► A look at modern distributed systems
► Authentication
► Creating a seamless experience
► Leveraging Social login
► Additional factors
► Identity Management
► A single view
► Personal data and consent
► Authorisation
► Rate limiting or throttling
9. Key considerations remain the same
► Who is accessing the system? – Authentication
► What can they do? – Authorization
► When/how often can they do it? – Throttling
16. Benefits of this approach
► A single mechanism for authentication
► Common and shared across all applications
► User information in one place
► Easy to maintain
► Can leverage proven security standards
Using an Identity Server provides:
► Central login mechanism
► Customised registration flow
► Customised approval flows
► Advanced authentication techniques
17. Single Sign-On
Single Sign-On applications have the following characteristics:
► Static, well-known URL – i.e. http://logon.acme.com
► Authentication session is maintained at this URL:
► Using cookies to identify the session
► Redirect mechanisms are used to redirect to and from this app
Benefits
► This enables the authentication session to span multiple applications.
► Login once for a range of applications.
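The redirect-and-cookie mechanism described on this slide, as an added walkthrough that is not part of the original deck: a logon application keeps the session cookie, relying apps redirect to it, and it redirects back with a short-lived signed ticket bound to the requesting app. The logon URL, app ids, callback URLs, the `correct-horse` credential and the shared secret are all constructed for the example; a real deployment would use the identity server's own login and an OIDC/SAML assertion rather than this hand-rolled ticket.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical values for the walkthrough.
SECRET = b"constructed-demo-secret-do-not-reuse"  # shared between logon app and relying apps
REGISTERED_APPS = {  # app id -> the only callback URL we will ever redirect to
    "crm": "https://crm.acme.example/callback",
    "billing": "https://billing.acme.example/callback",
}


class LogonServer:
    """The single, well-known logon application; it owns the authentication session cookie."""

    def __init__(self):
        self._sessions = {}  # cookie value -> username

    def login(self, username, password):
        # Hypothetical credential check; a real deployment defers to the identity store.
        if password != "correct-horse":
            return None
        cookie = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[cookie] = username
        return cookie

    def authenticate(self, app_id, cookie, now=None):
        """Reached by redirect from an app. Returns ("login", None) when there is no
        session, otherwise ("redirect", url) carrying a short-lived signed ticket."""
        if app_id not in REGISTERED_APPS:
            raise ValueError("unknown app")  # never redirect to an unregistered URL
        user = self._sessions.get(cookie)
        if user is None:
            return "login", None
        ticket = {"sub": user, "aud": app_id, "exp": int(now or time.time()) + 60}
        body = json.dumps(ticket, separators=(",", ":")).encode()
        sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        return "redirect", REGISTERED_APPS[app_id] + "?" + urlencode({"ticket": body.hex(), "sig": sig})


def consume_ticket(app_id, redirect_url, now=None):
    """Relying-app callback: checks signature, audience and expiry before trusting the ticket."""
    qs = parse_qs(urlparse(redirect_url).query)
    body = bytes.fromhex(qs["ticket"][0])
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, qs["sig"][0]):
        return None
    ticket = json.loads(body)
    if ticket["aud"] != app_id or ticket["exp"] <= (now or time.time()):
        return None  # ticket minted for another app, or stale
    return ticket["sub"]


def sso_walkthrough():
    """Login once at the logon server, then reach two apps without a second prompt."""
    sso = LogonServer()
    first, _ = sso.authenticate("crm", cookie=None)       # first visit: no session yet
    cookie = sso.login("alice", "correct-horse")          # the one interactive login
    state, url = sso.authenticate("crm", cookie)          # back to crm with a ticket
    state2, url2 = sso.authenticate("billing", cookie)    # billing: cookie already present
    return {
        "first": first, "crm_state": state, "crm_user": consume_ticket("crm", url),
        "billing_state": state2, "billing_user": consume_ticket("billing", url2),
        "cross_app": consume_ticket("crm", url2),          # billing ticket replayed at crm
    }
```

The two checks that matter for a defender are in `authenticate` and `consume_ticket`: the logon app only ever redirects to a callback it has registered, and each app rejects a ticket whose audience is another app, so one login session does not become one bearer credential valid everywhere.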
18. Implementation considerations
► Users and Groups now become a central responsibility
► Roles remain an application concern
► Share information via API or claims.
How do we separate the various identity objects?
19. Social Login – Use cases
► End-users – removes the need to create yet another account
► Occasional or temporary workers – i.e. contractors, who do not need the benefits of corporate-wide access control groups / roles
21. What is POPI
► The Protection of Personal Information Act will regulate the Processing of Personal Information.
► Personal Information broadly means any information relating to an identifiable, living natural person or juristic person (companies, CC’s etc.) and includes, but is not limited to:
► contact details: email, telephone, address etc.
► demographic information: age, gender, race, birth date, ethnicity etc.
► history: employment, financial, educational, criminal, medical history
► biometric information: blood type etc.
► opinions of and about the person
► private correspondence etc.
► Processing means broadly anything that can be done with the Personal Information, including collection, usage, storage, dissemination, etc.
22. Personal information as a service
What if…
► We can access personal data from a central source
► Information is stored once.
► Easy to add, change or remove in one place.
► Central access control
► Provide a customer self-help portal to view or change data.
► Get user consent to determine who can use it.
23. Personal information capture
► Initial user / customer information is captured as part of the registration process.
► Additional user information can also be stored here over time.
24. Personal information distribution
Obtaining the user's consent is one of the fundamental requirements of personal information regulation.
WSO2 Identity Server facilitates this through its Consent Management features.
25. Support in WSO2 Identity Server
Consent Management
► Self-help profile creation, user provisioning to other systems, sharing of user attributes through SSO, and identity federation are all based on user consent
► Users can review, modify, and revoke previously given consent via the
self-care user portal or RESTful Consent API
► Consent API can also be used to integrate WSO2 IS consent management
capabilities with existing applications
► WSO2 IS can be used to manage consent of any 3rd party application via the
RESTful Consent API
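Slides 22 to 25 describe one idea from different angles: personal data lives in one place, and any release of it to an application is gated by consent the user can review and revoke. The block below is an added illustration of that policy, not WSO2's consent model or Consent API; the profile data, attribute names and app ids are constructed.

```python
import time

# Constructed sample profile held by the central identity store (not real data).
PROFILE = {
    "alice": {
        "email": "alice@example.test",
        "phone": "+27-00-000-0000",
        "birth_date": "1990-01-01",
        "employer": "Acme",
    },
}


class ConsentStore:
    """Records which attributes each user has agreed to share with each application."""

    def __init__(self):
        self._consents = {}  # (user, app) -> {attribute: granted_at}

    def grant(self, user, app, attributes, now=None):
        record = self._consents.setdefault((user, app), {})
        for attr in attributes:
            record[attr] = now if now is not None else time.time()

    def revoke(self, user, app, attributes=None):
        """Revoke some attributes, or everything for that app when attributes is None."""
        record = self._consents.get((user, app), {})
        for attr in (attributes if attributes is not None else list(record)):
            record.pop(attr, None)

    def review(self, user):
        """What the self-care portal would show: app -> attributes currently consented."""
        return {app: sorted(attrs)
                for (u, app), attrs in self._consents.items() if u == user and attrs}

    def consented(self, user, app):
        return set(self._consents.get((user, app), {}))


def release_claims(store, user, app, requested):
    """Attribute release for SSO / federation: only attributes that are both requested
    by the app and consented to by the user leave the store. No consent means an empty
    claim set, never a fallback to the full profile."""
    allowed = store.consented(user, app) & set(requested)
    profile = PROFILE.get(user, {})
    return {attr: profile[attr] for attr in allowed if attr in profile}
```

Storing consent per (user, app, attribute) rather than a single yes/no is what makes partial revocation and the "review what I shared" view possible; it also means a new application gets nothing until the user is asked.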
28. OAuth to the rescue
WSO2 Identity Server includes support for the popular OAuth standards.
29. API Manager as a first line of defence
API Manager helps by offloading token checking to the point of ingress.
30. Who is this? – Access tokens
When using Access Tokens…
We might want to check who is using this token:
► For display of user name perhaps
► For additional authorization decisions
► Per operation, per business record, etc.
31. Access token lookup
► Use the API to validate/look up token claims.
► Cache the token for its validity period.
► Store the principal and claims as part of the cache.
(Diagram: token validation lookup)
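The three bullets above, turned into an added example that is not code from the deck or from WSO2: an opaque access token is validated through a lookup call, and the principal and claims are cached until the token expires (capped by a maximum cache age so a revoked token is noticed within a bounded time). The `introspect` function stands in for the identity server's validation API and returns constructed data; the token values and claims are invented for the example.

```python
import hashlib
import time


def introspect(token):
    """Stand-in for the identity server's token validation API (constructed responses)."""
    known = {
        "tok-alice": {"active": True, "sub": "alice", "scope": "orders:read", "exp": 1_700_000_600},
        "tok-revoked": {"active": False},
    }
    return known.get(token, {"active": False})


class TokenCache:
    """Caches successful lookups for the token's remaining validity, at most max_ttl seconds."""

    def __init__(self, lookup, clock=time.time, max_ttl=300):
        self._lookup = lookup
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._max_ttl = max_ttl  # upper bound on how long a revocation can go unnoticed
        self._entries = {}       # sha256(token) -> (expires_at, principal, claims)
        self.lookups = 0         # number of calls that actually reached the identity server

    def validate(self, token):
        """Return (principal, claims) for an active token, or (None, None)."""
        key = hashlib.sha256(token.encode()).hexdigest()  # never key the cache on the raw token
        now = self._clock()
        hit = self._entries.get(key)
        if hit and hit[0] > now:
            return hit[1], hit[2]
        self._entries.pop(key, None)  # stale entry, drop it and ask again
        self.lookups += 1
        result = self._lookup(token)
        if not result.get("active") or result.get("exp", 0) <= now:
            return None, None  # negative results are not cached: a later re-issue must be seen
        expires_at = min(result["exp"], now + self._max_ttl)
        claims = {k: v for k, v in result.items() if k != "active"}
        self._entries[key] = (expires_at, result["sub"], claims)
        return result["sub"], claims
```

Hashing the token before using it as a cache key keeps bearer credentials out of memory dumps and log lines that print cache contents; the `max_ttl` cap is the trade-off between lookup load and how quickly a revocation takes effect at the gateway.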
33. Access Token or JWT?
Access Token
Benefits
► Small, simple
► Ideal for a smaller number of sessions and “chatty” interfaces.
Drawbacks
► Requires lookup
► Mitigated through caching
JWT
Benefits
► Self-contained, stateless
► Verification can be self-contained, or via lookup (remember to cache)
Drawbacks
► Large (sometimes larger than the payload). Not ideal for:
► “Chatty” APIs
► Expensive networks, i.e. Mobile, Satellite, IoT
34. Trust your services
It is vital to verify the communication path and the authenticity of your identity / authentication infrastructure.
Identify your infrastructure:
► Use HTTPS!
► Check the certificates!
Consider using certificate chains.
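"Use HTTPS" and "check the certificates" are easy to undo with one line when a private CA is involved. As an added example (not from the deck), the first function builds the TLS context a service should use when calling the identity server, optionally trusting a private CA chain file; the second is a small guard for configuration review; the third is the weak setting the guard exists to catch. The CA bundle path is hypothetical.

```python
import ssl


def identity_server_context(ca_bundle=None):
    """Context for outbound calls to token/identity endpoints. `ca_bundle` is an optional
    PEM file holding your private CA chain (hypothetical path); None means the platform
    trust store. The chain is verified and the hostname must match the certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_strict(ctx):
    """True only if the context verifies the certificate chain, checks the name, and
    refuses pre-1.2 TLS. Useful as a startup assertion in a service."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def weak_context():
    """The setting reached for when a self-signed certificate 'does not work': no
    verification at all. Shown so that is_strict has something to reject."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Pass the strict context to whatever client you use (for example `http.client.HTTPSConnection(host, context=ctx)`), and put `assert is_strict(ctx)` in service startup so a debugging shortcut cannot reach production unnoticed.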
35. Which OAuth flow / grant type?
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
Use the online decision tree to determine which OAuth flow is best for your application.
37. Rate limiting – Why and how
► Limit access to APIs using the various rate limiting filters.
► Absolute limits or support for burst traffic.
► API manager continuously monitors the traffic and limits.
► API suspension is implemented when limits are reached.
► Rather stop them at the gate than try to deal with load while under load.
► Suspension returns pre-defined error codes (customisable).
► API auto-resumes after predefined period(s).
39. Summary
► Authentication as a service
► A seamless experience for the user, across multiple applications
► Identity as a service
► User/customer information in one place.
► Controlled access to that information.
► Authorization
► A mechanism to provide access to resources.
► Rate limiting
► To protect our systems from over-use and abuse.