"Security of Microservice Applications" (original title: "Безопасность микросервисных приложений")
TRANSCRIPT
Page 2
What is this talk about?
• A bit of terminology and history
• OAuth2 and OpenID Connect: how they work
• IdentityServer/IdentityManager
• Architecture
• How to use it
• Examples
• Secure interaction between services
Page 3
Terminology
• Identification
• Authentication
• Authorization
Page 4
HTTP Basic Authentication
Page 5
HTTP Digest Authentication
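The two HTTP authentication schemes on the slides above, as an added example that is not part of the talk: both sides of the exchange in Python using only the standard library. The client builds the `Authorization` header (Basic is just base64 of `user:password`; Digest is the RFC 2617 `qop=auth` computation over MD5), and the server verifies it. The credential store, realm and nonce set are constructed for the example; the user, password, nonce and URI are the values from the worked example in RFC 2617, so the computed `response` can be checked against the RFC. Two things the slide titles do not say: Basic sends the password in clear on every request and is only acceptable over TLS, and Digest still requires the server to hold the password (or the precomputed `HA1`) and lets anyone who captures one response run an offline dictionary attack, which is why token-based schemes follow.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed credential store for the example (example only, not from the talk).
# The pair is the one used in the RFC 2617 worked example.
REALM = "testrealm@host.com"
USERS = {"Mufasa": "Circle Of Life"}

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def issue_nonce():
    """Server side: fresh unpredictable nonce for the WWW-Authenticate challenge."""
    return secrets.token_hex(16)


# --- client side -------------------------------------------------------------
def build_basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def build_digest_header(username, password, realm, nonce, method, uri,
                        nc="00000001", cnonce="0a4f113b"):
    ha1 = md5hex(f"{username}:{realm}:{password}")          # A1 = user:realm:password
    ha2 = md5hex(f"{method}:{uri}")                           # A2 = method:uri (qop=auth)
    response = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


# --- server side -------------------------------------------------------------
def check_basic(value, users):
    """Return the username on success, None otherwise."""
    try:
        user, sep, password = base64.b64decode(value, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = users.get(user)
    if not sep or expected is None:
        return None
    return user if hmac.compare_digest(expected.encode(), password.encode()) else None


def check_digest(value, users, method, uri, realm, issued_nonces):
    """Recompute the response from the stored password and compare in constant time."""
    p = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
         for m in _PARAM.finditer(value)}
    if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
        return None
    if p["realm"] != realm or p["uri"] != uri or p["nonce"] not in issued_nonces:
        return None  # wrong realm/URI, or a nonce this server never issued (forged or replayed)
    password = users.get(p["username"])
    if password is None:
        return None
    ha1 = md5hex(f'{p["username"]}:{realm}:{password}')
    ha2 = md5hex(f"{method}:{uri}")
    qop = p.get("qop")
    if qop == "auth" and "nc" in p and "cnonce" in p:
        expected = md5hex(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    elif qop is None:
        expected = md5hex(f'{ha1}:{p["nonce"]}:{ha2}')  # legacy RFC 2069 form, no qop
    else:
        return None  # auth-int and anything else is not handled here
    return p["username"] if hmac.compare_digest(expected, p["response"].lower()) else None


def authenticate(authorization, method, uri, users=USERS, realm=REALM, issued_nonces=frozenset()):
    """Dispatch on the scheme of an Authorization header; returns username or None."""
    scheme, _, value = authorization.strip().partition(" ")
    if scheme.lower() == "basic":
        return check_basic(value.strip(), users)
    if scheme.lower() == "digest":
        return check_digest(value.strip(), users, method, uri, realm, issued_nonces)
    return None


if __name__ == "__main__":
    nonce = issue_nonce()
    hdr = build_digest_header("Mufasa", "Circle Of Life", REALM, nonce, "GET", "/dir/index.html")
    print(hdr)
    print("digest ->", authenticate(hdr, "GET", "/dir/index.html", issued_nonces={nonce}))
    print("basic  ->", authenticate(build_basic_header("Mufasa", "Circle Of Life"), "GET", "/"))
```

The server tracks the nonces it issued so a response captured from one session cannot be replayed against a fresh challenge; a production verifier would also check that `nc` only increases for a given nonce and expire nonces after a short time.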
Page 6
Forms Authentication
Page 7
Token Authentication
Page 8
Token Authentication
Page 9
Thinktecture Identity Server
• OpenID Connect and OAuth2
• Authors
  • Dominick Baier
  • Brock Allen
• Identity Server
• Identity Manager
• MembershipReboot
Page 10
Features
• Authentication as a Service
• Single Sign-on / Sign-out
• Access Control for APIs
• Federation
• Customization everywhere
Page 11
Big picture
Page 12
Big picture
Page 13 (no transcribed text)
Page 14
Terminology
• OpenID Connect Provider (OP): security token service, identity provider, authorization server, IP-STS and more
• Client
• User: a human
• Scope
  • Identity scopes: openid, profile, email
  • Resource scopes: the various APIs
• Authentication/Token Request
• Identity Token
• Access Token
Page 16
What is Identity Server (endpoints)
• Authorization/Authentication
• Token
• UserInfo
• Discovery
• Logout
• Token Revocation
• Token Introspection
• Access Token Validation
• Identity Token Validation
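The access-token side of the two slides above (identity token versus access token, resource scopes, and the "Access Token Validation" an API has to perform before it trusts a caller), as an added example that is not part of the talk and not IdentityServer's code. IdentityServer signs tokens with RS256 and publishes the public key through the discovery endpoint; to stay within the Python standard library this example signs with HS256 and a shared secret instead, so only the signature step differs. The checks after it are the ones every API must make: pin the algorithm, verify the signature, then check `iss`, `aud`, `exp`/`nbf` with a little clock skew, and the required scope. The issuer, audience, client name, scope names and secret are constructed; the `aud` value follows the `{issuer}/resources` convention IdentityServer3 uses for access tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (assumptions, not from the talk).
ISSUER = "https://idsrv.example.com"
API_AUDIENCE = ISSUER + "/resources"          # IdentityServer3 puts {issuer}/resources in aud
SECRET = b"example-shared-secret-do-not-reuse"  # stand-in for the OP's signing key
LEEWAY = 60                                    # seconds of clock skew tolerated


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SECRET, alg="HS256"):
    """What the OP does: sign header.payload. alg='none' models a forged, unsigned token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def sample_access_claims(now):
    # Access token: addressed to the APIs, carries the granted resource scopes.
    return {"iss": ISSUER, "aud": API_AUDIENCE, "client_id": "orders-web", "sub": "42",
            "scope": ["openid", "orders.read"], "nbf": now, "exp": now + 3600}


def sample_identity_claims(now):
    # Identity token: addressed to the client (aud = client_id), must not be accepted by an API.
    return {"iss": ISSUER, "aud": "orders-web", "sub": "42", "nonce": "n-0S6_WzA2Mj",
            "nbf": now, "exp": now + 300}


def validate_access_token(token, required_scope, secret=SECRET, issuer=ISSUER,
                          audience=API_AUDIENCE, now=None):
    """What the API does. Returns (claims, None) on success or (None, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    # Pin the algorithm: the token never gets to choose (alg=none, key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        return None, "wrong audience"   # this is what stops an identity token being used as an access token
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + LEEWAY:
        return None, "expired"
    if now + LEEWAY < claims.get("nbf", 0):
        return None, "not yet valid"
    scope = claims.get("scope", [])
    scope = scope.split() if isinstance(scope, str) else scope
    if required_scope not in scope:
        return None, "insufficient scope"
    return claims, None


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token(sample_access_claims(now))
    print(validate_access_token(token, "orders.read", now=now))
    print(validate_access_token(mint_token(sample_identity_claims(now)), "orders.read", now=now))
    print(validate_access_token(mint_token(sample_access_claims(now), alg="none"), "orders.read", now=now))
```

The reason for the separate `aud` check is the terminology distinction on the slide: an identity token proves who the user is to the client, an access token grants a client access to an API. An API that skipped the audience check would accept an identity token stolen from any client of the same OP.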
Page 17
Customization
• AuthenticationSessionValidator, AuthorizationCodeStore
• ClaimsProvider, ClientPermissionsService
• ClientStore, ConsentService, ConsentStore
• CorsPolicyService, CustomGrantValidators, CustomRequestValidator, CustomTokenResponseGenerator, CustomTokenValidator
• EventService, ExternalClaimsFilter, LocalizationService, RedirectUriValidator
• RefreshTokenService, RefreshTokenStore, ScopeStore
• SecretParsers, SecretValidators, SigningKeyService
• TokenHandleStore, TokenService, TokenSigningService, UserService
• ViewService
Page 19
Customization
• ClientStore
• ScopeStore
• UserService
• ViewService
Page 20
What is Identity Manager
• Simple creation of users, editing of user information (passwords, email, claims, roles, etc.) and deletion of users.
• Replacement for the ASP.NET Web Site Administration Tool's user management.
Page 21
What is MembershipReboot
• single- or multi-tenant account management
• flexible account storage design (relational/SQL or object/NoSQL)
• claims-aware user identities
• support for account registration, email verification, password reset, etc.
• account lockout after multiple failed login attempts (password guessing)
• extensible templating for email notifications
• customizable username, password and email validation
• notification system for account activity and updates (e.g. for auditing)
• account linking with external identity providers (enterprise or social)
• supports certificate-based authentication
• proper password storage (via PBKDF2)
  • configurable iterations
  • defaults to OWASP recommendations for iterations (e.g. 64K in year 2012)
• two-factor authentication support via mobile phone SMS messages or client certificates
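Three items on the slide above (PBKDF2 password storage with a configurable iteration count, lockout after repeated failed logins, and an activity notification stream for auditing) fit together, and this added example shows how, in Python standard-library code that is not MembershipReboot's own. The stored string records the iteration count it was produced with, so the policy can be raised later and old hashes are transparently upgraded on the next successful login; the lockout counter and window are constructed policy values, not the library's defaults. The 600,000 default follows the current OWASP figure for PBKDF2-HMAC-SHA256, which is why the slide's "64K in 2012" is a moving target and the count must be configurable.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values (assumptions for the example, not MembershipReboot's defaults).
ITERATIONS = 600_000         # current policy (OWASP figure for PBKDF2-HMAC-SHA256)
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Encode algorithm, iteration count and salt next to the hash so each record is self-describing."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the parameters stored in the record and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was produced with fewer iterations than current policy demands."""
    return int(stored.split("$")[1]) < iterations


class Account:
    def __init__(self, username, password, iterations=ITERATIONS):
        self.username = username
        self.password_hash = hash_password(password, iterations)
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.events = []   # activity notifications, the hook an audit log would subscribe to


def login(account, password, now=None, iterations=ITERATIONS):
    """Password check with lockout and transparent iteration upgrade. Returns True/False."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        account.events.append(("login_rejected_locked", now))
        return False
    if not verify_password(password, account.password_hash):
        account.failed_attempts += 1
        account.events.append(("login_failed", now))
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            account.events.append(("account_locked", now))
        return False
    account.failed_attempts = 0
    if needs_rehash(account.password_hash, iterations):
        # We only have the clear-text password during a successful login: rehash now.
        account.password_hash = hash_password(password, iterations)
        account.events.append(("password_rehashed", now))
    account.events.append(("login_succeeded", now))
    return True


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple", iterations=100_000)
    print(acct.password_hash)
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(acct, "guess")
    print("locked:", acct.locked_until > time.time())
    print("after lockout expires:", login(acct, "correct horse battery staple", now=acct.locked_until))
    print("upgraded:", acct.password_hash.split("$")[1], acct.events[-2:])
```

Two points worth keeping in mind when wiring this into a real user store: run the same PBKDF2 computation for unknown usernames too, so response time does not reveal whether an account exists, and treat the lockout event as the signal an auditor wants, since a burst of `account_locked` events across many accounts is the visible shape of a password-spraying attempt.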
Page 22 (no transcribed text)
Page 23
Demo
Page 24 (no transcribed text)
Page 25 (no transcribed text)
Page 26
Sources
• https://habrahabr.ru/company/dataart/blog/262817/
• https://identityserver.github.io/Documentation/
• http://openid.net/connect/
• https://tools.ietf.org/html/rfc6749
Page 27
Thank you. To be continued…