Enabling Cloud Native Security
with Multi-Tenant UAA
William Tran, Pivotal
Agenda
• Introductions
• Why use UAA for Cloud Native Applications
• Advantages of Multi-tenant UAA
• How to get started
Introductions
About Me
• Spring user since version 2.0 (2007)
• Joined Pivotal October 2013
• Based in Toronto, Canada
• Working on Pivotal CF Services
– Mobile Services API Gateway
– Pivotal SSO
– Spring Cloud Services
• Committer on UAA
About UAA
• User Account and Authorization server
• Secures all CF components
• OAuth2 and OpenID Connect
• SCIM API for user management in internal
user database
• Integration with SAML 2.0 and LDAP
• OAuth2 client registration API
About OAuth2
• Delegated Authorization
• 4 Actors
– The Authorization Server
– User
– Client
– Resource Server
• Clients act on behalf of users
– Authorization Code Grant
– Resource Owner Password Grant
– Implicit Grant
• Clients act on their own
– Client Credentials Grant
OAuth2 In Cloudfoundry
• Apps Manager (PWS or PCF)
– Go to apps.cfdomain in the browser
– Apps manager redirects you to UAA (“Not logged in!”)
– UAA asks for username and password (“Please log in”)
– User logs in (“Here is the username and password”)
– UAA redirects back to Apps Manager with a one time code (“Here is an authorization code”)
– Apps Manager gives the code back to UAA (“Here is the same authorization code”)
– UAA exchanges the code for an access token (“The code is the same, here is a token”)
– Apps manager uses the access token to access the CC API:
/v2/apps -H "Authorization: bearer eyJhbGci…"
– Apps manager renders the page (“Here is the pretty screen, finally!”)
[Diagram on each step: Browser, Apps Manager (apps.), UAA (login.), Cloud Controller (api.)]
• Apps Manager
– Authorization Code Grant
– Typical of web applications
– Apps manager webapp is the client
OAuth2 In Cloudfoundry
• CF CLI
cf target api.cfdomain
cf login
cf apps
– cf login: CF CLI sends the credentials to UAA (“Here is the username and password”)
– UAA answers (“Here is a token”)
– CF CLI calls the CC API with it:
/v2/apps -H "Authorization: bearer eyJhbGci…"
[Diagram on each step: CF CLI, UAA (login.), Cloud Controller (api.)]
• CF CLI
– Resource Owner Password Grant
– Typical of CLI, Mobile Apps, non-browser user apps
– CF CLI is the client
OAuth2 In Cloudfoundry
• Autoscaling Service (PCF)
– my-app to Autoscaler: “I’m getting very busy!”
– Autoscaler: “Don’t worry, I’ll create more instances” (diagram: more my-app instances appear)
– Autoscaler: “Time to check status!”
– Autoscaler to UAA: “Here is my client_id and client_secret”
– UAA: “Here is a token”
– Autoscaler to Cloud Controller:
/v2/apps/1234/stats -H "Authorization: bearer eyJhbGci…"
– Cloud Controller: “CPU at 80%!”
– Autoscaler to Cloud Controller:
PUT /v2/apps/1234 -H "Authorization: bearer eyJhbGci…" -d '{"instances":2}'
– Cloud Controller: “OK, creating more instances”
[Diagram on each step: Autoscaler, UAA (login.), Cloud Controller (api.)]
• Autoscaling Service (PCF)
– Client Credentials Grant
– Typical of apps that act without a user’s involvement
– Autoscaling Service is the client
OAuth2 In Cloudfoundry
• The CF platform has many more examples of
using OAuth2
• UAA is the key
– Manages users
– Manages clients
– Grants and verifies access tokens
UAA is the perfect fit for
Cloud Native Security*
UAA for Cloud Native Security
• *In CF there’s more to security than just UAA
– Network security / security groups
– Cross container traffic / trusted workloads
– No End to end TLS
• UAA is for application-level security
• It works for us, so it’ll work for you*
So you want to secure your apps
• Example
– You want to host your API application on Cloud Foundry (my-api on my-cloudfoundry.cn)
– It will be accessed by a web app hosted on CF (my-webapp, reached from the browser)
– It will be accessed through a mobile app as well
• Perfect! Use UAA
– Client for web app → authcode grant
– Client for mobile app → password grant
– API app token verification → JWT signature
• API app can validate token on its own
[Diagram: my-cloudfoundry.cn hosting my-api, my-webapp and UAA; browser and Mobile app as callers]
Who are your end users?
• SpaceDevelopers, OrgManagers
– Platform users, no problem
• That sales guy
– Not a platform user, PROBLEM
Who are your end users?
• jsmith vs. jsmyth
cf set-space-role jsmyth the-org the-space SpaceDeveloper
– oops
• “My app is too slow”
• “I can fix that!”
cf login -u jsmyth ...
cf scale sales-api -m 10G
The Principle of Least Privilege
• You (or the application, process, module, etc) should have the minimum level of access required for performing their job
• Salesguy should not have been added to the platform UAA
Solutions?
• Create your own authorization server
• Deploy your own UAA
So you want to secure your products
• Example
– You want to build a product that’s packaged as a CF service (my-service on my-cloudfoundry.cn)
– When apps bind to the service… (cf bind-service)
– Create an oauth client: my-service sends POST /oauth/clients to UAA, UAA replies 201: Created
– So that the app to service communication can be secured by OAuth2 client credentials grant
– The client_id and client_secret are in VCAP_SERVICES
– my-app calls the service with the token:
GET /api/foo -H 'Authorization: bearer eyJhbGci…'
[Diagram on each step: my-service, my-app and UAA inside my-cloudfoundry.cn]
• Perfect! Use UAA
– App to app communication → client credentials
– Token verification → JWT signature
– Every app gets their own credentials
• Super secure right?
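Both “Token verification” bullets (my-api earlier, my-service here) mean the resource server checks the token locally instead of asking UAA on every request. The following is an added example, not code from the talk or from UAA: it pins the algorithm, verifies the signature, then checks expiry, issuer and the required scope. UAA can sign tokens with a shared secret (HS256) or an RSA key pair (RS256); this uses HS256 so it runs on the standard library alone, and the key, issuer URL, claims and the `mint_demo_token` stand-in for UAA’s token endpoint are constructed for the demo.

```python
"""Resource-side check of a UAA access token, without a call back to UAA.

Added example, not code from the talk or from UAA.  HS256 is used so it runs on the
standard library alone; key, issuer, claims and mint_demo_token are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# In production the verification key is fetched from UAA (it publishes it at
# /token_key); here it is a constructed demo secret.
VERIFICATION_KEY = b"constructed-demo-key-not-for-real-use"
EXPECTED_ISSUER = "https://uaa.my-cloudfoundry.cn/oauth/token"  # assumed iss value


class TokenError(Exception):
    """Any reason the resource server must reject the request (HTTP 401/403)."""


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_token(token, required_scope, key=VERIFICATION_KEY, issuer=EXPECTED_ISSUER, now=None):
    """Return the claims if signature, expiry, issuer and scope all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token") from None
    # Pin the algorithm: the token must not be allowed to pick it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only a payload whose signature verified is worth parsing.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token") from None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:          # a token without exp is treated as expired
        raise TokenError("token expired")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if required_scope not in claims.get("scope", []):
        raise TokenError("missing scope " + required_scope)
    return claims


def mint_demo_token(claims, key=VERIFICATION_KEY, alg="HS256"):
    """Stand-in for UAA's token endpoint so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def authorize(token, required_scope="my-service.read", **kw):
    """Per-request decision in my-api / my-service: (True, claims) or (False, reason)."""
    try:
        return True, verify_token(token, required_scope, **kw)
    except TokenError as e:
        return False, str(e)


if __name__ == "__main__":
    claims = {"iss": EXPECTED_ISSUER, "client_id": "my-app", "scope": ["my-service.read"],
              "exp": int(time.time()) + 600}
    token = mint_demo_token(claims)
    print(authorize(token))                                     # accepted
    print(authorize(token, required_scope="my-service.write"))  # rejected: missing scope
    head, body, sig = token.split(".")
    edited = head + "." + b64url_encode(b'{"scope":["my-service.write"]}') + "." + sig
    print(authorize(edited))                                    # rejected: bad signature
```

With HS256 the verification key is also the signing key, so every resource server that holds it could mint tokens; RS256 avoids that, and the checks shown stay the same.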
How do you create clients in UAA?
• POST /oauth/clients
– Token must have scope clients.write
• Creating clients with authorities
– Eg the app gets a token with my-service.read
scope
– Requires clients.write and uaa.admin
• So give your service admin credentials?
Admin-Level Credentials
my-service
• client_id: my-service
• client_secret: 123xyz
• authorities: clients.write, uaa.admin
• authorized_grant_types: client_credentials
Admin-Level Credentials
my-service
• CLIENT_ID: my-service
• CLIENT_SECRET: 123xyz
– “I got root, yo.”
– “This job sucks.”
cf env my-service
Admin-Level Credentials
$ uaac target uaa.my-cloudfoundry.cn
$ uaac token client get my-service -s 123xyz
$ uaac client add my-admin-client --authorities cloud_controller.admin
“I got root yo. Let’s have some fun.”
The Principle of Least Privilege
• You (or the application, process, module, etc) should have the minimum level of access required for performing their job
• Giving admin level credentials to applications is dangerous
Solutions?
• Create your own authorization server
• Deploy your own UAA
How do you deploy your own UAA?
• cf push cloudfoundry-identity-uaa.war
• Yaml config
• Bootstrap users
• Provision DB
• Do the above manually, or as part of a Bosh
deployment
Running your own UAA
• Pros:
– Principle of least privilege
• Systems secured by your UAA cannot affect systems secured by the platform UAA (diagram: Your UAA, Platform UAA, “Impossible!”)
– You can fork it
• Cons:
– Overhead
– Manual upgrades
– “yak shaving” a bosh release
Multitenant UAA
What is Multitenant UAA
• CF v208 +
• The built-in UAA with subdomains
• Subdomain maps to Identity Zone
• Total segregation between Identity Zones
• API for creating Identity Zones
• Existing API stays the same
Zone administrators
• UAA users with god-like powers in an identity zone
• Requires scope zone.[zone-id].admin
• Instead of targeting zone via subdomain, use X-Identity-Zone-Id header
– POST uaa.domain.com/oauth/clients → create a client in the UAA zone
– POST uaa.domain.com/oauth/clients -H "X-Identity-Zone-Id:12345" → create a client in the Identity Zone with id 12345
Multitenant UAA
• Pros:
– Principle of least privilege
– API calls for creating a new tenant (aka Identity
Zone)
– Zone administrators instead of bootstrap users
• Cons:
– Overhead
– Manual upgrades
– “yak shaving” a bosh release
– You can’t fork it
Let’s Use It
Multitenant UAA with UAAC
• Setup can be cumbersome
– When acting as zone admin with X-Identity-Zone-Id header, you can only uaac curl
• Once you have an admin client in the zone, uaac works great
• Future enhancements
– Creating initial users / clients when the Identity Zone is created
– -z global option to target a zone via header
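The zone-admin header from the “Zone administrators” slide and the bootstrap order from this slide, as an added example that is not the talk’s or UAA’s code: it composes the calls (zone creation with a platform token, first client in the zone via X-Identity-Zone-Id, then the zone subdomain for everything after) and refuses platform-admin authorities on an application client. The /identity-zones endpoint and its body are assumptions about UAA’s zone API; every token, secret and client name is constructed.

```python
"""Acting as a zone administrator on the multitenant UAA.

Added example, not code from the talk or from the UAA project.  Platform UAA host,
/oauth/clients, the X-Identity-Zone-Id header and zone.<zone-id>.admin come from the
slides; /identity-zones and its JSON body are assumptions; credentials are constructed.
"""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

UAA_URL = "https://uaa.my-cloudfoundry.cn"   # platform UAA from the slides
ZONE_HEADER = "X-Identity-Zone-Id"

# Platform-wide authorities that must never end up on an application client;
# the "Admin-Level Credentials" slides show what a leaked one buys.
PLATFORM_ADMIN_AUTHORITIES = frozenset({"uaa.admin", "cloud_controller.admin"})


@dataclass
class PreparedRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None

    def send(self):
        """Send with urllib; kept separate so the calls can be inspected offline."""
        data = json.dumps(self.body).encode() if self.body is not None else None
        req = urllib.request.Request(self.url, data=data, headers=self.headers,
                                     method=self.method)
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"null")


def zone_admin_scope(zone_id):
    """Scope a zone administrator needs (from the slides)."""
    return "zone.%s.admin" % zone_id


def offending_authorities(client):
    """Platform-admin authorities a client definition asks for (empty set is good)."""
    return set(client.get("authorities", [])) & PLATFORM_ADMIN_AUTHORITIES


def uaa_request(method, path, access_token, body=None, zone_id=None, base_url=UAA_URL):
    """Build a UAA call.  Without zone_id it lands in the platform (default) zone;
    with zone_id the header redirects it into that zone, which is how a holder of
    zone.<zone-id>.admin works before the zone has any clients of its own."""
    headers = {"Authorization": "bearer " + access_token, "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    if zone_id is not None:
        headers[ZONE_HEADER] = zone_id
    return PreparedRequest(method, base_url + path, headers, body)


def zone_url(subdomain, base_url=UAA_URL):
    """Once the zone has an admin client, target it by subdomain instead of header."""
    scheme, host = base_url.split("://", 1)
    return "%s://%s.%s" % (scheme, subdomain, host)


def create_client_request(token_scopes, access_token, client, zone_id=None):
    """POST /oauth/clients, refusing platform-admin authorities and checking that the
    caller's token actually carries the zone admin scope for the targeted zone."""
    bad = offending_authorities(client)
    if bad:
        raise ValueError("client %s must not get %s" % (client["client_id"], sorted(bad)))
    if zone_id is not None and zone_admin_scope(zone_id) not in token_scopes:
        raise PermissionError("token lacks " + zone_admin_scope(zone_id))
    return uaa_request("POST", "/oauth/clients", access_token, client, zone_id=zone_id)


def bootstrap_zone(platform_token, zone_admin_token, zone_admin_scopes, zone_id, subdomain):
    """The sequence from the slides as prepared calls: create the zone (platform
    token), then use the zone admin token plus header to create the first client in
    it; from then on uaac can target zone_url(subdomain) directly."""
    zone_body = {"id": zone_id, "subdomain": subdomain, "name": "zone " + zone_id}
    first_client = {
        "client_id": "zone-admin",                    # constructed sample values
        "client_secret": "change-me",
        "authorized_grant_types": ["client_credentials"],
        "authorities": ["clients.write"],             # zone-local, cannot touch the platform
    }
    return [
        uaa_request("POST", "/identity-zones", platform_token, zone_body),
        create_client_request(zone_admin_scopes, zone_admin_token, first_client, zone_id=zone_id),
    ]


if __name__ == "__main__":
    for call in bootstrap_zone("<platform token>", "<zone admin token>",
                               ["zone.12345.admin"], "12345", "sales"):
        shown = {k: v for k, v in call.headers.items() if k != "Authorization"}
        print(call.method, call.url, shown)
    print("then target", zone_url("sales"))
```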
Summary
• UAA is great for securing Cloud Native
Applications
• Always use the principle of least privilege
– Don’t add non-platform users to the platform
– Don’t give out platform admin abilities to other
apps
• You can deploy your own UAA
– but multitenant UAA is an API call away
• Tooling needs to catch up
– But once you get that admin client set up, it’s easy
Stay In Touch
Stay in touch
• Me
– Twitter: @fivetenwill
– github.com/william-tran
– wtran@pivotal.io
• CF Identity PM
– Sree Tummidi: stummidi@pivotal.io
• CF Identity Team
– Issues: github.com/cloudfoundry/uaa
– Discussion: lists.cloudfoundry.org

Visitu
 
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Scaling FME Flow on Demand with Kubernetes: A Case Study At Cadac Group SaaS ...
Safe Software
 
FME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable InsightsFME for Climate Data: Turning Big Data into Actionable Insights
FME for Climate Data: Turning Big Data into Actionable Insights
Safe Software
 
Rebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core FoundationRebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core Foundation
Cadabra Studio
 
Topic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptxTopic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptx
marutnand8
 
Essentials of Resource Planning in a Downturn
Essentials of Resource Planning in a DownturnEssentials of Resource Planning in a Downturn
Essentials of Resource Planning in a Downturn
OnePlan Solutions
 
Artificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across IndustriesArtificial Intelligence Applications Across Industries
Artificial Intelligence Applications Across Industries
SandeepKS52
 
Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!Build enterprise-ready applications using skills you already have!
Build enterprise-ready applications using skills you already have!
PhilMeredith3
 
How to purchase, license and subscribe to Microsoft Azure_PDF.pdf
How to purchase, license and subscribe to Microsoft Azure_PDF.pdfHow to purchase, license and subscribe to Microsoft Azure_PDF.pdf
How to purchase, license and subscribe to Microsoft Azure_PDF.pdf
victordsane
 
Design by Contract - Building Robust Software with Contract-First Development
Design by Contract - Building Robust Software with Contract-First DevelopmentDesign by Contract - Building Robust Software with Contract-First Development
Design by Contract - Building Robust Software with Contract-First Development
Par-Tec S.p.A.
 
iOS Developer Resume 2025 | Pramod Kumar
iOS Developer Resume 2025 | Pramod KumariOS Developer Resume 2025 | Pramod Kumar
iOS Developer Resume 2025 | Pramod Kumar
Pramod Kumar
 
Scalefusion Remote Access for Apple Devices
Scalefusion Remote Access for Apple DevicesScalefusion Remote Access for Apple Devices
Scalefusion Remote Access for Apple Devices
Scalefusion
 
Neuralink Templateeeeeeeeeeeeeeeeeeeeeeeeee
Neuralink TemplateeeeeeeeeeeeeeeeeeeeeeeeeeNeuralink Templateeeeeeeeeeeeeeeeeeeeeeeeee
Neuralink Templateeeeeeeeeeeeeeeeeeeeeeeeee
alexandernoetzold
 
Bonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdfBonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdf
Herond Labs
 
How Insurance Policy Administration Streamlines Policy Lifecycle for Agile Op...
How Insurance Policy Administration Streamlines Policy Lifecycle for Agile Op...How Insurance Policy Administration Streamlines Policy Lifecycle for Agile Op...
How Insurance Policy Administration Streamlines Policy Lifecycle for Agile Op...
Insurance Tech Services
 
Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3
Gaurav Sharma
 
14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework
Angelo Theodorou
 
Key AI Technologies Used by Indian Artificial Intelligence Companies
Key AI Technologies Used by Indian Artificial Intelligence CompaniesKey AI Technologies Used by Indian Artificial Intelligence Companies
Key AI Technologies Used by Indian Artificial Intelligence Companies
Mypcot Infotech
 
COBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM CertificateCOBOL Programming with VSCode - IBM Certificate
COBOL Programming with VSCode - IBM Certificate
VICTOR MAESTRE RAMIREZ
 
Ad

Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA

  • 1. Enabling Cloud Native Security with Multi-Tenant UAA William Tran, Pivotal
  • 2. Agenda • Introductions • Why use UAA for Cloud Native Applications • Advantages of Multi-tenant UAA • How to get started
  • 4. About Me • Spring user since version 2.0 (2007) • Joined Pivotal October 2013 • Based in Toronto, Canada • Working on Pivotal CF Services – Mobile Services API Gateway – Pivotal SSO – Spring Cloud Services • Committer on UAA
  • 5. About UAA • User Account and Authorization server • Secures all CF components • OAuth2 and OpenID Connect • SCIM API for user management in internal user database • Integration with SAML 2.0 and LDAP • OAuth2 client registration API
  • 6. About OAuth2 • Delegated Authorization • 4 Actors – The Authorization Server – User (the resource owner) – Client – Resource Server • Clients act on behalf of users – Authorization Code Grant – Resource Owner Password Grant – Implicit Grant • Clients act on their own – Client Credentials Grant
  • 7. OAuth2 In Cloud Foundry • Apps Manager (PWS or PCF)
  • 8. OAuth2 In Cloud Foundry • Apps Manager – Go to apps.cfdomain in the browser [diagram actors: Browser, Apps Manager (apps.), UAA (login.), Cloud Controller (api.)]
  • 9. OAuth2 In Cloud Foundry • Apps Manager – Apps Manager redirects you to UAA [Apps Manager: "Not logged in!"]
  • 10. OAuth2 In Cloud Foundry • Apps Manager – Apps Manager redirects you to UAA
  • 11. OAuth2 In Cloud Foundry • Apps Manager – UAA asks for username and password [UAA to Browser: "Please log in"]
  • 12. OAuth2 In Cloud Foundry • Apps Manager – User logs in [Browser to UAA: "Here is the username and password"]
  • 13. OAuth2 In Cloud Foundry • Apps Manager – UAA redirects back to Apps Manager with a one-time code [UAA to Browser: "Here is an authorization code"]
  • 14. OAuth2 In Cloud Foundry • Apps Manager – UAA redirects back to Apps Manager with a one-time code [Browser to Apps Manager: "Here is an authorization code"]
  • 15. OAuth2 In Cloud Foundry • Apps Manager – Apps Manager gives the code back to UAA [Apps Manager to UAA: "Here is the same authorization code"]
  • 16. OAuth2 In Cloud Foundry • Apps Manager – UAA exchanges the code for an access token [UAA to Apps Manager: "The code is the same, here is a token"]
  • 17. OAuth2 In Cloud Foundry • Apps Manager – Apps Manager uses the access token to access the CC API [Apps Manager to Cloud Controller: /v2/apps -H "Authorization: bearer eyJhbGci…"]
  • 18. OAuth2 In Cloud Foundry • Apps Manager – Apps Manager renders the page [Apps Manager to Browser: "Here is the pretty screen, finally!"]
  • 19. OAuth2 In Cloud Foundry • Apps Manager – Authorization Code Grant – Typical of web applications – The Apps Manager web app is the client
  • 20. OAuth2 In Cloud Foundry • CF CLI – cf target api.cfdomain – cf login – cf apps
  • 21. OAuth2 In Cloud Foundry • CF CLI – cf login [diagram actors: CF CLI, UAA (login.), Cloud Controller (api.)] [CF CLI to UAA: "Here is the username and password"]
  • 22. OAuth2 In Cloud Foundry • CF CLI – cf login [UAA to CF CLI: "Here is a token"]
  • 23. OAuth2 In Cloud Foundry • CF CLI – cf login [CF CLI to Cloud Controller: /v2/apps -H "Authorization: bearer eyJhbGci…"]
  • 24. OAuth2 In Cloud Foundry • CF CLI – Resource Owner Password Grant – Typical of CLIs, mobile apps and other non-browser user apps – The CF CLI is the client
  • 25. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [diagram actors: my-app, Autoscaler] [my-app: "I'm getting very busy!"]
  • 26. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [Autoscaler: "Don't worry, I'll create more instances"]
  • 27. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [diagram: a second my-app instance appears]
  • 28. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [diagram: a third my-app instance appears]
  • 29. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [diagram actors: Autoscaler, UAA (login.), Cloud Controller (api.)] [Autoscaler: "Time to check status!"]
  • 30. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [Autoscaler to UAA: "Here is my client_id and client_secret"]
  • 31. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [UAA to Autoscaler: "Here is a token"]
  • 32. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [Autoscaler to Cloud Controller: /v2/apps/1234/stats -H "Authorization: bearer eyJhbGci…"]
  • 33. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [Cloud Controller to Autoscaler: "CPU at 80%!"]
  • 34. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [Autoscaler to Cloud Controller: PUT /v2/apps/1234 -H "Authorization: bearer eyJhbGci…" -d '{"instances":2}']
  • 35. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) [Cloud Controller to Autoscaler: "OK, creating more instances"]
  • 36. OAuth2 In Cloud Foundry • Autoscaling Service (PCF) – Client Credentials Grant – Typical of apps that act without a user's involvement – The Autoscaling Service is the client
  • 37. OAuth2 In Cloud Foundry • The CF platform has many more examples of using OAuth2 • UAA is the key – Manages users – Manages clients – Grants and verifies access tokens
  • 38. UAA is the perfect fit for Cloud Native Security*
  • 39. UAA for Cloud Native Security • *In CF there's more to security than just UAA – Network security / security groups – Cross-container traffic / trusted workloads – No end-to-end TLS • UAA is for application-level security • It works for us, so it'll work for you*
  • 40. So you want to secure your apps • Example – You want to host your API application on Cloud Foundry [diagram: my-cloudfoundry.cn]
  • 41. So you want to secure your apps • Example – You want to host your API application on Cloud Foundry [diagram: my-api inside my-cloudfoundry.cn]
  • 42. So you want to secure your apps • Example – It will be accessed by a web app hosted on CF [diagram: browser → my-webapp → my-api, inside my-cloudfoundry.cn]
  • 43. So you want to secure your apps • Example – It will be accessed through a mobile app as well [diagram: mobile app → my-api added]
  • 44. So you want to secure your apps • Perfect! Use UAA [diagram: UAA added alongside my-api, my-webapp, browser and mobile app]
  • 45. So you want to secure your apps • Perfect! Use UAA – Client for web app → authcode grant
  • 46. So you want to secure your apps • Perfect! Use UAA – Client for web app → authcode grant – Client for mobile app → password grant
  • 47. So you want to secure your apps • Perfect! Use UAA – Client for web app → authcode grant – Client for mobile app → password grant – API app token verification → JWT signature
  • 48. So you want to secure your apps • Perfect! Use UAA – Client for web app → authcode grant – Client for mobile app → password grant – API app token verification → JWT signature • The API app can validate the token on its own
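The three grants walked through above (slides 8 to 36) and the API-side signature check of slides 45 to 48, as one added example that is not code from this deck or from UAA: a toy /oauth/token endpoint that enforces each client's registered authorized_grant_types and issues signed JWTs, plus the verify_token check an API app runs offline with only the signing key. The HS256 shared secret, the issuer URL, the client registrations and the user table are all constructed for this example; a UAA configured with RSA keys publishes its public key at /token_key and only the signature step of verify_token changes.

```python
"""Toy UAA-style /oauth/token endpoint plus a resource-server token check.
Added example, not UAA's own code. Assumptions: HS256 over a shared secret
(a UAA signing with RSA keys publishes the public key at /token_key and only
the signature step differs); clients, users and secrets are constructed."""
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"constructed-demo-signing-key"          # assumption: symmetric key
ISSUER = "https://uaa.my-cloudfoundry.cn/oauth/token"  # assumption: issuer URL

# Constructed registry in the shape of UAA /oauth/clients records: a client may
# only use the grant types it was registered with.
CLIENTS = {
    "apps-manager": {"secret": "am-secret", "authorized_grant_types": ["authorization_code"],
                     "scope": ["cloud_controller.read", "cloud_controller.write"], "authorities": []},
    "cf": {"secret": "", "authorized_grant_types": ["password"],
           "scope": ["cloud_controller.read", "cloud_controller.write"], "authorities": []},
    "autoscaler": {"secret": "as-secret", "authorized_grant_types": ["client_credentials"],
                   "scope": [], "authorities": ["cloud_controller.read", "cloud_controller.write"]},
}
USERS = {"jsmith": {"password": "hunter2",
                    "scope": ["cloud_controller.read", "cloud_controller.write", "scim.me"]}}
AUTH_CODES = {}  # one-time codes handed out after the user logs in at UAA

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(client_id, scopes, user=None, ttl=600):
    """Sign a JWT the way /oauth/token would (HS256 in this example)."""
    claims = {"iss": ISSUER, "client_id": client_id, "scope": scopes,
              "aud": sorted({s.split(".")[0] for s in scopes}), "exp": int(time.time()) + ttl}
    if user:
        claims["user_name"] = user
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authorize(client_id, username, password):
    """Browser leg of the auth-code grant: the user logs in at UAA, UAA issues a code."""
    if USERS.get(username, {}).get("password") != password:
        return None
    code = secrets.token_urlsafe(16)
    AUTH_CODES[code] = (client_id, username)
    return code

def token_endpoint(grant_type, client_id, client_secret, **params):
    """The three grants from the slides. Returns a JWT, or None where UAA would
    answer 400/401 (unknown client, wrong secret, grant not registered, bad code)."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    if grant_type not in client["authorized_grant_types"]:
        return None
    if grant_type == "client_credentials":               # client acts on its own
        return mint_token(client_id, client["authorities"])
    if grant_type == "authorization_code":               # web app redeems its one-time code
        owner = AUTH_CODES.pop(params.get("code"), None)  # pop: a code is single-use
        if owner is None or owner[0] != client_id:
            return None
        user = owner[1]
    elif grant_type == "password":                       # CLI / mobile sends user credentials
        user = params.get("username")
        if USERS.get(user, {}).get("password") != params.get("password"):
            return None
    else:
        return None
    # A user token carries the intersection of the user's scopes and the client's scope.
    scopes = [s for s in USERS[user]["scope"] if s in client["scope"]]
    return mint_token(client_id, scopes, user)

def verify_token(token, required_scope, now=None):
    """Resource-server side: validate offline with only the key, as the API app in
    the slides does. Returns the claims, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm: no "none", no key-confusion tricks.
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):           # signature before trusting any claim
        return None
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= (now or time.time()):
        return None
    if required_scope not in claims.get("scope", []):
        return None
    return claims
```

Two details carry the security weight here: the authorization code is popped from the store so it cannot be replayed, and the grant type is checked against the client's registration, so a leaked web-app client cannot start asking users for passwords. On the verifying side, the order matters: algorithm pinned, signature checked, and only then are iss, exp and scope read from the claims.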
  • 49. Who are your end users? • SpaceDevelopers, OrgManagers – Platform users, no problem
  • 50. Who are your end users? • SpaceDevelopers, OrgManagers – Platform users, no problem • That sales guy – Not a platform user, PROBLEM
  • 51. Who are your end users? [diagram: jsmith, jsmyth] cf set-space-role jsmyth the-org the-space SpaceDeveloper – oops
  • 52. Who are your end users? [diagram: jsmith, jsmyth] "My app is too slow"
  • 53. Who are your end users? [diagram: jsmith, jsmyth] cf login -u jsmyth ... cf scale sales-api -m 10G – "I can fix that!"
  • 54. The Principle of Least Privilege • You (or the application, process, module, etc.) should have the minimum level of access required to perform your job
  • 55. The Principle of Least Privilege • You (or the application, process, module, etc.) should have the minimum level of access required to perform your job • The sales guy should not have been added to the platform UAA
  • 56. Solutions? • Create your own authorization server • Deploy your own UAA
  • 57. So you want to secure your products • Example – You want to build a product that's packaged as a CF service [diagram: my-service inside my-cloudfoundry.cn]
  • 58. So you want to secure your products • Example – When apps bind to the service… [diagram: my-app → my-service, cf bind-service]
  • 59. So you want to secure your products • Example – Create an OAuth client [my-service to UAA: POST /oauth/clients]
  • 60. So you want to secure your products • Example – Create an OAuth client [UAA to my-service: 201 Created]
  • 61. So you want to secure your products • Example – So that the app-to-service communication can be secured by the OAuth2 client credentials grant [my-app: the client_id and client_secret are in VCAP_SERVICES]
  • 62. So you want to secure your products • Example – So that the app-to-service communication can be secured by the OAuth2 client credentials grant [my-app to my-service: GET /api/foo -H 'Authorization: bearer eyJhbGci…']
  • 63. So you want to secure your products • Perfect! Use UAA – App-to-app communication → client credentials – Token verification → JWT signature – Every app gets its own credentials • Super secure, right?
  • 64. How do you create clients in UAA? • POST /oauth/clients – Token must have scope clients.write • Creating clients with authorities – E.g. the app gets a token with my-service.read scope – Requires clients.write and uaa.admin • So give your service admin credentials?
  • 65. Admin-Level Credentials [my-service registration] • client_id: my-service • client_secret: 123xyz • authorities: clients.write, uaa.admin • authorized_grant_types: client_credentials
  • 66. Admin-Level Credentials [my-service environment] • CLIENT_ID: my-service • CLIENT_SECRET: 123xyz
  • 67. Admin-Level Credentials [my-service environment] • CLIENT_ID: my-service • CLIENT_SECRET: 123xyz – "I got root, yo."
  • 68. Admin-Level Credentials [my-service environment] • CLIENT_ID: my-service • CLIENT_SECRET: 123xyz – "This job sucks." cf env my-service
  • 69. Admin-Level Credentials $ uaac target uaa.my-cloudfoundry.cn $ uaac token client get my-service -s 123xyz $ uaac client add my-admin-client --authorities cloud_controller.admin
  • 70. Admin-Level Credentials – "I got root, yo. Let's have some fun."
  • 71. The Principle of Least Privilege • You (or the application, process, module, etc.) should have the minimum level of access required to perform your job
  • 72. The Principle of Least Privilege • You (or the application, process, module, etc.) should have the minimum level of access required to perform your job • Giving admin-level credentials to applications is dangerous
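The escalation on slides 64 to 70 (a service holding clients.write plus uaa.admin registers itself a cloud_controller.admin client) is easy to catch before it is exploited by auditing what is registered in the platform UAA. The following is an added example, not part of this deck or of UAA: it reads client records in the shape returned by GET /oauth/clients, flags admin-level authorities, and computes the transitive blast radius of a leaked secret. The sample records are constructed, and the set of authorities treated as admin-level, together with the escalation rule, are assumptions taken from slide 64 rather than UAA's own classification.

```python
"""Least-privilege audit of UAA client registrations, modelling the escalation on
slides 64 to 70. Added example, not from the deck or from UAA. Records are
constructed in the shape of GET /oauth/clients output; which authorities count
as admin-level, and the escalation rule, are assumptions stated in comments."""

# Authorities that give a client power over the platform or the UAA itself.
# Assumption: illustrative list for this example, not UAA's own classification.
ADMIN_AUTHORITIES = {
    "uaa.admin": "full control of the UAA",
    "clients.admin": "create/modify any OAuth client",
    "clients.write": "register OAuth clients",
    "scim.write": "create/modify users and groups",
    "cloud_controller.admin": "platform admin on the Cloud Controller",
}

# Constructed registrations: the service client from slide 65, the autoscaler
# from slide 30, and an ordinary web app that holds no authorities at all.
SAMPLE_CLIENTS = {
    "my-service": {"authorized_grant_types": ["client_credentials"],
                   "authorities": ["clients.write", "uaa.admin"], "scope": []},
    "autoscaler": {"authorized_grant_types": ["client_credentials"],
                   "authorities": ["cloud_controller.read", "cloud_controller.write"],
                   "scope": []},
    "sales-webapp": {"authorized_grant_types": ["authorization_code"],
                     "authorities": [], "scope": ["sales-api.read"]},
}


def is_admin_authority(authority):
    """Exact admin authorities plus per-zone admin scopes such as zone.<id>.admin."""
    return authority in ADMIN_AUTHORITIES or (
        authority.startswith("zone.") and authority.endswith(".admin"))


def reachable_authorities(clients, client_id):
    """What someone holding this client's secret can end up with, transitively.
    Rule modelled on slide 64: clients.write lets the holder register new clients,
    and together with uaa.admin (or clients.admin) it can hand them any authority,
    so the effective power is everything in the zone, written here as "*"."""
    held = set(clients[client_id]["authorities"])
    if "clients.write" in held and ({"uaa.admin", "clients.admin"} & held):
        return {"*"}
    return held


def audit_clients(clients):
    """One finding per client that holds admin-level power, with its blast radius."""
    findings = []
    for client_id, rec in clients.items():
        admin = sorted(a for a in rec.get("authorities", []) if is_admin_authority(a))
        if not admin:
            continue
        findings.append({
            "client_id": client_id,
            "admin_authorities": admin,
            "grant_types": rec.get("authorized_grant_types", []),
            "reachable": sorted(reachable_authorities(clients, client_id)),
            "reason": "; ".join(ADMIN_AUTHORITIES.get(a, "zone admin") for a in admin),
        })
    return findings


if __name__ == "__main__":
    for f in audit_clients(SAMPLE_CLIENTS):
        print(f"{f['client_id']}: {f['admin_authorities']} -> can reach {f['reachable']}")
```

Run against a real listing (for example the JSON from uaac clients, reshaped into a dict keyed by client_id), a finding whose reachable set is "*" is exactly the my-service case in the slides: one leaked CLIENT_SECRET from cf env is a platform compromise.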
  • 73. Solutions? • Create your own authorization server • Deploy your own UAA
  • 74. How do you deploy your own UAA? • cf push cloudfoundry-identity-uaa.war • Yaml config • Bootstrap users • Provision DB • Do the above manually, or as part of a Bosh deployment
  • 75. Running your own UAA • Pros: – Principle of least privilege – You can fork it • Cons: – Overhead – Manual upgrades – “yak shaving” a bosh release
  • 76. Running your own UAA • Pros: – Principle of least privilege • Systems secured by your UAA cannot affect systems secured by the platform UAA
  • 77. Running your own UAA • Pros: – Principle of least privilege [diagram: Your UAA]
  • 78. Running your own UAA • Pros: – Principle of least privilege [diagram: Your UAA, Platform UAA]
  • 79. Running your own UAA • Pros: – Principle of least privilege [diagram: Your UAA → Platform UAA: "Impossible!"]
  • 80. Running your own UAA • Pros: – Principle of least privilege – You can fork it • Cons: – Overhead – Manual upgrades – “yak shaving” a bosh release
  • 82. What is Multitenant UAA • CF v208 + • The built-in UAA with subdomains • Subdomain maps to Identity Zone • Total segregation between Identity Zones • API for creating Identity Zones • Existing API stays the same
  • 83. Zone administrators • UAA users with god-like powers in an identity zone • Requires scope zone.[zone-id].admin • Instead of targeting the zone via subdomain, use the X-Identity-Zone-Id header – POST uaa.domain.com/oauth/clients → create a client in the UAA zone – POST uaa.domain.com/oauth/clients -H "X-Identity-Zone-Id:12345" → create a client in the Identity Zone with id 12345
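How the two ways of addressing a zone on slides 82 and 83 interact with tokens, as an added example that is not UAA's code: resolve_zone picks the identity zone from the request's subdomain or from the X-Identity-Zone-Id header, and decide applies the rules the slides state, namely that a header-targeted call needs zone.<id>.admin from the default zone while an in-zone call is only valid with a token that zone issued. The base domain, the zone table, the token claims and the rule that the header is honoured only on the default-zone host are all constructed or chosen for this example; the scope name zone.<id>.admin follows the deck.

```python
"""How a multi-tenant UAA picks the identity zone for a request and what the
caller needs, modelling slides 82 and 83. Added example, not UAA's own code.
Assumptions: the default zone answers on uaa.<domain> and every other zone on
<subdomain>.uaa.<domain>; zone ids, subdomains and token claims are constructed;
the scope name zone.<id>.admin follows the deck."""
BASE = "uaa.my-cloudfoundry.cn"           # assumption: default-zone host
ZONES = {"uaa": "", "12345": "sales"}      # zone id -> subdomain ("" is the default zone)


def issuer_for(zone_id):
    """Each zone issues its own tokens from its own host."""
    sub = ZONES[zone_id]
    return f"https://{sub + '.' if sub else ''}{BASE}/oauth/token"


def resolve_zone(host, headers):
    """Returns (zone_id, via_header). A subdomain selects the zone; the
    X-Identity-Zone-Id header is honoured only on the default-zone host
    (modelling choice for this example)."""
    if host == BASE:
        zone_id = headers.get("X-Identity-Zone-Id", "uaa")
        return (zone_id, zone_id != "uaa") if zone_id in ZONES else (None, False)
    suffix = "." + BASE
    if host.endswith(suffix):
        sub = host[:-len(suffix)]
        for zone_id, zone_sub in ZONES.items():
            if zone_sub and zone_sub == sub:
                return zone_id, False
    return None, False


def decide(host, headers, claims, action="clients.write"):
    """Allow/deny for an API call such as POST /oauth/clients, with the reason."""
    zone_id, via_header = resolve_zone(host, headers)
    if zone_id is None:
        return "deny", "unknown zone"
    scopes = set(claims.get("scope", []))
    if via_header:
        # A default-zone token reaching into another zone needs that zone's admin scope.
        if claims.get("iss") != issuer_for("uaa"):
            return "deny", "header targeting requires a default-zone token"
        if f"zone.{zone_id}.admin" in scopes:
            return "allow", f"zone admin of {zone_id}"
        return "deny", f"missing zone.{zone_id}.admin"
    # Inside a zone only tokens that zone issued count: this is the segregation that
    # keeps a platform-UAA admin token from acting in your zone, and vice versa.
    if claims.get("iss") != issuer_for(zone_id):
        return "deny", "token was issued by a different zone"
    if action in scopes:
        return "allow", f"{action} in zone {zone_id}"
    return "deny", f"missing {action}"


def zone_request(method, path, zone_id, bearer):
    """The request shape uaac curl (or plain curl) sends when acting as a zone admin."""
    headers = {"Authorization": f"bearer {bearer}", "Content-Type": "application/json"}
    if zone_id != "uaa":
        headers["X-Identity-Zone-Id"] = zone_id
    return method, f"https://{BASE}{path}", headers
```

The deny cases are the interesting ones: a platform uaa.admin token presented on the sales subdomain is rejected because the issuer does not match, and a token minted inside the sales zone cannot be used with the header trick because only default-zone tokens can carry zone.<id>.admin. Total segregation between zones is what makes a zone safe to hand to a service that must register its own clients.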
  • 84. Multitenant UAA • Pros: – Principle of least privilege – API calls for creating a new tenant (aka Identity Zone) – Zone administrators instead of bootstrap users • Cons: – Overhead – Manual upgrades – “yak shaving” a bosh release – You can’t fork it
  • 86. Multitenant UAA with UAAC • Setup can be cumbersome – When acting as zone admin with the X-Identity-Zone-Id header, you can only uaac curl • Once you have an admin client in the zone, uaac works great • Future enhancements – Creating initial users / clients when the Identity Zone is created – A -z global option to target a zone via the header
  • 87. Summary • UAA is great for securing Cloud Native Applications • Always use the principle of least privilege – Don't add non-platform users to the platform – Don't give out platform admin abilities to other apps • You can deploy your own UAA – but multitenant UAA is an API call away • Tooling needs to catch up – But once you get that admin client set up, it's easy
  • 89. Stay in touch • Me – Twitter: @fivetenwill – github.com/william-tran – [email protected] • CF Identity PM – Sree Tummidi: [email protected] • CF Identity Team – Issues: github.com/cloudfoundry/uaa – Discussion: lists.cloudfoundry.org

Editor's Notes

  • #2: Hello everyone, thank you for coming to my talk, I’m very excited to be here.