The basis of a security framework is identifying and authenticating the users and entities in the system. As a result, building a proper identity management platform is the first step towards the security mechanisms of the gateway. In this post we describe the key aspects of AGILE's IDM and how it can be integrated into external systems, explain why some of the design choices were made, and point to additional resources which we hope are useful for newcomers.
A Polyglot User Identity Management
We want to make our users' lives easier by not creating yet another identity management system that forces them to create new usernames and passwords just to interact with the gateway. In our daily lives we already deal with a large number of different credentials, each with its own restrictions; for example, passwords need to have a minimum length and must include particular characters. Some users cope by reusing passwords across systems; however, this is bad practice, since the system administrator, or an attacker compromising the system, would obtain the user's credentials for other, external systems.
As a result, we have put considerable effort into finding proper ways to integrate different authentication mechanisms into our identity management, in order to have usable user management. Currently, AGILE IDM allows users to authenticate using a range of protocols, such as WebID, OAuth2, or a username and password verified locally on the gateway's side.
In practice, this means that users who are already registered with external identity providers, such as Google or GitHub, can use those accounts to log into their AGILE gateways, just as they log into other services that rely on these identity providers through OAuth2. Furthermore, for users who do not want to use such identity providers, AGILE also offers other ways to authenticate.
For instance, in particular installations of AGILE IDM it may be desirable for users to log in with the usernames and passwords of the underlying Linux system (again avoiding the creation of new usernames and passwords for gateway management). Another option is to obtain a WebID certificate from a provider (such as databox.me or similar) and log into AGILE by simply selecting the client-side certificate during the validation step. The WebID protocol, which is commonly used in linked data environments, allows users to authenticate with a web application through a client-side certificate validation step during the TLS handshake. Its integration will ease the integration of applications relying on linked data protocols (such as Jolocom's Little Sister application).
Last but not least, users who still prefer to have a local username and password created just for gateway management are also supported.
OAuth2 Integration with AGILE IDM
AGILE IDM behaves as an OAuth2 provider towards applications relying on its authentication services. This integration method between applications and AGILE IDM is completely independent of the authentication mechanism AGILE IDM uses to authenticate the user, which may be OAuth2, WebID, or a local username and password.
Consequently, any application relying on AGILE IDM to authenticate its users can use one of the OAuth2 grant types supported by AGILE IDM. Currently, AGILE IDM supports the following grant types:
- Authorization code
- Implicit (also known as token) flow
- Client Credentials
To facilitate the use of AGILE IDM within the project and by external adopters, we have created a set of Node.js applications relying on AGILE IDM which implement the corresponding OAuth2 flows here. Furthermore, the authorization code application also provides a basic web interface to create and update entities and users, change their attributes, and add them to groups. This will hopefully make it easier for newcomers to test AGILE IDM and understand how it works.
Portable and Flexible
AGILE IDM uses Node.js as its runtime; as a result, it can be employed not only on the gateway but also in other scenarios and on other operating systems. In addition to the user management and authentication component, AGILE IDM allows the definition of flexible policies on a principal's attributes, such that each attribute can be written or read only by particular users. This is paramount for supporting the definition of other entities, such as sensors or applications connected to or running on the gateway.
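To make the attribute-level policies concrete, here is an added example (not AGILE IDM's own policy language or code) of a small evaluator in which every attribute of an entity type carries its own read and write rules. The entity types, attribute names, rule types (`any`, `self`, `owner`, `role`, `group`) and the principals below are assumptions constructed for the example; attributes with no rule are denied by default, and unknown rule types never grant access.

```javascript
// Added example (not AGILE IDM's own code): per-attribute read/write policies
// evaluated against the requesting principal. Policy format and data are assumed.

// One rule set per entity type and attribute. Each action lists the conditions
// under which it is allowed; any single matching condition is enough.
const POLICIES = {
  sensor: {
    name:     { read: [{ type: 'any' }],                                  write: [{ type: 'owner' }, { type: 'role', role: 'admin' }] },
    apiKey:   { read: [{ type: 'owner' }, { type: 'role', role: 'admin' }], write: [{ type: 'role', role: 'admin' }] },
    location: { read: [{ type: 'group' }],                                write: [{ type: 'owner' }] },
  },
  user: {
    displayName: { read: [{ type: 'any' }],                                  write: [{ type: 'self' }] },
    role:        { read: [{ type: 'self' }, { type: 'role', role: 'admin' }], write: [{ type: 'role', role: 'admin' }] },
  },
};

function matches(cond, subject, entity) {
  switch (cond.type) {
    case 'any':   return true;
    case 'self':  return entity.type === 'user' && entity.id === subject.id;
    case 'owner': return entity.owner === subject.id;
    case 'role':  return subject.role === cond.role;
    case 'group': return subject.groups.some((g) => (entity.groups || []).includes(g));
    default:      return false; // unknown condition types never grant access
  }
}

function isAllowed(subject, entity, attr, action) {
  const rules = POLICIES[entity.type] && POLICIES[entity.type][attr];
  if (!rules || !rules[action]) return false; // no policy -> deny by default
  return rules[action].some((c) => matches(c, subject, entity));
}

// The view of an entity that a given principal is allowed to see.
function readableView(subject, entity) {
  const view = {};
  for (const attr of Object.keys(entity.attributes)) {
    if (isAllowed(subject, entity, attr, 'read')) view[attr] = entity.attributes[attr];
  }
  return view;
}

// Write an attribute, or refuse if the policy does not allow it for this principal.
function writeAttribute(subject, entity, attr, value) {
  if (!isAllowed(subject, entity, attr, 'write')) {
    throw new Error(`forbidden: ${subject.id} may not write ${entity.type}.${attr}`);
  }
  entity.attributes[attr] = value;
  return entity;
}

// Constructed principals and entities for the demo.
const alice = { id: 'alice', role: 'user',  groups: ['lab'] };
const bob   = { id: 'bob',   role: 'user',  groups: [] };
const root  = { id: 'root',  role: 'admin', groups: [] };
const sensor = {
  type: 'sensor', id: 'temp-1', owner: 'alice', groups: ['lab'],
  attributes: { name: 'Lab thermometer', apiKey: 'CONSTRUCTED-KEY', location: 'room 101', serial: 'no-policy-for-this' },
};
const aliceEntity = { type: 'user', id: 'alice', attributes: { displayName: 'Alice', role: 'user' } };
```

With these rules, `bob` sees only the sensor's `name`, the owner `alice` sees everything except the unpoliced `serial`, and a user cannot raise their own `role` even though they may edit their `displayName`; the same evaluator serves sensors, applications and users alike because the policy is keyed on entity type and attribute rather than hard-coded per entity.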
Currently, together with the German FORSEC project, we have begun a collaboration to integrate AGILE IDM into an IoT platform that allows users to control the usage of their data in a cloud-based platform. AGILE IDM will offer not only user authentication but also the management of principals in the system through its flexible attribute definition system. Last but not least, AGILE IDM also receives input from FORSEC regarding the policy enforcement framework at the attribute level.
Hands on Tutorials
To foster the use of the identity management platform developed in AGILE, we have also invested resources in documenting its functionality and providing tutorials describing how to install, configure, or extend AGILE's IDM. For more information, please check the following links:
- General README information
- Step-by-step configuration guide for OAuth2 providers
- Documentation for the project, developers and use cases of AGILE IDM: (link to be added soon)
- Tutorial video on AGILE IDM installation and on the use of the OAuth2 client demo of AGILE IDM
- Juan D. Parra Rodriguez, University of Passau
- Daniel Schreckling, FORSEC