Authentication Protocols 정리

LDAP (Lightweight Directory Access Protocol)

• One of the core authentication protocols that was developed for directory services
• It has been used as a database of information, users, attributes about the users, or group membership privileges

Directory Service

• 폴더를 생각하기 쉽지만, 데이터 관리에서 말하는 directory란 읽기 작업에 특화 되어 있는 많은 양의 데이터를 담은 정보 저장소라고 생각하면 된다.
• 사전적 의미로, 체계적이고 조직적인 계획을 통해 정보를 질서정연하게 담은 정보 저장소로서 특정화된 데이터베이스 이며, 쓰기 작업 보다는 읽기 작업이 빈번한 서비스에 적합

• 맨 처음 X.500이 데렉토리 서비스의 표준 프로토콜로 등장했고, 이는 OSI 7 계층의 application layer에 속하는 프로토콜로 정보 통신 서비스에 필요한 정보를 데이터베이스화하여 효율적으로 관리하고 사용자가 편리하게 접근할 수 있는 기능을 제공

Origin of LDAP

• LDAP was developed to replace DAP called X.500 at the University of Michigan where Tim who is a co-inventor or the LDAP protocol

• It was first introduces in 1003, and became the internet standard for directory services in 1997

• LDAP also inspired the creation of OpenLDAP, the leading open source directory services platform

• LDAP authentication will be a foundational element of identity management for years to come despite its age.

Basic LDAP Authentication and Common Challenges

• To store core user identities (IDP) https://jumpcloud.com/blog/identity-provider-idp
• LDAP directories can store user data and credentials, they can act as the source of truth for LDAP authentication.
• User inputs their credentials via a system or application, which are then compared to those stored within the LDAP directory database. If they match, the user is authenticated and granted access.

How does LDAP authentication between a client and server work?

• Client is an LDAP-ready system or application accessed by a user, and the server is the LDAP directory database

• To authenticate, the client sends a bind request to the LDAP server along with the user’s identifier and password, which the client obtains when the user inputs their credentials.

• If the user is submitted credentials match the credentials associated with their core user identity that is stored within the LDAP database, the user is authen.

• If the credentials sent don’t match, the bind fails and access is denied.

SAML (Secure Assertion Markup Language)

• It’s a standardized way to make single SSO possible (SAML assertion is a key aspect of this)

• Messages between IDP and SP that confidently identify
• who a user is pertinent information exists
• what they authorized to access
• security conditions such as the source of assertion and assure that assertions are valid

• SAML assertion is written within XML schemas (Outlined in the SAML 2.0 Open Standard)

SAML Assertion Validator

• Writing XML schemas can be a heavy lift for some organizations and may take time to debug

• A built-in facility to troubleshoot user login errors

• It will identify problems and assertions that are sent from IDP. (NOT identify login issues)

• Does Authentik has assertion validator?

Assertion Statements

• Statements are encapsulated within SAML assertion and provide significant flexibility for IAM (identity and access management)

• Statements allow systems to interoperate across domain boundaries and make it possible to securely establish SSO for websites attribute-based user authentication and to secure web services

• Authentication Statement
• Generated by the system authenticating the user
• Contains information about how authentication occurs
• Logs information (including timestamps)

• Attribute Statement
• SAML has the capacity to relay information about users
• For example, a user’s department or groups, whether they are part of a VIP group that may access a restricted system
• Basic contact information exists here

• Authorization Decision Statement
• Outlines actions the user is entitled to perform
• For example, accessing a particular web page or a secure area of an app
• Limit access to sensitive materials
• Other authentication protocols can’t limit access (OpenID Connect)

OAuth 2

• Giving someone a special key and this key allow them to access specific information in another application

• We control who gets access to our data without having to share password.

• We can revoke that key anytime

• JWT based, and can define the scope of access that applications have to accounts
• You might be familiar with this as a general user when a third-party service asks for permission to access your Google account and outlines what assets within your account it will access.

OIDC

• ID Token: 유저 정보에 한해서 접근 목적으로 사용

• Access Token: 더 광범위한 범위에서 유저 정보 뿐만아니라, api 등 다른 정보들을 가져올 수 있다.

ID Tokens VS Access Tokens: What's the Difference?

ID Tokens vs Access Tokens. What are they and when do you use them? How do they differ? Where do they come from? We'll briefly cover OAuth 2.0 and OpenID Connect and the difference between Authentication and Authorization. Grab the FREE Cheat Sheet from the Auth0 by Okta blog post - https://auth0.com/blog/id-token-access-token-what-is-the-difference/ ___________________________________________ Learn with Auth0 by Okta Try for free - https://a0.to/auth0 The Auth0 by Okta blog - https://a0.to/blog Ask questions on the Community Forum - https://a0.to/community ___________________________________________ Follow Us on Social Twitter - https://twitter.com/oktadev LinkedIn - https://www.linkedin.com/company/oktadev

https://youtu.be/vVM1Tpu9QB4

SCIM (System for Cross-domain Identity Management)

• A common way to manage user accounts and privileges across apps

• Company can automatically create, update, delete, or synchronizing changes accounts accross multile applications in real time via a single centralized system

• REST and JSON based

Proxy Authentication

Forward Proxy

• A forward proxy server that sits between a group of client machines and the internet.

• Clients make requests to websites on the internet, the forward proxy act as a middleman, intercepts those requests and talks to web servers on behalf of the clients.

• Protect client’s online identity
• IP addresses of users are hidden from the servers.
• Only the IP address of the forward proxy is visible to the server.
• Therefore, it will be harder to trace back to the clients.

• Bypass browsing restrictions
• Governments, schools etcs use firewalls to restrict access to the internet.
• By connecting to a forward proxy outside the firewalls, the client machine can potentially get around these restrictions.
• It doesn’t always works as firewalls could block the connections to the proxy.

• Block access to certain content

Reverse Proxy

• A reverse proxy server that sits between internet and the web servers.

• It intercepts the requests from clients and talk to the web server on behalf of the clients

• protect a website
• Website’s IP addresses are hidden behind the reverse proxy and are not revealed to t he clients.
• It’s really harder to target a DDoS attack against a website.

• Load blancing
• Handling the traffic of milions of users every day is hard with a single server.
• Reverse proxy can balance a large amount of incoming requests by distributing the traffic to a large pool of web servers and effectively preventing any single one of them from becoming overloaded.
• It refers that reverse proxy can handle incoming traffic.
• Such as Cloudflare, put reverse proxy servers all of the locations all around the world. This makes revers proxy closed to the users and at the same time provides a large amount of processing capacity.

• Cache static contents
• A piece of content could be cached on the reverse proxy for a period of time.
• If the same piece of content is requested again from the reverse proxy, the locoally cached version could be quickly returned.

• A reverse proxy can handle SSL encryption.
• SSL handshake is computationally expensive.
• A reverse proxy can free up the origin servers from these expensive operations.
• Instead of handling SSL for all websites. a website only needs to handle SSL handshake from a small number of reverse proxy..