Bring your own Identity (BYOI) with OIDC and Amazon Verified Permissions | Amazon Web Services

00:02

hi I'm Alexi iano worldwide security and

00:05

identity partner Solutions architect

00:07

with Amazon verified permissions today

00:10

I'll be demonstrating a new feature that

00:12

makes it simple for you to use any open

00:15

ID connect identity providers and Amazon

00:18

verified permissions to authenticate and

00:21

authorize user access to any apis hosted

00:25

on Amazon API

00:28

Gateway Amazon verified permission

00:31

service enables you to implement

00:33

permissions management and authorization

00:35

within the applications that you

00:38

build it's authorization as a service

00:42

instead of building your own application

00:44

specific authorization system you can

00:47

add granular permissions into your

00:49

application your application or a

00:52

logical enforcement Point like Amazon

00:55

API Gateway can call Amazon verified

00:58

permissions to determine if a user can

01:01

access to a

01:03

resource verified permissions can check

01:06

a user's access rights based on the

01:09

policies in its policy story for example

01:13

in a banking application the application

01:15

would call Amazon verified permissions

01:18

every time when the user withdraws money

01:20

to ensure that the user is authorized to

01:22

take that

01:24

action let's have a look at the end to

01:27

end architecture flow to understand how

01:29

verified perm permissions accurates at

01:31

TR time for example serverless is a

01:34

common pattern in this diagram we deploy

01:38

an application using any open ID connect

01:40

provider as the identity provider a user

01:44

logs in locally of affiliation and the

01:47

identity provider generates custom

01:50

tokens as you can see the token can

01:53

contain different claim including a

01:56

group representing the user's role with

01:59

access or identity token the user can

02:03

request application in points the

02:06

browser or application sends the token

02:09

to the API Gateway API Gateway serves as

02:13

a policy enforcement point it stops the

02:16

request and executes a custom L

02:19

authorizer the authorizer performs the

02:22

is authorized to with stalking call to

02:25

verified permissions for a policy

02:28

decision Amazon verifi permissions

02:31

responds with an allow or deny decision

02:34

in this instance the decision was

02:37

allowed so the request proceeds to the

02:39

backend

02:42

API verified permissions launched quick

02:45

start a stepbystep wizard to walk you

02:48

through the setup process and

02:50

automatically apply verified permissions

02:52

policies to your API gway of resources

02:56

we enable role based or group based

02:59

access out of the box this covers the

03:02

authorization pattern that most builders

03:05

start with quick start will

03:08

autogenerate all of the components you

03:11

need to have an endtoend working

03:14

solution a quick start wizard will guide

03:17

you through the step-by-step

03:18

configuration process we are going to

03:20

review this process later in the video

03:23

when creating a new policy store in

03:26

Amazon verified permissions you can

03:28

choose an external open ID connect

03:30

provider option and provide its details

03:33

to Amazon verified

03:34

permissions you select what API and

03:38

Stage you want to protect with

03:40

authorization Amazon verified

03:42

permissions pulls all the required API

03:45

Gateway configuration and points and

03:48

actions

03:49

automatically using graphic user

03:51

interface you manually Define actions

03:54

allowed for each User Group verifi

03:57

permissions create a policy store

03:58

containing policy and schema and a

04:01

Lambda function that authorizes

04:04

request finally Amazon verified

04:07

permissions automatically assigns the

04:09

new Lambda function as an authorizer to

04:11

the API resources that you need to

04:14

protect the Lambda function generates

04:17

and enforces verified permissions

04:18

authorization

04:20

requests let's see how to use Amazon

04:23

verified permissions with an open it

04:25

connect identity provider to protect an

04:28

Amazon API Gateway

04:31

API you need to preconfig the oidc

04:34

identity provider of your choice we are

04:37

using key clock in this example create

04:42

users for this example I created two

04:45

users Alis and Bop create groups and

04:48

assign users to the

04:50

groups in this example Alis is in the

04:54

admin group and supposed to have full

04:56

access to the API Bop is in the user

05:00

group and supposed to have only read

05:02

access to the

05:03

API the open ID configuration allows you

05:07

to discover all the required values

05:10

needed to interact with a open ID

05:12

connect

05:13

provider create an Amazon API Gateway

05:16

API that you want to

05:18

protect we're using the pet store API

05:21

that is available as an example in the

05:24

Amazon API Gateway

05:26

console deploy a new stage of the API

05:30

that you want to protect we're using the

05:32

pro stage in this

05:34

example just to reiterate on the use

05:37

case our API has get and post methods I

05:41

want to secure this API based on the

05:43

users group membership admin users

05:46

should have full access to the API while

05:49

users belonging to the user group should

05:52

only have read access I'm going to use

05:55

Amazon verified permissions to achieve

05:58

this now get to the Amazon veried

06:01

permissions Management console click

06:04

create policy store in the top

06:07

right choose setup with API Gateway and

06:11

an identity provider and click

06:14

next choose the API that you want to

06:17

import actions and resources from in

06:20

this case select the pet store

06:23

API choose the deployment stage that you

06:26

want to import actions and resources

06:28

from and in this case we select the pro

06:32

stage finally click import API you will

06:36

see the map of imported resources and

06:38

actions click next choose external

06:41

opened connect provider option and

06:43

configure the oidc provider details we

06:47

need the issuer URL the issuer URL could

06:50

be found in the well-known open ID

06:52

connected provider configuration in

06:54

point token type select the token that

06:58

you are passing to a API Gateway in the

07:01

authorization header we also need to

07:04

define the token claims that map to user

07:08

and group entities in the policy store

07:10

schema verified permissions uses toen

07:13

claims to map to policies in an is

07:16

authorized with token

07:18

call let's check the content of the

07:21

token let's authenticate as Lis copy the

07:25

identity token and use an online tool in

07:28

order to check the claims in this token

07:32

as you can see the token has a sub claim

07:34

that identifies the user the group claim

07:37

contains the groups that the user

07:39

belongs to we're using the groups claim

07:42

to define the actions allowed for each

07:44

group as you see the groups have slashes

07:47

in the beginning your identity provider

07:50

May return the groups in a different

07:52

format the audience validation is

07:55

optional you can configure it if you

07:57

want to validate the audience in the

07:58

token

08:00

you should be validating the audience of

08:02

the token to make sure that the token is

08:04

intended for your application never

08:06

leave the audience validation unchecked

08:08

in a production environment since this

08:11

is the demo we are skipping this step

08:14

it's time to Define actions allowed for

08:16

each group we have two groups admin and

08:20

user we are allowing all actions for the

08:22

admin group and only get actions for the

08:26

user group verified permissions create a

08:29

policy store and the Lambda function

08:32

that authorizes request we need to

08:35

assign the new Lambda function as an

08:37

authorizer to the API that we need to

08:40

protect the function generates and

08:43

enforces veried permissions

08:44

authorization

08:46

requests we are choosing now to make

08:48

Amazon verified permissions to attach

08:50

the authorizer to the API immediately

08:53

click create policy store the resources

08:56

are deployed using AWS Cloud information

08:59

you can see the status of the deployment

09:02

in the cloud formation

09:04

conso once the deployment is complete

09:06

let's check what was created for

09:09

us now weate to the Amazon verified

09:12

permissions

09:13

counil you can see that a policy store

09:16

is created it has two policies one for

09:19

the admin group and one for the user

09:22

group each policy defines the principle

09:26

user group and the actions allowed

09:30

you can also see what that a policy

09:32

schema is created it defines the

09:35

relationship between entities such as

09:37

principles actions and

09:40

resources let's check the Amazon API

09:43

Gateway resources and make sure that a

09:45

Lambda authorizer is attached to the API

09:48

that we want to protect as you can see

09:51

the authorizer is attached to every

09:53

method of the API but options

09:59

Let's test our

10:01

configuration let's get the API Gateway

10:04

URL of the pet store API I weate to the

10:07

Amazon API Gateway console and check the

10:10

stages copy the invoke URL of the pro

10:14

stage open Postman let's configure the

10:17

authorization for the request navigate

10:20

to the authorization Tab and select the

10:22

allos to point0

10:24

type as you can see the authorization

10:28

data will be passed in the authorization

10:31

header of the HTTP request the bearer

10:34

header prefix is added automatically by

10:37

Postman before the actual value of the

10:40

token choose the token name of your

10:44

choice let's complete the configuration

10:47

the grand type is authorization

10:51

code the all URL is the authorization

10:54

end point of the open ID connect

10:58

provider the access token URL is a token

11:01

end point of the opened connect

11:07

provider the client ID and client secret

11:10

are the client credentials that you

11:12

created in the open ID connect provider

11:15

the scope is the scope that you want to

11:17

request the Callback URL is a URL that

11:21

the open ID connect provider will

11:23

redirect to after the user authenticates

11:26

we using the postman callback URL click

11:30

get new access token Postman will open a

11:33

new window to authenticate with the open

11:35

Ed connect provider enter the username

11:38

and password of the user that you want

11:40

to authenticate as Postman will redirect

11:44

you to the postman call back URL with

11:46

the authorization code Postman will

11:49

exchange the authorization code for the

11:51

token you can see the token in the

11:54

postman

11:56

environment let's authenticate as Alis

11:59

send get pets request to the API you

12:04

should get a 200 okay response with a

12:07

list of

12:08

pads send a post pets request to the API

12:14

you should get a 200 okay response with

12:16

the new pad because Ellis is the admin

12:18

user and allowed to perform any actions

12:21

in the

12:22

application now let's authenticate as

12:24

Bob send a get pets request to the API

12:29

you should get a 200 okay response with

12:31

a list of pets because Bob belongs to

12:34

user group and user group is allowed to

12:38

perform get requests now send a post

12:41

pets request to the API you will see

12:45

that request was forbidden because Bob

12:48

is not allowed to create new

12:51

pets with the announcement of quick

12:53

start for open a connect we want to give

12:56

a quick highlight to our partners this

12:58

allow allows you to bring your own

13:01

identity to AWS and leave the last mile

13:04

of authorization integration to

13:07

us this feature works with standard open

13:10

connect identity providers and we are

13:13

excited to announce that three of the

13:15

top identity providers cyber art OCTA

13:17

and transman security have partnered

13:20

with us for lunch and highlighted how

13:23

their identity provider works with this

13:27

feature you can find more information

13:30

about Amazon verified permissions by

13:33

following these

13:34

links thank you