Seamlessly Integrate Identity Into Your APIs with Okta + Kong | Developer Day 2021

Captions
Bharat Bhatt: Hi, I'm Bharat Bhatt and I run marketing and technical partner integrations for developer relations at Okta. Today I'm really excited to talk about some of the work we've been doing for the past six months with Kong, including working with their new Kong Konnect solutions. We want you to build the future of identity with us, and that is not possible without great API management and a great API strategy. I want to introduce Mike Bilodeau, who's my counterpart at Kong and who has been working with me on this journey of creating augmented use cases for APIs and identity. Basically the question is: how do I secure who accesses my APIs, and how do they access my APIs, with authentication and role-based access control? I'm really excited to be having Kong in our event, and I wanted to put it over to Mike and ask the question: hey, how do you guys think about helping your customers govern access to their APIs?

Mike Bilodeau: Thanks, Bharat, and super excited to be here too. As we look at ourselves as an ecosystem company, getting to be part of the Okta ecosystem and having Okta as part of our ecosystem is really awesome, and I love all the things we've been working on together. If we look a little bit at the background and the subtext of all this, around why it matters so much to be thinking about authentication, authorization, and identity in general for APIs, it's really that these mega trends are happening that I think everybody in the development, DevOps, API-centric space is seeing: the movement from monolithic to smaller microservices, and especially cloud-native microservices. We're seeing everybody under that same pressure to innovate, and that's creating a lot more APIs and connections that we need to manage. For us at Kong, what's really important is being able to provide connectivity that's reliable for every API and every microservice, whether it's at the edge, across applications like Kubernetes ingress, or within the application in a service mesh type of paradigm.

One of the things we're seeing a lot is looking at how authentication and authorization fit into the development life cycle. We see a lot of opportunity, especially with Okta, for inserting authentication, authorization, basically all the policies that you need to govern your APIs and how they behave, directly into the development life cycle. When you don't have that, you really have this challenge: if you don't have an API platform or an API management solution and a corresponding authentication, authorization, and identity provider that can work with it well, you start to get issues that come into the entire life cycle of how you're going to manage your APIs. You're going to see that slow down development. You're going to get a lot of manually created specs and docs that aren't standardized, aren't consistent, or in a lot of cases might even be missing some of those critical elements around identity. Then you've got a lot of slow processes in the middle where things are getting checked; there's no easy way to either generate the specifications, check them, validate them, and make sure that they're working well, as well as potentially having problems with having your gateway as part of that process in general. And then really on the outside of that, thinking about the ecosystem that everybody wants to build: there's a saying that goes, you never build an API for yourself, you're building it for someone else. So if there's no real way of allowing people to access that through a developer portal that again can be authenticated and can provide that identity to those other developers, whether they're inside your organization or outside of your organization, you're making an API that's going to be very limited in value. All these things kind of conspire to really hurt how I think a lot of folks want to move into a more modern way of developing APIs and microservices.

Bharat Bhatt: There's another thing there too. If you're thinking about an API strategy and then you put an identity provider on there, the identity provider actually takes care of all the new stuff coming in, all the threat vectors that are new, so you don't have to write that code ever. I think that's one of the big things that people don't think about when they think about APIs and identity. It's like, why do I want to manage this stuff? Actually, you don't, and the reason you don't is not just because of that lift that you have to do, but also because of all of the things that the identity provider and the API gateway provide. It just automatically handles it when something new comes in.

Mike Bilodeau: Exactly. When we get into this we look a lot at the organization, but from the standpoint of people who are developing and working on these things day in and day out, the biggest thing is just a waste of time, when you could essentially outsource some of the redundant manual code that you'd otherwise be writing over and over again. Maybe when you had one application or one monolithic app it wasn't that bad, but now when you're dealing with tens or hundreds of APIs it gets really time consuming. In the best case it's going to waste you a lot of time and a lot of money because you're spending all this time doing it, and in the worst case it's not going to be in there: you're not going to have that standardization, and you're going to have either the risk of it being inconsistent or the risk of something actually bad happening.

That's another thing where we really look at how we fit in with Okta: we look at it as really injecting Okta, and now of course Auth0 as well, into every part of this process. So we think about everything in how you're actually building out your specifications, making sure that in your design and test workflows you're able to test that authentication and authorization are behaving the way you would expect them to; having identity in the CI/CD process, making sure that there are certain checks and balances in your workflows so that as you're promoting things throughout the development life cycle you're never getting to a stage where you're shipping something into production that either has out-of-compliance identity policies or, worse yet, none at all; and then of course on the outside of it, looking at how you can onboard folks within your own organization or outside your organization to help them start consuming those APIs as rapidly as possible. That's where you get into those RBAC things we were talking about before: instead of having to go in and define, down to the line, policies for which APIs every single developer can access, we're able to do that in a role-based way, make sure that it's governed using that same IdP, and really provide that frictionless developer onboarding experience. That's a huge way we're working with Okta today with a large portion of our customers.

Bharat Bhatt: Right. When you said we're moving the testing part of it too, that's just music to my ears, because it's shifting identity left. I love this concept where, when we're thinking about an API strategy, we're not just testing the API part of it, we're testing the identity part of it at the same time, early in the process. To me that's something that a lot of people haven't had the ability to do, and with Kong and Okta coming together we're able to give that to customers.

Mike Bilodeau: So yeah, I think you'll like this even more, then, as you start to see how we're working this in. We think of APIOps as an evolution of DevOps and GitOps; it's complementary, not something that replaces them, but it takes into account the specific nuances you need when you're dealing with APIs in particular. So we look at all of the different places that you can really inject identity. I put all these logos in because this is what it comes down to: you can have that for every single person who's logging into Konnect, our central management plane; every person who's looking into each one of your different services in ServiceHub; every single external person who's coming in and looking at your developer portal or who wants to access your analytics like Kong Vitals; and then of course, exactly what you were just talking about, really making sure that it's injected into that entire process of your Git workflows going into your CI/CD pipeline, and getting it into the life cycle where you're constantly making it a part of how you develop, publish, promote, whatever you want to call each part of that entire process, to make sure that you're never at a stage where you could potentially be in a situation you don't want to be in from an identity perspective and from an API perspective.

Bharat Bhatt: Absolutely. It makes it faster to just do it this way, right?

Mike Bilodeau: Yeah, it makes it faster and less maintenance.

Bharat Bhatt: So I think that's the other key of it. I feel like what both of our companies are helping people do is less maintenance. Hey, this has been really nice talking this morning, Mike, and I just want to thank you again for joining our event. I'll just pop this up here: I'm really excited about some of the technical integrations that we're working on. For folks out there, we're working on some really cool technical integrations that we're going to talk more about at the Kong Summit in September, so please come and join the Kong Summit in September. Mike and other folks at Kong are going to talk more about some of the integrations that we're building technically with Kong from the Okta and Auth0 side. Thank you again, Mike, great to have you.

Mike Bilodeau: It's our pleasure.

Bharat Bhatt: And I want to remind everybody that we have five great developer labs tomorrow as well, on demand from 8am to 5pm, including a lab where we show you how to implement Kong Konnect with Okta. Please join us. Thanks again, Mike, and I'm going to pass it over to Vik now; he's going to show you how it all comes together with this demo.

Viktor Gamov: Hi, I'm Viktor Gamov, developer advocate with Kong, and in this part of our presentation here at Okta Developer Day I'm going to show you how you can integrate Okta and your applications using our Kong Konnect platform. Kong Konnect is a managed control plane for your Kong Gateway. Your Kong Gateway can be deployed wherever you like: on bare metal, somewhere in the cloud, somewhere in Kubernetes. This platform allows you to manage and enable additional functionality without changing the application code. Today I'll show you how you can enable authorization and authentication for your application using the integration between Okta and Kong.

In this demo I will be using an application that's already deployed in the cloud and running on the public internet, called httpbin.org. It's just a simple application that allows you to test your HTTP communication and play around with the HTTP protocol. I will be using this as an example of a service where I don't need to change the code or modify this application in order to provide new behavior. So let's get to it. I already have an account at Konnect (you can sign up and play around with it for free), and I already have a runtime configured. A runtime is an instance of a Kong Gateway that's deployed somewhere; in this particular case my Kong Gateway is deployed in Google Cloud Platform, and there it runs inside Docker. If you want to configure your runtime you can click "Configure runtime" and you can choose any version, even Linux: you can install it on your Linux machine and connect it to the Konnect platform. You can also run this in Kubernetes; you can find a video on the Kong YouTube channel where I explain how to do this.

The next thing is that I will be adding a new service that will represent my upstream application. In this particular case it's going to be "httpbin", version one. Click Create. The next thing is that I need to configure the actual implementation. The service that I just created here is a logical instance that is available in Konnect and can be used to configure my gateway, but the actual implementation is what I'm creating right now: here it's going to be httpbin.org. Click Next, and I need to create the first route; I'll call it "httpbin" and it will use the path /httpbin. That should suffice for now.

Let me show you how it works. I'm going to my Insomnia and make sure there's nothing enabled here, so it's just a simple GET request. It takes some time for my local caches to update, but here's what I see: this is the response from the service, with information about the path where we came from and what was forwarded. This information is provided by httpbin.org, because everything that you send to this resource will be played back to you, like an echo server.

Next, I will be showing you two examples today. Those examples will explain how you can do things around service-to-service authorization: for example, you have a service that doesn't have a UI and you need to interact with it only through an API, so how can you use things like Okta in order to manage access to the service? In the second example I will show you how you can use Okta to do interactive authentication and authorization, where you need to enter a username and password, so it's more like a traditional OAuth example.

Let's start with the first one, machine-to-machine or service-to-service communication. I do have a route here, the route we just tested. I want to add a plugin, and the plugin in this case will be the OpenID Connect plugin. In order to use this, I have my Okta applications already configured, so I go here to Applications, and my first application, which will be using my client ID and client secret, is here: "client credentials". I need to use this client ID and client secret in my config, so I go here: client ID here, client secret here. Another thing that I need to put here is the URL for the authorization server. The way I can get this is to go to Security > API in my Okta interface and get the issuer URL here; that goes in the issuer config. In order to make it more interesting I just reset the cache to 10 seconds. Another thing I want to add here is my scope; in this particular case it's going to be a scope that I already created here, so I'm going here to Scopes, and that's my custom scope that I want to have for my services. Now when I enable this plugin I will be able to connect to my... let me open a private window and just go here to /get. So instead of the response, I'm getting something else: it redirects me to Okta, but it shows me Bad Request, meaning that I cannot use this service configured in this way with a simple GET. In order to access this I need to provide some authorization information, so in this case I need to go here, click Basic Auth, and put in the client ID and client secret. When I send this it sends me back the response to my request, http.get, but it also includes a token. We can take a look at this token on the jwt.io website, and we know that this token was provided by this authorization server for this client ID. So now I can use this application to communicate with this service: when I provide the basic authentication I need to include this with my request, and after that each request will include this bearer token. That's the use case where we need to deal with service-to-service communication.

Let's configure another route, which we're going to use for a different use case. This one can be "httpbin2", with path /httpbin2. What I wanted to do: when we go to this URL through the browser, I want Okta to control access to this one. In order to use this I will be using another application. I go into Applications, and here is the "client credentials" application, which will be using the given client ID and secret. Another thing I need to do is configure this route slightly differently. There are a few types of applications you can create in Okta; when you go and create the application, I will be using the OpenID Connect type for connecting this through my web application, or, if I want to use this for service-to-service communication, I will just create an API-based application. So next, I'm also creating this OpenID Connect plugin for my authorization code flow. I'm going in here: client ID, client secret. The difference with this one is that I can also specify my redirect. When we go to this URL we need to get authorized by Okta, so we need to have these URLs, and after we successfully enter our credentials we will be able to navigate back to our application. We can specify the scope that I created for my application, and let's see, yeah, that should work. Another thing that you will see here under Assignments is that I have two users assigned to this application, so I can use both users to log in to my service. Now I'll go ahead here and click Create. Missing host URL; okay, sure, I missed that. Let me just see if I have the correct secret and key and also the client configured here. Create. Now if I open a new private window and try to access /get, I should be able to see the Okta window. In this case I will be logging in with my login from my 1Password; I'll be using my own. For some reason it redirected me back to my admin console, but I was able to get redirected back to the service, and now I get access to this one. Let's also take a look at this: copy the value, and let's see if we're getting a token that we can analyze and see if it's a correct one. Let me remove the trailing one, and now I see this is a different application ID, and this is the information that I can get from this OpenID Connect provider: information about the user that is now included with the token. So in my application I will be able to introspect this authorization token and extract some additional information for my application.

What if I want to restrict access to this resource so that this user will not be able to get access here? In my Okta I do have a group called "kong group" that only one user is included in, a user named Rick Astley, and now I need to teach my endpoint to use this. The way it works in this particular case: in my authorization server I need to create a claim that will include information about this particular group. I'm going here into Claims; see, there's nothing here. I'll call it "kong claim", for groups starting with "kong", and click Create. Now I need to go and modify my service. Let's keep this window open; in my plugin configuration I can click Edit Plugin. I need to configure special names: in this case I need to configure the scopes claim, which is going to be "kong claim", and the scopes required, which in this case will require the scope for the group, so the kong group. Click Update and get back to my service. If I try it again now I get a Forbidden message, because, let's take a look, I was logged into the system using my own user ID, so I was not part of this kong group. Now let's try again with a different user. I'll go in here once again trying to log in: Forbidden, maybe because of some additional information here that should not be here. Let's start with another private window. Now in my application I can enter my Rick Astley username and password, click Sign In, and now I was successfully logged in using this one. Let's take a look at my token; we can look at the additional information we have here. We know that this is our user that we get here, and we now also have a claim as part of the response that we're getting from Okta, and we know that this particular group complies with the configuration that we provided on the Kong Gateway side of things.

So that would be it for today, but it doesn't mean that Okta Developer Day ends here for you. Tomorrow we will have a developer lab where you can join my colleagues, who can help you with some hands-on experience on how you can configure this yourself. I hope you enjoyed this demo. As always, my name is Viktor Gamov, and have a nice day.
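The demo above configures everything through the Konnect UI. The following is an added example, not code from the video or from Kong, showing the same two routes as a decK-style declarative configuration for Kong's openid-connect plugin: the machine-to-machine route restricted to the client-credentials grant, and the browser route using the authorization-code grant with a group claim enforced via scopes_claim and scopes_required. The Okta domain, client IDs, secrets, scope, claim and group names in angle brackets are placeholders, and mapping the demo's 10-second cache setting to cache_ttl is an assumption.

```yaml
# Added example (not from the video or from Kong): decK-style declarative config
# mirroring the demo's Konnect UI steps. Angle-bracket values are placeholders.
_format_version: "1.1"

services:
  - name: httpbin
    url: https://httpbin.org          # upstream that simply echoes the request back
    routes:
      # Route 1: machine-to-machine access. Only the client-credentials grant is
      # allowed, so a plain browser GET is rejected; a request carrying the
      # application's client ID and secret obtains a token and is let through.
      - name: httpbin
        paths: ["/httpbin"]
        plugins:
          - name: openid-connect
            config:
              issuer: https://<okta-domain>/oauth2/default   # issuer URL from Okta > Security > API
              client_id: ["<m2m-client-id>"]
              client_secret: ["<m2m-client-secret>"]
              auth_methods: ["client_credentials"]
              scopes: ["<custom-scope>"]   # custom scope defined on the authorization server
              cache_ttl: 10                # assumption: the demo's 10-second cache setting

      # Route 2: interactive browser login with the authorization-code grant.
      # The token is authenticated against the issuer AND authorized by a group
      # claim: scopes_claim names the custom Okta claim carrying group names,
      # scopes_required lists the group a caller must belong to (otherwise 403).
      - name: httpbin2
        paths: ["/httpbin2"]
        plugins:
          - name: openid-connect
            config:
              issuer: https://<okta-domain>/oauth2/default
              client_id: ["<web-client-id>"]
              client_secret: ["<web-client-secret>"]
              auth_methods: ["authorization_code", "session"]
              redirect_uri: ["https://<gateway-host>/httpbin2/get"]  # must match the Okta app's sign-in redirect URI
              scopes: ["openid", "<custom-scope>"]
              scopes_claim: ["<groups-claim-name>"]   # the claim created on the authorization server
              # One array element containing spaces means ALL of those scopes are
              # required; separate elements mean ANY. Keep the group name free of spaces.
              scopes_required: ["<group-name>"]
```

With this applied, the behaviour matches the demo: an unauthenticated GET on /httpbin is rejected until the client credentials are supplied, and /httpbin2 redirects to the Okta login and then returns 403 for a signed-in user whose token does not carry the required group in the configured claim.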
Info
Channel: OktaDev
Views: 299
Keywords: API, Auth0, CI/CD, Developer Day, IAM, Kong, OAuth, OIDC, Okta, authentication, developer, identity, security
Id: qS2QV9sZcbw
Length: 29min 54sec (1794 seconds)
Published: Wed Aug 25 2021