Securing an Unsecured app with open source tools.

Securing an Unsecured app.

With open source tools.

Secure Open Source day – Haarlem, the Netherlands
11/05/2019

Lawri van Buël

https://me.lawri.nl

Software Quality assurance

DevOps
Module Maintainer
Maintain Drupalchat.me Service.
Security Audits
Volunteering

slides: https://040lab.com/secosday/index.html

Problem
Solutions (TLS/OIDC)
Limitations
Federation
Technologies at play
Examples
Closure / Q&A

Problem

Technical

Un-secure Web Applications
Distribution of Thrust

Organizational

Governance
Liability
Integrity
Confidentiality

What to do?

Gatekeeper
Web Application
Authentication, Authorization and Accounting endpoint

Client side Certificates

or Transport Layer Security (TLS).

Authenticates Both Client and Server
Server wil only process encrypted content
Uses PKI with a CA
Requires Dedicated Setup

Open ID Connect (OIDC)

oAuth 2
Identity Provider
Web Oriented
JWT

Limitations

TLS

Deployment of Secrets
Access and revoking
Crypto Weaknesses

OIDC

Requires redirections
Access and revoking
Dependence on Provider

Federation

Internet
Discovery
Authentication

Logout
Revoke

Proxies and Relays

Technologies

oAuth 2
OpenID Connect
OpenResty (Nginx)
Drupal
Rocket.Chat

oAuth 2.0

Authorization Technology
Grants and Scopes
No ID
TLS only

OpenID Connect (OIDC)

Adds Authentication to oAuth 2.0
Uses JSON Web Tokens(JWT)
Adds the "openid" scope to oAuth
can be setup for Autodiscovery

Nginx / OpenResty

Nginx with Lua

Openresty

Lua Module: zmartzone/lua-resty-openidc

Example Config: (LUA)


                    complex = {}
                    function complex.config()
                    return {
                      redirect_uri = "https://app.example.com/redirect",
                      discovery = "https://drupal.example.com/.well-known/openid-configuration",
                      client_id = "Publicly-Visible-Client-ID",
                      client_secret = "Super-Secret-Client-Secret",
                      scope = "openid email profile",
                      refresh_session_interval = 300,
                      ssl_verify = "yes",
                      timeout = 300,
                    }
                    end
                    return complex

Example Vhost:


                        server {
                         ...
                          location / {
                            access_by_lua_block {
                              local opts = require('/etc/openresty/lua/oidc/config/app').config()
                              local res, err = require("resty.openidc").authenticate(opts)
                              if err then
                                ngx.status = 500
                                ngx.say(err)
                                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                              end
                              ngx.req.set_header("X-USER", res.id_token.sub)
                            }
                          }
                         location ~ \.php$
                           access_by_lua_block {
                             local opts = require('/etc/openresty/lua/oidc/config/app').config()<
                             local res, err = require("resty.openidc").authenticate(opts, nil, "pass")
                             ...
                           }
                           ...
                         }

OIDC Provider

Oauth2 Server
OpenId Connect Autodiscovery

OIDC Consumer

Drupal Integration
Drupal Module

Example: Unsecure Web App

Drupal - Provider
Nginx with Lua (Openresty)
Insecure Web Application

Example: Rocket Chat

Drupal - Provider
Nginx
Rocket.Chat