Zero Trust for Enterprise: Improving Access Controls

This blog was co-written by Max Saltonstall and Jen Person

Today we’re cooking up a new recipe: using a third-party identity provider to control access to your cloud application.

You might already have an authoritative source of identity, either cloud-based or on-prem, and still want to take advantage of BeyondCorp Remote Access. Keep reading to see how you can apply Zero Trust methods of working to a cloud app with Identity-Aware Proxy and external identity providers.

You can use BeyondCorp with any identity provider and any back-end

We’re using App Engine and Facebook for today’s example, but any back-end and identity source will work similarly. If you’re curious about how to use Identity-Aware Proxy and the fundamentals of BeyondCorp, read about those in these posts.

If you already have an identity provider, cloud-based or on-prem, and want to take advantage of BeyondCorp Remote Access and the Zero Trust way of working, dive in, because today we’re covering how to secure App Engine (or any cloud app) with Identity-Aware Proxy (IAP) using external identity providers. If you’re just joining us, you can see how we used IAP to control access with Google Identity in our last post.

The Ingredients

In order to get cooking you’ll want to make sure you have the right ingredients from the start. For today’s example, we’re using:


We’ve included links to the documentation for all of these products so that you don’t have to read us yammering on about them for five pages. Let’s get to the good stuff!

Start by getting all your ingredients together: app, hosting, identity and proxy

The Architecture

Here’s our basic structure, showing how requests proceed from your employees all the way to the back-end application.

In this architecture diagram, the client is shown as a diamond because your employees are super valuable. And at least partially made of Carbon.

To access the App Engine app, the client is directed to a login page hosted on Firebase Hosting. The page uses FirebaseUI to display a Facebook login button and handle login results. Identity Platform authenticates credentials on the backend. Let’s elaborate on how this works.

  1. Get authentication credentials from the user. This can be the user’s email address and password, a SAML assertion, or an OAuth token from a federated identity provider.
  2. In the case of federated identity providers like Facebook, the providers return those tokens to Identity Platform’s authentication handler on the /__/auth/handler endpoint. This service is hosted by Google, so you don’t have to receive and validate the authentication artifact.
  3. After the tokens are received, Google Cloud’s backend services will verify them and return a response to the client.
  4. Once the client’s identity is verified, Cloud IAP will allow the client to access the app.

Access to your application depends on identity verification, and authorization

The Sample

Just like your favorite cooking show, we have a sample cooked up and ready to present! Our sample code includes these ingredients:

  • An App Engine app that reads a JSON Web Token provided by the client and displays information about that user.
  • A login page that we will deploy to Firebase Hosting.
  • A sample using React. We won’t be using this today, but feel free to explore it!

With these components, an authenticated user will be directed to the login page. Once logged in, Identity-Aware Proxy will verify if the user is authorized to access the App Engine app. If so, the client is served the app. If not, the client sees a Permission Denied page. We’ve kept the sample as generic as possible so you can add the flavors your particular app needs.

This recipe uses App Engine, JSON Web Tokens, Firebase Hosting and React

There are a few additional steps to take so you can see this sample in action. Let’s walk through them.

1. Create the App Engine app

Create a new project or start with an existing one. Then create an App Engine app.

2. Install the Firebase CLI

You’ll need the Firebase CLI for deploying to Firebase Hosting. You can download it using npm.

npm install -g firebase-tools

3. Enable the APIs

Enable the Identity Platform and Identity-Aware Proxy APIs via the Cloud Console.

With these preparation steps out of the way, we’re ready to get the code.

4. Get the Code

The sample code is available on GitHub, so go ahead and clone it.

git clone https://github.com/GoogleCloudPlatform/iap-gcip-web-toolkit.git

Change to the directory of the App Engine app.

cd iap-gcip-web-toolkit/sample/app

Run npm install to install the required packages.

npm install

Now the app is ready to deploy. Run this command to deploy:

npm run deploy

If you open the package.json file, you can see what this command actually does.

// package.json
"deploy": "gcloud app deploy",

That’s right, all it does is run gcloud app deploy. So you can also use this command directly if you prefer.

We start with a minimal oatmeal app: not that impressive, but achieves the basics

Think of this app like oatmeal: it gets the job done, it’s mildly disappointing on its own, but it’s a great stepping stone as you learn more techniques as a chef.


You’ll see the URL for the deployed app once the deploy finishes. You can follow this link now, but you’ll notice that you get back a permission error. That’s exactly what we want since we haven’t configured the proxy yet! We don’t want any other cooks messing with this cake’s batter until it’s good and ready, so we’ll keep them all out.


It doesn’t do much, but it keeps people out. All of them!

It’s just like the kitchen at a fancy restaurant: you’re only allowed in if you have the right credentials. So let’s create a way to check for ID at the door, so we can make sure only the right sous-chefs can mess with our vichyssoise!

5. Host the login page

Whenever you go to one of our apps behind IAP, the first step is to check your identity. Just like a bouncer at the exclusive club, you need to prove yourself before you’re allowed through the door. If you are not authenticated, we need to get your credentials, to see if you are allowed to access the app in question. To see if you can get into this specific club.


Using Cloud Identity this brings up a Google authentication page, already made and ready for us to use. But if we choose to use another identity provider, then we need a solution for gathering credentials when our requester is not logged in yet. Below we’ll make that page with Firebase Hosting, and luckily for us, the code we need is already in the sample repo.

You can make your own login page or use Google’s

Start by entering the directory containing the code for the login screen.

cd ../authui-firebaseui

There are some packages we’ll need, so go ahead and run npm install.

npm install

We need to add Firebase to our Cloud project. You can do so with this command:

firebase use project-id

Then, just like the App Engine sample, we run this command:

npm run deploy

But unlike the App Engine sample, instead of running `gcloud app deploy`, this command deploys your login page to Firebase Hosting using the Firebase CLI.

// package.json
"deploy": "firebase deploy",

6. Enable Facebook Identity

Let’s take Facebook as our external identity provider for today’s example, as a way for people to log in to our app without Google account credentials. To start using Facebook as an identity provider, head to the Facebook developer page and create an app. You will need the App ID and secret for your GCP project. If you want more details on using Facebook for your applications, check out the instructions outlined in the Manage access with external identities quickstart.

Give your users flexibility with external identity support

7. Add Facebook as a Google Cloud identity provider

To configure Identity Platform to use Facebook for authentication from the Cloud Console, go to Tools, Identity Platform, and then click Add a Provider.

Select Facebook from the list of providers,

then enter the App ID and App Secret you got from your Facebook app. Finally, click Save.

8. Configure a redirect URI

If someone completes their login via Facebook, where do they go next? We need to tell Facebook, our identity provider and source of authentication credentials, so it knows which URI to redirect to after completing login. Head back to Facebook’s Apps page and select your app. In the left menu, click Products. Locate the Facebook Login product, and click Set Up. In the left navigation menu, select Settings, and then in the Valid OAuth Redirect URIs box, enter the redirect URI. This URI has the following format:

https://project-id.firebaseapp.com/__/auth/handler

You can also find this URI in the Identity Platform provider configuration page. Remember to click Save Changes! Now you’ve finished setting up Identity Platform! With our metaphorical cake baked and cooled, it’s time to add the frosting: configuring IAP to use it for authorization.

Yummy!

Cake is better with identity-based access controls. There isn’t much relevance to showing this cake…we just thought it looked delicious.

9. Enable IAP for external identities

We know who is coming in the door of our restaurant, now let’s make sure only the right people can come to the kitchen. In our last post, we showed you how to enable IAP for App Engine using Google Authentication. The process of implementing IAP with external identities is similar, but there are a couple more steps to connect IAP to the Identity Platform authentication we just configured.

Identity Platform allows you to choose from any number of authentication options

First, you’ll need to enable IAP. If you’re not sure how, then check out the post or this quickstart on enabling IAP for access control.

From the IAP page, in the side panel, under Use external identities for authorization, click Start.

In the Authentication URL field, enter the URL of the authentication app you deployed to Firebase Hosting. It should look something like https://<project-id>.firebaseapp.com/. Check the box with your project name. It will have Facebook listed as an identity provider since we enabled it earlier. Click Save and you’re good to go!

Putting it all together

We have now implemented all the ingredients of this recipe, so let’s throw it in the oven and try it out! Start in a new incognito window to make sure you experience the full flow.

Open the URL for your App Engine app. You’ll be redirected to the login page that uses FirebaseUI as the frontend and Identity Platform on the backend to authenticate with Facebook.

We have a full start-to-finish authentication flow!

Once you’re logged in, you’ll see your app! Commence fireworks celebrations.


What’s next?

We’ve just deployed an app to Google Cloud using Facebook as the identity to authorize people to view the app. Now you can learn about the many ways Identity Platform allows authentication, so you can make sure you only give access to the right people at the right time. Or, try out implementing the provider your company requires. And make sure you always know who is getting in.

Translated from: https://medium.com/google-cloud/zero-trust-for-enterprise-cooking-up-some-access-controls-cfd05ba54d12
