Understanding TS 133 501 (5G) Step 2 of EAP-AKA’

I got a question dealing with the EAP-AKA’ used in 5G to authenticate clients coming from a 3GPP-Network.

I read the latest specification on ETSI. The problem I have is based on Step 2 on page 37/38, where it says (at least that is how I understood it) that when the UDM/ARPF gets the SUCI it shall continue as shown in RFC 5448 (a description of EAP-AKA’); otherwise it shall follow the EAP-AKA’ shown in the specification (TS 133 501).

That’s what confuses me. Are there really two different implementations of EAP-AKA’? I tried to overlay the two, but nevertheless to me they are different, due to the message flow.
Is that correct?

Author: Sheena

What is a recommended authentication architecture for a front GUI app that I want to control but that will be used by others to control their servers?

I have a front end (WEB GUI) app that I designed (Python for now + JavaScript in the future) that I use to access a controller, it uses REST APIs.

I want to publish this app in the cloud so that others could use it.

The biggest issue I am seeing is the security side, as the app needs to authenticate with the remote server (a controller itself) and start sending tasks to the controller, which translates them into internal REST APIs to control processes on downstream servers.

Is there an authentication flow that will guarantee to the owners of the controllers that I (the publisher of the front end) do not intercept the authentication flow and gain unwanted access to their servers?

My idea is to use a two-step authentication/authorization process like the one below. Is there a better way?
Please edit this diagram if you have suggestions

Author: MiniMe

How to create a user and copy the corresponding pub file to authorized_keys using AWS CloudFormation?

I am having trouble creating a user and copying the corresponding public key file, called authorized_keys, into the .ssh folder on the instance using AWS CloudFormation. I do this because I want to connect as this user using SSH. When I check the SystemLog of the created instance, it does not look like the user is created or any authorized_keys file is copied into the .ssh directory. This is my code:

LinuxEC2Instance:
  Type: AWS::EC2::Instance
  Metadata:
    AWS::CloudFormation::Init:
      config:
        # The group must exist before a user can be added to it.
        groups:
          exampleuser: {}
        users:
          # The user name, home directory and file owner must all refer to the same account.
          exampleuser:
            groups:
              - "exampleuser"
            # uid 1 collides with a system account (bin/daemon); use an unreserved uid.
            uid: 1001
            homeDir: "/home/exampleuser"
        files:
          /home/exampleuser/.ssh/authorized_keys:
            # A dynamic reference is written on one line, without spaces or newlines:
            # {{resolve:secretsmanager:secret-id:SecretString:json-key}}
            content: "{{resolve:secretsmanager:arn:aws:secretsmanager:region:account-id:secret:keyname:SecretString:keystring}}"
            mode: "000600"
            owner: "exampleuser"
            group: "exampleuser"
  Properties:
    # ... remaining instance properties (ImageId, InstanceType, ...) ...
    UserData:
      # Metadata under AWS::CloudFormation::Init is only applied when cfn-init runs on the instance.
      Fn::Base64: !Sub |
        #!/bin/bash -xe
        /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LinuxEC2Instance --region ${AWS::Region}

Am I missing something so that the user is created and the file is also being copied?

Author: Benny

Is it ok to share relevant login information on an API’s public endpoint?

I have an (https-only) API that uses OAuth2 for authentication and authorization via access tokens.

Any request to the API needs an access token in the Authorization header. The API validates that this access token is signed by a specific tenant (e.g. google), is targeted to a specific audience, and has some specific scopes.

As a user/service, it would be really helpful if the API exposed such information on a public endpoint, so that I know where I should fetch an access token from (e.g. through PKCE) and which scopes I need to request for the token.

A natural mechanism for this is for the API to have a public endpoint with something like

{
    "provider_uri": "https://accounts.google.com/.well-known/openid-configuration",
    "client_id":"...apps.googleusercontent.com",
    "scope":"openid ..."
}

Is this a valid approach? What other relevant idioms exist to address such a problem?

Author: Jorge Leitao
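An added example (not from the question above or from any project) of how the public endpoint idiom would be consumed: the API side refuses to publish any secret-bearing key, and the client side resolves the provider's discovery document from provider_uri, checks that S256 PKCE is offered, and assembles the authorization request from the published client_id and scope. The metadata and the discovery document are constructed stand-ins for what would be fetched over HTTPS.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample of what the API's public endpoint would return (not real values).
API_PUBLIC_AUTH_INFO = {
    "provider_uri": "https://accounts.google.com/.well-known/openid-configuration",
    "client_id": "example.apps.googleusercontent.com",
    "scope": "openid email",
}

# Constructed stand-in for the provider's discovery document (OpenID Connect Discovery format);
# a real client fetches it over HTTPS from provider_uri.
PROVIDER_DISCOVERY_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "code_challenge_methods_supported": ["plain", "S256"],
}

SECRET_KEYS = {"client_secret", "private_key", "api_key"}

def check_public_info(info):
    """Refuse to publish metadata that would leak a credential on an open endpoint."""
    leaked = SECRET_KEYS & set(info)
    if leaked:
        raise ValueError(f"public endpoint must not expose {sorted(leaked)}")
    return True

def pkce_challenge(verifier):
    """RFC 7636 S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(info, discovery, redirect_uri, verifier=None, state=None):
    """Resolve the authorization endpoint from the discovery document and build a PKCE
    authorization request from the API-published client_id and scope."""
    check_public_info(info)
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    verifier = verifier or secrets.token_urlsafe(48)  # 64 chars, within RFC 7636's 43..128
    params = {
        "response_type": "code",
        "client_id": info["client_id"],
        "redirect_uri": redirect_uri,
        "scope": info["scope"],
        "state": state or secrets.token_urlsafe(16),
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), verifier
```

The returned verifier is kept client-side and sent only to the token endpoint, so the public metadata never needs to carry anything secret.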