Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Practical Auth in a Serverless World

Andreas Grimm
June 04, 2019
Technology
1
140

Practical Auth in a Serverless World

It became essential for businesses to protect their applications, services and customer data from attackers. If you want to stay competitive, knowing how to efficiently and easily apply security and auth while being aware of the most common pitfalls is key in today's serverless world.
Traditional machine-to-machine auth approaches where you can rely on a stateful environment fall short in a modern serverless and thus stateless world.
After a short recap of some auth fundamentals, you'll learn how to efficiently apply authentication to Azure Functions without compromising security - using an external Identity Provider like Auth0, OAuth 2, JWT, the secrets management system Azure Key Vault, Azure Managed Identities and Cloudflare Workers.

Andreas Grimm

June 04, 2019
Tweet

More Decks by Andreas Grimm

See All by Andreas Grimm
Practical Auth in a Serverless World
andreasgrimm
1
46
Praktikable Authentifizierung in Serverless-Umgebungen
andreasgrimm
0
54
Practical Auth in a Serverless World
andreasgrimm
0
53
What_is_Serverless.pdf
andreasgrimm
0
40
Clean JavaScript
andreasgrimm
0
120

Other Decks in Technology

See All in Technology
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
340
Application Development WG Intro at AppDeveloperCon
salaboy
0
210
Amazon Forecast亡き今、我々がマネージドサービスに頼らず時系列予測を実行する方法
sadynitro
0
170
LINEヤフーにおけるPrerender技術の導入とその効果
narirou
2
840
OCI Vault 概要
oracle4engineer
PRO
0
9.8k
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
200
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
260
SSMRunbook作成の勘所_20241120
koichiotomo
3
180
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
250
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.5k
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
490
電話を切らさない技術 電話自動応答サービスを支える フロントエンド
barometrica
2
710

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Designing the Hi-DPI Web
ddemaree
280
34k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Happy Clients
brianwarren
98
6.7k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
A better future with KSS
kneath
238
17k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Teambox: Starting and Learning
jrom
133
8.8k

Transcript

  1. @_andreasgrimm Practical Auth in a Serverless World [email protected] @_andreasgrimm

  2. @_andreasgrimm Andreas Grimm

  3. @_andreasgrimm I ❤ serverless

  4. @_andreasgrimm I ❤ DDD (dddber.com) ... and EventStorming

  5. @_andreasgrimm JavaScript TypeScript https://www.meetup.com/ fullstack-berlin/

  6. @_andreasgrimm Akelius Real Estate Internal Business Software 2/3 K8S, 1/3

    serverless IAM Architecture / Security DDD (trying to) Community

  7. @_andreasgrimm Agenda Serverless My Serverless Story Serverless & Auth Auth

    Fundamentals Securing a Serverless API Serverless Machine-to-Machine Client

  8. @_andreasgrimm What is "serverless" ?

  9. @_andreasgrimm There are still servers but you don't have to

    care about servers anymore

  10. @_andreasgrimm – Gojko Adzic (@gojkoadzic) “Serverless is without servers like

    WiFi (Wireless Fidelity) is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore.”

  11. @_andreasgrimm Auto-Scaling

  12. @_andreasgrimm High Availability

  13. @_andreasgrimm Charged based on usage pay-as-you-go pay-per-use pay-per-request pay-per-transaction

  14. @_andreasgrimm No Idle Costs Not subscription-based (e.g. $ 7 /

    months) Pay only for active usage

  15. @_andreasgrimm Serverless enables #FinDev https://www.youtube.com/watch?v=F0H7WuK56Nc

  16. @_andreasgrimm Serverless = Serviceful "Real" cloud native High-level managed cloud

    services Not to deal with low-level infrastructure

  17. @_andreasgrimm BaDaaS (Business-components-and-Deployment-as-a-Service) Focus on Your Value-add https://www.youtube.com/watch?v=2A5HVF0LUi0

  18. @_andreasgrimm Serverless > FaaS

  19. @_andreasgrimm Storage AWS S3 / Azure Blob Storage AWS DynamoDB

    / Azure Cosmos DB AWS AppSync

  20. @_andreasgrimm Messaging AWS SNS / Azure EventGrid AWS SQS /

    Azure ServiceBus

  21. @_andreasgrimm Streams Amazon Kinesis / Azure EventHub

  22. @_andreasgrimm and more: Tracing, Logging, Metrics Marketing Analytics ...

  23. @_andreasgrimm http://www.se-radio.net/2018/03/se-radio-episode-320-nate-taggart-on-serverless-paradigm/

  24. @_andreasgrimm My Serverless Story

  25. @_andreasgrimm ❤ Business Problems

  26. @_andreasgrimm Babysitting Infrastructure

  27. @_andreasgrimm ❤ Effective Software Development Domain-Driven Design (DDD) EventStorming EventModeling

  28. @_andreasgrimm Event Storming by @ziobrando - Modeling Business Processes (as

    a whole) - Event-Driven (fits serverless )

  29. @_andreasgrimm Event Modelling upcoming book by Adam Dymitruk (@adymitruk)

  30. @_andreasgrimm (real) DevOps Culture

  31. @_andreasgrimm Agile Software Development ... done right

  32. @_andreasgrimm DDD ❤ Serverless

  33. @_andreasgrimm Modeling Whirlpool https://domainlanguage.com/ ddd/whirlpool/

  34. @_andreasgrimm Build -> Measure -> Learn

  35. @_andreasgrimm Continuous Discovery / Experimentation

  36. @_andreasgrimm Cost of Self-hosting ? often hard to measure and

    thus underestimated

  37. @_andreasgrimm Team has to justify why not using services –

    Soenke Ruempler (@s0enke)

  38. @_andreasgrimm Cloud Lock-in vs. Employee Lock-in

  39. @_andreasgrimm Cloud / Vendor Lock-In https://lumigo.io/blog/you-are-wrong-about-serverless-vendor-lock-in/

  40. @_andreasgrimm Serverless -> Commodity https://www.youtube.com/watch?v=SPsaqiegOP4

  41. @_andreasgrimm Serverless (+) Auth ... what's so special about it

    now?

  42. @_andreasgrimm https://www.youtube.com/watch?v=2n_ldYNnccQ

  43. @_andreasgrimm https://www.youtube.com/watch?v=yaNm8NpVxSo

  44. @_andreasgrimm Serverless > FaaS including: Identity & Access Management /

    IDaaS

  45. @_andreasgrimm Self-Hosted IDPs (IDP = Identity Provider) How to scale?

    No SLAs "Pager Duty" -> Soenke's list

  46. @_andreasgrimm keycloak.org identityserver.io

  47. @_andreasgrimm ❤ Managed IDPs Auth0 AAD (Azure Active Directory) Okta

    PingIdentity AWS Cognito

  48. @_andreasgrimm Pricing Model

  49. @_andreasgrimm Auth0 Pricing Pay-Per-Use: Yes Pay-Per-Transaction: No Enterprise Users: Yes

    Machine-2-Machine: Yes

  50. @_andreasgrimm AAD (B2C) Pricing Pay-Per-Use: Yes Pay-Per-Transaction: Yes Enterprise Users:

    No Machine-2-Machine: No

  51. @_andreasgrimm AAD Pricing Pay-Per-Use: No Pay-Per-Transaction: No Enterprise Users: Yes

    Machine-2-Machine: Yes

  52. @_andreasgrimm Technical Aspects Customizability

  53. @_andreasgrimm Auth0 Rules - webtask.io - Serverless JavaScript Code Snippets

  54. @_andreasgrimm Auth0 Rules Code Example

  55. @_andreasgrimm AAD Claims Mapping Limited Can't run own code Feels

    tedious

  56. @_andreasgrimm Which IDP to choose? It depends (on ..) usage

    patterns flexibility simplicity

  57. @_andreasgrimm Auth Examples -> Auth0 (IDP) Azure Functions (FaaS) Azure

    API Management (API Gateway) Cloudflare Workers (API Gateway) Azure KeyVault (Security Management System) Azure Managed Identities (IAM for cloud resources)

  58. @_andreasgrimm APIs How to protect ?

  59. @_andreasgrimm Interactive Client ("Frontend")

  60. @_andreasgrimm Interactive Client Not related to serverless Browser or native

    app

  61. @_andreasgrimm API Runs in FaaS Where to validate JWT ?

  62. @_andreasgrimm JWT Validation in Function

  63. @_andreasgrimm npm package based on "express-jwt"

  64. @_andreasgrimm Wrap main function with higher order function.

  65. @_andreasgrimm Azure Function Bindings Declare actions without writing code e.g.

    get item from a DB

  66. @_andreasgrimm https://origin.com/api?id=myDocID

  67. @_andreasgrimm Azure Function Bindings Bindings run before the function code

    -> IO (costs) before JWT validation

  68. @_andreasgrimm JWT Validation in Function ⚠ Only together with API

    key (functions key)

  69. @_andreasgrimm JWT Validation in Function App "Function App": - Group

    of functions deployed together - Sharing one identity

  70. @_andreasgrimm Function App Auth JWT Validation happens before Bindings No

    additional costs AAD only

  71. @_andreasgrimm JWT Validation in Azure API Management

  72. @_andreasgrimm Azure API Management Pay-per-Request: Yes

  73. @_andreasgrimm Azure API Management AAD only

  74. @_andreasgrimm JWT Validation in Cloudflare Workers

  75. @_andreasgrimm Like an API Gateway .. that runs code https://developers.cloudflare.com/workers/about/

  76. @_andreasgrimm ... but in 180+ Data Centers #EdgeComputing Deployment Region:

    World

  77. @_andreasgrimm Cloudflare Workers Pay-per-Request: Yes (in ranges)

  78. @_andreasgrimm Cloudflare Workers Free Tier

  79. @_andreasgrimm Validate JWT Forward JWT Payload

  80. @_andreasgrimm In function: Just consume payload

  81. @_andreasgrimm Authenticated Origin Pulls using shared secret (aka apikey) also

    certificate-based possible

  82. @_andreasgrimm APIs How to access ? (from Backend)

  83. @_andreasgrimm Non-Interactive Client ("Backend")

  84. @_andreasgrimm Machine-to-Machine Client Runs in FaaS Stateless environment (partially) Where

    to store secrets?

  85. @_andreasgrimm AuthN by Cloud-internal Trust Relationship

  86. @_andreasgrimm Get and Safely Store Access Token

  87. @_andreasgrimm AuthN, Get Token, Use Token To Get Data

  88. @_andreasgrimm Azure Managed Identiy Has to be activated for the

    Function App

  89. @_andreasgrimm Azure KeyVault Secrets (where the clientSecret is stored securely)

  90. @_andreasgrimm Function App Identity's Privileges least privilege (consider one KeyVault

    per resource)

  91. @_andreasgrimm Azure KeyVault Pricing Pay-Per-Transaction: Yes (in ranges)

  92. @_andreasgrimm How to Access Key Vault From Code?

  93. @_andreasgrimm Secret via Env Var not hardcoded ☝

  94. @_andreasgrimm Key Vault References @Microsoft.KeyVault(SecretUri=https://serviceful-cloud.vault.azure.net/secrets/auth-m2m- client-secret-auth0/b01787d0082f49448744cabfe1bab7ad)

  95. @_andreasgrimm Get Token From IDP Function does not know about

    Key Vault at all

  96. @_andreasgrimm Get Data From API

  97. @_andreasgrimm Demo

  98. @_andreasgrimm ___________.__ __ \__ ___/| |__ _____ ____ | |

    __ ______ | | | | \\__ \ / \| |/ / / ___/ | | | Y \/ __ \| | \ < \___ \ |____| |___| (____ /___| /__|_ \/____ > \/ \/ \/ \/ \/ ___( ) ( _) (_ __)) (( _____) (_________)----' _/ / / _/ _/ / / __/ _/ / /__/ // /' - Blog: andreasgrimm.com - Twitter: @_andreasgrimm - LinkedIn: linkedin.com/in/andreas-grimm/ - Meetup Organizer: @DDDBER, @FullstackJS, Serverless Berlin