Practical Auth in a Serverless World

Transcript

1. @_andreasgrimm Practical Auth in a Serverless World [email protected] @_andreasgrimm

2. @_andreasgrimm Andreas Grimm

3. @_andreasgrimm I ❤ serverless meetup.com/Serverless-Berlin

4. @_andreasgrimm I ❤ DDD (dddber.com) ... and EventStorming

5. @_andreasgrimm JavaScript & TypeScript https://www.meetup.com/ fullstack-berlin/

6. @_andreasgrimm akelius.com

7. @_andreasgrimm Akelius (Berlin office) Real Estate Internal Business Software 2/3

   K8S, 1/3 serverless IAM Architecture / Security DDD & EventStorming Community

8. @_andreasgrimm Agenda Serverless My Serverless Story Serverless & Auth Auth

   Fundamentals Protect a Serverless API Access an API from FaaS

9. @_andreasgrimm What is "serverless" ?

10. @_andreasgrimm There are still servers but you don't have to

    care about servers anymore

11. @_andreasgrimm – Gojko Adzic (@gojkoadzic) “Serverless is without servers like

    WiFi is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore.”

12. @_andreasgrimm Your code is being scheduled ... by a scheduler

    you don't own. not true for Kubernetes (self-hosted & managed)

13. @_andreasgrimm High Availability

14. @_andreasgrimm Auto-Scaling including "scale to zero"

15. @_andreasgrimm No Idle Costs not subscription-based (e.g. $ 7 /

    months)

16. @_andreasgrimm Pay only for active usage pay-as-you-go pay-per-use pay-per-request pay-per-transaction

17. @_andreasgrimm Serverless > FaaS

18. @_andreasgrimm Storage Amazon S3 / Azure Blob Storage Amazon DynamoDB

    / Azure Cosmos DB AWS AppSync Amazon Athena

19. @_andreasgrimm Messaging Amazon SNS / Azure EventGrid Amazon SQS /

    Azure ServiceBus Google Cloud PubSub Amazon EventBridge

20. @_andreasgrimm Streams Amazon Kinesis / Azure EventHub

21. @_andreasgrimm and more: Observability (Central Logs, Metrics, Distributed Tracing) Marketing

    Analytics ...

22. @_andreasgrimm http://www.se-radio.net/2018/03/se-radio-episode-320-nate-taggart-on-serverless-paradigm/

23. @_andreasgrimm Pay only for active usage realtime-ish monitoring of transaction

    costs

24. @_andreasgrimm Serverless Pricing Model enables #FinDev https://www.youtube.com/watch?v=F0H7WuK56Nc

25. @_andreasgrimm Serverless = Serviceful cloud (vendor) native high-level managed services

26. @_andreasgrimm Your Value-add ? focus on competetive advantage don't reinvent

    the wheel!

27. @_andreasgrimm BaDaaS (Business-components-and-Deployment-as-a-Service) Focus on Your Value-add https://www.youtube.com/watch?v=2A5HVF0LUi0

28. @_andreasgrimm Serverless = Serviceful no need to deal with low-level

    ... - infrastructure - security

29. @_andreasgrimm Thomas Fricke - Kubernetes Security (BedCon 2019-09-05)

30. @_andreasgrimm Thomas Fricke - Kubernetes Security (BedCon 2019-09-05)

31. @_andreasgrimm (Real) Total Cost of Ownership? often impossible to measure

    empirically

32. @_andreasgrimm Team has to justify why not using services –

    Soenke Ruempler (@s0enke)

33. @_andreasgrimm Higher Level Security https://www.youtube.com/watch?v=rJBCRhrfnak

34. @_andreasgrimm Puresec / Protego https://www.youtube.com/watch?v=uiYTKuuC82U

35. @_andreasgrimm Serviceful ≠ Lock-in it's coupling ... like everything else

    -> Hexagonal / Clean Architecture ☝

36. @_andreasgrimm Cloud / Vendor Lock-In https://lumigo.io/blog/you-are-wrong-about-serverless-vendor-lock-in/

37. @_andreasgrimm https://martinfowler.com/articles/oss-lockin.html

38. @_andreasgrimm Cloud Lock-in vs. Employee Lock-in

39. @_andreasgrimm Total Cost of Ownership

40. @_andreasgrimm Time to market Jochen Christ - Mob Programming (BedCon,

    2019-09-05)

41. @_andreasgrimm On-Premise VM = Serverless?

42. @_andreasgrimm "serverless is a state of mind" https://www.youtube.com/watch?v=8Rzv68K8ZOY

43. @_andreasgrimm Serverless -> Commodity https://www.youtube.com/watch?v=SPsaqiegOP4

44. @_andreasgrimm Wardley Maps

45. @_andreasgrimm My Serverless Story ... or why I like it

    so much

46. @_andreasgrimm ❤ Business Problems

47. @_andreasgrimm Babysitting Infrastructure

48. @_andreasgrimm ❤ Effective Software Development Domain-Driven Design (DDD) Collaborative Modeling

49. @_andreasgrimm EventStorming by @ziobrando - Modeling Business Processes (as a

    whole) - Event-Driven (fits serverless )

50. @_andreasgrimm EventStorming session at Akelius Berlin office

51. @_andreasgrimm (real) DevOps Culture

52. @_andreasgrimm Agile Software Development ... done right

53. @_andreasgrimm DDD ❤ Serverless

54. @_andreasgrimm Modeling Whirlpool https://domainlanguage.com/ ddd/whirlpool/

55. @_andreasgrimm Build -> Measure -> Learn

56. @_andreasgrimm Continuous Discovery / Experimentation

57. @_andreasgrimm Serverless (+) Auth ... what's so special about it

    now?

58. @_andreasgrimm Serverless > FaaS including: Identity & Access Management /

    IDaaS

59. @_andreasgrimm Self-Hosted IDPs (IDP = Identity Provider) How to scale?

    No SLAs "Pager Duty" -> Soenke's list "Total Cost of Ownership"

60. @_andreasgrimm keycloak.org identityserver.io

61. @_andreasgrimm ❤ Managed IDPs Auth0 AAD (Azure Active Directory) Okta

    PingIdentity AWS Cognito

62. @_andreasgrimm Pricing Model

63. @_andreasgrimm Auth0 Pricing Pay-Per-Use: Yes Pay-Per-Transaction: No Enterprise Users: Yes

    Machine-2-Machine: Yes

64. @_andreasgrimm AAD (B2C) Pricing Pay-Per-Use: Yes Pay-Per-Transaction: Yes Enterprise Users:

    No Machine-2-Machine: No

65. @_andreasgrimm AAD Pricing Pay-Per-Use: No Pay-Per-Transaction: No Enterprise Users: Yes

    Machine-2-Machine: Yes

66. @_andreasgrimm Technical Aspects Customizability

67. @_andreasgrimm Auth0 Rules - webtask.io - Serverless JavaScript Code Snippets

68. @_andreasgrimm Auth0 Rules Code Example

69. @_andreasgrimm AAD Claims Mapping Limited Can't run own code Feels

    tedious

70. @_andreasgrimm Which IDP to choose? It depends (on ..) usage

    patterns flexibility simplicity

71. @_andreasgrimm Auth Examples -> Auth0 (IDP) Azure Functions (FaaS) Azure

    API Management (API Gateway) Cloudflare Workers (API Gateway) Azure KeyVault (Security Management System) Azure Managed Identities (IAM for cloud resources)

72. @_andreasgrimm APIs How to protect ?

73. @_andreasgrimm Interactive Client ("Frontend")

74. @_andreasgrimm Interactive Client Not related to serverless Browser or native

    app

75. @_andreasgrimm API Runs in FaaS Where to validate JWT ?

76. @_andreasgrimm JWT Validation in Function

77. @_andreasgrimm npm package based on "express-jwt"

78. @_andreasgrimm Wrap main function with higher order function.

79. @_andreasgrimm Azure Function Bindings Declare actions without writing code e.g.

    get item from a DB

80. @_andreasgrimm https://origin.com/api?id=myDocID

81. @_andreasgrimm Azure Function Bindings Bindings run before the function code

    -> IO (costs) before JWT validation

82. @_andreasgrimm JWT Validation in Function ⚠ Only together with API

    key (functions key)

83. @_andreasgrimm JWT Validation in Function App "Function App": - Group

    of functions deployed together - Sharing one identity

84. @_andreasgrimm Function App Auth JWT Validation happens before Bindings No

    additional costs AAD only

85. @_andreasgrimm JWT Validation in Azure API Management

86. @_andreasgrimm Azure API Management Pay-per-Request: Yes

87. @_andreasgrimm Azure API Management AAD only

88. @_andreasgrimm JWT Validation in Cloudflare Workers

89. @_andreasgrimm Like an API Gateway .. that runs code https://developers.cloudflare.com/workers/about/

90. @_andreasgrimm ... but in 190+ Data Centers #EdgeComputing Deployment Region:

    World

91. @_andreasgrimm Cloudflare Workers Pay-Per-Use: Yes

92. @_andreasgrimm Cloudflare Workers Free Tier

93. @_andreasgrimm Validate JWT Forward JWT Payload

94. @_andreasgrimm In function: Just consume payload

95. @_andreasgrimm Authenticated Origin Pulls using shared secret (aka apikey) also

    certificate-based possible

96. @_andreasgrimm APIs How to access ? (from Backend)

97. @_andreasgrimm Non-Interactive Client ("Backend")

98. @_andreasgrimm Machine-to-Machine Client Runs in FaaS Stateless environment (partially) Where

    to store secrets?

99. @_andreasgrimm AuthN by Cloud-internal Trust Relationship

100. @_andreasgrimm Get and Safely Store Access Token

101. @_andreasgrimm AuthN, Get Token, Use Token To Get Data

102. @_andreasgrimm Azure Managed Identiy Has to be activated for the

     Function App

103. @_andreasgrimm Azure KeyVault Secrets (where the clientSecret is stored securely)

104. @_andreasgrimm Function App Identity's Privileges least privilege (consider many KeyVaults

     per resource)

105. @_andreasgrimm Azure KeyVault Pricing Pay-Per-Use: Yes (in ranges)

106. @_andreasgrimm Why use Key Vault? secret-less access, based on identity

     enables key rotation ideal for "stateless" environments

107. @_andreasgrimm How to Access Key Vault From Code?

108. @_andreasgrimm Secret via Env Var not hardcoded ☝

109. @_andreasgrimm Key Vault References @Microsoft.KeyVault(SecretUri=https://serviceful-cloud.vault.azure.net/secrets/auth-m2m- client-secret-auth0/b01787d0082f49448744cabfe1bab7ad)

110. @_andreasgrimm Get Token From IDP Function does not know about

     Key Vault at all

111. @_andreasgrimm Get Data From API

112. @_andreasgrimm Demo

113. @_andreasgrimm Summary - JWT Validation On Top of API key

     - Use Central SMS (Secrets Management System, e.g. Key Vault) - Cache Tokens (In-Memory &) in SMS - SMS Enables Key Rotation

114. @_andreasgrimm ___________.__ __ \__ ___/| |__ _____ ____ | |

     __ ______ | | | | \\__ \ / \| |/ / / ___/ | | | Y \/ __ \| | \ < \___ \ |____| |___| (____ /___| /__|_ \/____ > \/ \/ \/ \/ \/ ___( ) ( _) (_ __)) (( _____) (_________)----' _/ / / _/ _/ / / __/ _/ / /__/ // /' - Twitter: @_andreasgrimm - LinkedIn: linkedin.com/in/andreas-grimm/ - Blog: andreasgrimm.com - Meetups: @DDDBER, @FullstackJS, Serverless Berlin