Practical Auth in a Serverless World

It has become essential for businesses to protect their applications, services and customer data from attackers. To stay competitive, you need to know how to apply security and auth efficiently and easily while being aware of the most common pitfalls in today's serverless world.
Traditional machine-to-machine auth approaches that rely on a stateful environment fall short in a modern serverless, and therefore stateless, world.
After a short recap of some auth fundamentals, you'll learn how to efficiently apply authentication to Azure Functions using Auth0, Cloudflare Workers and Azure Key Vault without compromising security.

Andreas Grimm

October 15, 2019

Transcript

  1. @_andreasgrimm – Akelius (Berlin office): Real Estate, Internal Business Software; 2/3 K8S, 1/3 serverless; IAM, Architecture / Security, DDD & EventStorming, Community
  2. Agenda: Serverless - The Big Picture; Why I Like It; Serverless & Auth; Auth Fundamentals; Protect a Serverless API; Access an API from FaaS
  3. Gojko Adzic (@gojkoadzic): “Serverless is without servers like WiFi is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore.”
  4. FaaS / Execution Model: you don't own the scheduler; high availability; auto-scaling (incl. scale to zero)
  5. Which IDP to choose? It depends: law / regulatory, usage patterns, flexibility, simplicity
  6. Auth Examples -> Auth0 (IDP), Azure Functions (FaaS), Azure API Management (API Gateway), Cloudflare Workers (API Gateway), Azure KeyVault (Security Management System), Azure Managed Identities (IAM for cloud resources)
  7. SPA Sends User's Credentials To IDP (diagram labels: single page app, user name, password, identity provider, serverless.cat CAT API)
  8. IDP Sends Token Back to SPA (diagram labels: identity provider, access token, single page app, serverless.cat CAT API)
  9. CatAPI Validates Token: JWT Token Is Valid (diagram labels: single page app, access token, serverless.cat CAT API, identity provider)
  10. JWT Validation in Function App. "Function App": group of functions deployed together sharing one identity
  11. CatAPI Token Validation: HTTP GET -> ✋ JWT Token missing -> 401 (diagram labels: backend 1 / API 1, serverless.cat CAT API)
  12. If We Send Client Credentials To IDP ... (diagram labels: backend 1 / API 1, machine-to-machine client, client id, client secret, identity provider, serverless.cat CAT API)
  13. ... And IDP Verifies Client Credentials ... (diagram labels: backend 1 / API 1, machine-to-machine client, client id, client secret, identity provider, "client secret = ? !", access token, serverless.cat CAT API)
  14. How To Store & Access Secrets? (diagram labels: backend 1 / API 1, machine-to-machine client, client secret, identity provider, serverless.cat CAT API)
  15. Secrets Management System: single, central place to securely store secrets encrypted; distribution of secrets to the end-application; updating / revoking secrets ("key rotation") in case of compromise
  16. Is a Token Cached in Memory? Look-up Token in Memory (diagram labels: backend 1 / API 1, machine-to-machine client, identity provider, serverless.cat CAT API)
  17. No Cached Token in Memory (same diagram)
  18. No Cached Token in Key Vault (diagram labels: backend 1 / API 1, machine-to-machine client, function app identity, azure key vault, 404, identity provider, serverless.cat CAT API)
  19. Function App's Privileges In Key Vault: solves "secret zero / bootstrapping" problem; "zero trust" applied
  20. Client Secret Is in Key Vault (diagram labels: backend 1 / API 1, machine-to-machine client, function app identity, azure key vault, client secret, identity provider, serverless.cat CAT API)
  21. Get Token from IDP (diagram labels: backend 1 / API 1, machine-to-machine client, azure key vault, client secret, client id, identity provider, access token, serverless.cat CAT API)
  22. Cache Token in Memory (diagram labels: backend 1 / API 1, machine-to-machine client, azure key vault, access token, identity provider, serverless.cat CAT API)
  23. Cache Token in Key Vault (diagram labels: backend 1 / API 1, machine-to-machine client, azure key vault, access token, identity provider, serverless.cat CAT API)
  24. Get Cat Picture from CatAPI (diagram labels: backend 1 / API 1, machine-to-machine client, azure key vault, access token, identity provider, serverless.cat CAT API)
  25. "Second" Request (diagram labels: backend 1 / API 1, machine-to-machine client, azure key vault, access token, identity provider, serverless.cat CAT API)
  26. "Second" Request (same diagram)
  27. Scaling Backend Instances (diagram labels: two instances of backend 1 / API 1, each with a machine-to-machine client; azure key vault, access token, identity provider, serverless.cat CAT API)
  28. Scaling Backend Instances: Is a Token Cached in Memory? (same diagram, second instance)
  29. Scaling Backend Instances (same diagram)
  30. Scaling Backend Instances (same diagram, second instance: function app identity, azure key vault, access token)
  31. Scaling Backend Instances (same diagram, second instance: function app identity, access token)
  32. Scaling Backend Instances (same diagram, second instance: access token)
  33. Token Renewer (diagram labels: renewer API 1 with machine-to-machine client, client secrets, client id, client secret, access tokens, function app identity, azure key vault; backend 1 / API 1 reading access token; identity provider, serverless.cat CAT API)
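As an added example (not code from the talk or from the serverless.cat project), the following walks through the token look-up chain of slides 16–23, the scale-out situation of slides 27–32 and the token renewer of slide 33 in one runnable file. Azure Key Vault and the IDP's token endpoint are replaced by constructed in-process stubs (`VaultStub`, `IdpStub`) so it runs offline; the real SDK and HTTP calls are asynchronous, and the secret names, client id and secret values are made up for the demo.

```javascript
// Added example, not from the talk: in-memory cache -> Key Vault cache ->
// client-credentials grant at the IDP, plus a separate "token renewer".
// Key Vault and the IDP are replaced by constructed stubs; the real SDK
// calls are async. All names and secret values below are constructed.
const CLIENT_ID = 'cat-m2m-client';          // constructed client id
const SECRET_NAME = 'catapi-client-secret';  // constructed vault secret names
const TOKEN_NAME = 'catapi-access-token';
const SKEW = 60;                             // treat tokens as expired 60 s early

// Stand-in for Azure Key Vault: getSecret returns null where the service returns 404.
class VaultStub {
  constructor() { this.secrets = new Map(); }
  getSecret(name) { return this.secrets.has(name) ? this.secrets.get(name) : null; }
  setSecret(name, value) { this.secrets.set(name, value); }
}

// Stand-in for the IDP's client-credentials token endpoint.
class IdpStub {
  constructor(clientSecret) { this.clientSecret = clientSecret; this.issued = 0; }
  tokenEndpoint({ client_id, client_secret }, now) {
    if (client_id !== CLIENT_ID || client_secret !== this.clientSecret) throw new Error('invalid_client');
    this.issued += 1;
    return { access_token: `tok-${this.issued}`, exp: now + 3600 };
  }
}

function isFresh(tok, now) { return Boolean(tok) && tok.exp - SKEW > now; }

// Reads the client secret from the vault (via the function app's managed identity
// in production, so no secret lives in code or app settings), gets a token from the
// IDP and stores it in the vault for the other instances.
function fetchAndCacheToken(vault, idp, now) {
  const clientSecret = vault.getSecret(SECRET_NAME);
  const tok = idp.tokenEndpoint({ client_id: CLIENT_ID, client_secret: clientSecret }, now);
  vault.setSecret(TOKEN_NAME, JSON.stringify(tok));
  return tok;
}

// One backend function-app instance. `memory` is the per-instance cache that a
// freshly scaled-out instance (or a cold start) begins without.
class BackendInstance {
  constructor(vault, idp) { this.vault = vault; this.idp = idp; this.memory = null; this.lastSource = null; }
  getAccessToken(now) {
    if (isFresh(this.memory, now)) { this.lastSource = 'memory'; return this.memory.access_token; }
    const cached = JSON.parse(this.vault.getSecret(TOKEN_NAME) || 'null');
    if (isFresh(cached, now)) { this.memory = cached; this.lastSource = 'vault'; return cached.access_token; }
    this.memory = fetchAndCacheToken(this.vault, this.idp, now);
    this.lastSource = 'idp';
    return this.memory.access_token;
  }
}

// Timer-triggered "token renewer": refreshes the vault copy ahead of expiry so the
// backend instances normally never have to talk to the IDP themselves.
function renewIfNeeded(vault, idp, now, leadSeconds = 600) {
  const cached = JSON.parse(vault.getSecret(TOKEN_NAME) || 'null');
  if (cached && cached.exp - leadSeconds > now) return false;
  fetchAndCacheToken(vault, idp, now);
  return true;
}

// Replays the slides' scenario and returns where each request got its token from.
function runScenario() {
  const vault = new VaultStub();
  const idp = new IdpStub('s3cret-v1');
  vault.setSecret(SECRET_NAME, 's3cret-v1');       // secret provisioned once, out of band
  let now = 1000000;
  const trace = [];
  const a = new BackendInstance(vault, idp);
  a.getAccessToken(now); trace.push('A:' + a.lastSource);        // memory empty, vault 404 -> IDP
  a.getAccessToken(now + 5); trace.push('A:' + a.lastSource);    // "second" request -> memory
  const b = new BackendInstance(vault, idp);                     // scale-out: new instance
  b.getAccessToken(now + 10); trace.push('B:' + b.lastSource);   // empty memory -> vault copy
  // Key rotation: new client secret stored in the vault, old one revoked at the IDP.
  vault.setSecret(SECRET_NAME, 's3cret-v2'); idp.clientSecret = 's3cret-v2';
  now += 3000;                                                   // renewer runs inside lead window
  const renewed = renewIfNeeded(vault, idp, now);
  now += 600;                                                    // old token is now past SKEW
  const token = a.getAccessToken(now); trace.push('A:' + a.lastSource);
  return { trace, renewed, token, idpCalls: idp.issued };
}
```

Run `runScenario()`: the trace reads `A:idp, A:memory, B:vault, A:vault`, only two IDP calls happen in total, and after the rotation instance A picks up the renewed `tok-2` from the vault without a redeploy, because no instance ever held the client secret in its own configuration.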
  34. Summary: JWT Validation On Top of API key; Use Central SMS (Secrets Management System, e.g. Key Vault); Cache Tokens (In-Memory &) in SMS; SMS Enables Key Rotation
  35. (ASCII-art banner, not reproduced) Twitter: @_andreasgrimm; LinkedIn: linkedin.com/in/andreas-grimm/; Blog: andreasgrimm.com; Meetups: @DDDBER, @FullstackJS, @ServerlessBER