Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Practical Auth in a Serverless World

Andreas Grimm
October 15, 2019
Programming
1
44

Practical Auth in a Serverless World

It became essential for businesses to protect their applications, services and customer data from attackers. If you want to stay competitive, knowing how to efficiently and easily apply security and auth while being aware of the most common pitfalls is key in today's serverless world.
Traditional machine-to-machine auth approaches where you can rely on a stateful environment fall short in a modern serverless and thus stateless world.
After a short recap of some auth fundamentals, you'll learn how to efficiently apply authentication to Azure Functions using Auth0, Cloudflare Workers and Azure Key Vault without compromising security.

Andreas Grimm

October 15, 2019
Tweet

More Decks by Andreas Grimm

See All by Andreas Grimm
Praktikable Authentifizierung in Serverless-Umgebungen
andreasgrimm
0
53
Practical Auth in a Serverless World
andreasgrimm
0
46
What_is_Serverless.pdf
andreasgrimm
0
35
Practical Auth in a Serverless World
andreasgrimm
1
130
Clean JavaScript
andreasgrimm
0
120

Other Decks in Programming

See All in Programming
ONE WEDGE_company_guide
1wedge_one
0
440
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
250
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
870
Goのmultiple errorsについて (2024年4月版)
syumai
1
330
検証も兼ねて個人開発でHonoとかと向き合った話
hanetsuki
0
340
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
Rethinking UI building strategies @ SFI 2024
letelete
0
270
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
120
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
220
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
200
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
640

Featured

See All Featured
A designer walks into a library…
pauljervisheath
199
23k
Code Review Best Practice
trishagee
54
15k
Debugging Ruby Performance
tmm1
70
11k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
77
42k
Web development in the modern age
philhawksworth
202
10k
Documentation Writing (for coders)
carmenintech
59
3.9k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
124
32k
Unsuck your backbone
ammeep
662
57k
Optimizing for Happiness
mojombo
370
69k
The Invisible Side of Design
smashingmag
294
49k
WebSockets: Embracing the real-time Web
robhawkes
59
7k

Transcript

  1. @_andreasgrimm Practical Auth in a Serverless World [email protected] @_andreasgrimm

  2. @_andreasgrimm Andreas Grimm

  3. @_andreasgrimm Slides will be published - https://speakerdeck.com/andreasgrimm

  4. @_andreasgrimm Ask questions during the talk!

  5. @_andreasgrimm I ❤ serverless meetup.com/Serverless-Berlin

  6. @_andreasgrimm I ❤ DDD dddber.com

  7. @_andreasgrimm JavaScript & TypeScript https://www.meetup.com/ fullstack-berlin/

  8. @_andreasgrimm akelius.com

  9. @_andreasgrimm Akelius (Berlin office) Real Estate Internal Business Software 2/3

    K8S, 1/3 serverless IAM Architecture / Security DDD & EventStorming Community

  10. @_andreasgrimm Agenda Serverless - The Big Picture Why I Like

    It Serverless & Auth Auth Fundamentals Protect a Serverless API Access an API from FaaS

  11. @_andreasgrimm

  12. @_andreasgrimm Serverless the big picture

  13. @_andreasgrimm

  14. @_andreasgrimm There are still servers but you don't have to

    care about servers anymore

  15. @_andreasgrimm – Gojko Adzic (@gojkoadzic) “Serverless is without servers like

    WiFi is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore.”

  16. @_andreasgrimm FaaS / Execution Model you don't own the scheduler

    high availability auto-scaling (incl. scale to zero)

  17. @_andreasgrimm Pay only for active usage pay-as-you-go pay-per-use pay-per-request pay-per-transaction

  18. @_andreasgrimm https://www.cloudzero.com/blog/serverless-is-not-a-bubble-its-a-spectrum

  19. @_andreasgrimm and more: Observability, Distributed Tracing (Lumigo, Epsagon) Security (Protego,

    Puresec) Marketing etc. ...

  20. @_andreasgrimm Serverless Serviceful vendor native high-level, managed, simple to use

  21. @_andreasgrimm State of Mind / Spectrum

  22. @_andreasgrimm Stop Calling Everything Serverless - Jeremy Daly https://www.youtube.com/watch?v=vuWiB3vNiHc

  23. @_andreasgrimm Stop Calling Everything Serverless - Jeremy Daly https://www.youtube.com/watch?v=vuWiB3vNiHc

  24. @_andreasgrimm Stop Calling Everything Serverless - Jeremy Daly https://www.youtube.com/watch?v=vuWiB3vNiHc

  25. @_andreasgrimm Pay only for "active usage" -> "value"

  26. @_andreasgrimm Your Value-add ? undifferentiated heavy lifting? focus on competetive

    advantage! don't reinvent the wheel!

  27. @_andreasgrimm My Serverless Story ... or why I like it

    so much ❤

  28. @_andreasgrimm Business Problems ❤

  29. @_andreasgrimm Babysitting Infrastructure

  30. @_andreasgrimm ❤ Effective Software Development Domain-Driven Design (DDD) collaborative modeling

  31. @_andreasgrimm EventStorming by @ziobrando - modeling business processes - event-driven


    (fits serverless paradigm )

  32. @_andreasgrimm DDD ❤ Serverless

  33. @_andreasgrimm Modeling Whirlpool https://domainlanguage.com/ ddd/whirlpool/

  34. @_andreasgrimm Build -> Measure -> Learn

  35. @_andreasgrimm Continuous Discovery / Experimentation

  36. @_andreasgrimm Auth how hard can it be?

  37. @_andreasgrimm https://frsecure.com/blog/expert-take-on-equifax-breach/

  38. @_andreasgrimm https://twitter.com/Nick_Craver/status/1098211627831345153

  39. @_andreasgrimm Serverless (+) Auth ... now what's so special about

    it?

  40. @_andreasgrimm Serverless Identity Provider (IDP) IDaaS

  41. @_andreasgrimm Your Value-add ? in regards to "Identity Provider (IDP)"

  42. @_andreasgrimm keycloak.org identityserver.io

  43. @_andreasgrimm Self-Hosted IDP how to scale? no SLAs pager duty

    higher "Total Cost of Ownership"

  44. @_andreasgrimm ❤ Managed IDPs Auth0 AAD (Azure Active Directory) Okta

    PingIdentity AWS Cognito

  45. @_andreasgrimm Pricing Model

  46. @_andreasgrimm Auth0 Pricing pay-per-use: ✅ pay-per-transaction: ❌ enterprise users: ✅

    machine-2-machine: ✅

  47. @_andreasgrimm Technical Aspects customizability

  48. @_andreasgrimm Auth0 Rules - webtask.io - serverless JavaScript code snippets

  49. @_andreasgrimm Auth0 Rules code example

  50. @_andreasgrimm Which IDP to choose? it depends - law /

    regulatory - usage patterns - flexibility - simplicity

  51. @_andreasgrimm Vendor Lock-in Not as dramatic, because of open standards

    like "OAuth 2 & OpenID Connect"

  52. @_andreasgrimm Auth Examples -> Auth0 (IDP) Azure Functions (FaaS) Azure

    API Management (API Gateway) Cloudflare Workers (API Gateway) Azure KeyVault (Security Management System) Azure Managed Identities (IAM for cloud resources)

  53. @_andreasgrimm APIs How to protect ?

  54. @_andreasgrimm We Want a Cat Picture

  55. @_andreasgrimm serverless.cat CAT API We Want a Cat Picture From

    CatAPI

  56. @_andreasgrimm serverless.cat CAT API > HTTP GET ✋ JWT Token

    missing 401 CatAPI Token Validation

  57. @_andreasgrimm identity provider serverless.cat CAT API CatAPI trusts IDP

  58. @_andreasgrimm serverless.cat CAT API identity provider access token We Need

    a Token From IDP

  59. @_andreasgrimm serverless.cat CAT API identity provider single page app single

    page app password user name SPA Sends User's Credentials To IDP

  60. @_andreasgrimm IDP Sends Token to Back to SPA serverless.cat CAT

    API identity provider single page app single page app access token

  61. @_andreasgrimm serverless.cat CAT API identity provider single page app access

    token access token JWT Token Is Valid CatAPI Validates Token

  62. @_andreasgrimm serverless.cat CAT API identity provider single page app access

    token CatAPI Sends Cat Picture

  63. @_andreasgrimm Interactive Client not related to serverless browser or native

    app

  64. @_andreasgrimm API runs in FaaS where to validate JWT ?

  65. @_andreasgrimm JWT Validation in Function

  66. @_andreasgrimm npm package based on "express-jwt"

  67. @_andreasgrimm Wrap main function with higher order function.

  68. @_andreasgrimm Azure Function Bindings declare actions without writing code e.g.

    get item from a DB

  69. @_andreasgrimm https://serverless.cat/?id=myCatID

  70. @_andreasgrimm Azure Function Bindings bindings run before the function code

    -> IO (costs) before JWT validation

  71. @_andreasgrimm DDOS Attacks Could Ruin You

  72. @_andreasgrimm JWT Validation in Function ⚠ only together with API

    key (functions key)

  73. @_andreasgrimm JWT Validation in Function App "Function App": group of

    functions deployed together sharing one identity

  74. @_andreasgrimm Function App Auth JWT Validation happens before Bindings no

    additional costs AAD only

  75. @_andreasgrimm JWT Validation in Azure API Management

  76. @_andreasgrimm Azure API Management pay-per-request: ✅

  77. @_andreasgrimm Azure API Management AAD only

  78. @_andreasgrimm JWT Validation in Cloudflare Workers

  79. @_andreasgrimm Like an API Gateway .. that runs code https://developers.cloudflare.com/workers/about/

  80. @_andreasgrimm ... but in 190+ Data Centers #EdgeComputing deployment region:

    world

  81. @_andreasgrimm Cloudflare Workers pay-per-use: ✅ pay-per-transaction: ❌

  82. @_andreasgrimm Cloudflare Workers free tier

  83. @_andreasgrimm Validate JWT forward JWT payload

  84. @_andreasgrimm In function: Just consume payload

  85. @_andreasgrimm Authenticated Origin Pulls using shared secret (aka apikey) or

    certificate-based

  86. @_andreasgrimm How to access ? (from FaaS) APIs

  87. @_andreasgrimm We (Still) Want The Cat Picture ...

  88. @_andreasgrimm backend 1 API 1 serverless.cat CAT API ... But

    This Time in Our Backend

  89. @_andreasgrimm backend 1 API 1 serverless.cat CAT API > HTTP

    GET ✋ JWT Token missing 401 CatAPI Token Validation

  90. @_andreasgrimm backend 1 API 1 identity provider serverless.cat CAT API

    CatAPI (still) trusts IDP

  91. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    access token We Need a Token From IDP

  92. @_andreasgrimm You Pay Per Token

  93. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    machine- to-machine client client secret client id If We Send Client Credentials To IDP ... client secret client id

  94. @_andreasgrimm ... And IDP Verifies Client Credentials ... backend 1

    API 1 serverless.cat CAT API identity provider machine- to-machine client client secret client id client secret client id = ? ! access token

  95. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    machine- to-machine client client secret How To Store & Access Secrets?

  96. @_andreasgrimm How To Store & Access Secrets?

  97. @_andreasgrimm Hardcoded Secrets ? ?

  98. @_andreasgrimm Hardcoded Secrets ... are easy & simple to use

  99. @_andreasgrimm ❌ Hardcoded Secrets are VERY insecure because can easily

    be leaked stays forever in VCS

  100. @_andreasgrimm Environment Variables / On- Demand how to provide in

    a secure way?

  101. @_andreasgrimm Secrets Management System

  102. @_andreasgrimm Secrets Management System what is it? why use it?

  103. @_andreasgrimm Secrets Management System - single, central place to securely

    store secrets encrypted - distribution of secrets to the end-application - updating / revoking secrets ("key rotation") in case of compromise

  104. @_andreasgrimm SE Radio Podcast "Secrets Management System" https://www.se-radio.net/2017/12/se-radio-episode-311-armon-dadgar-on-secrets- management/

  105. @_andreasgrimm Secrets Management System ... but serverless, please!

  106. @_andreasgrimm Azure Key Vault

  107. @_andreasgrimm Azure Key Vault Pricing pay-per-use: ✅ pay-per-transaction: ❌ $0.03/10,000

    transactions

  108. @_andreasgrimm Why use Key Vault? secret-less access, based on identity

    ideal for "stateless" environments

  109. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client Is a Token Cached in Memory ? Look-up Token in Memory

  110. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client No Cached Token in Memory

  111. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client azure key vault No Cached Token in Key Vault function app identity 404

  112. @_andreasgrimm Key Vault Auth? - secret zero / bootstrapping?

  113. @_andreasgrimm Azure Managed Identiy has to be activated for the

    Function App

  114. @_andreasgrimm Function App's Privileges In Key Vault - least privilege

    - consider many KeyVaults per resource

  115. @_andreasgrimm Function App's Privileges In Key Vault - solves "secret

    zero / bootstrapping" problem - "zero trust" applied

  116. @_andreasgrimm Azure Key Vault - Secrets (serverless) secrets management system

  117. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client azure key vault Client Secret Is in Key Vault function app identity client secret

  118. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client azure key vault Get Token from IDP client secret client id access token

  119. @_andreasgrimm Cache Token in Memory serverless.cat CAT API identity provider

    backend 1 API 1 machine- to-machine client azure key vault access token access token

  120. @_andreasgrimm Cache Token in Key Vault serverless.cat CAT API identity

    provider backend 1 API 1 machine- to-machine client azure key vault access token access token access token

  121. @_andreasgrimm Why To Cache The Token?

  122. @_andreasgrimm Get Cat Picture from CatAPI serverless.cat CAT API identity

    provider backend 1 API 1 machine- to-machine client azure key vault access token access token access token

  123. @_andreasgrimm "Second" Request ✌

  124. @_andreasgrimm "Second" Request serverless.cat CAT API identity provider backend 1

    API 1 machine- to-machine client azure key vault access token access token access token

  125. @_andreasgrimm "Second" Request serverless.cat CAT API identity provider backend 1

    API 1 machine- to-machine client azure key vault access token access token access token

  126. @_andreasgrimm Scaling Happens ...

  127. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client

  128. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client Is a Token Cached in Memory ?

  129. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client

  130. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault backend 1 API 1 machine- to-machine client function app identity access token

  131. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client function app identity access token

  132. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client access token

  133. @_andreasgrimm Machine-to-Machine Client runs in FaaS stateless environment (partially) where

    to store secrets?

  134. @_andreasgrimm How to Access Key Vault From Code?

  135. @_andreasgrimm Secret via Env Var not hardcoded ☝

  136. @_andreasgrimm Key Vault References @Microsoft.KeyVault(SecretUri=https://serviceful-cloud.vault.azure.net/secrets/auth-m2m- client-secret-auth0/b01787d0082f49448744cabfe1bab7ad)

  137. @_andreasgrimm Get Token From IDP Function does not know about

    Key Vault at all

  138. @_andreasgrimm Get Data From API

  139. @_andreasgrimm Demo

  140. @_andreasgrimm Improving Security ... by separating the token renewal

  141. @_andreasgrimm Token Renewer serverless.cat CAT API identity provider renewer API

    1 machine- to-machine client client secrets access token backend 1 API 1 access tokens access token function app identity client secret client id access token access token

  142. @_andreasgrimm https://github.com/idandaccess/azure-functions-auth-example

  143. @_andreasgrimm Demo

  144. @_andreasgrimm Summary - JWT Validation On Top of API key

    - Use Central SMS (Secrets Management System, e.g. Key Vault) - Cache Tokens (In-Memory &) in SMS - SMS Enables Key Rotation

  145. @_andreasgrimm ___________.__ __ \__ ___/| |__ _____ ____ | |

    __ ______ | | | | \\__ \ / \| |/ / / ___/ | | | Y \/ __ \| | \ < \___ \ |____| |___| (____ /___| /__|_ \/____ > \/ \/ \/ \/ \/ ___( ) ( _) (_ __)) (( _____) (_________)----' _/ / / _/ _/ / / __/ _/ / /__/ // /' - Twitter: @_andreasgrimm - LinkedIn: linkedin.com/in/andreas-grimm/ - Blog: andreasgrimm.com - Meetups: @DDDBER, @FullstackJS, @ServerlessBER