Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Praktikable Authentifizierung in Serverless-Umg...

Andreas Grimm
September 26, 2019
Programming
0
54

Praktikable Authentifizierung in Serverless-Umgebungen

Heutzutage ist es für Unternehmen wichtiger denn je, Applikationen, Services und vor allem Kundendaten, vor Angreifern zu schützen.

Um in modernen Serverless-Umgebungen langfristig wettbewerbsfähig zu bleiben, muss man die dortigen Security-Spezifika und -eigenheiten kennen und wissen wie man auf einfache und effiziente Art und Weise Authentifizierung einbringt.

Traditionelle Ansätze zur Machine-to-Machine-Authentifizierung sind dort unzureichend, da zum Beispiel die Umgebungen nicht wie gewohnt stateful sondern stateless sind.

Nach einer kurzen Auffrischung einiger Authentifizierungs-Grundlagen werden Sie erfahren, wie man eine effiziente Authentifizierung planen und implementieren kann unter Verwendung von "Azure Functions", dem externen Identity Provider "Auth0", "OAuth 2", "JsonWebTokens (JWT)", das Secrets-Management-System "Azure Key Vault", "Azure Managed Identities" und "Cloudflare Workers".

Andreas Grimm

September 26, 2019
Tweet

More Decks by Andreas Grimm

See All by Andreas Grimm
Practical Auth in a Serverless World
andreasgrimm
1
46
Practical Auth in a Serverless World
andreasgrimm
0
53
What_is_Serverless.pdf
andreasgrimm
0
40
Practical Auth in a Serverless World
andreasgrimm
1
140
Clean JavaScript
andreasgrimm
0
120

Other Decks in Programming

See All in Programming
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.5k
受け取る人から提供する人になるということ
little_rubyist
0
260
Modular Monolith Monorepo ~シンプルさを保ちながらmonorepoのメリットを最大化する~
yuisakamoto
9
1.8k
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.2k
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
120
Amazon Qを使ってIaCを触ろう!
maruto
0
420
Remix on Hono on Cloudflare Workers
yusukebe
1
320
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
110
DevTools extensions で 独自の DevTool を開発する | FlutterKaigi 2024
kokiyoshida
0
150
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
140
Djangoの開発環境で工夫したこと - pre-commit / DevContainer
hiroki_yod
1
350

Featured

See All Featured
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Making Projects Easy
brettharned
115
5.9k
GitHub's CSS Performance
jonrohan
1030
460k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
The World Runs on Bad Software
bkeepers
PRO
65
11k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Building Adaptive Systems
keathley
38
2.3k
Six Lessons from altMBA
skipperchong
27
3.5k

Transcript

  1. @_andreasgrimm Praktikable Authentifizierung in Serverless-Umgebungen [email protected] @_andreasgrimm

  2. @_andreasgrimm Andreas Grimm

  3. @_andreasgrimm I ❤ serverless meetup.com/Serverless-Berlin

  4. @_andreasgrimm I ❤ DDD dddber.com

  5. @_andreasgrimm akelius.com

  6. @_andreasgrimm Akelius (Berlin office) Real Estate Internal Business Software 2/3

    K8S, 1/3 serverless IAM Architecture / Security DDD & EventStorming Community

  7. @_andreasgrimm Agenda Serverless - The Big Picture Why I Like

    It Serverless & Auth Auth Fundamentals Protect a Serverless API Access an API from FaaS

  8. @_andreasgrimm Serverless the big picture

  9. @_andreasgrimm

  10. @_andreasgrimm

  11. @_andreasgrimm There are still servers but you don't have to

    care about servers anymore

  12. @_andreasgrimm – Gojko Adzic (@gojkoadzic) “Serverless is without servers like

    WiFi is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore.”

  13. @_andreasgrimm Your code is being scheduled ... by a scheduler

    that you don't own (not true for self-hosted / managed Kubernetes)

  14. @_andreasgrimm Functions as Deployment Unit

  15. @_andreasgrimm Thomas Fricke - Kubernetes Security (BedCon 2019-09-05)

  16. @_andreasgrimm Thomas Fricke - Kubernetes Security (BedCon 2019-09-05)

  17. @_andreasgrimm Higher Level Security https://www.youtube.com/watch?v=rJBCRhrfnak

  18. @_andreasgrimm Serverless > FaaS / Execution Model

  19. @_andreasgrimm High Availability

  20. @_andreasgrimm Auto-Scaling including "scale to zero"

  21. @_andreasgrimm No Idle Costs not subscription-based (e.g. $ 7 /

    months)

  22. @_andreasgrimm Pay only for active usage pay-as-you-go pay-per-use pay-per-request pay-per-transaction

  23. @_andreasgrimm Storage Amazon S3 / Azure Blob Storage Amazon DynamoDB

    / Azure Cosmos DB AWS AppSync Amazon Athena

  24. @_andreasgrimm Messaging Amazon SNS / Azure EventGrid Amazon SQS /

    Azure ServiceBus Google Cloud PubSub Amazon EventBridge

  25. @_andreasgrimm Streams Amazon Kinesis / Azure EventHub

  26. @_andreasgrimm and more: Observability (Central Logs, Metrics, Distributed Tracing) Marketing

    Analytics ...

  27. @_andreasgrimm https://www.cloudzero.com/blog/serverless-is-not-a-bubble-its-a-spectrum

  28. @_andreasgrimm Serverless Serviceful vendor native high-level, managed, simple to use

  29. @_andreasgrimm BaDaaS (Business-components-and-Deployment-as-a-Service) Focus on Your Value-add https://www.youtube.com/watch?v=2A5HVF0LUi0

  30. @_andreasgrimm Puresec / Protego https://www.youtube.com/watch?v=uiYTKuuC82U

  31. @_andreasgrimm Serverless > Managed Services / Operational Construct

  32. @_andreasgrimm On-Premise VM = Serverless?

  33. @_andreasgrimm "serverless is a state of mind" https://www.youtube.com/watch?v=8Rzv68K8ZOY

  34. @_andreasgrimm Serverless > Spectrum

  35. @_andreasgrimm Stop Calling Everything Serverless - Jeremy Daly https://www.youtube.com/watch?v=vuWiB3vNiHc

  36. @_andreasgrimm Stop Calling Everything Serverless - Jeremy Daly https://www.youtube.com/watch?v=vuWiB3vNiHc

  37. @_andreasgrimm Stop Calling Everything Serverless - Jeremy Daly https://www.youtube.com/watch?v=vuWiB3vNiHc

  38. @_andreasgrimm Pay only for "active usage" -> "value" realtime-ish monitoring

    of transaction costs

  39. @_andreasgrimm Serverless Pricing Model enables #FinDev https://www.youtube.com/watch?v=F0H7WuK56Nc

  40. @_andreasgrimm Your Value-add ? undifferentiated heavy lifting? focus on competetive

    advantage! don't reinvent the wheel!

  41. @_andreasgrimm (Actual) Total Cost of Ownership? often impossible to measure

    empirically

  42. @_andreasgrimm Total Cost of Ownership

  43. @_andreasgrimm Cloud / Vendor Lock-In https://lumigo.io/blog/you-are-wrong-about-serverless-vendor-lock-in/

  44. @_andreasgrimm Serverless ≠ Lock-in it's coupling ... like everything else

    -> Hexagonal / Clean Architecture ☝

  45. @_andreasgrimm https://martinfowler.com/articles/oss-lockin.html

  46. @_andreasgrimm Serverless -> Commodity https://www.youtube.com/watch?v=SPsaqiegOP4

  47. @_andreasgrimm Wardley Maps identify your value-add

  48. @_andreasgrimm Serverless' Nature - event-driven / reactive - distributed systems

    (CAP theorem) - eventual consistency - idempotency - requires more architectural skills (in general) - business people's responsiveness matters

  49. @_andreasgrimm Future of (Software) Product Development ... part of it

    -> product development > software development - brings (back) technical simplicity -> focus on business/value add - not all features require a software solution (true serverless?)

  50. @_andreasgrimm

  51. @_andreasgrimm My Serverless Story ... or why I like it

    so much ❤

  52. @_andreasgrimm Business Problems ❤

  53. @_andreasgrimm Babysitting Infrastructure

  54. @_andreasgrimm ❤ Effective Software Development Domain-Driven Design (DDD) collaborative modeling

  55. @_andreasgrimm EventStorming by @ziobrando - modeling business processes - event-driven


    (fits serverless paradigm )

  56. @_andreasgrimm (real) DevOps Culture - product teams (marketing, business ops,

    ux/ui, qa, data science, software development, it ops, ...) - focus on value

  57. @_andreasgrimm Agile Software Development ... done right

  58. @_andreasgrimm DDD ❤ Serverless

  59. @_andreasgrimm Modeling Whirlpool https://domainlanguage.com/ ddd/whirlpool/

  60. @_andreasgrimm Build -> Measure -> Learn

  61. @_andreasgrimm Continuous Discovery / Experimentation

  62. @_andreasgrimm Auth how hard can it be?

  63. @_andreasgrimm https://frsecure.com/blog/expert-take-on-equifax-breach/

  64. @_andreasgrimm https://twitter.com/Nick_Craver/status/1098211627831345153

  65. @_andreasgrimm Serverless (+) Auth ... now what's so special about

    it?

  66. @_andreasgrimm Serverless > ... Identity Provider (IDP) including

  67. @_andreasgrimm Your Value-add ? in regards to "Identity Provider (IDP)"

  68. @_andreasgrimm keycloak.org identityserver.io

  69. @_andreasgrimm Self-Hosted IDP how to scale? no SLAs pager duty

    higher "Total Cost of Ownership"

  70. @_andreasgrimm ❤ Managed IDPs Auth0 AAD (Azure Active Directory) Okta

    PingIdentity AWS Cognito

  71. @_andreasgrimm Pricing Model

  72. @_andreasgrimm Auth0 Pricing pay-per-use: ✅ pay-per-transaction: ❌ enterprise users: ✅

    machine-2-machine: ✅

  73. @_andreasgrimm Technical Aspects customizability

  74. @_andreasgrimm Auth0 Rules - webtask.io - serverless JavaScript code snippets

  75. @_andreasgrimm Auth0 Rules code example

  76. @_andreasgrimm Which IDP to choose? it depends - law /

    regulatory - usage patterns - flexibility - simplicity

  77. @_andreasgrimm Vendor Lock-in Not as dramatic, because of open standards

    like "OAuth 2 & OpenID Connect"

  78. @_andreasgrimm APIs How to protect ?

  79. @_andreasgrimm We Want a Cat Picture

  80. @_andreasgrimm serverless.cat CAT API We Want a Cat Picture From

    CatAPI

  81. @_andreasgrimm serverless.cat CAT API > HTTP GET ✋ JWT Token

    missing 401 CatAPI Token Validation

  82. @_andreasgrimm identity provider serverless.cat CAT API CatAPI trusts IDP

  83. @_andreasgrimm serverless.cat CAT API identity provider access token We Need

    a Token From IDP

  84. @_andreasgrimm serverless.cat CAT API identity provider single page app single

    page app SPA Is Operated by a Human User

  85. @_andreasgrimm serverless.cat CAT API identity provider single page app single

    page app password user name SPA Sends User's Credentials To IDP

  86. @_andreasgrimm IDP Sends Token to Back to SPA serverless.cat CAT

    API identity provider single page app single page app access token

  87. @_andreasgrimm serverless.cat CAT API identity provider single page app access

    token access token JWT Token Is Valid CatAPI Validates Token

  88. @_andreasgrimm serverless.cat CAT API identity provider single page app access

    token CatAPI Sends Cat Picture

  89. @_andreasgrimm Interactive Client not related to serverless browser or native

    app

  90. @_andreasgrimm API runs in FaaS where to validate JWT ?

  91. @_andreasgrimm JWT Validation in Function

  92. @_andreasgrimm npm package based on "express-jwt"

  93. @_andreasgrimm Wrap main function with higher order function.

  94. @_andreasgrimm Azure Function Bindings declare actions without writing code e.g.

    get item from a DB

  95. @_andreasgrimm https://serverless.cat/?id=myCatID

  96. @_andreasgrimm Azure Function Bindings bindings run before the function code

    -> IO (costs) before JWT validation

  97. @_andreasgrimm DDOS Attacks Could Ruin You

  98. @_andreasgrimm JWT Validation in Function ⚠ only together with API

    key (functions key)

  99. @_andreasgrimm JWT Validation in Function App "Function App": group of

    functions deployed together sharing one identity

  100. @_andreasgrimm Function App Auth JWT Validation happens before Bindings no

    additional costs AAD only

  101. @_andreasgrimm JWT Validation in Azure API Management

  102. @_andreasgrimm Azure API Management pay-per-request: ✅

  103. @_andreasgrimm Azure API Management AAD only

  104. @_andreasgrimm JWT Validation in Cloudflare Workers

  105. @_andreasgrimm Like an API Gateway .. that runs code https://developers.cloudflare.com/workers/about/

  106. @_andreasgrimm ... but in 190+ Data Centers #EdgeComputing deployment region:

    world

  107. @_andreasgrimm Cloudflare Workers pay-per-use: ✅ pay-per-transaction: ❌

  108. @_andreasgrimm Cloudflare Workers free tier

  109. @_andreasgrimm Validate JWT forward JWT payload

  110. @_andreasgrimm In function: Just consume payload

  111. @_andreasgrimm Authenticated Origin Pulls using shared secret (aka apikey) or

    certificate-based

  112. @_andreasgrimm How to access ? (from FaaS) APIs

  113. @_andreasgrimm We (Still) Want The Cat Picture ...

  114. @_andreasgrimm backend 1 API 1 serverless.cat CAT API ... But

    This Time in Our Backend

  115. @_andreasgrimm backend 1 API 1 serverless.cat CAT API > HTTP

    GET Send "GET Request" to CatAPI

  116. @_andreasgrimm backend 1 API 1 serverless.cat CAT API > HTTP

    ✋ JWT Token missing 401 CatAPI Responds 401

  117. @_andreasgrimm backend 1 API 1 identity provider serverless.cat CAT API

    CatAPI (still) trusts IDP

  118. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    access token We Need a Token From IDP

  119. @_andreasgrimm You Pay Per Token

  120. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    machine- to-machine client machine- to-machine client client secret client id No Human, Only Machine Is Involved

  121. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    machine- to-machine client client secret client id If We Send Client Credentials To IDP ... client secret client id

  122. @_andreasgrimm ... And IDP Verifies Client Credentials ... backend 1

    API 1 serverless.cat CAT API identity provider machine- to-machine client client secret client id client secret client id = ? ! access token

  123. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    machine- to-machine client access token ... Then We Get Token From IDP

  124. @_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider

    machine- to-machine client client secret How To Store & Access Secrets?

  125. @_andreasgrimm How To Store & Access Secrets?

  126. @_andreasgrimm Hardcoded Secrets ? ?

  127. @_andreasgrimm Hardcoded Secrets ... are easy & simple to use

  128. @_andreasgrimm ❌ Hardcoded Secrets are VERY insecure because can easily

    be leaked stays forever in VCS

  129. @_andreasgrimm Environment Variables / On- Demand how to provide in

    a secure way?

  130. @_andreasgrimm Secrets Management System

  131. @_andreasgrimm Secrets Management System what is it? why use it?

  132. @_andreasgrimm Secrets Management System - single, central place to securely

    store secrets encrypted - distribution of secrets to the end-application - updating / revoking secrets ("key rotation") in case of compromise

  133. @_andreasgrimm SE Radio Podcast "Secrets Management System" https://www.se-radio.net/2017/12/se-radio-episode-311-armon-dadgar-on-secrets- management/

  134. @_andreasgrimm Secrets Management System ... but serverless, please!

  135. @_andreasgrimm Azure Key Vault

  136. @_andreasgrimm Azure Key Vault Pricing pay-per-use: ✅ pay-per-transaction: ❌ $0.03/10,000

    transactions

  137. @_andreasgrimm Why use Key Vault? secret-less access, based on identity

    ideal for "stateless" environments

  138. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client Is a Token Cached in Memory ? Look-up Token in Memory

  139. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client No Cached Token in Memory

  140. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client azure key vault Look-up Token in Key Vault function app identity

  141. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client azure key vault No Cached Token in Key Vault 404

  142. @_andreasgrimm Key Vault Auth? - secret zero / bootstrapping?

  143. @_andreasgrimm Azure Managed Identiy has to be activated for the

    Function App

  144. @_andreasgrimm Function App's Privileges In Key Vault - least privilege

    - consider many KeyVaults per resource

  145. @_andreasgrimm Function App's Privileges In Key Vault - solves "secret

    zero / bootstrapping" problem - "zero trust" applied

  146. @_andreasgrimm Azure Key Vault - Secrets (serverless) secrets management system

  147. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client azure key vault Client Secret Is in Key Vault function app identity client secret

  148. @_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1

    machine- to-machine client azure key vault Get Token from IDP client secret client id access token

  149. @_andreasgrimm Cache Token in Memory serverless.cat CAT API identity provider

    backend 1 API 1 machine- to-machine client azure key vault access token access token

  150. @_andreasgrimm Cache Token in Key Vault serverless.cat CAT API identity

    provider backend 1 API 1 machine- to-machine client azure key vault access token access token access token

  151. @_andreasgrimm Why To Cache The Token?

  152. @_andreasgrimm Get Cat Picture from CatAPI serverless.cat CAT API identity

    provider backend 1 API 1 machine- to-machine client azure key vault access token access token access token

  153. @_andreasgrimm "Second" Request ✌

  154. @_andreasgrimm "Second" Request serverless.cat CAT API identity provider backend 1

    API 1 machine- to-machine client azure key vault access token access token access token

  155. @_andreasgrimm "Second" Request serverless.cat CAT API identity provider backend 1

    API 1 machine- to-machine client azure key vault access token access token access token

  156. @_andreasgrimm "Second" Request serverless.cat CAT API identity provider backend 1

    API 1 machine- to-machine client azure key vault access token access token

  157. @_andreasgrimm Scaling Happens ...

  158. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client

  159. @_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend

    1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client function app identity access token

  160. @_andreasgrimm Machine-to-Machine Client runs in FaaS stateless environment (partially) where

    to store secrets?

  161. @_andreasgrimm How to Access Key Vault From Code?

  162. @_andreasgrimm Secret via Env Var not hardcoded ☝

  163. @_andreasgrimm Key Vault References @Microsoft.KeyVault(SecretUri=https://serviceful-cloud.vault.azure.net/secrets/auth-m2m- client-secret-auth0/b01787d0082f49448744cabfe1bab7ad)

  164. @_andreasgrimm Get Token From IDP Function does not know about

    Key Vault at all

  165. @_andreasgrimm Get Data From API

  166. @_andreasgrimm Demo

  167. @_andreasgrimm Summary - JWT Validation On Top of API key

    - Use Central SMS (Secrets Management System, e.g. Key Vault) - Cache Tokens (In-Memory &) in SMS - SMS Enables Key Rotation

  168. @_andreasgrimm ___________.__ __ \__ ___/| |__ _____ ____ | |

    __ ______ | | | | \\__ \ / \| |/ / / ___/ | | | Y \/ __ \| | \ < \___ \ |____| |___| (____ /___| /__|_ \/____ > \/ \/ \/ \/ \/ ___( ) ( _) (_ __)) (( _____) (_________)----' _/ / / _/ _/ / / __/ _/ / /__/ // /' - Twitter: @_andreasgrimm - LinkedIn: linkedin.com/in/andreas-grimm/ - Blog: andreasgrimm.com - Meetups: @DDDBER, @FullstackJS, @ServerlessBER