

Praktikable Authentifizierung in Serverless-Umgebungen

Today it is more important than ever for companies to protect applications, services and, above all, customer data from attackers.

To remain competitive in modern serverless environments over the long term, you have to know the security specifics and quirks of those environments and know how to add authentication in a simple and efficient way.

Traditional approaches to machine-to-machine authentication fall short there, for example because the environments are not stateful as usual but stateless.

After a short refresher of some authentication fundamentals, you will learn how to plan and implement efficient authentication using "Azure Functions", the external identity provider "Auth0", "OAuth 2", "JsonWebTokens (JWT)", the secrets management system "Azure Key Vault", "Azure Managed Identities" and "Cloudflare Workers".


Andreas Grimm

September 26, 2019


Transcript

1. @_andreasgrimm, Akelius (Berlin office): Real Estate, Internal Business Software; 2/3 K8S, 1/3 serverless; IAM; Architecture / Security; DDD & EventStorming; Community
2. Agenda: Serverless - The Big Picture; Why I Like It; Serverless & Auth; Auth Fundamentals; Protect a Serverless API; Access an API from FaaS
3. "Serverless is without servers like WiFi is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore." – Gojko Adzic (@gojkoadzic)
4. Your code is being scheduled ... by a scheduler that you don't own (not true for self-hosted / managed Kubernetes)
5. Storage: Amazon S3 / Azure Blob Storage; Amazon DynamoDB / Azure Cosmos DB; AWS AppSync; Amazon Athena
6. Messaging: Amazon SNS / Azure EventGrid; Amazon SQS / Azure ServiceBus; Google Cloud PubSub; Amazon EventBridge
7. Serverless' Nature: event-driven / reactive; distributed systems (CAP theorem); eventual consistency; idempotency; requires more architectural skills (in general); business people's responsiveness matters
8. Future of (Software) Product Development ... part of it: product development > software development; brings (back) technical simplicity -> focus on business/value add; not all features require a software solution (true serverless?)
9. (real) DevOps Culture: product teams (marketing, business ops, ux/ui, qa, data science, software development, it ops, ...); focus on value
10. Which IDP to choose? It depends: law / regulatory; usage patterns; flexibility; simplicity
11. SPA Sends User's Credentials To IDP (diagram: single page app, identity provider, serverless.cat CAT API; user name and password)
12. IDP Sends Token Back to SPA (diagram: single page app, identity provider, serverless.cat CAT API; access token)
13. CatAPI Validates Token: JWT Token Is Valid (diagram: single page app, identity provider, serverless.cat CAT API; access token)
14. JWT Validation in Function App. "Function App": group of functions deployed together sharing one identity
15. CatAPI Responds 401: JWT Token missing (diagram: backend 1 / API 1 -> HTTP -> serverless.cat CAT API)
16. No Human, Only Machine Is Involved (diagram: backend 1 / API 1 as machine-to-machine client with client id and client secret, identity provider, serverless.cat CAT API)
17. If We Send Client Credentials To IDP ... (diagram: machine-to-machine client sends client id and client secret to the identity provider)
18. ... And IDP Verifies Client Credentials ... (diagram: identity provider compares the received client id / client secret with the stored ones and issues an access token)
19. ... Then We Get Token From IDP (diagram: access token returned to the machine-to-machine client)
20. How To Store & Access Secrets? (diagram: machine-to-machine client holding the client secret)
21. Secrets Management System: single, central place to securely store secrets encrypted; distribution of secrets to the end-application; updating / revoking secrets ("key rotation") in case of compromise
22. Look-up Token in Memory: Is a Token Cached in Memory? (diagram: backend 1 / API 1 machine-to-machine client, identity provider, serverless.cat CAT API)
23. No Cached Token in Memory
24. Look-up Token in Key Vault (diagram: machine-to-machine client accesses Azure Key Vault using the function app identity)
25. No Cached Token in Key Vault (404)
26. Function App's Privileges In Key Vault: solves the "secret zero / bootstrapping" problem; "zero trust" applied
27. Client Secret Is in Key Vault (diagram: function app identity retrieves the client secret from Azure Key Vault)
28. Get Token from IDP (diagram: client id and client secret sent to the identity provider; access token returned)
29. Cache Token in Memory
30. Cache Token in Key Vault
31. Get Cat Picture from CatAPI (diagram: access token sent to serverless.cat CAT API)
32. "Second" Request (diagram step: access tokens in memory, Azure Key Vault and request)
33. "Second" Request (diagram step)
34. "Second" Request (diagram step)
35. Scaling Backend Instances (diagram: a second backend 1 / API 1 machine-to-machine client instance, Azure Key Vault, identity provider, serverless.cat CAT API)
36. Scaling Backend Instances (diagram: the new instance obtains the access token from Azure Key Vault using the function app identity)
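The look-up order from slides 22-36, as an added example in Node.js that is not from the deck: in-memory cache first, then the shared cache in Key Vault, and only then the client-credentials grant at the IDP, writing the fresh token back to both caches so that a scaled-out sibling instance (slides 35-36) finds it. `keyVault` and `idp` are assumed stand-ins for the Key Vault secret client (which would authenticate with the Function App's managed identity) and the IDP's token endpoint; `getSecret` resolving to null models the 404 on slide 25.

```javascript
// Added example, not from the deck: the look-up order of slides 22-36 for a
// machine-to-machine client running in a Function App. `keyVault` and `idp`
// are assumed stand-ins (Key Vault secret client using the Function App's
// managed identity; the IDP's token endpoint), injected so this runs offline.
const CLOCK_SKEW_S = 60;   // treat a token as expired a little early

function isUsable(entry, now) {
  return !!entry && typeof entry.exp === 'number' && entry.exp - CLOCK_SKEW_S > now;
}

class TokenProvider {
  constructor({ keyVault, idp, clientId, secretName, cacheName }) {
    Object.assign(this, { keyVault, idp, clientId, secretName, cacheName });
    this.memory = null;                       // per-instance, lost on cold start
    this.stats = { memoryHits: 0, vaultHits: 0, idpCalls: 0 };
  }

  async getAccessToken(now = Math.floor(Date.now() / 1000)) {
    // 1. In-memory cache (slide 22): fastest, but not shared across instances.
    if (isUsable(this.memory, now)) {
      this.stats.memoryHits++;
      return this.memory.token;
    }
    // 2. Shared cache in Key Vault (slide 24): a scaled-out sibling may have
    //    stored a token already; getSecret resolves to null if absent (slide 25).
    const raw = await this.keyVault.getSecret(this.cacheName);
    const cached = raw ? JSON.parse(raw) : null;
    if (isUsable(cached, now)) {
      this.memory = cached;
      this.stats.vaultHits++;
      return cached.token;
    }
    // 3. The client secret lives only in Key Vault (slide 27); use it for the
    //    client-credentials grant at the IDP (slide 28).
    const clientSecret = await this.keyVault.getSecret(this.secretName);
    if (!clientSecret) throw new Error(`secret ${this.secretName} not found in Key Vault`);
    const { access_token, expires_in } = await this.idp.clientCredentials(this.clientId, clientSecret);
    this.stats.idpCalls++;
    this.memory = { token: access_token, exp: now + expires_in };
    // 4. Write back to both caches (slides 29-30) so the next request, on any
    //    instance, is served without a round trip to the IDP.
    await this.keyVault.setSecret(this.cacheName, JSON.stringify(this.memory));
    return access_token;
  }
}
```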
37. Summary: JWT Validation On Top of API key; Use Central SMS (Secrets Management System, e.g. Key Vault); Cache Tokens (In-Memory &) in SMS; SMS Enables Key Rotation
38. Contact: Twitter: @_andreasgrimm; LinkedIn: linkedin.com/in/andreas-grimm/; Blog: andreasgrimm.com; Meetups: @DDDBER, @FullstackJS, @ServerlessBER