Praktikable Authentifizierung in Serverless-Umgebungen

@_andreasgrimm Praktikable Authentifizierung in Serverless-Umgebungen [email protected] @_andreasgrimm

@_andreasgrimm Andreas Grimm

@_andreasgrimm I ❤ serverless meetup.com/Serverless-Berlin

@_andreasgrimm I ❤ DDD dddber.com

@_andreasgrimm akelius.com

@_andreasgrimm Akelius (Berlin office) Real Estate Internal Business Software 2/3
K8S, 1/3 serverless IAM Architecture / Security DDD & EventStorming Community

@_andreasgrimm Agenda Serverless - The Big Picture Why I Like
It Serverless & Auth Auth Fundamentals Protect a Serverless API Access an API from FaaS

@_andreasgrimm Serverless the big picture

@_andreasgrimm

@_andreasgrimm There are still servers but you don't have to
care about servers anymore

@_andreasgrimm – Gojko Adzic (@gojkoadzic) “Serverless is without servers like
WiFi is without wires. With WiFi there are still wires (e.g. router attached to cable modem), but you don't care about them anymore.”

@_andreasgrimm Your code is being scheduled ... by a scheduler
that you don't own (not true for self-hosted / managed Kubernetes)

@_andreasgrimm Functions as Deployment Unit

@_andreasgrimm Thomas Fricke - Kubernetes Security (BedCon 2019-09-05)

@_andreasgrimm Higher Level Security https://www.youtube.com/watch?v=rJBCRhrfnak

@_andreasgrimm Serverless > FaaS / Execution Model

@_andreasgrimm High Availability

@_andreasgrimm Auto-Scaling including "scale to zero"

@_andreasgrimm No Idle Costs not subscription-based (e.g. $ 7 /
months)

@_andreasgrimm Pay only for active usage pay-as-you-go pay-per-use pay-per-request pay-per-transaction

@_andreasgrimm Storage Amazon S3 / Azure Blob Storage Amazon DynamoDB
/ Azure Cosmos DB AWS AppSync Amazon Athena

@_andreasgrimm Messaging Amazon SNS / Azure EventGrid Amazon SQS /
Azure ServiceBus Google Cloud PubSub Amazon EventBridge

@_andreasgrimm Streams Amazon Kinesis / Azure EventHub

@_andreasgrimm and more: Observability (Central Logs, Metrics, Distributed Tracing) Marketing
Analytics ...

@_andreasgrimm https://www.cloudzero.com/blog/serverless-is-not-a-bubble-its-a-spectrum

@_andreasgrimm Serverless Serviceful vendor native high-level, managed, simple to use

@_andreasgrimm BaDaaS (Business-components-and-Deployment-as-a-Service) Focus on Your Value-add https://www.youtube.com/watch?v=2A5HVF0LUi0

@_andreasgrimm Puresec / Protego https://www.youtube.com/watch?v=uiYTKuuC82U

@_andreasgrimm Serverless > Managed Services / Operational Construct

@_andreasgrimm On-Premise VM = Serverless?

@_andreasgrimm "serverless is a state of mind" https://www.youtube.com/watch?v=8Rzv68K8ZOY

@_andreasgrimm Serverless > Spectrum

@_andreasgrimm Stop Calling Everything Serverless - Jeremy Daly https://www.youtube.com/watch?v=vuWiB3vNiHc

@_andreasgrimm Pay only for "active usage" -> "value" realtime-ish monitoring
of transaction costs

@_andreasgrimm Serverless Pricing Model enables #FinDev https://www.youtube.com/watch?v=F0H7WuK56Nc

@_andreasgrimm Your Value-add ? undiﬀerentiated heavy lifting? focus on competetive
advantage! don't reinvent the wheel!

@_andreasgrimm (Actual) Total Cost of Ownership? often impossible to measure
empirically

@_andreasgrimm Total Cost of Ownership

@_andreasgrimm Cloud / Vendor Lock-In https://lumigo.io/blog/you-are-wrong-about-serverless-vendor-lock-in/

@_andreasgrimm Serverless ≠ Lock-in it's coupling ... like everything else
-> Hexagonal / Clean Architecture ☝

@_andreasgrimm https://martinfowler.com/articles/oss-lockin.html

@_andreasgrimm Serverless -> Commodity https://www.youtube.com/watch?v=SPsaqiegOP4

@_andreasgrimm Wardley Maps identify your value-add

@_andreasgrimm Serverless' Nature - event-driven / reactive - distributed systems
(CAP theorem) - eventual consistency - idempotency - requires more architectural skills (in general) - business people's responsiveness matters

@_andreasgrimm Future of (Software) Product Development ... part of it
-> product development > software development - brings (back) technical simplicity -> focus on business/value add - not all features require a software solution (true serverless?)

@_andreasgrimm

@_andreasgrimm My Serverless Story ... or why I like it
so much ❤

@_andreasgrimm Business Problems ❤

@_andreasgrimm Babysitting Infrastructure

@_andreasgrimm ❤ Effective Software Development Domain-Driven Design (DDD) collaborative modeling

@_andreasgrimm EventStorming by @ziobrando - modeling business processes - event-driven 
(ﬁts serverless paradigm )

@_andreasgrimm (real) DevOps Culture - product teams (marketing, business ops,
ux/ui, qa, data science, software development, it ops, ...) - focus on value

@_andreasgrimm Agile Software Development ... done right

@_andreasgrimm DDD ❤ Serverless

@_andreasgrimm Modeling Whirlpool https://domainlanguage.com/ ddd/whirlpool/

@_andreasgrimm Build -> Measure -> Learn

@_andreasgrimm Continuous Discovery / Experimentation

@_andreasgrimm Auth how hard can it be?

@_andreasgrimm https://frsecure.com/blog/expert-take-on-equifax-breach/

@_andreasgrimm https://twitter.com/Nick_Craver/status/1098211627831345153

@_andreasgrimm Serverless (+) Auth ... now what's so special about
it?

@_andreasgrimm Serverless > ... Identity Provider (IDP) including

@_andreasgrimm Your Value-add ? in regards to "Identity Provider (IDP)"

@_andreasgrimm keycloak.org identityserver.io

@_andreasgrimm Self-Hosted IDP how to scale? no SLAs pager duty
higher "Total Cost of Ownership"

@_andreasgrimm ❤ Managed IDPs Auth0 AAD (Azure Active Directory) Okta
PingIdentity AWS Cognito

@_andreasgrimm Pricing Model

@_andreasgrimm Auth0 Pricing pay-per-use: ✅ pay-per-transaction: ❌ enterprise users: ✅
machine-2-machine: ✅

@_andreasgrimm Technical Aspects customizability

@_andreasgrimm Auth0 Rules - webtask.io - serverless JavaScript code snippets

@_andreasgrimm Auth0 Rules code example

@_andreasgrimm Which IDP to choose? it depends - law /
regulatory - usage patterns - ﬂexibility - simplicity

@_andreasgrimm Vendor Lock-in Not as dramatic, because of open standards
like "OAuth 2 & OpenID Connect"

@_andreasgrimm APIs How to protect ?

@_andreasgrimm We Want a Cat Picture

@_andreasgrimm serverless.cat CAT API We Want a Cat Picture From
CatAPI

@_andreasgrimm serverless.cat CAT API > HTTP GET ✋ JWT Token
missing 401 CatAPI Token Validation

@_andreasgrimm identity provider serverless.cat CAT API CatAPI trusts IDP

@_andreasgrimm serverless.cat CAT API identity provider access token We Need
a Token From IDP

@_andreasgrimm serverless.cat CAT API identity provider single page app single
page app SPA Is Operated by a Human User

@_andreasgrimm serverless.cat CAT API identity provider single page app single
page app password user name SPA Sends User's Credentials To IDP

@_andreasgrimm IDP Sends Token to Back to SPA serverless.cat CAT
API identity provider single page app single page app access token

@_andreasgrimm serverless.cat CAT API identity provider single page app access
token access token JWT Token Is Valid CatAPI Validates Token

@_andreasgrimm serverless.cat CAT API identity provider single page app access
token CatAPI Sends Cat Picture

@_andreasgrimm Interactive Client not related to serverless browser or native
app

@_andreasgrimm API runs in FaaS where to validate JWT ?

@_andreasgrimm JWT Validation in Function

@_andreasgrimm npm package based on "express-jwt"

@_andreasgrimm Wrap main function with higher order function.

@_andreasgrimm Azure Function Bindings declare actions without writing code e.g.
get item from a DB

@_andreasgrimm https://serverless.cat/?id=myCatID

@_andreasgrimm Azure Function Bindings bindings run before the function code
-> IO (costs) before JWT validation

@_andreasgrimm DDOS Attacks Could Ruin You

@_andreasgrimm JWT Validation in Function ⚠ only together with API
key (functions key)

@_andreasgrimm JWT Validation in Function App "Function App": group of
functions deployed together sharing one identity

@_andreasgrimm Function App Auth JWT Validation happens before Bindings no
additional costs AAD only

@_andreasgrimm JWT Validation in Azure API Management

@_andreasgrimm Azure API Management pay-per-request: ✅

@_andreasgrimm Azure API Management AAD only

@_andreasgrimm JWT Validation in Cloudflare Workers

@_andreasgrimm Like an API Gateway .. that runs code https://developers.cloudﬂare.com/workers/about/

@_andreasgrimm ... but in 190+ Data Centers #EdgeComputing deployment region:
world

@_andreasgrimm Cloudflare Workers pay-per-use: ✅ pay-per-transaction: ❌

@_andreasgrimm Cloudflare Workers free tier

@_andreasgrimm Validate JWT forward JWT payload

@_andreasgrimm In function: Just consume payload

@_andreasgrimm Authenticated Origin Pulls using shared secret (aka apikey) or
certiﬁcate-based

@_andreasgrimm How to access ? (from FaaS) APIs

@_andreasgrimm We (Still) Want The Cat Picture ...

@_andreasgrimm backend 1 API 1 serverless.cat CAT API ... But
This Time in Our Backend

@_andreasgrimm backend 1 API 1 serverless.cat CAT API > HTTP
GET Send "GET Request" to CatAPI

@_andreasgrimm backend 1 API 1 serverless.cat CAT API > HTTP
✋ JWT Token missing 401 CatAPI Responds 401

@_andreasgrimm backend 1 API 1 identity provider serverless.cat CAT API
CatAPI (still) trusts IDP

@_andreasgrimm backend 1 API 1 serverless.cat CAT API identity provider
access token We Need a Token From IDP

@_andreasgrimm You Pay Per Token

machine- to-machine client machine- to-machine client client secret client id No Human, Only Machine Is Involved

machine- to-machine client client secret client id If We Send Client Credentials To IDP ... client secret client id

@_andreasgrimm ... And IDP Verifies Client Credentials ... backend 1
API 1 serverless.cat CAT API identity provider machine- to-machine client client secret client id client secret client id = ? ! access token

machine- to-machine client access token ... Then We Get Token From IDP

machine- to-machine client client secret How To Store & Access Secrets?

@_andreasgrimm How To Store & Access Secrets?

@_andreasgrimm Hardcoded Secrets ? ?

@_andreasgrimm Hardcoded Secrets ... are easy & simple to use
☺

@_andreasgrimm ❌ Hardcoded Secrets are VERY insecure because can easily
be leaked stays forever in VCS

@_andreasgrimm Environment Variables / On- Demand how to provide in
a secure way?

@_andreasgrimm Secrets Management System

@_andreasgrimm Secrets Management System what is it? why use it?

@_andreasgrimm Secrets Management System - single, central place to securely
store secrets encrypted - distribution of secrets to the end-application - updating / revoking secrets ("key rotation") in case of compromise

@_andreasgrimm SE Radio Podcast "Secrets Management System" https://www.se-radio.net/2017/12/se-radio-episode-311-armon-dadgar-on-secrets- management/

@_andreasgrimm Secrets Management System ... but serverless, please!

@_andreasgrimm Azure Key Vault

@_andreasgrimm Azure Key Vault Pricing pay-per-use: ✅ pay-per-transaction: ❌ $0.03/10,000
transactions

@_andreasgrimm Why use Key Vault? secret-less access, based on identity
ideal for "stateless" environments

@_andreasgrimm serverless.cat CAT API identity provider backend 1 API 1
machine- to-machine client Is a Token Cached in Memory ? Look-up Token in Memory

machine- to-machine client No Cached Token in Memory

machine- to-machine client azure key vault Look-up Token in Key Vault function app identity

machine- to-machine client azure key vault No Cached Token in Key Vault 404

@_andreasgrimm Key Vault Auth? - secret zero / bootstrapping?

@_andreasgrimm Azure Managed Identiy has to be activated for the
Function App

@_andreasgrimm Function App's Privileges In Key Vault - least privilege
- consider many KeyVaults per resource

@_andreasgrimm Function App's Privileges In Key Vault - solves "secret
zero / bootstrapping" problem - "zero trust" applied

@_andreasgrimm Azure Key Vault - Secrets (serverless) secrets management system

machine- to-machine client azure key vault Client Secret Is in Key Vault function app identity client secret

machine- to-machine client azure key vault Get Token from IDP client secret client id access token

@_andreasgrimm Cache Token in Memory serverless.cat CAT API identity provider
backend 1 API 1 machine- to-machine client azure key vault access token access token

@_andreasgrimm Cache Token in Key Vault serverless.cat CAT API identity
provider backend 1 API 1 machine- to-machine client azure key vault access token access token access token

@_andreasgrimm Why To Cache The Token?

@_andreasgrimm Get Cat Picture from CatAPI serverless.cat CAT API identity
provider backend 1 API 1 machine- to-machine client azure key vault access token access token access token

@_andreasgrimm "Second" Request ✌

@_andreasgrimm "Second" Request serverless.cat CAT API identity provider backend 1
API 1 machine- to-machine client azure key vault access token access token access token

@_andreasgrimm "Second" Request serverless.cat CAT API identity provider backend 1
API 1 machine- to-machine client azure key vault access token access token

@_andreasgrimm Scaling Happens ...

@_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend
1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client

@_andreasgrimm Scaling Backend Instances serverless.cat CAT API identity provider backend
1 API 1 machine- to-machine client access token azure key vault access token backend 1 API 1 machine- to-machine client function app identity access token

@_andreasgrimm Machine-to-Machine Client runs in FaaS stateless environment (partially) where
to store secrets?

@_andreasgrimm How to Access Key Vault From Code?

@_andreasgrimm Secret via Env Var not hardcoded ☝

@_andreasgrimm Key Vault References @Microsoft.KeyVault(SecretUri=https://serviceful-cloud.vault.azure.net/secrets/auth-m2m- client-secret-auth0/b01787d0082f49448744cabfe1bab7ad)

@_andreasgrimm Get Token From IDP Function does not know about
Key Vault at all

@_andreasgrimm Get Data From API

@_andreasgrimm Demo

@_andreasgrimm Summary - JWT Validation On Top of API key
- Use Central SMS (Secrets Management System, e.g. Key Vault) - Cache Tokens (In-Memory &) in SMS - SMS Enables Key Rotation

@_andreasgrimm ___________.__ __ \__ ___/| |__ _____ ____ | |
__ ______ | | | | \\__ \ / \| |/ / / ___/ | | | Y \/ __ \| | \ < \___ \ |____| |___| (____ /___| /__|_ \/____ > \/ \/ \/ \/ \/ ___( ) ( _) (_ __)) (( _____) (_________)----' _/ / / _/ _/ / / __/ _/ / /__/ // /' - Twitter: @_andreasgrimm - LinkedIn: linkedin.com/in/andreas-grimm/ - Blog: andreasgrimm.com - Meetups: @DDDBER, @FullstackJS, @ServerlessBER

Praktikable Authentifizierung in Serverless-Umg...

Praktikable Authentifizierung in Serverless-Umgebungen

More Decks by Andreas Grimm

Other Decks in Programming

Featured

Transcript