Authentication & Authorization for Microservices and Web APIs

Niko Köbler
November 27, 2017


Transcript

  1. ABOUT ME
     ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
     ▸ Doing stuff with & without computers, writing software, ~20 yrs
     ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
     ▸ Speaker at international tech conferences
     ▸ Author of "Serverless Computing in AWS Cloud" (German), serverlessbuch.de
     ▸ Twitter: @dasniko
  2. DISTRIBUTED APIS
     ONE CENTRALIZED APPROACH FOR DISTRIBUTED SYSTEMS WHEN IT COMES TO AUTH*? YES, IT'S CALLED SINGLE SIGN ON!
  3. SAML - SECURITY ASSERTION MARKUP LANGUAGE

     <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
                     Version="2.0"
                     IssueInstant="2004-12-05T09:22:05">
       <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
       <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
           3f7b3dcf-1674-4ecd-92c8-1544f346baf8
         </saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
           <saml:SubjectConfirmationData InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
                                         Recipient="https://sp.example.com/SAML2/SSO/POST"
                                         NotOnOrAfter="2004-12-05T09:27:05"/>
         </saml:SubjectConfirmation>
       </saml:Subject>
       ...
     </saml:Assertion>

     The elements shown are exactly what the service provider has to check before trusting a bearer assertion: the ds:Signature over the assertion, the Issuer it expects, and on SubjectConfirmationData the Recipient (its own endpoint), InResponseTo (the ID of the request it actually sent) and NotOnOrAfter (a five-minute validity window here).
  4. OAUTH2: AUTHORIZATION, NOT AUTHENTICATION!
     "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service." (IETF, RFC 6749, 2012)
  5. OAUTH2 GRANT TYPES

     GRANT TYPE                           APPS
     Authorization Code                   Web, Apps
     Implicit                             JavaScript, etc.
     Resource Owner Password Credentials  Apps
     Client Credentials                   Web
     Refresh Token                        Web, Apps

     Caveat: since these slides, the OAuth 2.0 Security Best Current Practice (RFC 9700) has advised against the Implicit and Resource Owner Password Credentials grants; Authorization Code (with PKCE for public clients such as JavaScript and mobile apps) is the recommended flow for obtaining tokens on behalf of a user.
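The Authorization Code grant from the table above, as an added example that is not part of the slides: a toy authorization server and a confidential web client in one Python process exchange the messages of RFC 6749 section 4.1. CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, AUTHORIZE_ENDPOINT, the user name and the generated codes and tokens are constructed for this example; in a real deployment the two sides talk over HTTPS and the client keeps its pending state per browser session. The example goes slightly beyond the slide by showing the checks that make the grant safe: an exact redirect_uri match, the state parameter on the callback, client authentication at the token endpoint, and single-use, short-lived codes bound to the client they were issued to.

```python
# Added example (not from the slides): the OAuth 2.0 Authorization Code grant
# (RFC 6749 section 4.1) with both sides in one process. All identifiers,
# URLs, credentials and the user name are constructed for this example.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "web-client"                      # hypothetical registered client
CLIENT_SECRET = "s3cr3t-client-secret"        # hypothetical confidential-client credential
REDIRECT_URI = "https://app.example.com/cb"   # hypothetical pre-registered redirect URI
AUTHORIZE_ENDPOINT = "https://sso.myapi.com/authorize"  # hypothetical AS endpoint


def _query(url):
    """Flattens a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Issues single-use authorization codes and exchanges them for access tokens."""

    CODE_TTL = 60  # seconds; authorization codes should be short-lived

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # code -> (client_id, redirect_uri, user, scope, issued_at)
        self.tokens = {}   # access_token -> (user, scope)

    def authorize(self, authorize_url, user):
        """GET /authorize, called after the resource owner logged in and consented.
        Returns the redirect URL that carries the code back to the client."""
        q = _query(authorize_url)
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code" or "state" not in q:
            raise ValueError("invalid_request")
        # Exact redirect_uri match: anything looser lets an attacker receive the code.
        if q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid_redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (q["client_id"], q["redirect_uri"], user, q.get("scope", ""), time.time())
        # state is echoed back unchanged so the client can tie the callback to its own request.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        """POST /token for grant_type=authorization_code (confidential client)."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        entry = self.codes.pop(form.get("code"), None)   # pop: a code can be redeemed once
        if entry is None:
            raise ValueError("invalid_grant")
        code_client, code_redirect, user, scope, issued_at = entry
        if code_client != form["client_id"] or code_redirect != form.get("redirect_uri"):
            raise ValueError("invalid_grant")   # code was issued to another client/redirect
        if time.time() - issued_at > self.CODE_TTL:
            raise ValueError("invalid_grant")   # expired code
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scope)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}


class WebClient:
    """Confidential client: starts the login and completes the callback."""

    def __init__(self, auth_server):
        self.auth_server = auth_server   # stands in for HTTPS calls to the AS
        self.pending = {}                # state -> scope; per browser session in a real app

    def start_login(self, scope="profile"):
        state = secrets.token_urlsafe(16)   # unguessable; protects the callback against CSRF
        self.pending[state] = scope
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})

    def handle_callback(self, callback_url):
        q = _query(callback_url)
        if q.get("state") not in self.pending:
            raise ValueError("state mismatch: forged or replayed callback")
        del self.pending[q["state"]]
        return self.auth_server.token({
            "grant_type": "authorization_code", "code": q.get("code"),
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET})


def run_flow(user="john.doe"):
    """One complete login; returns (server, client, callback_url, token_response)."""
    auth_server = AuthorizationServer()
    client = WebClient(auth_server)
    authorize_url = client.start_login()
    # The browser follows authorize_url; after login and consent the AS redirects back.
    callback_url = auth_server.authorize(authorize_url, user)
    return auth_server, client, callback_url, client.handle_callback(callback_url)


if __name__ == "__main__":
    _, _, _, response = run_flow()
    print(response)
```

Replaying the callback fails twice over: the client has already consumed the state, and even if it had not, the server popped the code on first use. Both checks are cheap and both are routinely missing in hand-rolled clients.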
  6. OPENID CONNECT (NOT OPENID!): AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
     ‣ verify the identity of an end-user
     ‣ obtain basic profile information about the user
     ‣ RESTful HTTP API, using JSON as data format
     ‣ allows clients of all types (web-based, mobile, JavaScript)
     (OPENID FOUNDATION, 2014)
  7. OIDC

     {
       "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
       "token_type": "Bearer",
       "expires_in": 3600,
       "id_token": "???",
       "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
     }

     OPENID CONNECT ADDS THE IDENTITY TOKEN (the token-response parameter is named id_token in OpenID Connect Core).
  8. JWT PAYLOAD

     {
       "sub": "1234567890",
       "iss": "https://sso.myapi.com",
       "aud": "myApi",
       "exp": 1479814753,
       "name": "John Doe",
       "admin": true
     }

     REGISTERED CLAIMS (RFC 7519): sub, iss, aud, exp (the RFC also registers iat, nbf and jti); name and admin are custom claims. A resource server must check iss, aud and exp, not only the signature: a validly signed token for another API, or an expired one, is still a token to reject.
  9. ACCESS TOKEN

     {
       "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
       "token_type": "Bearer",
       "expires_in": 3600,
       "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
       "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
     }

     Here every token in the response is a JWT (the eyJhbGciOi... prefix is the base64url-encoded {"alg":"HS256","typ":"JWT"} header).
  10. TOKENS
     ‣ Basis for access to secured resources.
     ‣ A token is signed and contains all necessary information about the user and their roles.
     ‣ Kinds: identity, refresh, (offline) and access tokens
     ‣ Sent in Bearer format:
       Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
     ‣ Have a TTL!
     ‣ Must be revocable!
     Caveat: a self-contained, signed JWT cannot be revoked by the resource server on its own. Revocation needs a short TTL combined with server-side state, either a denylist of token IDs (jti) consulted on every request, or revoking the refresh/offline token at the issuer so that no new access tokens are minted.
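The token handling from slides 8 to 10, as an added example that is not part of the slides: an issuer mints an HS256 JWT with the payload shown on slide 8, and a resource server verifies a token taken from an Authorization: Bearer header the way a practitioner would, pinning the algorithm, checking the signature, iss, aud and exp, and honouring a revocation list keyed by jti. ISSUER and AUDIENCE are the slide's values; SHARED_KEY, the clock leeway and the revocation list are assumptions for this example. Real services usually sign with an asymmetric key (RS256/ES256) and fetch the issuer's public keys from its JWKS endpoint rather than sharing an HMAC secret with every API.

```python
# Added example (not from the slides): minting and verifying an HS256 JWT with
# the standard library only, and the checks a resource server must do before
# trusting a bearer token. ISSUER and AUDIENCE are the slide's values;
# SHARED_KEY and the user claims are constructed for this example.
import base64
import hashlib
import hmac
import json
import time
import uuid

ISSUER = "https://sso.myapi.com"
AUDIENCE = "myApi"
SHARED_KEY = b"constructed-demo-key-at-least-32-bytes-long"  # hypothetical HS256 secret


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SHARED_KEY, ttl: int = 3600, now: int = None) -> str:
    """Issuer side: header.payload.signature, signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    payload = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + ttl,
               "jti": str(uuid.uuid4()), **claims}   # jti makes the token revocable by id
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, key: bytes = SHARED_KEY, revoked_jtis=frozenset(),
                 now: int = None, leeway: int = 30) -> dict:
    """Resource-server side: returns the claims only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm instead of trusting header["alg"]: "alg": "none" and
    # RS256-to-HS256 key-confusion attacks both rely on the verifier honouring it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    # The registered claims from the slide: who issued it, for whom, until when.
    if payload.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = payload.get("aud")                       # aud may be a string or a list
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this API")
    if not isinstance(payload.get("exp"), int) or now > payload["exp"] + leeway:
        raise TokenError("token expired")
    if payload.get("jti") in revoked_jtis:         # server-side state makes a JWT revocable
        raise TokenError("token revoked")
    return payload


def parse_authorization_header(value: str) -> str:
    """Extracts the token from 'Authorization: Bearer <token>' (RFC 6750)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("expected a Bearer token")
    return token.strip()


if __name__ == "__main__":
    issued = mint_token({"sub": "1234567890", "name": "John Doe", "admin": True})
    print(verify_token(parse_authorization_header("Bearer " + issued)))
```

The order of the checks is deliberate: the signature is verified before any claim is read, so nothing in an unauthenticated payload ever influences a decision, and the algorithm is fixed by the verifier rather than read from the token.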
  11. WHAT DOES JAVA OFFER?
     ‣ Java EE / Jakarta EE: Java EE Security API (JSR 375)
     ‣ Spring Security 5: OAuth 2 became a first-class citizen
     ‣ Apache Shiro: no OAuth2/OIDC/JWT
     ‣ Apache Oltu: OAuth2/OIDC/JWT, but who knows?
     ‣ and many more…
  12. WHAT DOES THE ECOSYSTEM OFFER?
     ‣ Auth0
     ‣ AWS Cognito
     ‣ Stormpath
     ‣ and many more…
     ‣ BUT: you have to outsource your users' personal data (and passwords)!
  13. KEYCLOAK (keycloak.org): Open Source Identity and Access Management for Modern Applications and Services. MIGHT(!) BE A GOOD FIT.
  14. THANK YOU. ANY QUESTIONS?
     Niko Köbler | www.n-k.de | [email protected] | @dasniko
     AUTH* FOR MICROSERVICES & WEB APIS