
Authentication & Authorization for Microservices and Web APIs

Niko Köbler
November 27, 2017


Transcript

  1. AUTHENTICATION & AUTHORIZATION FOR MICROSERVICES & WEB APIS. Niko Köbler (@dasniko)
  2. ABOUT ME
    ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
    ▸ Doing stuff with & without computers, writing Software, ~ 20 yrs
    ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
    ▸ Speaker at international Tech Conferences
    ▸ Author of „Serverless Computing in AWS Cloud“ (German), serverlessbuch.de
    ▸ Twitter: @dasniko
  3. SECURITY OWASP (TOP10)

  4. AUTHENTICATION AUTHORIZATION

  5. AUTHENTICATION: I don’t know who you are. AUTHORIZATION: I know who you are, but you’re not allowed.
  6. HTTP STATUS CODES: 401 UNAUTHORIZED means "not authenticated"; 403 FORBIDDEN means "not authorized".
  7. DISTRIBUTED APIS

  8. DISTRIBUTED APIS: ONE CENTRALIZED APPROACH FOR DISTRIBUTED SYSTEMS WHEN IT COMES TO AUTH*? YES, IT’S CALLED SINGLE SIGN ON!
  9. SIMPLY —————————————————— SECURE

  10. HOW DO YOU AUTHENTICATE?

  11. TOKEN!

  12. SAML - SECURITY ASSERTION MARKUP LANGUAGE
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
        IssueInstant="2004-12-05T09:22:05">
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
          3f7b3dcf-1674-4ecd-92c8-1544f346baf8
        </saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
              Recipient="https://sp.example.com/SAML2/SSO/POST"
              NotOnOrAfter="2004-12-05T09:27:05"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      ...
    </saml:Assertion>
  13. OAUTH2: AUTHORIZATION, NOT AUTHENTICATION! "The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service." IETF, RFC 6749, 2012
  14. OAUTH2 GRANT TYPES
    GRANT TYPE                            APPS
    Authorization Code                    Web, Apps
    Implicit                              JavaScript, etc.
    Resource Owner Password Credentials   Apps
    Client Credentials                    Web
    Refresh Token                         Web, Apps
  15. OAUTH2 ABSTRACT PROTOCOL FLOW

  16. ACCESS TOKEN
    {
      "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
    }
  17. OPEN ID CONNECT (NOT OPEN ID!): AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
    ‣ verify the identity of an end-user
    ‣ obtain basic profile information about the user
    ‣ RESTful HTTP API, using JSON as data format
    ‣ allows clients of all types (web-based, mobile, JavaScript)
    OPENID FOUNDATION, 2014
  18. OIDC
    {
      "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
      "token_type": "Bearer",
      "expires_in": 3600,
      "identity_token": "???",
      "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
    }
    OPENID CONNECT ADDS THE IDENTITY TOKEN
  19. JWT JSON WEB TOKEN RFC 7519 STANDARD, 2015

  20. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ (BASE64 ENCODED)

  21. JSON WEB TOKEN

  22. JWT PAYLOAD
    {
      "sub": "1234567890",
      "iss": "https://sso.myapi.com",
      "aud": "myApi",
      "exp": 1479814753,
      "name": "John Doe",
      "admin": true
    }
    RESERVED CLAIMS: sub, iss, aud, exp
  23. OPEN ID CONNECT STANDARD CLAIMS http://openid.net/specs/openid-connect-core-1_0.html

  24. ACCESS TOKEN
    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "token_type": "Bearer",
      "expires_in": 3600,
      "identity_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
    }
  25. TOKEN USAGE

  26. TOKEN USAGE

  27. TOKENS
    ‣ Base for access on secured resources.
    ‣ A token is signed and contains all necessary information about the user and its roles.
    ‣ Kinds: Identity-, Refresh-, (Offline-) & Access tokens
    ‣ Send in Bearer format: Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
    ‣ Have a TTL!
    ‣ Must be revocable!
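The following is an added example, not code from the slides or from any of the libraries they list. It ties slides 6, 22 and 27 together: it mints and verifies an HS256 JWT with only the Python standard library, checks the reserved claims (iss, aud, exp, sub) and the TTL, extracts the token from the Bearer header, and maps the outcome to the 401/403 split. The secret is a constructed demo value; the issuer, audience and payload are the ones shown on the JWT PAYLOAD slide, and the `admin` claim is used as the example's only authorization rule.

```python
# Added example (not from the slides): HS256 JWT mint/verify with the
# standard library, plus Bearer extraction and 401-vs-403 mapping.
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWTs are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature for alg=HS256 (demo issuer side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Return (claims, None) on success or (None, reason) on failure.

    Order: structure, alg pinned to HS256, signature, then the reserved
    claims from slide 22 (iss, aud, exp = the TTL, sub).
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        given_sig = b64url_decode(s)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None, "malformed token"
    # Pin the algorithm: the verifier decides how to verify, not the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims, dict):
        return None, "malformed token"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    if not claims.get("sub"):
        return None, "missing sub"
    return claims, None


def bearer_token(headers: dict):
    """Extract the token from 'Authorization: Bearer <token>' (slide 27)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(headers: dict, secret: bytes, issuer: str, audience: str,
              need_admin: bool, now=None):
    """Slide 6 mapping: 401 = not authenticated, 403 = not allowed, 200 = ok."""
    token = bearer_token(headers)
    if token is None:
        return 401, "no bearer token"
    claims, reason = verify_hs256(token, secret, issuer, audience, now)
    if claims is None:
        return 401, reason
    if need_admin and claims.get("admin") is not True:
        return 403, "admin role required"
    return 200, claims["sub"]


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed value, not a real key
    ISSUER, AUDIENCE = "https://sso.myapi.com", "myApi"  # from slide 22
    payload = {"sub": "1234567890", "iss": ISSUER, "aud": AUDIENCE,
               "exp": 1479814753, "name": "John Doe", "admin": True}
    hdrs = {"Authorization": "Bearer " + mint_hs256(payload, SECRET)}
    print(authorize(hdrs, SECRET, ISSUER, AUDIENCE, True, now=1479814000))  # (200, '1234567890')
    print(authorize(hdrs, SECRET, ISSUER, AUDIENCE, True, now=1479814753))  # (401, 'expired')
```

Two design points worth noting: the algorithm is pinned by the verifier rather than read from the token, and `hmac.compare_digest` is used for the signature comparison so timing does not leak which bytes matched. A real service would fetch the signing key from the identity provider and, per the last bullet above, also consult a revocation list before trusting a token that is otherwise valid.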
  28. WHAT DOES JAVA OFFER?

  29. WHAT DOES JAVA OFFER?
    ‣ Java EE / Jakarta EE: Java Security API (JSR-375)
    ‣ Spring Security 5: OAuth became First Class Citizen
    ‣ Apache Shiro: no OAuth2/OIDC/JWT
    ‣ Apache Oltu: OAuth2/OIDC/JWT, but who knows?
    ‣ and many more…
  30. JWT LIBRARIES (JAVA)
    ‣ github.com/auth0/java-jwt
    ‣ bitbucket.org/b_c/jose4j
    ‣ bitbucket.org/connect2id/nimbus-jose-jwt
    ‣ github.com/jwtk/jjwt
    ‣ and many more…
  31. WHAT DOES THE ECOSYSTEM OFFER?

  32. WHAT DOES THE ECOSYSTEM OFFER?
    ‣ Auth0
    ‣ AWS Cognito
    ‣ Stormpath
    ‣ and many more…
    ‣ BUT: you have to outsource your users’ personal data (and passwords)!
  33. Open Source Identity and Access Management for Modern Applications and Services MIGHT(!) BE A GOOD FIT: keycloak.org
  34. LET’S DO SOME DEMO!

  39. THANK YOU. ANY QUESTIONS? Niko Köbler | www.n-k.de | niko@n-k.de | @dasniko. AUTH* FOR MICROSERVICES & WEB APIS