
Authentication & Authorization for Microservices and Web APIs

Niko Köbler
November 27, 2017


  1. AUTHENTICATION & AUTHORIZATION

    FOR MICROSERVICES & WEB APIS
    NIKO KÖBLER (@DASNIKO)


  2. ABOUT ME
    ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
    ▸ Doing stuff with & without computers, writing Software, ~ 20 yrs
    ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
    ▸ Speaker at international Tech Conferences
    ▸ Author of „Serverless Computing in AWS Cloud“ (German)

    serverlessbuch.de
    ▸ Twitter: @dasniko


  3. SECURITY
    OWASP (TOP10)


  4. AUTHENTICATION
    AUTHORIZATION


  5. AUTHENTICATION
    I don’t know who you are.
    AUTHORIZATION
    I know who you are, but you’re not allowed.


  6. HTTP STATUS CODES
    401 UNAUTHORIZED
    means not authenticated (despite its name; the response must carry a WWW-Authenticate challenge, e.g. WWW-Authenticate: Bearer)
    403 FORBIDDEN
    means authenticated, but not authorized (re-sending credentials will not help)


  7. DISTRIBUTED APIS


  8. DISTRIBUTED APIS
    ONE CENTRALIZED APPROACH
    FOR DISTRIBUTED SYSTEMS
    WHEN IT COMES TO AUTH*?
    YES, IT’S CALLED SINGLE SIGN ON!


  9. SIMPLY
    ——————————————————
    SECURE


  10. HOW DO YOU
    AUTHENTICATE?


  11. TOKEN!


  12. SAML - SECURITY ASSERTION MARKUP LANGUAGE
    <samlp:Response
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05">
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      ...
      <saml:Assertion ... ID="3f7b3dcf-1674-4ecd-92c8-1544f346baf8" ...>
        ...
        <saml:SubjectConfirmationData
          InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
          Recipient="https://sp.example.com/SAML2/SSO/POST"
          NotOnOrAfter="2004-12-05T09:27:05"/>
        ...
      </saml:Assertion>
    </samlp:Response>


  13. OAUTH2
    AUTHORIZATION, NOT AUTHENTICATION!
    The OAuth 2.0 authorization framework enables
    a 3rd-party application to obtain limited access
    to an HTTP service.
    IETF, RFC 6749, 2012


  14. OAUTH2 GRANT TYPES
    GRANT TYPE                          | APPS
    Authorization Code                  | Web, Apps
    Implicit                            | JavaScript, etc.
    Resource Owner Password Credentials | Apps
    Client Credentials                  | Web (service-to-service, no end user involved)
    Refresh Token                       | Web, Apps
    Caveat: the OAuth 2.0 Security Best Current Practice (RFC 9700) discourages Implicit and Resource Owner Password Credentials; browser and native apps should use Authorization Code with PKCE instead.


  15. OAUTH2 ABSTRACT PROTOCOL FLOW


  16. ACCESS TOKEN
    {
    "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
    }
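The abstract flow of slides 14 to 16, carried through end to end for the Authorization Code and Refresh Token grants, as an added example (not code from the deck or from any product it mentions). Both sides are modelled offline: an authorization server with an authorize and a token endpoint, and a confidential web client. Client registration data, endpoint URL, secret and lifetimes are constructed assumptions. Tokens are opaque UUIDs, exactly as in the slide 16 response; the checks a practitioner cares about are the exact redirect_uri match, the single-use and short-lived code, the client-side state check, and refresh-token rotation.

```python
import secrets
import time
import uuid
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo data (assumptions, not from the slides): one registered
# confidential client and the endpoint of an imaginary authorization server.
AUTHORIZE_ENDPOINT = "https://sso.example.com/oauth/authorize"
CLIENT_ID = "web-app"
CLIENT_SECRET = "s3cr3t"
REDIRECT_URI = "https://app.example.com/callback"
REGISTERED_CLIENTS = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
CODE_LIFETIME = 60        # seconds; codes are short-lived and single-use
TOKEN_LIFETIME = 3600     # matches expires_in on slide 16


class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str, str, float]] = {}  # code -> (client_id, redirect_uri, user, issued_at)
        self._refresh: Dict[str, Tuple[str, str]] = {}            # refresh_token -> (client_id, user)
        self.access: Dict[str, Tuple[str, float]] = {}            # access_token -> (user, expires_at)

    def authorize(self, query: str, logged_in_user: str, now: Optional[float] = None) -> str:
        """Authorization endpoint. The user has already authenticated at the server
        (the step OAuth2 itself does not define); issue a one-time code and redirect."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = REGISTERED_CLIENTS.get(q.get("client_id", ""))
        if client is None or q.get("response_type") != "code":
            raise ValueError("invalid_request")
        # redirect_uri must equal the registered value exactly (no prefix or wildcard matching)
        if q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (q["client_id"], q["redirect_uri"], logged_in_user,
                             time.time() if now is None else now)
        # state is echoed back untouched so the client can bind the response to its own session
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form: Dict[str, str], now: Optional[float] = None) -> Dict[str, object]:
        """Token endpoint for the authorization_code and refresh_token grants."""
        now = time.time() if now is None else now
        client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self._codes.pop(form.get("code", ""), None)  # pop: a code is redeemable once
            if (entry is None or entry[0] != form["client_id"]
                    or entry[1] != form.get("redirect_uri") or now - entry[3] > CODE_LIFETIME):
                return {"error": "invalid_grant"}
            user = entry[2]
        elif grant == "refresh_token":
            entry = self._refresh.pop(form.get("refresh_token", ""), None)  # rotate: old token dies
            if entry is None or entry[0] != form["client_id"]:
                return {"error": "invalid_grant"}
            user = entry[1]
        else:
            return {"error": "unsupported_grant_type"}
        return self._issue(form["client_id"], user, now)

    def _issue(self, client_id: str, user: str, now: float) -> Dict[str, object]:
        # Opaque tokens as on slide 16; the resource server looks them up (or introspects them)
        access, refresh = str(uuid.uuid4()), str(uuid.uuid4())
        self.access[access] = (user, now + TOKEN_LIFETIME)
        self._refresh[refresh] = (client_id, user)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "refresh_token": refresh}


class Client:
    """The relying web application (a confidential client, so it holds a secret)."""

    def start_login(self) -> Tuple[str, str]:
        state = secrets.token_urlsafe(16)  # per-login CSRF token, kept in the user's session
        url = AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "state": state})
        return url, state

    def handle_callback(self, redirect_url: str, expected_state: str,
                        server: AuthorizationServer) -> Dict[str, object]:
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not secrets.compare_digest(q.get("state", ""), expected_state):
            raise ValueError("state mismatch: possible CSRF / code injection")
        # back-channel call to the token endpoint; the browser never sees secret or tokens
        return server.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                             "redirect_uri": REDIRECT_URI,
                             "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})


def run_flow(server: AuthorizationServer, user: str) -> Tuple[Dict[str, object], str]:
    """Drive one login end to end; returns the token response and the code that was redeemed."""
    client = Client()
    url, state = client.start_login()
    redirect = server.authorize(urlparse(url).query, logged_in_user=user)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    return client.handle_callback(redirect, state, server), code
```

Replaying a redeemed code, reusing a rotated refresh token, presenting a wrong client secret, or sending an unregistered redirect_uri are all rejected; a real server would additionally bind the code to a PKCE verifier for public clients.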


  17. OPEN ID CONNECT
    NOT OPEN ID!
    AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
    ‣ verify the identity of an end-user
    ‣ obtain basic profile information about the user
    ‣ RESTful HTTP API, using JSON as data format
    ‣ allows clients of all types (web-based, mobile, JavaScript)
    OPENID FOUNDATION, 2014


  18. OIDC
    {
    "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "???",
    "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
    }
    OPENID CONNECT ADDS THE ID TOKEN (the response parameter is id_token): a signed JWT that tells the client who authenticated, when, and at which issuer. It is addressed to the client (aud = client_id), not to the API; the access token is still what goes to the API.


  19. JWT
    JSON WEB TOKEN
    RFC 7519 STANDARD, 2015


  20. JWT
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    BASE64URL ENCODED: header.payload.signature
    (encoded, not encrypted: anyone holding the token can read the claims; only the signature protects them from tampering)


  21. JSON WEB TOKEN


  22. JWT PAYLOAD
    {
    "sub": "1234567890",
    "iss": "https://sso.myapi.com",
    "aud": "myApi",
    "exp": 1479814753,
    "name": "John Doe",
    "admin": true
    }
    REGISTERED CLAIMS (RFC 7519 §4.1):
    sub, iss, aud, exp (also iat, nbf, jti); name and admin are private claims
    A resource server must check exp, iss and aud before trusting any other claim.


  23. OPEN ID CONNECT STANDARD CLAIMS
    http://openid.net/specs/openid-connect-core-1_0.html


  24. ACCESS TOKEN
    {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
    }
    (the same token response as before, now with all three tokens issued as JWTs)


  25. TOKEN USAGE


  26. TOKEN USAGE


  27. TOKENS
    ‣ Basis for access to secured resources.
    ‣ A token is signed and carries all necessary information about the user and their roles.
    ‣ Kinds: ID token, access token, refresh token (and offline token).
    ‣ Sent in Bearer format:
      Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
    ‣ Have a TTL! (verify exp on every request, and keep access tokens short-lived)
    ‣ Must be revocable! (a self-contained JWT cannot be recalled once issued; revocation in practice means a short access-token TTL plus revoking the refresh token at the issuer, or an introspection or denylist check on each request)
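What the resource server side of slides 6, 20 to 22 and 27 looks like in code, as an added example (not code from the deck or from any library it lists): a bearer token is pulled from the Authorization header, the JWT is split into its base64url segments, and the signature, alg, iss, aud and exp are checked before a role claim is consulted. Failures of authentication map to 401, a valid token without the required role maps to 403. The HS256 shared secret is a constructed assumption (a production API would more commonly verify RS256/ES256 with the issuer's public key); iss and aud values are the ones from the slide 22 payload, and the mint helper exists only to build inputs.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo material (assumptions, not from the slides): a symmetric HS256
# key shared by issuer and API. Real deployments usually use RS256/ES256 and
# fetch the issuer's public keys instead of sharing a secret.
SECRET_KEY = b"demo-secret-change-me"
ISSUER = "https://sso.myapi.com"   # iss value from the slide 22 payload
AUDIENCE = "myApi"                 # aud value from the slide 22 payload


class TokenError(Exception):
    """Any token problem that must be answered with 401."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint(payload: dict, key: bytes = SECRET_KEY, alg: str = "HS256") -> str:
    """Build a token for the demo only. alg='none' yields the unsigned form an attacker sends."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{body}."
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify_jwt(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> dict:
    """Check alg, signature, iss, aud and exp; return the claims or raise TokenError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError) as exc:  # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")
    # Pin the algorithm on the verifier side; never let the token choose
    # (rejects alg=none and public-key-as-HMAC-secret confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    if payload.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = payload.get("aud")                           # aud may be a string or a list
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not meant for this API")
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise TokenError("token expired")
    return payload


def handle_request(headers: dict, need_admin: bool = False,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Map the token checks onto the status codes of slide 6."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "no bearer token"          # reply with WWW-Authenticate: Bearer (RFC 6750)
    try:
        claims = verify_jwt(token.strip(), now=now)
    except TokenError as exc:
        return 401, str(exc)                   # not authenticated
    subject = str(claims.get("sub", "?"))
    if need_admin and claims.get("admin") is not True:
        return 403, f"{subject} is not admin"  # authenticated, but not authorized
    return 200, subject


if __name__ == "__main__":
    token = mint({"sub": "1234567890", "iss": ISSUER, "aud": AUDIENCE,
                  "exp": int(time.time()) + 300, "name": "John Doe", "admin": True})
    print(handle_request({"Authorization": f"Bearer {token}"}, need_admin=True))
```

The slide 22 payload itself (exp 1479814753, November 2016) is rejected as expired by this verifier, which is the point of the TTL bullet; the same checks apply to an ID token, with aud compared against the client_id instead of the API name.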


  28. WHAT DOES

    JAVA OFFER?


  29. WHAT DOES JAVA OFFER?
    ‣ Java EE / Jakarta EE: Java Security API (JSR-375)
    ‣ Spring Security 5: OAuth became First Class Citizen
    ‣ Apache Shiro: no OAuth2/OIDC/JWT
    ‣ Apache Oltu: OAuth2/OIDC/JWT, but who knows?
    ‣ and many more…


  30. JWT LIBRARIES (JAVA)
    ‣ github.com/auth0/java-jwt
    ‣ bitbucket.org/b_c/jose4j
    ‣ bitbucket.org/connect2id/nimbus-jose-jwt
    ‣ github.com/jwtk/jjwt
    ‣ and many more…


  31. WHAT DOES THE

    ECOSYSTEM OFFER?


  32. WHAT DOES THE ECOSYSTEM OFFER?
    ‣ Auth0
    ‣ AWS Cognito
    ‣ Stormpath
    ‣ and many more…
    ‣ BUT: you have to outsource your users' personal data (and their passwords)!


  33. KEYCLOAK
    Open Source Identity and Access Management
    for Modern Applications and Services
    MIGHT(!) BE A GOOD FIT
    keycloak.org


  34. LET’S DO SOME

    DEMO!



  39. THANK YOU.
    ANY QUESTIONS?
    Niko Köbler | www.n-k.de | [email protected] | @dasniko
    AUTH* FOR MICROSERVICES & WEB APIS
