SSO for Microservices and Distributed Java Apps

Transcript

1. FOR MICROSERVICES AND DISTRIBUTED (JAVA EE) APPLICATIONS SINGLE-SIGN-ON Niko Köbler

   So ware-Architect, Developer & Trainer | | [email protected] www.n-k.de @dasniko

2. @dasniko

3. SECURITY OWASP

4. AUTHENTICATION I don't know who you are! AUTHORIZATION I know

   who you are, but you're not allowed!

5. SECURITY Same approach for Microservices AND Monoliths? Centralized?

6. SIMPLY SECURE

7. None

8. OAUTH2 Authorization, NOT Authentication! The OAuth 2.0 authorization framework enables

   a 3rd-party application to obtain limited access to an HTTP service. IETF

9. OIDC OpenID Connect - NOT OpenID Authentication layer on top

   of OAuth 2.0 verify the identity of an end-user obtain basic profile information about the end-user RESTful HTTP API, using JSON as data format allows clients of all types (web-based, mobile, JavaScript) OpenID Foundation

10. BUT, WANTS TO THEIR ENTERPRISE TO GOOGLE/TWITTER/FACEBOOK? WHO STORE USER

    DATA Plus, additional: LDAP / AD other Directories other Database Tables need to be integrated!

11. DO IT ON !? YOUR OWN for each and every

    application password recovery registration remember me user/email verification ...? And your users should login (and authenticate) themselves at each of your applications? Over and over again? With different passwords?

12. FRUSTRATING!

13. WHAT ABOUT ? DISTRIBUTED ENVIRONMENTS

14. DISTRIBUTED ENVIRONMENTS Microservices REST-only Services Single Page Applications Mobile Apps

    Offline option

15. TOKEN TO THE RESCUE

16. TOKEN TO THE RESCUE OAuth2, , SAML, X.509 JWT

17. SAML <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05"> <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer> <ds:Signature

    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signatu <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" 3f7b3dcf-1674-4ecd-92c8-1544f346baf8 </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" <saml:SubjectConfirmationData InResponseTo="aaf23196-1773-2113-474a-fe114412ab72" Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05"/> </saml:SubjectConfirmation> </saml:Subject> ... </saml:Assertion> OASIS Standard, 2005

18. JWT JSON WEB TOKEN Standard, 2015 RFC 7519 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. .TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

    eyJzdWIiOiIxMjM0N TY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV 9

19. JSON WEB TOKEN jwt.io

20. TOKENS Base for access on secured resources. A is and

    contains all necessary about the user and its roles. token signed information Kinds: , Refresh-, Offline- and Identity- Accesstokens Hava a TTL! Must be revocable!

21. WHAT DOES OFFER? JAVA

22. WHAT DOES JAVA OFFER? JAVA EE nothing useful so far

    JAAS? (proprietary) perhaps Java EE 8 (Security API, JSR-375)

23. WHAT DOES JAVA OFFER? SPRING SECURITY good, powerful Spring Cloud

    Security / OAuth2

24. WHAT DOES JAVA OFFER? APACHE SHIRO https://shiro.apache.org OAuth2? / OIDC?

25. WHAT DOES JAVA OFFER? APACHE OLTU https://oltu.apache.org/ OAuth2 / OIDC

    / JWT

26. WHAT DOES JAVA OFFER? PAC4J http://www.pac4j.org The to protect all

    your web applications. Java security engine Available for most frameworks/tools: J2E • Spring Web MVC (Spring Boot) • Spring Security (Spring Boot) • Shiro Play 2.x • Vertx • Spark Java • Ratpack • Undertow CAS server • JAX-RS • Dropwizard • Knox • Jooby

27. WHAT DOES JAVA OFFER? JWT LIBRARIES github.com/auth0/java-jwt bitbucket.org/b_c/jose4j bitbucket.org/connect2id/nimbus-jose-jwt github.com/jwtk/jjwt

28. AND THE ? ECOSYSTEM SAAS? AAAS? Auth0 auth0.com AWS Cognito

    aws.amazon.com/cognito Stormpath stormpath.com But again, you have to outsource your users personal data!

29. So, what to do? Develop on your own? How? Much

    effort!

30. INTEGRATED AND FOR BROWSER APPS AND RESTFUL WEB SERVICES SSO

    IDM

31. KEYCLOAK JBoss since ~2013 Open Source So ware hosted at

    GitHub very active Community (commits, pullrequests, mailinglists) constant and regular feature- and bugfix-releases current version: 2.3.0.Final good & comprehensive documentation

32. DISTRIBUTIONS Demo Appliance Standalone Server Overlay for JBoss EAP/Wildfly Docker

    Image OpenShi Cloud Service (SaaS)

33. #FEATURES Single-Sign-On, Single-Sign-Out, Self-Registration, Forgot Password, Verify User/Email, TOTP, various

    Verification (Work-)Flows, Customer Attributes, Custom Federation Provider, SPIs, Social Logins, Custom Themes, JWT, OAuth2, Bearer Token, Open ID Connect (OIDC), SAML, Account Management, Management Console, CORS handling, Impersonation, etc...
34. None

35. STANDARDS SAML 2.0 OASIS 2005 OAuth 2.0 RFC 6749 2012

    OpenID Connect 1.0 OpenID Foundation 2014 JWT RFC 7519 2015

36. ARCHITECTURE

37. ADAPTERS (I) JBoss EAP (6, 7) / Wildfly (9, 10)

    Tomcat (6, 7, 8) Jetty (8.1.x, 9.x) JBoss Fuse Apache Karaf Spring Boot Spring Security Servlet Adapter JavaScript own implementation

38. ADAPTERS (II) OAuth2, OpenIDC, Tokenvalidation libraries/modules/frameworks own implementation of OAuth2/OIDC

    Apache mod openid connect Keycloak Proxy

39. S FLOW

40. SINGLE-SIGN-ON

41. LOGIN not logged in, secured resource or login

42. LOGIN redirect to Keycloak, user not logged in, login form

43. LOGIN credentials

44. LOGIN create session, set cookies, back to application, handle tokens,

    application delivers resource

45. LOGIN secured resource or login

46. LOGIN redirect to Keycloak, user logged in, back to application,

    handle tokens, application delivers resource

47. SINGLE-SIGN-OUT

48. LOGOUT logout on Keycloak

49. LOGOUT redirect to application, delete cookies, kill session, back to

    application, application delivers resource

50. LOGOUT k_logout event to all configured admin URLs

51. DEMO Spring Boot ("full" web app) dasniko/keycloak-springboot-demo Java EE (JBoss

    Wildfly, REST-only services) dasniko/keycloak-javaee-demo React.JS SPA (JavaScript client app)

52. THANK ! YOU ANY ? QUESTIONS Niko Köbler So ware-Architect,

    Developer & Trainer | | [email protected] www.n-k.de @dasniko