Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building a digital ID card for authentication

Jens Segers
May 03, 2018
0
30

Building a digital ID card for authentication

When we need to identify ourselves in the real world, we use our ID card as a proof of identity. We trust it, because is issued by the government. Could we build a digital ID card, based on the same principles, that we can use in our application instead of relying on cookies and sessions?

Spoiler alert; we'll talk about Microservices, Cryptography, JSON Web Tokens and OAuth2.

Jens Segers

May 03, 2018
Tweet

More Decks by Jens Segers

See All by Jens Segers
JSON Web Tokens in a microservice architecture (PHPBenelux)
jenssegers
0
440
JSON Web Tokens - PHP Antwerp
jenssegers
0
180
Testing API's with Behat
jenssegers
0
260
Apps for Ghent - Realo
jenssegers
0
270
Hashids and Perceptual hashes
jenssegers
2
110
An introduction to automated development environment and Laravel Homestead
jenssegers
0
210
Git 101
jenssegers
1
170

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Optimizing for Happiness
mojombo
376
70k
Designing Experiences People Love
moore
138
23k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
It's Worth the Effort
3n
183
27k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
The Language of Interfaces
destraynor
154
24k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Scaling GitHub
holman
458
140k

Transcript

  1. DIGITAL PROOF OF IDENTITY JENS SEGERS

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None

  8. SUCKS FOR MICRO-SERVICE ARCHITECTURES

  9. None
  10. None
  11. None
  12. None

  13. XML

  14. !

  15. JSON

  16. { "iss": "Belgian Government" }

  17. { "iss": "Belgian Government", "sub": "89.08.19-123.45" }

  18. { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800

    }

  19. { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800,

    "name": "Jens Segers", "gender": "M" }
  20. None
  21. None

  22. BLOCKCHAIN?

  23. ASSYMETRIC CRYPTOGRAPHY

  24. None
  25. None

  26. OUR ID CARD JSON DATA { "iss": "Belgian Government", "sub":

    "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }

  27. BASE64 ENCODE ewogICAgImlzcyI6ICJCZWxnaWFuIEdvdmVybm1lbnQiLAo gICAgInN1YiI6ICI4OS4wOC4xOS0xMjMuNDUiLAogICAgIm lhdCI6IDE0NTE2MDY0MDAsCiAgICAiZXhwIjogMTU3NzgzN jgwMCwKICAgICJuYW1lIjogIkplbnMgU2VnZXJzIiwKICAg ICJnZW5kZXIiOiAiTSIKfQ==

  28. CREATE SHA256 HASH 1217b3c09be5c32c33c71078a6653481617e91e77dfcda0159463eb2d637185b

  29. ENCRYPT WITH ISSUER PRIVATE KEY 7n_TNcPNUJlDL6N1byA4dxcnpkVC6vxyOzCNy-9Nzu4

  30. None

  31. SIGNATURE VALIDATION 1. Also base64 encode and hash the original

    message 2. Decrypt the signature with the sender's public key 3. Compare own hash with decrypted hash from signature

  32. DIGITAL ID CARD CHECKLIST • Data easily readable by applica0ons?

    • Can we easily validate the issuer? • Protected against fake id cards? • Protected against data tampering? • Can we pass it to other microservices?
  33. None

  34. JSON WEB TOKENS AKA. JWT

  35. JWT STRUCTURE eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ 1. Header 2. Payload 3.

    Signature

  36. HEADER eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ { "alg": "HS256", "typ": "JWT" }

  37. PAYLOAD (CLAIMS) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ { "iss": "Belgian Government", "sub":

    "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }

  38. SIGNATURE eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ Calculated based on the header.payload, using

    symmetric or asymmetric cryptography
  39. None
  40. None

  41. USE CASES

  42. STATELESS AUTHENTICATION

  43. None
  44. None
  45. None

  46. JWT Standard for transmi-ng informa/on

  47. OAUTH2 Standard for authoriza.on

  48. None

  49. OAUTH2 + JWT JWT access tokens containing a user iden2fier

    and scopes. { "iss": "teamleader", "sub": "123456", "iat": 1483708050, "exp": 1483711650, "scopes": ["companies", "contacts"] }

  50. OAUTH2 + JWT • No need for an access token

    table • The client can check if the token is expired • No database calls to validate the access token, get the user id, scopes, ... • Possibility to share tokens across micro-services
  51. None
  52. None

  53. DOWNSIDES • Access tokens can't easily be revoked, unless you

    keep a list of tokens to revoke • Token data can go stale • Best prac;ce to have short TTL • The more embedded data, the bigger the JWT • Not encrypted, unless you use JWE

  54. TEMPORARY LINKS public.acme.com/mQsh79zqGb9pxGz2...

  55. None

  56. TEMPORARY LINKS { "sub": 1234567890, "exp": 1483711650, "version": 1 }

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ. NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc

  57. JWT AT TEAMLEADER • JWT OAuth2 access tokens, RSA signed

    (league/oauth2-server) • Separated OAuth2 micro-service, share access tokens across micro-services API's • Temporary access links

  58. Ques%ons?

  59. Jens Segers @jenssegers

  60. jobs.teamleader.eu