
Building a digital ID card for authentication

Jens Segers
May 03, 2018

When we need to identify ourselves in the real world, we use our ID card as proof of identity. We trust it because it is issued by the government. Could we build a digital ID card, based on the same principles, that we can use in our application instead of relying on cookies and sessions?

Spoiler alert: we'll talk about microservices, cryptography, JSON Web Tokens and OAuth2.


Transcript

  1. XML

  2. !

  3. OUR ID CARD JSON DATA
     { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }

  4. SIGNATURE VALIDATION
     1. Also base64 encode and hash the original message
     2. Decrypt the signature with the sender's public key
     3. Compare own hash with decrypted hash from signature

  5. DIGITAL ID CARD CHECKLIST
     • Data easily readable by applications?
     • Can we easily validate the issuer?
     • Protected against fake ID cards?
     • Protected against data tampering?
     • Can we pass it to other microservices?

  6. OAUTH2 + JWT
     JWT access tokens containing a user identifier and scopes.
     { "iss": "teamleader", "sub": "123456", "iat": 1483708050, "exp": 1483711650, "scopes": ["companies", "contacts"] }

  7. OAUTH2 + JWT
     • No need for an access token table
     • The client can check if the token is expired
     • No database calls to validate the access token, get the user id, scopes, ...
     • Possibility to share tokens across micro-services

  8. DOWNSIDES
     • Access tokens can't easily be revoked, unless you keep a list of tokens to revoke
     • Token data can go stale
     • Best practice to have a short TTL
     • The more embedded data, the bigger the JWT
     • Not encrypted, unless you use JWE

  9. TEMPORARY LINKS
     { "sub": 1234567890, "exp": 1483711650, "version": 1 }
     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ.NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc

  10. JWT AT TEAMLEADER
     • JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
     • Separated OAuth2 micro-service, share access tokens across micro-service APIs
     • Temporary access links
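The signature validation steps of slide 4, the client-side expiry check of slide 7 and the temporary-link token of slide 9, worked through as an added Python example that is not code from the talk or from Teamleader. The slide 9 token's header names HS256, so verification here recomputes an HMAC over header.payload rather than the RSA "decrypt with the public key" step; DEMO_KEY is a constructed placeholder, and the slide's token is only decoded, not verified, because its key is not on the page.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret for this example; the talk's real keys are not shown.
DEMO_KEY = b"example-hs256-key-do-not-reuse"

# The temporary-link token from slide 9, used here only to read its claims.
SLIDE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ."
               "NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc")

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj):
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def sign_hs256(claims, key):
    """Issue a compact JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = b64url_encode(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url_encode(compact_json(claims))
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def read_claims_unverified(token):
    """What any holder (e.g. a client checking 'exp', slide 7) can read without the key."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token, key, now=None):
    """Return (claims, None) if the token is authentic and unexpired, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side; never let the token's own 'alg' pick the check.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Slide 4, step 3: compare our own MAC with the one in the token, in constant time.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, None
```

Because the payload is only base64url-encoded, a tampered "sub" is caught solely by the MAC check; a short "exp" (slide 8) limits how long a leaked token stays useful.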