Building a digital ID card for authentication

Jens Segers
May 03, 2018

When we need to identify ourselves in the real world, we use our ID card as proof of identity. We trust it because it is issued by the government. Could we build a digital ID card, based on the same principles, that we can use in our application instead of relying on cookies and sessions?

Spoiler alert: we'll talk about microservices, cryptography, JSON Web Tokens and OAuth2.

Transcript

  1. DIGITAL PROOF OF IDENTITY JENS SEGERS

  8. SUCKS FOR MICRO-SERVICE ARCHITECTURES

  13. XML

  14. !

  15. JSON

  16. { "iss": "Belgian Government" }

  17. { "iss": "Belgian Government", "sub": "89.08.19-123.45" }

  18. { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800 }

  19. { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }
  22. BLOCKCHAIN?

  23. ASYMMETRIC CRYPTOGRAPHY

  26. OUR ID CARD JSON DATA { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }

  27. BASE64 ENCODE ewogICAgImlzcyI6ICJCZWxnaWFuIEdvdmVybm1lbnQiLAogICAgInN1YiI6ICI4OS4wOC4xOS0xMjMuNDUiLAogICAgImlhdCI6IDE0NTE2MDY0MDAsCiAgICAiZXhwIjogMTU3NzgzNjgwMCwKICAgICJuYW1lIjogIkplbnMgU2VnZXJzIiwKICAgICJnZW5kZXIiOiAiTSIKfQ==

  28. CREATE SHA256 HASH 1217b3c09be5c32c33c71078a6653481617e91e77dfcda0159463eb2d637185b

  29. ENCRYPT WITH ISSUER PRIVATE KEY 7n_TNcPNUJlDL6N1byA4dxcnpkVC6vxyOzCNy-9Nzu4

  31. SIGNATURE VALIDATION
    1. Also base64 encode and hash the original message
    2. Decrypt the signature with the sender's public key
    3. Compare own hash with decrypted hash from signature

  32. DIGITAL ID CARD CHECKLIST
    • Data easily readable by applications?
    • Can we easily validate the issuer?
    • Protected against fake ID cards?
    • Protected against data tampering?
    • Can we pass it to other microservices?
  34. JSON WEB TOKENS AKA. JWT

  35. JWT STRUCTURE eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    1. Header
    2. Payload
    3. Signature

  36. HEADER eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    { "alg": "HS256", "typ": "JWT" }

  37. PAYLOAD (CLAIMS) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }

  38. SIGNATURE eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    Calculated based on the header.payload, using symmetric or asymmetric cryptography
  41. USE CASES

  42. STATELESS AUTHENTICATION

  46. JWT Standard for transmitting information

  47. OAUTH2 Standard for authorization

  49. OAUTH2 + JWT JWT access tokens containing a user identifier and scopes.
    { "iss": "teamleader", "sub": "123456", "iat": 1483708050, "exp": 1483711650, "scopes": ["companies", "contacts"] }
  50. OAUTH2 + JWT
    • No need for an access token table
    • The client can check if the token is expired
    • No database calls to validate the access token, get the user id, scopes, ...
    • Possibility to share tokens across micro-services
  53. DOWNSIDES
    • Access tokens can't easily be revoked, unless you keep a list of tokens to revoke
    • Token data can go stale
    • Best practice to have a short TTL
    • The more embedded data, the bigger the JWT
    • Not encrypted, unless you use JWE
  54. TEMPORARY LINKS public.acme.com/mQsh79zqGb9pxGz2...

  56. TEMPORARY LINKS { "sub": 1234567890, "exp": 1483711650, "version": 1 }
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ.NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc

  57. JWT AT TEAMLEADER
    • JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
    • Separated OAuth2 micro-service, share access tokens across micro-service APIs
    • Temporary access links
  58. Questions?

  59. Jens Segers @jenssegers

  60. jobs.teamleader.eu
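Added example, not code from the talk or from Teamleader: a minimal Python signer and verifier for the header.payload.signature structure of slides 35-38, applying the validation steps of slide 31 and the local expiry check of slide 50. It uses the HS256 (HMAC-SHA256) variant shown in the slide header rather than the RSA signing of slides 28-29, so one shared key both signs and verifies; the key and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example, not code from the talk: minimal HS256 JWT signer/verifier.

def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; re-adds the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature; the signature is HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}           # no whitespace, as in the slide tokens
    signing_input = (b64url(json.dumps(header, **compact).encode()) + "."
                     + b64url(json.dumps(claims, **compact).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def peek_claims(token: str) -> dict:
    """Unverified payload read; only good for the client-side expiry check of slide 50."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes, now: int) -> Optional[dict]:
    """Slide 31 for HMAC: recompute the MAC over header.payload and compare. Returns claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None                                # malformed token
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The verifier decides the algorithm; a token announcing "none" or any other alg is rejected.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare so the check does not leak how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    if "exp" in claims and now >= claims["exp"]:
        return None                                # expired: the short-TTL advice of slide 53
    return claims
```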