JSON Web Tokens in a microservice architecture (PHPBenelux)


In this talk I'll introduce you to JSON Web Tokens (JWT) and how they might change your view on securely transmitting data between services. We'll take a look at what's inside a JSON Web Token, what makes them secure, and how you can use them in a microservice architecture.


Jens Segers

January 20, 2018

Transcript

  1. JSON WEB TOKENS - JENS SEGERS

  4. GITHUB PACKAGES
    • jenssegers/optimus - ID obfuscation
    • jenssegers/agent - User agent parsing, mobile & bot detection
    • jenssegers/date - Localized dates
    • jenssegers/imagehash - Perceptual image hashes
  6. JSON WEB TOKENS AKA. JWT

  7. JSON WEB TOKENS AKA. JWT AKA. JOT?

  8. JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

  9. JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
  10. JWT EXAMPLE
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

  11. JWT EXAMPLE
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    1. Header
    2. Payload
    3. Signature

  12. HEADER
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 (first dot-separated part of the token)
    { "alg": "HS256", "typ": "JWT" }

  13. PAYLOAD (CLAIMS)
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 (second dot-separated part of the token)
    { "iss": "acme.com", "sub": "1234567890", "exp": 1483711650, "name": "John Doe", "admin": true }

  14. SIGNATURE
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ (third dot-separated part of the token)
    // Symmetric (HS256): HMAC over "encoded header.encoded payload" with a shared secret.
    // Simplified for the slide: real JWTs use unpadded base64url encoding (not plain base64)
    // and the raw binary HMAC output.
    hash_hmac('sha256', base64_encode($header) . '.' . base64_encode($payload), 'secret-passphrase')

  15. SIGNATURE
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ (third dot-separated part of the token)
    // Asymmetric (RS256): sign the same "encoded header.encoded payload" string with a private key;
    // $signature receives the raw signature, which is then base64url-encoded into the token.
    openssl_sign(
        base64_encode($header) . '.' . base64_encode($payload),
        $signature,
        openssl_pkey_get_private('file://key.pem'),
        OPENSSL_ALGO_SHA256
    )

  16. SIGNATURE PURPOSE It provides proof of authenticity and integrity for the JWT data.

  17. CRYPTOGRAPHY 101

  21. SYMMETRIC SIGNATURES
    • All parties involved share a secret key
    • The sender calculates the signature using the secret key
    • The receiver re-calculates the signature and compares it with the received signature

  24. ASYMMETRIC SIGNATURES
    • The sender shares his public key with the receiver
    • The sender calculates the signature by hashing the data and encrypting it with his private key
    • The receiver validates the signature by decrypting the signature with the public key and compares the result with the original message

  25. SIGNATURE RECAP
    • Authenticity: Only trusted parties can generate and verify signatures
    • Integrity: You can't change the JWT data without regenerating a new signature
    • No secrecy! Alternative: JSON Web Encryption (JWE)
  27. USE CASES

  28. JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

  29. INFORMATION EXCHANGE

  30. INFORMATION EXCHANGE
    Plain JSON body:
    POST /transfer
    { "to": "171RaSzy9GYHCA8TuLYN5mwTWs3nnARfMZ", "amount": 1, "currency": "BTC" }

    The same request as a signed JWT:
    POST /transfer
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0byI6IjE3MVJhU3p5OUdZSENBOFR1TFlONW13VFdzM25uQVJmTVoiLCJhbW91bnQiOjF9.MW_K5DZTYCJADOp9ArTKIwB8m4knAG-Pdv_V9xXId2I

  31. TEMPORARY LINKS public.acme.com/mQsh79zqGb9pxGz2...

  33. TEMPORARY LINKS
    { "sub": 1234567890, "exp": 1483711650, "version": 1 }
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ.NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc
  34. STATELESS AUTHENTICATION

  35. BUT FIRST ... WHAT IS STATEFUL AUTHENTICATION?

  36. STATEFUL AUTHENTICATION
    1. User submits credentials
    2. Server generates a unique session id
    3. Session information is stored server side
    4. Server responds with a cookie containing the session id
    5. On every request the session and user data are fetched from the database/redis

  37. STATEFUL AUTHENTICATION
    • Cookies are bad for caching
    • Cookies are bad for CORS
    • Servers need a shared session storage
    • Servers need to query the storage to verify and get user/session information

  38. HELLO 2018

  39. STATELESS AUTHENTICATION WITH JWT

  40. STATELESS AUTHENTICATION WITH JWT
    1. User submits credentials
    2. (Authentication) Server responds with a JWT identifying the user
    3. On every request the client sends the received JWT in the Authorization header
    4. The server verifies the JWT by checking the signature
  41. OAUTH2?

  43. OAUTH2 AND JWT JWT access tokens containing user identifier and scopes.
    { "iss": "teamleader", "sub": "423523:534534", "exp": 1483711650, "iat": 1483708050, "scopes": ["companies", "contacts"] }

  44. ADVANTAGES
    • No need for an access token table
    • The client can check if the token is expired
    • No database calls to validate the access token, get the user id, scopes, ...
    • Possibility to have shared tokens across multiple micro-services

  47. DISADVANTAGES
    • Access tokens can't easily be revoked, unless you keep a list of tokens to revoke
    • Best practice to have a short TTL
    • The more embedded data, the bigger the JWT. No fixed size.
    • Not encrypted, unless you use JWE
    • Token data can go stale
  48. PHP PACKAGES
    • league/oauth2-server
    • lcobucci/jwt
    • firebase/php-jwt

  49. MIDDLEWARE EXAMPLE
    $token = $this->getBearerTokenFromRequest($request);
    $jwt = (new \Lcobucci\JWT\Parser())->parse($token);
    // verify() only checks the HMAC signature against the shared secret;
    // claim checks such as expiry (exp) and issuer (iss) are a separate step.
    if (!$jwt->verify(new \Lcobucci\JWT\Signer\Hmac\Sha256(), 'secret')) {
        throw new BadRequestException('Invalid token');
    }
    $identifier = $jwt->getClaim('sub');
    $scopes = $jwt->getClaim('scopes');
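The HS256 signing shown on slide 14 and the verification step of the middleware on slide 49, written out end to end as an added example (not code from the talk or from lcobucci/jwt), in Python with only the standard library so it runs anywhere. It uses the unpadded base64url encoding JWTs actually require, a constant-time HMAC comparison, pins the expected algorithm, and checks the exp and iss claims that a bare signature check does not cover; the optional revocation set illustrates the "list of tokens to revoke" workaround from slide 47. The secret, the issuer name and the jti value are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads this from configuration, never from source.
SECRET = b"demo-shared-secret"


def b64url_encode(data: bytes) -> str:
    """JWTs use unpadded base64url (RFC 7515), not the plain base64 shown on the slide."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the stripped '=' padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(payload: dict, secret: bytes) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def hs256_verify(token: str, secret: bytes, issuer: str, now=None, revoked=frozenset()) -> dict:
    """Verify signature and claims; return the payload or raise ValueError.

    This is the receiver side of slide 21: recompute the HMAC and compare it
    with the received signature. The claim checks are what the middleware on
    slide 49 still has to do after verify() succeeds.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the receiver decides which algorithm it accepts, never the token.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired")
    # Slide 47: stateless tokens can only be revoked by keeping a list of revoked ids.
    if payload.get("jti") in revoked:
        raise ValueError("revoked")
    return payload


if __name__ == "__main__":
    claims = {"iss": "acme.com", "sub": "1234567890", "exp": 1483711650, "name": "John Doe", "admin": True}
    token = hs256_sign(claims, SECRET)
    print(token)
    print(hs256_verify(token, SECRET, "acme.com", now=1483711649))
```

Note that the first segment of the produced token is exactly the header segment from slides 10 to 12, because the header JSON and its base64url encoding are fixed by the standard; only the payload and the secret change the rest.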
  50. JWT AT TEAMLEADER
    • JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
    • Separate OAuth2 micro-service; access tokens are accepted across the micro-services' APIs
    • Temporary access links
    • Store JWT data in a cookie for some small micro-services

  51. Questions?