Slide 1

Paris API Meetup, Jan 2018
Modern API Authentication 101

Slide 2

Léo Unbekandt @Soulou CTO, Scalingo

Slide 3

Scalingo v1: Single API Token
Web dashboard, CLI, other clients → same token

Slide 4

Scalingo Next-Gen API Authentication
Multizone

Slide 5

Scalingo Next-Gen API Authentication
Microservices

Slide 6

Scalingo Next-Gen API Authentication

- Horizontally scalable
- Third-party application authentication
- Convenient for developers
- …

Secure, obviously

Slide 7

Auth Method #1 - API Tokens
Algolia Dashboard

Slide 8

Auth Method #1 - API Tokens

Slide 9

Auth Method #1 - API Tokens

- Great for monoliths
- Great for intelligent reverse-proxies
- No delegation

$ curl --user ':' https://api.scalingo.com
# HTTP Header: 'Authorization: Basic base64(token)'

$ curl https://app-name.algolianet.com?x-algolia-api-key=token
# /!\ Token in URL, beware of the logs

Developers love it!
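The two curl forms above carry the same secret in two places: the `Authorization` header and the query string. The following added example (not code from the talk, Scalingo or Algolia; the token value and owner name are constructed) shows the server side of the header form, with the token compared against a stored digest in constant time, and a log-redaction helper for the URL form, which is what the "beware of the logs" warning is about:

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample registry: only a SHA-256 digest of each API token is
# stored, so a leaked table does not hand out usable tokens. Hypothetical data.
_TOKEN_DIGESTS = {
    hashlib.sha256(b"tok_demo_123456").hexdigest(): "app-demo",
}


def basic_auth_header(token):
    """Build what `curl --user ':token'` sends: 'Basic ' + base64(':' + token)."""
    return "Basic " + base64.b64encode((":" + token).encode()).decode()


def authenticate_basic(authorization):
    """Return the owner of the token in an Authorization header, or None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    # The user part is empty in the ':token' form; the token is the password part.
    _user, sep, token = raw.partition(":")
    if not sep or not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison over every stored digest: no early exit that
    # would leak how much of a guess matched.
    owner = None
    for stored, name in _TOKEN_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            owner = name
    return owner


def redact_token_in_url(url, param="x-algolia-api-key"):
    """A token in the query string ends up in access logs, proxies and browser
    history; replace it before the URL is written anywhere."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

`hmac.compare_digest` is used on the hex digests rather than on the raw tokens so that the comparison time does not depend on where the first differing byte sits.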

Slide 10

Auth Method #2 - OAuth2

Slide 11

Auth Method #2 - OAuth2

Slide 12

OAuth2

Actors: Resource Owner, Client, Auth + Resource server

① algolia app id + user + password + consent
② token
③ token
④ token + algolia app secret
⑤ access token
⑥ OK - authenticated

Slide 13

OAuth2 - Login with GitHub

$ POST https://www.algolia.com/auth/github/
→ 302 https://github.com/login/oauth/authorize?
    client_id=&
    redirect_uri=https://www.algolia.com/auth/github/callback&
    response_type=code&
    scope=user:email

- Login
- Consent of scope

Slide 14

OAuth2 - Login with GitHub

# Validate form
→ 302 https://www.algolia.com/auth/github/callback?code=

### Server-side
$ POST https://github.com/login/oauth/access_token
{
  "client_id": "",
  "client_secret": "",
  "code": ""
}
→ 201
{
  "access_token": "",
  "scope": "user:email",
  "token_type": "bearer"
}

### Client-side again
→ 302 https://www.algolia.com/dashboard

Slide 15

Auth Method #2 - OAuth2
→ Allow a service to query an API

What about… authenticating the users themselves?

Slide 16

Auth Method #2 bis

Actors: Soulou (user), Auth, API

① user + password
② credentials
③ authenticated request

Slide 17

OAuth2 - Login with GitHub - Reminder

$ POST https://www.algolia.com/auth/github/
→ 302 https://github.com/login/oauth/authorize?
    client_id=&
    redirect_uri=https://www.algolia.com/auth/github/callback&
    response_type=code&
    scope=user:email

response_type=code → code is not alone out there

Slide 18

OAuth2 - Authentication client-server

$ POST https://my.scalingo.com/login
→ 302 https://auth.scalingo.com/login/oauth/authorize?
    client_id=&
    redirect_uri=https://my.scalingo.com/auth/callback&
    response_type=token
→ 201
{
  "access_token": "",
  "expires_in": "3600",
  "token_type": "bearer"
}

Slide 19

OAuth2

Actors: Soulou (user), Auth, API

① user + password (logs)
② access token
③ authenticated request
   Token valid? (the API has to ask Auth)
③ authenticated request

Slide 21

Here comes JWT

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
HEADER: {"alg": "HS512", "typ": "JWT"}

eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K
PAYLOAD: {"exp": 1516641851, "sub": "1234567890"}

-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM
SIGNATURE: HMACSHA512(base64(header) + "." + base64(payload), secret)

Slide 22

Auth Method #3 - OAuth2 + JWT

$ POST https://my.scalingo.com/login
→ 302 https://auth.scalingo.com/login/oauth/authorize?
    client_id=&
    redirect_uri=https://my.scalingo.com/auth/callback&
    response_type=token&
    state=
→ 201
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM",
  "expires_in": "3600",
  "token_type": "bearer"
}

Slide 23

Auth Method #3 - OAuth2 + JWT

Actors: Soulou (user), Auth, API

① user + password (logs)
② access token
③ authenticated request
③ authenticated request

Slide 24

JWT Security 101

- Short lifetime (max 1h)
- Disable NONE algorithm
- Rotate secret key

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM
HEADER: {"alg": "HS512", "typ": "JWT"}
PAYLOAD: {"exp": 1516641851, "sub": "1234567890"}
SIGNATURE: HMACSHA512(base64(header) + "." + base64(payload), secret)
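The JWT layout from the "Here comes JWT" slide and the three rules on this slide, as one added example that is not code from the talk or from Scalingo. It uses HS256 (the algorithm the sample header's base64 actually decodes to), keeps an allowlist of algorithms so an `alg: none` header is refused, caps the lifetime at one hour, and looks signing keys up by a `kid` header so a retired key can be dropped after rotation. The key set, key ids and secrets are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key set: current key plus the previous one, selected by "kid",
# so tokens minted just before a rotation still verify until they expire.
KEYS = {
    "2018-01": b"old-secret-retired-after-rotation",
    "2018-02": b"current-secret-do-not-commit-me",
}
CURRENT_KID = "2018-02"
MAX_LIFETIME = 3600          # "Short lifetime (max 1h)"
ALLOWED_ALGS = {"HS256"}     # everything else, "none" included, is rejected


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input, key):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def mint(sub, lifetime=MAX_LIFETIME, now=None, kid=CURRENT_KID):
    """base64url(header) . base64url(payload) . base64url(HMAC-SHA256(header.payload, key))"""
    now = int(time.time()) if now is None else now
    lifetime = min(lifetime, MAX_LIFETIME)      # never issue longer than policy allows
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": sub, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload)).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input, KEYS[kid]))


def verify(token, now=None):
    """Return the payload of a token we issued; raise ValueError for anything else."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except ValueError:
        raise ValueError("malformed token")
    # The algorithm comes from our allowlist; header["alg"] only has to be in it.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed: %r" % header.get("alg"))
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown or retired kid")
    expected = _sign((h64 + "." + p64).encode(), key)
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if "exp" not in payload or payload["exp"] <= now:
        raise ValueError("token expired or has no exp")
    if payload["exp"] - payload.get("iat", now) > MAX_LIFETIME:
        raise ValueError("lifetime exceeds policy")
    return payload
```

Rotation works by adding the new key under a new `kid`, switching `CURRENT_KID`, and deleting the old entry once `MAX_LIFETIME` has passed; nothing signed with the old key can outlive that window, which is also why the lifetime cap matters.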

Slide 25

OAuth2 - Login GitHub done

### Server-side
$ POST https://github.com/login/oauth/access_token
{
  "client_id": "",
  "client_secret": "",
  "code": ""
}
→ 201
{
  "access_token": "",
  "scope": "user:email",
  "token_type": "bearer"
}

Slide 26

OAuth2 + JWT - Back to code response type

### Server-side
$ POST https://auth.scalingo.com/login/oauth/access_token
{
  "client_id": "",
  "client_secret": "",
  "code": ""
}
→ 201
{
  "access_token": "",
  "scope": "",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": ""
}
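The authorization code flow shown on the "Login with GitHub" slides and revisited here with `expires_in` and `refresh_token`, as one added example with both sides in memory (not code from the talk, Scalingo or GitHub; the client id, secret, redirect URI, code and token lifetimes are constructed). It shows the checks the text relies on without naming them: the `state` echoed back so a callback is tied to a login the client started, an exact match on the registered `redirect_uri`, the client secret used only server-to-server, codes that are single-use and short-lived, and refresh tokens rotated on every use:

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class AuthorizationServer:
    """Constructed stand-in for the auth.scalingo.com / github.com endpoints."""
    CODE_TTL = 600        # authorization codes are single-use and short-lived
    TOKEN_TTL = 3600      # matches "expires_in": 3600 on the slide

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}         # client_id -> (client_secret, redirect_uri)
        self.codes = {}           # code -> (client_id, scope, issued_at)
        self.refresh_tokens = {}  # refresh_token -> (client_id, scope)
        self.access_tokens = {}   # access_token -> (client_id, scope, expires_at)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, response_type, scope, state):
        """GET /login/oauth/authorize after the resource owner logged in and
        consented; returns the Location of the 302 back to the client."""
        if client_id not in self.clients:
            raise ValueError("unknown client_id")
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri must exactly match the registered one")
        if response_type != "code":
            raise ValueError("this demo only issues authorization codes")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, scope, self.clock())
        # state is echoed back untouched; the client uses it to match the callback
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _issue(self, client_id, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (client_id, scope, self.clock() + self.TOKEN_TTL)
        self.refresh_tokens[refresh] = (client_id, scope)
        return {"access_token": access, "scope": scope, "token_type": "bearer",
                "expires_in": self.TOKEN_TTL, "refresh_token": refresh}

    def token(self, client_id, client_secret, grant_type, code=None, refresh_token=None):
        """POST /login/oauth/access_token, server-to-server, with the client secret."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            entry = self.codes.pop(code, None)      # pop: a code is redeemable once
            if entry is None or entry[0] != client_id or self.clock() - entry[2] > self.CODE_TTL:
                return {"error": "invalid_grant"}
            return self._issue(client_id, entry[1])
        if grant_type == "refresh_token":
            entry = self.refresh_tokens.pop(refresh_token, None)  # rotate on use
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            return self._issue(client_id, entry[1])
        return {"error": "unsupported_grant_type"}

    def is_valid(self, access_token):
        """The 'Token valid?' round trip an API makes when tokens are opaque."""
        entry = self.access_tokens.get(access_token)
        return entry is not None and entry[2] > self.clock()


class WebClient:
    """The relying web app (www.algolia.com / my.scalingo.com on the slides)."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()   # would live in the user's session in a real app

    def start_login(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "response_type": "code", "scope": scope, "state": state}

    def handle_callback(self, location):
        params = parse_qs(urlsplit(location).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            return {"error": "state mismatch: callback not tied to a login we started"}
        self.pending_states.discard(state)   # one callback per login attempt
        return self.server.token(self.client_id, self.client_secret,
                                 "authorization_code", code=params["code"][0])


def run_login(server, client, scope="user:email"):
    """Drive the whole flow once and return the token response."""
    request = client.start_login(scope)
    location = server.authorize(**request)   # browser: login + consent, then 302 back
    return client.handle_callback(location)
```

`is_valid` is the round trip the "Token valid?" arrow on the OAuth2 diagram stands for; the JWT variant removes it because the API can check the signature and `exp` itself.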

Slide 27

To take away

- API keys
  - Best developer experience
  - Difficult to distribute
- OAuth2
  - Auth delegation
  - Standard protocol
- OAuth2 + JWT
  - Distributed validation
  - Stateless

> Methods are not exclusive (i.e. GitHub)

Slide 28

References & Credits

- https://tools.ietf.org/html/rfc6749 - OAuth2
- https://tools.ietf.org/html/rfc7519 - JWT
- https://tools.ietf.org/html/rfc7515 - JWS (Signature)
- https://tools.ietf.org/html/rfc7516 - JWE (Encrypted)

Icons (licensed CC BY from Noun Project):
- Icon User: by Tony Wallström, SE
- Icon Datacenter: by Vectors Market
- Icon Gears: by Danil Polshin, RU
- Icon Key: by Andrejs Kirma, LV

Slide 29

Questions?
(Let's speak about JWT revocation)

Léo Unbekandt @Soulou