Slide 1

SINGLE-SIGN-ON FOR WEB APIS
Niko Köbler, Software-Architect, Developer & Trainer | niko@n-k.de | www.n-k.de | @dasniko

Slide 2

@dasniko

Slide 3

SERVERLESS BUCH | entwickler.press | ~ autumn 2017 | serverlessbuch.de | @serverlessbuch

Slide 4

OWASP SECURITY

Slide 5

AUTHENTICATION: I don't know who you are!
AUTHORIZATION: I know who you are, but you're not allowed!

Slide 6

SECURITY: Same centralized approach for Web-APIs, Microservices and Monoliths!?

Slide 7

SIMPLY SECURE

Slide 8

No content

Slide 9

APIS ARE OFTEN DISTRIBUTED

Slide 10

TOKEN TO THE RESCUE

Slide 11

SAML: OASIS Standard, 2005
https://idp.example.org/SAML2 ... ...

Slide 12

OAUTH 2: Authorization, NOT Authentication!
IETF, RFC 6749, 2012
"The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service."

Slide 13

ABSTRACT PROTOCOL FLOW

Slide 14

GRANT TYPES (Grant Type: Apps)
Authorization Code: Web, Apps
Implicit: JavaScript, etc.
Resource Owner Password Credentials: Apps
Client Credentials: Web
Refresh Token: Web, Apps

Slide 15

ACCESS TOKEN
{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
}

Slide 16

OIDC: OpenID Connect (NOT OpenID), OpenID Foundation, 2014
Authentication layer on top of OAuth 2.0
verify the identity of an end-user
obtain basic profile information about the end-user
RESTful HTTP API, using JSON as data format
allows clients of all types (web-based, mobile, JavaScript)

Slide 17

OIDC: OpenID Connect adds the IDENTITY TOKEN
{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "identity_token": "???",
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
}

Slide 18

JWT: JSON WEB TOKEN, RFC 7519 Standard, 2015

Slide 19

JSON WEB TOKEN, Base64 encoded:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Slide 20

JSON WEB TOKEN

Slide 21

JSON WEB TOKEN PAYLOAD DATA
Reserved claims: sub, iss, aud, exp
{
  "sub": "1234567890",
  "iss": "https://sso.myapi.com",
  "aud": "myApi",
  "exp": 1479814753,
  "name": "John Doe",
  "admin": true
}

Slide 22

ACCESS TOKEN
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "identity_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Slide 23

TOKENS
Base for access on secured resources.
A token is signed and contains all necessary information about the user and its roles.
Kinds: Identity-, Refresh-, Offline- and Accesstokens
Send in Bearer format: Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Have a TTL! Must be revocable!

Slide 24

TOKEN USAGE
Stateless sessions
Passing identity to 3rd parties
Token exchange

Slide 25

WHAT DOES JAVA OFFER?

Slide 26

WHAT DOES JAVA OFFER? JAVA EE
nothing useful so far
JAAS? (proprietary)
Java EE 8 with Security API, JSR-375

Slide 27

WHAT DOES JAVA OFFER? SPRING SECURITY
good, powerful
Spring Cloud Security / OAuth2

Slide 28

WHAT DOES JAVA OFFER? APACHE SHIRO
OAuth2? / OIDC?
https://shiro.apache.org

Slide 29

WHAT DOES JAVA OFFER? APACHE OLTU
OAuth2 / OIDC / JWT
Who knows this project?
https://oltu.apache.org/

Slide 30

WHAT DOES JAVA OFFER? PAC4J
The Java security engine to protect all your web applications. http://www.pac4j.org
Available for most frameworks/tools: J2E • Spring Web MVC (Spring Boot) • Spring Security (Spring Boot) • Shiro • Play 2.x • Vertx • Spark Java • Ratpack • Undertow • CAS server • JAX-RS • Dropwizard • Knox • Jooby

Slide 31

WHAT DOES JAVA OFFER? JWT LIBRARIES
github.com/auth0/java-jwt
bitbucket.org/b_c/jose4j
bitbucket.org/connect2id/nimbus-jose-jwt
github.com/jwtk/jjwt

Slide 32

AND THE ECOSYSTEM? SAAS? AAAS?
Auth0 (auth0.com)
AWS Cognito (aws.amazon.com/cognito)
Stormpath (stormpath.com)
BUT: you have to outsource your users' personal data!

Slide 33

So, what to do? How? Much effort! Develop on your own?

Slide 34

INTEGRATED SSO AND IAM FOR BROWSER APPS AND RESTFUL WEB SERVICES

Slide 35

KEYCLOAK
JBoss, since ~2013
Open Source Software hosted at GitHub
very active community (commits, pull requests, mailing lists)
constant and regular feature- and bugfix-releases
current version: 3.1.0.Final
good & comprehensive documentation

Slide 36

FEATURES
Single-Sign-On, Single-Sign-Out, Self-Registration, Forgot Password, Verify User/Email, TOTP, various Verification (Work-)Flows, Customer Attributes, LDAP/AD-Integration, Custom Federation Provider SPIs, Social Logins, Custom Themes, JWT, OAuth2, Bearer Token, Open ID Connect (OIDC), SAML, Account Management, Management Console, CORS handling, Impersonation, etc...

Slide 37

ADAPTERS
JBoss EAP / Wildfly, Tomcat, Jetty, JBoss Fuse, Spring Boot, Spring Security, JavaScript, Apache Karaf, Servlet Adapter, Apache mod openid connect, Keycloak Proxy Server, own implementations

Slide 38

DEMOS
Spring Boot ("full" web app): dasniko/keycloak-springboot-demo
Java EE (JBoss Wildfly, REST-only services): dasniko/keycloak-javaee-demo
React.JS SPA (JavaScript client app): dasniko/keycloak-reactjs-demo

Slide 39

CLOUD: AMAZON API GATEWAY
AWS IAM
Amazon Cognito / STS
Custom Authorizer (AWS Lambda)

Slide 40

CUSTOM AUTHORIZER
Verify token sent in HTTP Header. Lambda function will be invoked with event:
{
  "type": "TOKEN",
  "authorizationToken": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd
  "methodArn": "arn:aws:execute-api:eu-central-1:012345678910:v7towmtj68/p
}

Slide 41

CUSTOM AUTHORIZER
Lambda function will create a Principal and an AWS Policy (will be cached):
{
  "principal": "1234567890",
  "policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:eu-central-1:012345678910:v7towmt
      }
    ]
  }
}

Slide 42

API GATEWAY AUTHORIZATION

Slide 43

DEMO: Custom Authorizr AWS Lambda Function, dasniko/jwtAuthorizr

Slide 44

THANK YOU! ANY QUESTIONS?
Slides: http://bit.ly/sso-jax-2017
Niko Köbler, Software-Architect, Developer & Trainer | niko@n-k.de | www.n-k.de | @dasniko