Slide 1

Using JWT to Authenticate Microservices

Slide 2

Who?
Mark Wolfe, DevOps Engineer at Versent
Versent is Hiring

Slide 3

What is a JWT?
JSON Web Token
Header, metadata for the JWT
Claims, the information encoded in the JWT
A dictionary of standard fields
Encouraged to add new fields
JSON Web Signature (JWS)

Slide 4

What's inside a JWT?
Header:
    { "alg": "HS256", "typ": "JWT" }
Payload:
    { "name": "Mark Wolfe", "email": "[email protected]", "sub": "1234567890", "user_id": "123-123-123" }

Slide 5

After Encoding
Header:    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload:   eyJuYW1lIjoiTWFyayBXb2xmZSIsImVtYWlsIjoibWFya0B3b2xmZS5pZC5hdSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJ1c2VyX2lkIjoiMTIzLTEyMy0xMjMifQ
Signature: z_pa9VMxUrtLdB-YT940iUW4Ea9c0Wp-D5Ju27g9zCs

Slide 6

Warning!

Slide 7

No content

Slide 8

Claims?
iss, issuer
sub, subject
aud, audience
exp, expiry, which is a unix timestamp!
nbf, not before, another unix timestamp
iat, issued at, no points for guessing what format this is..
jti, JWT ID, which can be used to protect against replay attacks
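How a resource server would actually check these claims, as an added Go example that is not part of the talk: exp, nbf and iat are treated as unix seconds with a small skew allowance, aud must name this server, and a jti is remembered so the same token cannot be presented twice. The service names, the fixed "now" and the in-memory replay cache are constructed for the example; a real cache would expire entries once the token's exp has passed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims mirrors the registered claim names on the slide. All three timestamps
// are unix seconds, which is exactly what the slide warns about.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	Expiry    int64  `json:"exp"`
	NotBefore int64  `json:"nbf"`
	IssuedAt  int64  `json:"iat"`
	JWTID     string `json:"jti"`
}

// ReplayCache remembers jti values already accepted, keyed to the token's exp so a
// real implementation knows when it is safe to forget them (constructed, in-memory).
type ReplayCache struct{ seen map[string]int64 }

func NewReplayCache() *ReplayCache { return &ReplayCache{seen: map[string]int64{}} }

// Validate checks the time-based claims against now, the audience against this
// server's name, and rejects a jti that has been used before. leeway absorbs
// small clock skew between services.
func Validate(c Claims, now time.Time, wantAud string, leeway time.Duration, cache *ReplayCache) error {
	t := now.Unix()
	skew := int64(leeway.Seconds())
	if c.Audience != wantAud {
		return fmt.Errorf("audience %q, want %q", c.Audience, wantAud)
	}
	if c.Expiry == 0 || t > c.Expiry+skew {
		return errors.New("token expired (exp)")
	}
	if c.NotBefore != 0 && t < c.NotBefore-skew {
		return errors.New("token not yet valid (nbf)")
	}
	if c.IssuedAt != 0 && c.IssuedAt > t+skew {
		return errors.New("token issued in the future (iat)")
	}
	if c.JWTID == "" {
		return errors.New("missing jti")
	}
	if _, dup := cache.seen[c.JWTID]; dup {
		return fmt.Errorf("replayed token jti=%s", c.JWTID)
	}
	cache.seen[c.JWTID] = c.Expiry
	return nil
}

func main() {
	now := time.Unix(1700000000, 0) // constructed fixed "now" so the run is deterministic
	c := Claims{Issuer: "video", Subject: "1234567890", Audience: "timeseries",
		Expiry: now.Unix() + 300, NotBefore: now.Unix() - 5, IssuedAt: now.Unix() - 5, JWTID: "req-0001"}
	cache := NewReplayCache()
	fmt.Println("first use:", Validate(c, now, "timeseries", 30*time.Second, cache))
	fmt.Println("replay:   ", Validate(c, now, "timeseries", 30*time.Second, cache))
}
```

The second call in main fails only because of the jti: the timestamps are still inside their window, which is the point of carrying a JWT ID at all.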

Slide 9

Algorithms?
HS256, uses HMAC with SHA-256
RS256, uses an RSA PKCS#1 signature and SHA-256
ES256, ECDSA with the P-256 curve and SHA-256

Slide 10

Security?
JWTs are NOT encrypted, they are signed
Base64 is not encryption, it is an encoding
Just because we can't read something doesn't mean it is secure
A JWT can hold some juicy tidbits of information: email addresses, names, etc.
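The two points on this slide and the encoding on Slides 4 and 5, shown in working code. This is an added Go example, not code from the talk, using only the standard library: SignHS256 produces the three base64url segments, PeekPayload reads the claims back with no key at all (the "not encrypted" point), and VerifyHS256 is what a resource server must do before trusting anything in the payload. The secret and the claims are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// SignHS256 builds header.payload.signature the way the slides show it:
// two base64url JSON segments and an HMAC-SHA256 over them.
func SignHS256(claims map[string]interface{}, key []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// PeekPayload decodes the claims WITHOUT a key and without checking the
// signature. It exists to make the slide's point: anyone holding the token
// can read what is in it.
func PeekPayload(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// VerifyHS256 recomputes the MAC and compares it in constant time. It also
// refuses any alg other than HS256 so the header cannot steer verification.
func VerifyHS256(token string, key []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected alg in header")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	return PeekPayload(token)
}

func main() {
	key := []byte("constructed-demo-secret") // constructed for the example; use a random key
	token, _ := SignHS256(map[string]interface{}{"sub": "1234567890", "user_id": "123-123-123"}, key)
	fmt.Println(token)
	leaked, _ := PeekPayload(token) // no key involved
	fmt.Println("readable without the key:", leaked)
	_, err := VerifyHS256(token, []byte("some-other-key"))
	fmt.Println("verify with wrong key:", err)
}
```

Note that PeekPayload is only useful for logging and debugging; every decision a service makes has to come from the map VerifyHS256 returns.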

Slide 11

Using JWT for Microservices?

Slide 12

No content

Slide 13

Very Brief Overview of Spec
Uses RS256
Public keys available to resource servers using a key repository (S3 bucket)
Private key held by a client
Client can sign JWTs and attach these to requests to resource server(s)
Resource server(s) can verify the JWT and check which service sent the request
Uses various claim fields as mentioned earlier
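The flow on this slide end to end, as an added Go example that is not the spec's or the talk's own code: each service has an RSA key pair, the public halves sit in a key repository (an in-memory map here, standing in for the S3 bucket), the caller signs an RS256 JWT with its private key, and the resource server uses the iss claim to pick the trusted public key, verifies the signature and thereby learns which service sent the request. Service names, claim values and the generated keys are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JWT requires

// KeyRepository stands in for the S3 bucket on the slide: the resource server
// looks up a calling service's public key by the token's iss claim.
type KeyRepository map[string]*rsa.PublicKey

// ServiceClaims is the subset of claims the slides use for service-to-service calls.
type ServiceClaims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
	JWTID    string `json:"jti"`
	UserID   string `json:"user_id"`
}

// GenerateServiceKey makes a per-service RSA key pair (constructed here; in
// production the private half never leaves the service that owns it).
func GenerateServiceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignRS256 is the client side: RSA PKCS#1 v1.5 over SHA-256 of header.payload.
func SignRS256(c ServiceClaims, priv *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 is the resource-server side. iss is read from the not-yet-verified
// payload, but it only selects which trusted key must validate the signature, so
// a forged iss just fails verification. The header's alg is deliberately ignored:
// this server accepts RS256 and nothing else.
func VerifyRS256(token string, repo KeyRepository, wantAud string, now int64) (ServiceClaims, error) {
	var c ServiceClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	pub, ok := repo[c.Issuer]
	if !ok {
		return c, fmt.Errorf("unknown issuer %q", c.Issuer)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("bad signature")
	}
	if c.Audience != wantAud || now > c.Expiry {
		return c, errors.New("wrong audience or expired")
	}
	return c, nil
}

func main() {
	video := GenerateServiceKey() // the Video microservice's key pair
	repo := KeyRepository{"video": &video.PublicKey}
	tok, _ := SignRS256(ServiceClaims{Issuer: "video", Audience: "timeseries",
		Expiry: 1700000300, JWTID: "req-0001", UserID: "123-123-123"}, video)
	c, err := VerifyRS256(tok, repo, "timeseries", 1700000000)
	fmt.Println("caller:", c.Issuer, "user:", c.UserID, "err:", err)
}
```

The returned claims carry both the jti (for the end-to-end audit trail) and the user_id of the original request, which is what the later "In Review" slide says each layer should pass down.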

Slide 14

Typical OAuth2 Service
(diagram) Identity Server and Resource Server; the client sends creds to login to the Identity Server and presents the resulting Bearer Token to the Resource Server

Slide 15

OAuth + Microservices + JWT
(diagram, Region: ap-southeast-2) Identity Server and Resource Server as before, with credentials to login and a Bearer Token; behind the Resource Server, the Timeseries Microservice and Video Microservice each receive a JWT carrying the same payload:
    { "name": "Mark Wolfe", "email": "[email protected]", "sub": "1234567890", "user_id": "123-123-123" }

Slide 16

In Review
Trust: every resource server has its own key pair
Traceable: the JWT ID (jti) can be logged and passed down through layers for end-to-end auditing
Example: the user_id claim is also passed down through layers to identify the owner of the original request, and used as a filter where necessary
Keep it simple

Slide 17

In Review Continued..
Review solutions with your peers
Meetups are a great place to do this
Open specifications
Don't bet the bank on this: start small, iterate and LEARN
Keep it simple

Slide 18

Only HTTP?
Can be used with MQTT
Used in place of a username in the Connect request packet
Enables rotating "logins" with a shorter time to live
Can also be used to sign an entire content message and be transmitted over AMQP, UDP, carrier pigeon..

Slide 19

Questions
[email protected]
@wolfeidau on Twitter
https://github.com/wolfeidau
http://www.wolfe.id.au
Versent is Hiring! http://www.versent.com.au
Level3 @level3space http://level3.space/

Slide 20

References
https://jwt.io/ lots of good information about the standard and implementations
http://s2sauth.bitbucket.org/spec/ by Atlassian
https://tools.ietf.org/html/rfc7519 RFC for JWT
https://tools.ietf.org/html/rfc7515 RFC for JWS