Slide 1

Slide 1 text

DIGITAL PROOF OF IDENTITY JENS SEGERS

Slide 8

Slide 8 text

SUCKS FOR MICRO-SERVICE ARCHITECTURES

Slide 13

Slide 13 text

XML

Slide 14

Slide 14 text

!

Slide 15

Slide 15 text

JSON

Slide 16

Slide 16 text

{ "iss": "Belgian Government" }

Slide 17

Slide 17 text

{ "iss": "Belgian Government", "sub": "89.08.19-123.45" }

Slide 18

Slide 18 text

{ "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800 }

Slide 19

Slide 19 text

{ "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }

Slide 22

Slide 22 text

BLOCKCHAIN?

Slide 23

Slide 23 text

ASYMMETRIC CRYPTOGRAPHY

Slide 26

Slide 26 text

OUR ID CARD JSON DATA { "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }

Slide 27

Slide 27 text

BASE64 ENCODE ewogICAgImlzcyI6ICJCZWxnaWFuIEdvdmVybm1lbnQiLAogICAgInN1YiI6ICI4OS4wOC4xOS0xMjMuNDUiLAogICAgImlhdCI6IDE0NTE2MDY0MDAsCiAgICAiZXhwIjogMTU3NzgzNjgwMCwKICAgICJuYW1lIjogIkplbnMgU2VnZXJzIiwKICAgICJnZW5kZXIiOiAiTSIKfQ==

Slide 28

Slide 28 text

CREATE SHA256 HASH 1217b3c09be5c32c33c71078a6653481617e91e77dfcda0159463eb2d637185b

Slide 29

Slide 29 text

SIGN WITH ISSUER PRIVATE KEY 7n_TNcPNUJlDL6N1byA4dxcnpkVC6vxyOzCNy-9Nzu4
(For RSA this is the "encrypt the hash with the private key" operation, but the result is a signature, not encryption: it proves who issued the card and that the card was not altered, and it hides nothing.)

Slide 31

Slide 31 text

SIGNATURE VALIDATION
1. Base64 encode and hash the original message exactly as the issuer did
2. Apply the issuer's public key to the signature (for RSA this is the "decrypt" operation; it recovers the hash the issuer signed)
3. Compare your own hash with the recovered hash; any difference means the card was forged or tampered with
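Added example, not code from the talk: slides 27 to 31 carried out on the ID card JSON with only the Python standard library. The key pair is a seeded 512-bit textbook RSA key generated inline (an assumption for illustration; no padding scheme and far too small for real use), so the slides' "encrypt the hash with the private key, decrypt with the public key" wording maps literally onto two modular exponentiations. Real issuers use RSASSA-PSS or PKCS#1 v1.5 with 2048-bit or larger keys, where a library does these steps for you.

```python
# Added example (not from the talk): the slide's sign/verify steps carried out
# on the ID card JSON. Textbook RSA on a seeded 256-bit-prime toy key is used
# so the "encrypt with private key / decrypt with public key" model is literal.
# Never use unpadded RSA or keys this small outside of a demonstration.
import base64
import hashlib
import json
import random

ID_CARD = {
    "iss": "Belgian Government",
    "sub": "89.08.19-123.45",
    "iat": 1451606400,
    "exp": 1577836800,
    "name": "Jens Segers",
    "gender": "M",
}


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test (enough for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=512, seed=2016):
    """Deterministic toy key pair: (public (n, e), private (n, d))."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_message(card):
    """Slide 27: the JSON as the base64 text that gets hashed and signed."""
    return base64.b64encode(json.dumps(card).encode()).decode()


def sign(card, private_key):
    n, d = private_key
    digest = hashlib.sha256(encode_message(card).encode()).digest()  # slide 28
    # Slide 29: "encrypt" the hash with the private key. The 256-bit digest
    # must be smaller than the modulus n (512 bits here) for this to work.
    sig_int = pow(int.from_bytes(digest, "big"), d, n)
    return b64url(sig_int.to_bytes((n.bit_length() + 7) // 8, "big"))


def verify(card, signature, public_key):
    n, e = public_key
    # Step 1: hash the message the same way the issuer did.
    own = int.from_bytes(hashlib.sha256(encode_message(card).encode()).digest(), "big")
    raw = base64.urlsafe_b64decode(signature + "=" * (-len(signature) % 4))
    # Step 2: "decrypt" the signature with the public key to recover the hash.
    recovered = pow(int.from_bytes(raw, "big"), e, n)
    return recovered == own  # step 3: compare


PUBLIC_KEY, PRIVATE_KEY = generate_keypair()

if __name__ == "__main__":
    sig = sign(ID_CARD, PRIVATE_KEY)
    print("signature:", sig)
    print("genuine card verifies:", verify(ID_CARD, sig, PUBLIC_KEY))
    forged = dict(ID_CARD, name="Someone Else")
    print("tampered card verifies:", verify(forged, sig, PUBLIC_KEY))
```

Anyone holding the public key can run verify; only the holder of the private key can produce a signature that survives it, which is what the checklist on the next slide asks for under "validate the issuer" and "protected against tampering".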

Slide 32

Slide 32 text

DIGITAL ID CARD CHECKLIST
• Data easily readable by applications?
• Can we easily validate the issuer?
• Protected against fake id cards?
• Protected against data tampering?
• Can we pass it to other microservices?

Slide 34

Slide 34 text

JSON WEB TOKENS AKA. JWT

Slide 35

Slide 35 text

JWT STRUCTURE
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
1. Header
2. Payload
3. Signature
(three base64url-encoded segments separated by dots)

Slide 36

Slide 36 text

HEADER
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
{ "alg": "HS256", "typ": "JWT" }

Slide 37

Slide 37 text

PAYLOAD (CLAIMS)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
{ "iss": "Belgian Government", "sub": "89.08.19-123.45", "iat": 1451606400, "exp": 1577836800, "name": "Jens Segers", "gender": "M" }
(The claims above are the talk's ID card example; the token shown actually carries the jwt.io sample payload { "sub": "1234567890", "name": "John Doe", "admin": true }. Either way the payload is only base64url-encoded, not encrypted.)

Slide 38

Slide 38 text

SIGNATURE
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Calculated over the base64url-encoded header.payload with the algorithm named in the header's alg field: HS256 is an HMAC-SHA256 with a shared secret (symmetric), RS256 an RSA signature made with the issuer's private key and checked with its public key (asymmetric). The verifier must pin the algorithms it accepts instead of trusting the alg value carried in the token.
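Added example, not code from the talk: the three-part token from slides 35 to 38 built and checked with only the Python standard library. The shared secret SECRET is a constructed placeholder (an assumption; the talk does not give one). The header and payload are the jwt.io sample the slides use, so those two segments of the output match the token on the slides character for character; the verifier pins HS256 rather than reading the algorithm from the token, which is what stops an attacker from switching the header to "alg": "none".

```python
# Added example (not from the talk): encode and verify the JWT shown on the
# slides. SECRET is a placeholder for this example, not the talk's secret.
import base64
import hashlib
import hmac
import json

SECRET = b"secret"  # assumption: a constructed shared secret for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256 (alg HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode()  # exactly what gets signed
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(mac)])


def decode_jwt(token: str, secret: bytes) -> dict:
    """Return the claims only if the signature checks out; raise otherwise.

    The accepted algorithm is fixed by the verifier. Trusting the token's own
    alg field is what makes "alg": "none" and HS256/RS256 key confusion work.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three segments")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def is_valid(token: str, secret: bytes) -> bool:
    try:
        decode_jwt(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = encode_jwt({"sub": "1234567890", "name": "John Doe", "admin": True}, SECRET)
    print(token)
    print("claims:", decode_jwt(token, SECRET))
    head, body, sig = token.split(".")
    none_token = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + body + "."
    print("alg=none accepted:", is_valid(none_token, SECRET))
```

The payload segment is plain base64url: anyone can decode it, and only the third segment ties it to the issuer. Validation therefore means recomputing the signature over the first two segments and comparing, never decoding the payload and trusting it.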

Slide 41

Slide 41 text

USE CASES

Slide 42

Slide 42 text

STATELESS AUTHENTICATION

Slide 46

Slide 46 text

JWT Standard for transmitting information

Slide 47

Slide 47 text

OAUTH2 Standard for authorization

Slide 49

Slide 49 text

OAUTH2 + JWT
JWT access tokens containing a user identifier and scopes.
{ "iss": "teamleader", "sub": "123456", "iat": 1483708050, "exp": 1483711650, "scopes": ["companies", "contacts"] }

Slide 50

Slide 50 text

OAUTH2 + JWT
• No need for an access token table
• The client can check if the token is expired
• No database calls to validate the access token, get the user id, scopes, ...
• Possibility to share tokens across micro-services

Slide 53

Slide 53 text

DOWNSIDES
• Access tokens can't easily be revoked, unless you keep a list of tokens to revoke
• Token data can go stale
• Best practice to have a short TTL
• The more embedded data, the bigger the JWT
• Not encrypted, unless you use JWE: the payload is only base64url-encoded, so anyone who holds the token can read the claims

Slide 54

Slide 54 text

TEMPORARY LINKS public.acme.com/mQsh79zqGb9pxGz2...

Slide 56

Slide 56 text

TEMPORARY LINKS
{ "sub": 1234567890, "exp": 1483711650, "version": 1 }
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ.NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc
(The payload segment of this token decodes to { "sub": "1234567890", "exp": 1483711650 }; the version claim is not in the encoded token shown.)
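Added example, not code from the talk, covering the OAuth2 access token of slide 49, the "no database calls" point of slide 50, the revocation and short-TTL downsides of slide 53 and the temporary link of slide 56 in one place: the checks a resource server runs locally on such a token. The HS256 signer, SECRET, the clock-skew leeway and the per-subject version table are all constructed for this example. The reading of the slide's "version" claim as a per-subject counter that is bumped to invalidate every earlier link is my assumption; the talk does not define it.

```python
# Added example (not from the talk): stateless checks on a JWT access token or
# temporary link. SECRET, LEEWAY_SECONDS and CURRENT_VERSION are constructed
# for this example; the version-based revocation is an assumed reading of the
# slide's "version" claim.
import base64
import hashlib
import hmac
import json

SECRET = b"shared-secret-for-this-example"  # assumption
LEEWAY_SECONDS = 30  # tolerate small clock skew between services (assumption)

# Assumed revocation mechanism: each subject has a current link version; bumping
# it invalidates every earlier link without storing the tokens themselves.
CURRENT_VERSION = {"1234567890": 1}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, secret=SECRET):
    """Issuer side: an HS256 token carrying the given claims."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(mac)])


def check(token, now, required_scope=None, secret=SECRET):
    """Resource-server side. Returns (ok, reason); nothing here touches a DB."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":  # pin the algorithm, never trust alg
        return False, "alg not allowed"
    mac = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))  # only now are the claims trusted
    # Short TTL is the main defence against stale data and lost tokens.
    if "exp" not in claims or now > claims["exp"] + LEEWAY_SECONDS:
        return False, "expired"
    # Temporary links: reject links issued before the subject's version was bumped.
    if "version" in claims and claims["version"] != CURRENT_VERSION.get(str(claims.get("sub"))):
        return False, "revoked"
    # Scopes live in the token, so authorization needs no lookup either.
    if required_scope and required_scope not in claims.get("scopes", []):
        return False, "missing scope " + required_scope
    return True, "ok"


if __name__ == "__main__":
    access = mint({"iss": "teamleader", "sub": "123456", "iat": 1483708050,
                   "exp": 1483711650, "scopes": ["companies", "contacts"]})
    print(check(access, now=1483708100, required_scope="contacts"))
    print(check(access, now=1483708100, required_scope="invoices"))
    print(check(access, now=1483711650 + 60))
    link = mint({"sub": "1234567890", "exp": 1483711650, "version": 1})
    print(check(link, now=1483708100))
    CURRENT_VERSION["1234567890"] = 2  # the user revokes all outstanding links
    print(check(link, now=1483708100))
```

Every rejection happens before the claims are acted on, and the only state the service keeps is the verification secret and the small version table, which is what makes the token shareable across micro-services. Without the version claim, or an equivalent denylist, a leaked link stays usable until exp.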

Slide 57

Slide 57 text

JWT AT TEAMLEADER
• JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
• Separate OAuth2 micro-service; access tokens are shared across the micro-service APIs
• Temporary access links

Slide 58

Slide 58 text

Questions?

Slide 59

Slide 59 text

Jens Segers @jenssegers

Slide 60

Slide 60 text

jobs.teamleader.eu