Slide 1

AUTHENTICATION & AUTHORIZATION FOR MICROSERVICES & WEB APIS
Niko Köbler (@dasniko)

Slide 2

ABOUT ME
▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
▸ Doing stuff with & without computers, writing software, ~20 years
▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
▸ Speaker at international tech conferences
▸ Author of „Serverless Computing in AWS Cloud“ (German), serverlessbuch.de
▸ Twitter: @dasniko

Slide 3

SECURITY: OWASP (TOP 10)

Slide 4

AUTHENTICATION / AUTHORIZATION

Slide 5

AUTHENTICATION: I don’t know who you are.
AUTHORIZATION: I know who you are, but you’re not allowed.

Slide 6

HTTP STATUS CODES
401 UNAUTHORIZED means: not authenticated
403 FORBIDDEN means: unauthorized (not allowed)

Slide 7

DISTRIBUTED APIS

Slide 8

DISTRIBUTED APIS
ONE CENTRALIZED APPROACH FOR DISTRIBUTED SYSTEMS WHEN IT COMES TO AUTH*?
YES, IT’S CALLED SINGLE SIGN ON!

Slide 9

SIMPLY SECURE

Slide 10

HOW DO YOU AUTHENTICATE?

Slide 11

TOKEN!

Slide 12

SAML - SECURITY ASSERTION MARKUP LANGUAGE
(excerpt of an XML assertion) https://idp.example.org/SAML2 ... 3f7b3dcf-1674-4ecd-92c8-1544f346baf8 ...

Slide 13

OAUTH2: AUTHORIZATION, NOT AUTHENTICATION!
“The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service.”
IETF, RFC 6749, 2012

Slide 14

OAUTH2 GRANT TYPES

    GRANT TYPE                            APPS
    Authorization Code                    Web, Apps
    Implicit                              JavaScript, etc.
    Resource Owner Password Credentials   Apps
    Client Credentials                    Web
    Refresh Token                         Web, Apps

Slide 15

OAUTH2 ABSTRACT PROTOCOL FLOW

Slide 16

ACCESS TOKEN

    {
      "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
    }

Slide 17

OPENID CONNECT (NOT OPENID!)
AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
‣ verify the identity of an end-user
‣ obtain basic profile information about the user
‣ RESTful HTTP API, using JSON as data format
‣ allows clients of all types (web-based, mobile, JavaScript)
OPENID FOUNDATION, 2014

Slide 18

OIDC

    {
      "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
      "token_type": "Bearer",
      "expires_in": 3600,
      "identity_token": "???",
      "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
    }

OPENID CONNECT ADDS THE IDENTITY TOKEN

Slide 19

JWT: JSON WEB TOKEN
RFC 7519 STANDARD, 2015

Slide 20

JWT

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

BASE64 ENCODED

Slide 21

JSON WEB TOKEN

Slide 22

JWT PAYLOAD

    {
      "sub": "1234567890",
      "iss": "https://sso.myapi.com",
      "aud": "myApi",
      "exp": 1479814753,
      "name": "John Doe",
      "admin": true
    }

RESERVED CLAIMS: sub, iss, aud, exp

Slide 23

OPENID CONNECT STANDARD CLAIMS
http://openid.net/specs/openid-connect-core-1_0.html

Slide 24

ACCESS TOKEN

    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "token_type": "Bearer",
      "expires_in": 3600,
      "identity_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
    }

Slide 25

TOKEN USAGE

Slide 26

TOKEN USAGE

Slide 27

TOKENS
‣ Basis for access to secured resources.
‣ A token is signed and contains all necessary information about the user and their roles.
‣ Kinds: Identity, Refresh, (Offline) & Access tokens
‣ Sent in Bearer format:
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
‣ Have a TTL!
‣ Must be revocable!
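Added example, not part of the deck: a stdlib-only Python verifier for an HS256-signed JWT presented as a Bearer token, wired to the 401/403 distinction from the status-code slide. It assumes a constructed shared secret, the iss/aud values from the payload slide, and a hypothetical "roles" claim; the sign_hs256 helper exists only to mint sample tokens.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"      # assumption: HS256 secret shared with the issuer
ISSUER, AUDIENCE = "https://sso.myapi.com", "myApi"   # iss/aud values from the payload slide

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(payload: dict) -> str:
    """Mint a compact JWT (header.payload.signature); only used to build sample tokens."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if alg, signature, iss, aud and exp all check out, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":   # pin the algorithm
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, AttributeError):       # malformed base64/JSON or wrong part count
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:  # TTL enforced
        return None
    return claims

def authorize(auth_header: Optional[str], required_role: str, now: int) -> int:
    """Map a request to 200, 401 (not authenticated) or 403 (authenticated, not allowed)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401
    claims = verify(auth_header[len("Bearer "):], now)
    if claims is None:
        return 401
    return 200 if required_role in claims.get("roles", []) else 403
```

Revocation (the last bullet) is not covered here: a signed token stays valid until exp unless the resource server also consults a deny list or the issuer.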

Slide 28

WHAT DOES JAVA OFFER?

Slide 29

WHAT DOES JAVA OFFER?
‣ Java EE / Jakarta EE: Java Security API (JSR-375)
‣ Spring Security 5: OAuth became a first-class citizen
‣ Apache Shiro: no OAuth2/OIDC/JWT
‣ Apache Oltu: OAuth2/OIDC/JWT, but who knows?
‣ and many more…

Slide 30

JWT LIBRARIES (JAVA)
‣ github.com/auth0/java-jwt
‣ bitbucket.org/b_c/jose4j
‣ bitbucket.org/connect2id/nimbus-jose-jwt
‣ github.com/jwtk/jjwt
‣ and many more…

Slide 31

WHAT DOES THE ECOSYSTEM OFFER?

Slide 32

WHAT DOES THE ECOSYSTEM OFFER?
‣ Auth0
‣ AWS Cognito
‣ Stormpath
‣ and many more…
‣ BUT: you have to outsource your users’ personal data (and passwords)!

Slide 33

keycloak.org: Open Source Identity and Access Management for Modern Applications and Services
MIGHT(!) BE A GOOD FIT

Slide 34

LET’S DO SOME DEMO!

Slide 39

THANK YOU. ANY QUESTIONS?
Niko Köbler | www.n-k.de | [email protected] | @dasniko
AUTH* FOR MICROSERVICES & WEB APIS