AUTHENTICATION & AUTHORIZATION
FOR MICROSERVICES & WEB APIS
NIKO KÖBLER (@DASNIKO)
Slide 2
ABOUT ME
▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
▸ Doing stuff with & without computers, writing Software, ~ 20 yrs
▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
▸ Speaker at international Tech Conferences
▸ Author of „Serverless Computing in AWS Cloud“ (German), serverlessbuch.de
▸ Twitter: @dasniko
Slide 3
SECURITY
OWASP (TOP10)
Slide 4
AUTHENTICATION
AUTHORIZATION
Slide 5
AUTHENTICATION
I don’t know who you are.
AUTHORIZATION
I know who you are, but you’re not allowed.
Slide 6
HTTP STATUS CODES
401 UNAUTHORIZED
means not authenticated: credentials are missing or invalid; the response carries a WWW-Authenticate header telling the client how to authenticate
403 FORBIDDEN
means not authorized: the caller is authenticated, but is not allowed to do this (retrying with the same credentials will not help)
Slide 7
DISTRIBUTED APIS
Slide 8
DISTRIBUTED APIS
ONE CENTRALIZED APPROACH
FOR DISTRIBUTED SYSTEMS
WHEN IT COMES TO AUTH*?
YES, IT’S CALLED SINGLE SIGN ON!
Slide 9
SIMPLY
——————————————————
SECURE
Slide 10
HOW DO YOU
AUTHENTICATE?
Slide 11
TOKEN!
Slide 12
SAML - SECURITY ASSERTION MARKUP LANGUAGE
(excerpt of an XML assertion; only two text values survived extraction: an issuer URL and an opaque subject identifier)
https://idp.example.org/SAML2
...
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
...
Slide 13
OAUTH2
AUTHORIZATION, NOT AUTHENTICATION!
The OAuth 2.0 authorization framework enables
a 3rd-party application to obtain limited access
to an HTTP service.
IETF, RFC 6749, 2012
Slide 14
OAUTH2 GRANT TYPES
GRANT TYPE                            APPS
Authorization Code                    Web, Apps (combine with PKCE, RFC 7636, for public clients)
Implicit                              JavaScript, etc. (deprecated by the OAuth 2.0 Security BCP: tokens leak via the URL; use Authorization Code + PKCE instead)
Resource Owner Password Credentials   Apps (legacy only; the client handles the user's password, deprecated by the BCP)
Client Credentials                    Web (machine-to-machine, no user involved)
Refresh Token                         Web, Apps (gets a new access token without user interaction)
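As an added example (not from the talk and not Keycloak code), the Authorization Code grant from the table above carried out with PKCE, both sides in one Python file: the client derives a code_challenge from a random code_verifier, the toy authorization server binds a one-time code to client, redirect URI and challenge, and the token endpoint recomputes the challenge before it hands out an access token. Client id, redirect URI and the in-memory server state are constructed stand-ins for a real IdP.

```python
"""Authorization Code grant with PKCE (RFC 7636), simulated end to end.

Client and authorization server both live in this file so the exchange
runs offline. Client registration, server state and the user's approval
are in-memory stand-ins for a real IdP (constructed for this example).
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field

CLIENT_ID = "spa-client"                    # hypothetical registration
REDIRECT_URI = "https://app.example/cb"     # hypothetical redirect URI


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (and JWT) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes give 43 url-safe chars, inside RFC 7636's 43..128 range."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class AuthorizationServer:
    """Toy authorization server: issues one-time codes bound to a client,
    a redirect URI and a PKCE challenge, then exchanges them for tokens."""
    clients: dict                                   # client_id -> redirect_uri
    _codes: dict = field(default_factory=dict)      # code -> (client, redirect, challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        # A real server authenticates the user and asks for consent here.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("invalid_request: unknown client or redirect_uri")
        if method != "S256":
            raise ValueError("invalid_request: only S256 is accepted (no 'plain')")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code     # delivered via 302 to redirect_uri?code=... in a real flow

    def token(self, grant_type, code, client_id, redirect_uri, code_verifier):
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        record = self._codes.pop(code, None)        # pop: a code is single use
        if record is None:
            return {"error": "invalid_grant"}
        bound_client, bound_redirect, challenge = record
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            return {"error": "invalid_grant"}
        # Whoever redeems the code must prove they started the flow.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 300}


def run_flow(verifier_at_token_endpoint=None):
    """Client side of the flow. Returns (first exchange, replay of the same
    code). Pass a wrong verifier to see an intercepted code being rejected."""
    server = AuthorizationServer({CLIENT_ID: REDIRECT_URI})
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge_s256(verifier))
    presented = verifier if verifier_at_token_endpoint is None else verifier_at_token_endpoint
    first = server.token("authorization_code", code, CLIENT_ID, REDIRECT_URI, presented)
    replay = server.token("authorization_code", code, CLIENT_ID, REDIRECT_URI, verifier)
    return first, replay


if __name__ == "__main__":
    print(run_flow())
```

The two checks that matter for a public client are both in `token()`: the code is popped so it cannot be replayed, and the challenge is recomputed from the presented verifier, so a code stolen from the redirect is useless without the verifier that never left the client.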
OPEN ID CONNECT
NOT OPEN ID!
AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
‣ verify the identity of an end-user
‣ obtain basic profile information about the user
‣ RESTful HTTP API, using JSON as data format
‣ allows clients of all types (web-based, mobile, JavaScript)
OPENID FOUNDATION, 2014
TOKENS
‣ Base for access to secured resources.
‣ A self-contained token (e.g. a JWT) is signed and carries the claims the resource server needs: subject, issuer, audience, expiry, roles.
‣ Kinds: ID, access, refresh (and, in Keycloak, offline) tokens
‣ Sent as a bearer token in the Authorization header:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
‣ Have a TTL! A signed token is accepted until exp, so keep access tokens short-lived and check exp on every request.
‣ Must be revocable! Refresh and offline tokens are revoked at the IdP; a stateless access token can only be cut off via introspection or a denylist, or by a lifetime short enough that this does not matter.
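As an added example (not the speaker's demo code), a resource-server check that ties the token slide to the 401/403 slide: a stdlib-only HS256 JWT is issued with a TTL, verified with a pinned algorithm, issuer, audience and expiry, and the result is mapped to 401 (not authenticated) or 403 (authenticated, but missing the role). The secret, issuer, audience and role names are constructed for the example; against a real IdP the signature is RS256/ES256 and is checked with the IdP's published public key.

```python
"""Bearer-token check for a resource server, stdlib only.

Issues and verifies a compact JWT (HS256) with a TTL, then maps the
outcome to HTTP status codes: 401 when no valid token is presented,
403 when the token is valid but lacks the required role. The secret,
issuer, audience and roles are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret-do-not-use"   # hypothetical shared secret
ISSUER = "https://idp.example.org/"          # hypothetical issuer
AUDIENCE = "orders-api"                      # hypothetical resource server


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, roles, ttl=300, now=None):
    """What the IdP does: sign header.claims; 'exp' enforces the TTL."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
              "roles": roles, "iat": now, "exp": now + ttl}

    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    """Token missing, malformed, forged, expired or meant for another audience."""


def verify_token(token, now=None):
    """What the resource server does on every request. Returns the claims."""
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        sig = b64url_decode(s)
    except ValueError as exc:                    # covers base64 and JSON errors
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm: the header is attacker-controlled ('none', key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise TokenError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def handle_request(authorization_header, required_role, now=None):
    """Returns (status, body). 401 = not authenticated, 403 = not authorized."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="orders-api"'}
    try:
        claims = verify_token(authorization_header[len("Bearer "):], now)
    except TokenError as exc:
        return 401, {"WWW-Authenticate": f'Bearer error="invalid_token", error_description="{exc}"'}
    if required_role not in claims.get("roles", []):
        return 403, {"error": "insufficient_role", "sub": claims.get("sub")}
    return 200, {"sub": claims.get("sub"), "roles": claims["roles"]}


if __name__ == "__main__":
    tok = issue_token("alice", ["user"], ttl=60)
    print(handle_request("Bearer " + tok, "user"))    # 200
    print(handle_request("Bearer " + tok, "admin"))   # 403
```

Every failure before the role check is a 401 with a WWW-Authenticate challenge (RFC 6750 style), because the server does not yet know who is calling; only a verified token that lacks the role earns a 403.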
Slide 28
WHAT DOES
JAVA OFFER?
Slide 29
WHAT DOES JAVA OFFER?
‣ Java EE / Jakarta EE: Java Security API (JSR-375)
‣ Spring Security 5: OAuth became First Class Citizen
‣ Apache Shiro: no OAuth2/OIDC/JWT
‣ Apache Oltu: OAuth2/OIDC/JWT, but who knows? (retired to the Apache Attic in 2018, so not an option for new projects)
‣ and many more…
Slide 30
JWT LIBRARIES (JAVA)
‣ github.com/auth0/java-jwt
‣ bitbucket.org/b_c/jose4j
‣ bitbucket.org/connect2id/nimbus-jose-jwt
‣ github.com/jwtk/jjwt
‣ and many more…
Slide 31
WHAT DOES THE
ECOSYSTEM OFFER?
Slide 32
WHAT DOES THE ECOSYSTEM OFFER?
‣ Auth0
‣ AWS Cognito
‣ Stormpath (acquired by Okta in 2017 and shut down)
‣ and many more…
‣ BUT: you have to outsource your users' personal data (and passwords)!
Slide 33
Open Source Identity and Access Management
for Modern Applications and Services
MIGHT(!) BE A GOOD FIT
keycloak.org
Slide 34
LET’S DO SOME
DEMO!
Slide 39
THANK YOU.
ANY QUESTIONS?
Niko Köbler | www.n-k.de | [email protected] | @dasniko
AUTH* FOR MICROSERVICES & WEB APIS