Slide 1

Slide 1 text

SINGLE-SIGN-ON FOR MICROSERVICES AND DISTRIBUTED (JAVA EE) APPLICATIONS Niko Köbler Software-Architect, Developer & Trainer | [email protected] | www.n-k.de | @dasniko

Slide 2

Slide 2 text

@dasniko

Slide 3

Slide 3 text

SECURITY OWASP

Slide 4

Slide 4 text

AUTHENTICATION I don't know who you are! AUTHORIZATION I know who you are, but you're not allowed!

Slide 5

Slide 5 text

SECURITY Same approach for Microservices AND Monoliths? Centralized?

Slide 6

Slide 6 text

SIMPLY SECURE

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

OAUTH2 Authorization, NOT Authentication! The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service. IETF

Slide 9

Slide 9 text

OIDC OpenID Connect - NOT OpenID Authentication layer on top of OAuth 2.0 verify the identity of an end-user obtain basic profile information about the end-user RESTful HTTP API, using JSON as data format allows clients of all types (web-based, mobile, JavaScript) OpenID Foundation

Slide 10

Slide 10 text

BUT, WHO WANTS TO STORE THEIR ENTERPRISE USER DATA AT GOOGLE/TWITTER/FACEBOOK? Plus, additionally: LDAP / AD, other Directories, other Database Tables need to be integrated!

Slide 11

Slide 11 text

DO IT ON YOUR OWN!? For each and every application: password recovery, registration, remember me, user/email verification ...? And your users should login (and authenticate) themselves at each of your applications? Over and over again? With different passwords?

Slide 12

Slide 12 text

FRUSTRATING!

Slide 13

Slide 13 text

WHAT ABOUT DISTRIBUTED ENVIRONMENTS?

Slide 14

Slide 14 text

DISTRIBUTED ENVIRONMENTS Microservices REST-only Services Single Page Applications Mobile Apps Offline option

Slide 15

Slide 15 text

TOKEN TO THE RESCUE

Slide 16

Slide 16 text

TOKEN TO THE RESCUE OAuth2, JWT, SAML, X.509

Slide 17

Slide 17 text

SAML https://idp.example.org/SAML2 ... ... OASIS Standard, 2005

Slide 18

Slide 18 text

JWT JSON WEB TOKEN Standard, 2015 RFC 7519 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Slide 19

Slide 19 text

JSON WEB TOKEN jwt.io

Slide 20

Slide 20 text

TOKENS Base for access to secured resources. A token is signed and contains all necessary information about the user and its roles. Kinds: Access-, Refresh-, Offline- and Identity-tokens. Have a TTL! Must be revocable!

Slide 21

Slide 21 text

WHAT DOES JAVA OFFER?

Slide 22

Slide 22 text

WHAT DOES JAVA OFFER? JAVA EE nothing useful so far JAAS? (proprietary) perhaps Java EE 8 (Security API, JSR-375)

Slide 23

Slide 23 text

WHAT DOES JAVA OFFER? SPRING SECURITY good, powerful Spring Cloud Security / OAuth2

Slide 24

Slide 24 text

WHAT DOES JAVA OFFER? APACHE SHIRO https://shiro.apache.org OAuth2? / OIDC?

Slide 25

Slide 25 text

WHAT DOES JAVA OFFER? APACHE OLTU https://oltu.apache.org/ OAuth2 / OIDC / JWT

Slide 26

Slide 26 text

WHAT DOES JAVA OFFER? PAC4J http://www.pac4j.org The Java security engine to protect all your web applications. Available for most frameworks/tools: J2E • Spring Web MVC (Spring Boot) • Spring Security (Spring Boot) • Shiro • Play 2.x • Vertx • Spark Java • Ratpack • Undertow • CAS server • JAX-RS • Dropwizard • Knox • Jooby

Slide 27

Slide 27 text

WHAT DOES JAVA OFFER? JWT LIBRARIES github.com/auth0/java-jwt bitbucket.org/b_c/jose4j bitbucket.org/connect2id/nimbus-jose-jwt github.com/jwtk/jjwt

Slide 28

Slide 28 text

AND THE ECOSYSTEM? SAAS? AAAS? Auth0 auth0.com AWS Cognito aws.amazon.com/cognito Stormpath stormpath.com But again, you have to outsource your users' personal data!

Slide 29

Slide 29 text

So, what to do? Develop on your own? How? Much effort!

Slide 30

Slide 30 text

INTEGRATED SSO AND IDM FOR BROWSER APPS AND RESTFUL WEB SERVICES

Slide 31

Slide 31 text

KEYCLOAK JBoss since ~2013 Open Source Software hosted at GitHub very active Community (commits, pull requests, mailing lists) constant and regular feature- and bugfix-releases current version: 2.3.0.Final good & comprehensive documentation

Slide 32

Slide 32 text

DISTRIBUTIONS Demo Appliance Standalone Server Overlay for JBoss EAP/Wildfly Docker Image OpenShift Cloud Service (SaaS)

Slide 33

Slide 33 text

#FEATURES Single-Sign-On, Single-Sign-Out, Self-Registration, Forgot Password, Verify User/Email, TOTP, various Verification (Work-)Flows, Customer Attributes, Custom Federation Provider, SPIs, Social Logins, Custom Themes, JWT, OAuth2, Bearer Token, Open ID Connect (OIDC), SAML, Account Management, Management Console, CORS handling, Impersonation, etc...

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

STANDARDS SAML 2.0 OASIS 2005 OAuth 2.0 RFC 6749 2012 OpenID Connect 1.0 OpenID Foundation 2014 JWT RFC 7519 2015

Slide 36

Slide 36 text

ARCHITECTURE

Slide 37

Slide 37 text

ADAPTERS (I) JBoss EAP (6, 7) / Wildfly (9, 10) Tomcat (6, 7, 8) Jetty (8.1.x, 9.x) JBoss Fuse Apache Karaf Spring Boot Spring Security Servlet Adapter JavaScript own implementation

Slide 38

Slide 38 text

ADAPTERS (II) OAuth2, OpenIDC, Token validation libraries/modules/frameworks own implementation of OAuth2/OIDC Apache mod openid connect Keycloak Proxy

Slide 39

Slide 39 text

FLOWS

Slide 40

Slide 40 text

SINGLE-SIGN-ON

Slide 41

Slide 41 text

LOGIN not logged in, secured resource or login

Slide 42

Slide 42 text

LOGIN redirect to Keycloak, user not logged in, login form

Slide 43

Slide 43 text

LOGIN credentials

Slide 44

Slide 44 text

LOGIN create session, set cookies, back to application, handle tokens, application delivers resource

Slide 45

Slide 45 text

LOGIN secured resource or login

Slide 46

Slide 46 text

LOGIN redirect to Keycloak, user logged in, back to application, handle tokens, application delivers resource

Slide 47

Slide 47 text

SINGLE-SIGN-OUT

Slide 48

Slide 48 text

LOGOUT logout on Keycloak

Slide 49

Slide 49 text

LOGOUT redirect to application, delete cookies, kill session, back to application, application delivers resource

Slide 50

Slide 50 text

LOGOUT k_logout event to all configured admin URLs

Slide 51

Slide 51 text

DEMO Spring Boot ("full" web app) dasniko/keycloak-springboot-demo Java EE (JBoss Wildfly, REST-only services) dasniko/keycloak-javaee-demo React.JS SPA (JavaScript client app)

Slide 52

Slide 52 text

THANK YOU! ANY QUESTIONS? Niko Köbler Software-Architect, Developer & Trainer | [email protected] | www.n-k.de | @dasniko