Using JWT to Authenticate Microservices

Talk I gave at API Days 2016 in Melbourne

Mark Wolfe

March 02, 2016

Transcript

  1. Using JWT to Authenticate
    Microservices

  2. Who?
    Mark Wolfe
    DevOps Engineer at Versent
    Versent is Hiring

  3. What is a JWT?
    JSON Web Token
    Header, metadata for the JWT (the signing algorithm and the token type)
    Claims, the information encoded in the JWT
    A dictionary of standard (registered) fields
    You are encouraged to add your own fields (private claims)
    Signed as a JSON Web Signature (JWS)

  4. What's inside a JWT?
    Header
    {
      "alg": "HS256",
      "typ": "JWT"
    }
    Payload
    {
      "name": "Mark Wolfe",
      "email": "mark@wolfe.id.au",
      "sub": "1234567890",
      "user_id": "123-123-123"
    }

  5. After Encoding
    Header    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
    Payload   eyJuYW1lIjoiTWFyayBXb2xmZSIsImVtYWlsIjoibWFya0B3b2xmZS5pZC5hdSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJ1c2VyX2lkIjoiMTIzLTEyMy0xMjMifQ
    Signature z_pa9VMxUrtLdB-YT940iUW4Ea9c0Wp-D5Ju27g9zCs
    Each part is base64url encoded (no padding) and the three are joined with dots: header.payload.signature
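
    Added example, not code from the deck: a Go program using only the standard library that reproduces the encoding on this slide. It signs the header and payload from slide 4 with HS256 under an assumed secret ("demo-secret"; the deck never shows its key, so only the signature segment differs from the slide), decodes the claims back without any key to make the point of slide 10, and verifies the MAC with the expected algorithm pinned by the verifier rather than read from the token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Header and Claims mirror slide 4. Struct field order fixes the JSON field
// order; the compact JSON must be byte-identical to the original for the
// base64url segments to come out the same as on slide 5.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

type Claims struct {
	Name   string `json:"name"`
	Email  string `json:"email"`
	Sub    string `json:"sub"`
	UserID string `json:"user_id"`
}

// b64 is the JWS encoding: base64url with no '=' padding (RFC 7515, section 2).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds header.payload.signature. HMAC-SHA256 runs over the ASCII
// string "header.payload", not over the raw JSON.
func SignHS256(h Header, c Claims, secret []byte) (string, error) {
	hj, err := json.Marshal(h)
	if err != nil { return "", err }
	cj, err := json.Marshal(c)
	if err != nil { return "", err }
	signingInput := b64(hj) + "." + b64(cj)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// DecodeClaimsUnverified makes the point of slide 10: the payload is encoded,
// not encrypted, so anyone holding the token can read it without a key.
func DecodeClaimsUnverified(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return Claims{}, fmt.Errorf("want 3 segments, got %d", len(parts)) }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return Claims{}, err }
	var c Claims
	err = json.Unmarshal(raw, &c)
	return c, err
}

// VerifyHS256 recomputes the MAC and compares it in constant time. The
// algorithm is pinned by the verifier rather than trusted from the token, so a
// header that says "none" or "RS256" is rejected before the key is touched.
func VerifyHS256(token string, secret []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return Claims{}, errors.New("malformed token") }
	hj, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return Claims{}, err }
	var h Header
	if err := json.Unmarshal(hj, &h); err != nil { return Claims{}, err }
	if h.Alg != "HS256" { return Claims{}, fmt.Errorf("unexpected alg %q", h.Alg) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return Claims{}, err }
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { return Claims{}, errors.New("bad signature") }
	return DecodeClaimsUnverified(token)
}

func main() {
	secret := []byte("demo-secret") // assumed for this example; the deck does not show its key
	c := Claims{Name: "Mark Wolfe", Email: "mark@wolfe.id.au", Sub: "1234567890", UserID: "123-123-123"}
	tok, err := SignHS256(Header{Alg: "HS256", Typ: "JWT"}, c, secret)
	if err != nil { panic(err) }
	fmt.Println(tok) // header and payload segments match slide 5 exactly
	peek, _ := DecodeClaimsUnverified(tok) // no key needed to read the claims
	fmt.Printf("readable by anyone holding the token: %+v\n", peek)
	_, err = VerifyHS256(tok, []byte("wrong-secret"))
	fmt.Println("verify with the wrong key:", err)
}
```

    The header and payload segments printed by this program are identical to the ones on the slide, which is the whole point: nothing in those two segments depends on the key. Only the third segment does, and only a party holding the shared secret can check it.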

  6. Warning!

  8. Claims?
    iss, issuer
    sub, subject
    aud, audience
    exp, expiration time, which is a Unix timestamp (seconds since the epoch)!
    nbf, not before, another Unix timestamp
    iat, issued at, no points for guessing what format this is..
    jti, JWT ID, a unique identifier that can be used to protect against replay attacks

  9. Algorithms?
    HS256, HMAC using SHA-256 (a shared secret, so anyone who can verify can also sign)
    RS256, RSASSA-PKCS1-v1_5 using SHA-256 (an RSA key pair, verifiers only need the public key)
    ES256, ECDSA using the P-256 curve and SHA-256

  10. Security?
    JWTs are NOT encrypted, they are signed
    Base64 is not encryption, it is an encoding
    Just because we can't read something doesn't mean it is secure
    A JWT can hold some juicy tidbits of information: email addresses, names etc.
    Anyone who gets hold of the token can decode the payload, so don't put secrets in it

  11. Using JWT for
    Microservices?

  13. Very Brief Overview of the Spec
    Atlassian's service-to-service authentication spec (see References)
    Uses RS256
    Public keys are available to resource servers from a key repository (an S3 bucket)
    The private key is held by the client (the calling service)
    The client signs JWTs and attaches them to requests to resource server(s)
    Resource server(s) verify the JWT and can tell which service sent the request
    Uses the various claim fields mentioned earlier

  14. Typical OAuth2 Service
    Resource Server
    Identity Server
    Bearer Token
    Creds to Login

  15. OAuth + Microservices + JWT
    Region: ap-southeast-2
    Diagram: Credentials to Login, Identity Server, Bearer Token, Resource Server (the typical OAuth2 flow from the previous slide), with the Resource Server calling the Timeseries Microservice and the Video Microservice
    Each downstream call carries a JWT with the same claims (shown once here, the slide repeats it for both services):
    {
      "name": "Mark Wolfe",
      "email": "mark@wolfe.id.au",
      "sub": "1234567890",
      "user_id": "123-123-123"
    }

  16. In Review
    Trust, every resource server has its own key pair
    Traceable, the JWT ID (jti) can be logged and passed down through the layers for end to end auditing
    Example, the user_id claim is also passed down through the layers to identify the owner of the original request and is used as a filter where necessary
    Keep it simple
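
    Added example, my code and not the Atlassian spec's reference implementation or the author's: a Go model of the service-to-service flow from slides 13 and 16, standard library only. The calling service signs a token with its own RSA key (RS256); the resource server looks up the caller's public key by the iss claim in a key repository, here an in-memory map standing in for the S3 bucket, pins the algorithm, checks the signature, and then applies the claim checks from slide 8 (aud, exp, nbf, jti). Service names, the jti format and the claim values are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ServiceClaims is the payload a calling service signs. iss names the caller,
// aud the service being called, jti is unique per request so it can be logged
// end to end, and user_id carries the original requester through the layers.
type ServiceClaims struct {
	Iss    string `json:"iss"`
	Sub    string `json:"sub"`
	Aud    string `json:"aud"`
	Iat    int64  `json:"iat"`
	Nbf    int64  `json:"nbf"`
	Exp    int64  `json:"exp"`
	Jti    string `json:"jti"`
	UserID string `json:"user_id"`
}

// KeyRepo stands in for the key repository (an S3 bucket in the deck): the
// resource server fetches the caller's public key by the iss claim.
type KeyRepo map[string]*rsa.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 signs "header.payload" with RSASSA-PKCS1-v1_5 over SHA-256.
func SignRS256(c ServiceClaims, priv *rsa.PrivateKey) (string, error) {
	cj, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(cj)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// VerifyRS256 is the resource server's check on every incoming request.
// audience is the server's own name; now is a parameter so expiry is testable.
func VerifyRS256(token string, repo KeyRepo, audience string, now time.Time) (ServiceClaims, error) {
	var none ServiceClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return none, errors.New("malformed token") }
	hj, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return none, err }
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hj, &hdr); err != nil { return none, err }
	if hdr.Alg != "RS256" { return none, fmt.Errorf("alg %q not allowed", hdr.Alg) } // pinned, never trusted from the token

	// The claims are decoded before the signature check only to select the key
	// by iss; nothing in them is trusted until VerifyPKCS1v15 passes.
	cj, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return none, err }
	var c ServiceClaims
	if err := json.Unmarshal(cj, &c); err != nil { return none, err }
	pub, ok := repo[c.Iss]
	if !ok { return none, fmt.Errorf("unknown issuer %q", c.Iss) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return none, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return none, fmt.Errorf("signature does not match the key registered for %q", c.Iss)
	}

	t := now.Unix()
	switch {
	case c.Aud != audience:
		return none, fmt.Errorf("aud %q is not this service", c.Aud)
	case t >= c.Exp: // RFC 7519: the current time must be before exp
		return none, errors.New("token expired")
	case t < c.Nbf:
		return none, errors.New("token not yet valid")
	case c.Jti == "":
		return none, errors.New("missing jti, request cannot be traced")
	}
	return c, nil
}

func main() {
	// Constructed demo: the timeseries service calls the video service.
	timeseriesKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	repo := KeyRepo{"timeseries": &timeseriesKey.PublicKey}
	now := time.Now()
	tok, err := SignRS256(ServiceClaims{
		Iss: "timeseries", Sub: "timeseries", Aud: "video", Iat: now.Unix(), Nbf: now.Unix(),
		Exp: now.Add(time.Minute).Unix(), Jti: "req-0001", UserID: "123-123-123",
	}, timeseriesKey)
	if err != nil { panic(err) }
	c, err := VerifyRS256(tok, repo, "video", now)
	fmt.Println("caller:", c.Iss, "request:", c.Jti, "on behalf of:", c.UserID, "err:", err)
}
```

    The order matters: the key is chosen by the unverified iss claim, but because the repository holds exactly one public key per service, a rogue service that claims to be "timeseries" while signing with its own key fails the signature check, and a service not in the repository is rejected outright. The jti and user_id that survive verification are what the calling service logs and forwards to the next layer.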

  17. In Review Continued
    Review solutions with your peers
    Meetups are a great place to do this
    Open Specifications
    Don’t bet the bank on this, start small, iterate and
    LEARN
    Keep it simple

  18. Only HTTP?
    Can be used with MQTT
    Used in place of the username in the CONNECT packet
    Enables rotating "logins" with a shorter time to live
    Can also be used to sign an entire message body and be transmitted over AMQP, UDP, carrier pigeon..
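
    Added example, not from the deck: the CONNECT packet described on this slide, built and parsed in Go. The client side puts the token in the MQTT 3.1.1 User Name field with the user name flag set and no password; the broker side walks the packet and pulls the user name back out so it can be handed to a JWT verifier instead of a password check. The client id and keep-alive are made up for the example, and the sample token is the one from slide 5 joined with dots.

```go
package main

import (
	"errors"
	"fmt"
)

// mqttString encodes an MQTT UTF-8 string field: 2-byte big-endian length + bytes.
func mqttString(s string) []byte {
	return append([]byte{byte(len(s) >> 8), byte(len(s))}, s...)
}

// remainingLength is MQTT's variable-byte integer: 7 bits per byte, high bit
// set when another byte follows. A JWT pushes a CONNECT well past 127 bytes.
func remainingLength(n int) []byte {
	var out []byte
	for {
		b := byte(n % 128)
		n /= 128
		if n > 0 { b |= 0x80 }
		out = append(out, b)
		if n == 0 { return out }
	}
}

// ConnectWithJWT builds an MQTT 3.1.1 CONNECT packet carrying the token in the
// User Name field (user name flag set, no password, clean session).
func ConnectWithJWT(clientID, token string, keepAlive uint16) ([]byte, error) {
	if len(token) > 0xFFFF { return nil, errors.New("token does not fit an MQTT string") }
	body := mqttString("MQTT")                     // protocol name
	body = append(body, 0x04)                      // protocol level 4 = MQTT 3.1.1
	body = append(body, 0x80|0x02)                 // connect flags: user name present, clean session
	body = append(body, byte(keepAlive>>8), byte(keepAlive))
	body = append(body, mqttString(clientID)...)   // payload starts with the client id
	body = append(body, mqttString(token)...)      // the JWT goes where a username would
	pkt := append([]byte{0x10}, remainingLength(len(body))...) // 0x10 = CONNECT, flags 0
	return append(pkt, body...), nil
}

// readString pulls one length-prefixed string out of buf at offset off.
func readString(buf []byte, off int) (string, int, error) {
	if off+2 > len(buf) { return "", 0, errors.New("short packet") }
	n := int(buf[off])<<8 | int(buf[off+1])
	off += 2
	if off+n > len(buf) { return "", 0, errors.New("short packet") }
	return string(buf[off : off+n]), off + n, nil
}

// TokenFromConnect is the broker side: validate the framing, skip the fields
// before the user name (including an optional will), and return the token.
func TokenFromConnect(pkt []byte) (string, error) {
	if len(pkt) < 2 || pkt[0] != 0x10 { return "", errors.New("not a CONNECT packet") }
	off, n, mult := 1, 0, 1
	for { // decode the remaining length
		if off >= len(pkt) { return "", errors.New("short packet") }
		b := pkt[off]
		n += int(b&0x7F) * mult
		mult *= 128
		off++
		if b&0x80 == 0 { break }
	}
	if off+n != len(pkt) { return "", fmt.Errorf("remaining length %d does not match packet", n) }
	proto, off, err := readString(pkt, off)
	if err != nil { return "", err }
	if off+4 > len(pkt) { return "", errors.New("short packet") }
	if proto != "MQTT" || pkt[off] != 0x04 { return "", errors.New("unsupported protocol") }
	flags := pkt[off+1]
	off += 4 // protocol level, connect flags, 2-byte keep alive
	if _, off, err = readString(pkt, off); err != nil { return "", err } // client id
	if flags&0x04 != 0 { // will flag: will topic and will message precede the user name
		for i := 0; i < 2; i++ {
			if _, off, err = readString(pkt, off); err != nil { return "", err }
		}
	}
	if flags&0x80 == 0 { return "", errors.New("no user name in CONNECT") }
	user, _, err := readString(pkt, off)
	return user, err
}

func main() {
	token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiTWFyayBXb2xmZSIsImVtYWlsIjoibWFya0B3b2xmZS5pZC5hdSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJ1c2VyX2lkIjoiMTIzLTEyMy0xMjMifQ.z_pa9VMxUrtLdB-YT940iUW4Ea9c0Wp-D5Ju27g9zCs"
	pkt, err := ConnectWithJWT("video-svc", token, 60) // client id and keep-alive are assumed
	if err != nil { panic(err) }
	fmt.Printf("CONNECT is %d bytes, fixed header % x\n", len(pkt), pkt[:3])
	got, err := TokenFromConnect(pkt)
	fmt.Println("broker sees user name == token:", got == token, err)
}
```

    Because the token sits in an ordinary string field, an existing broker can accept it without protocol changes; what changes is the authentication plugin, which verifies the JWT (expiry included) instead of comparing a password, which is what makes the short-lived rotating "logins" on this slide possible.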

  19. Questions
    [email protected]
    @wolfeidau on Twitter
    https://github.com/wolfeidau
    http://www.wolfe.id.au
    Versent is Hiring! http://www.versent.com.au
    Level3 @level3space http://level3.space/

  20. References
    https://jwt.io/ lots of good information about the standard and implementations
    http://s2sauth.bitbucket.org/spec/ Atlassian's service-to-service authentication spec
    https://tools.ietf.org/html/rfc7519 RFC 7519, JSON Web Token (JWT)
    https://tools.ietf.org/html/rfc7515 RFC 7515, JSON Web Signature (JWS)