
Using JWT to Authenticate Microservices

Talk I gave at API Days 2016 in Melbourne

Mark Wolfe

March 02, 2016


  1. What is a JWT?
     JSON Web Token
     Header, metadata for the JWT
     Claims, the information encoded in the JWT
     A dictionary of standard fields; encouraged to add new fields
     JSON Web Signature (JWS)
  2. What's inside a JWT?
     Header: { "alg": "HS256", "typ": "JWT" }
     Payload: { "name": "Mark Wolfe", "email": "[email protected]", "sub": "1234567890", "user_id": "123-123-123" }
  3. Claims?
     iss, issuer
     sub, subject
     aud, audience
     exp, expiry, which is a unix timestamp!
     nbf, not before, another unix timestamp
     iat, issued at, no points for guessing what format this is..
     jti, JWT ID, which can be used to protect against replay attacks
  4. Algorithms?
     HS256, uses HMAC-SHA256
     RS256, uses RSA PKCS#1 signature and SHA-256
     ES256, ECDSA with the P-256 curve and SHA-256
  5. Security?
     JWTs are NOT encrypted, they are signed
     Base64 is not an encryption, it is an encoding
     Just because we can't read something doesn't mean it is secure
     JWTs can hold some juicy tidbits of information: email addresses, names etc.
  6. Very Brief Overview of Spec
     Uses RS256
     Public keys available to resource servers using a key repository (S3 bucket)
     Private key held by a client
     Client can sign JWTs and attach these to requests to resource server(s)
     Resource server(s) can verify the JWT and check which service sent the request
     Uses various claim fields as mentioned earlier
  7. OAuth + Microservices + JWT
     (architecture diagram; labels: Region: ap-southeast-2, Resource Server, Identity Server, Bearer Token, Credentials to Login, JWT, Timeseries Microservice, Video Microservice)
     JWT payload shown in the diagram: { "name": "Mark Wolfe", "email": "[email protected]", "sub": "1234567890", "user_id": "123-123-123" }
  8. In Review
     Trust, every resource server has its own key pair
     Traceable, JWT ID (jti) can be logged and passed down through layers for end to end auditing
     Example: the user_id claim is also passed down through layers to identify the owner of the original request and used as a filter where necessary
     Keep it simple
  9. In Review Continued..
     Review solutions with your peers
     Meetups are a great place to do this
     Open specifications
     Don't bet the bank on this, start small, iterate and LEARN
     Keep it simple
  10. Only HTTP?
      Can be used with MQTT
      Used in place of a username in the Connect request packet
      Enables rotating “logins” with a shorter time to live
      Can also be used to sign an entire content message and be transmitted over AMQP, UDP, carrier pigeon..
  11. References
      https://jwt.io/ lots of good information about the standard and implementations
      http://s2sauth.bitbucket.org/spec/ by Atlassian
      https://tools.ietf.org/html/rfc7519 RFC for JWT
      https://tools.ietf.org/html/rfc7515 RFC for JWS
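Added example (not from the talk or the Atlassian spec): a stdlib-only Python signer and verifier that ties slides 2 to 6 together. HS256 is used because the standard library has HMAC but no RSA; the RS256 flow of slide 6 has the same header.payload.signature layout, only the signing primitive differs (the client's private key signs, the public key from the key repository verifies). The key, service names and claim values below are constructed, and `peek_claims` makes slide 5's point concrete: the payload is readable with no key at all.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; real deployments use per-service keys from a key repository.
DEMO_KEY = b"constructed-demo-hmac-key"
DEMO_CLAIMS = {"iss": "video-service", "sub": "1234567890", "aud": "timeseries-service", "jti": "demo-jti-0001",
               "iat": 1456876800, "nbf": 1456876800, "exp": 1456880400, "user_id": "123-123-123"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """header.payload.signature, with HS256 = HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(o, separators=(",", ":")).encode())
                             for o in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def peek_claims(token: str) -> dict:
    """Read the payload with NO key: base64url is an encoding, not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes, audience: str, now: int) -> dict:
    """Signature first, then aud/exp/nbf (unix timestamps). ValueError on any failure."""
    h, p, s = token.split(".")  # a wrong segment count raises ValueError by itself
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; the header does not choose it
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims

def check_token(token: str, key: bytes, audience: str, now: int) -> str:
    try:
        verify_jwt(token, key, audience, now)
        return "ok"
    except ValueError as err:
        return str(err)
```

`check_token` returns "ok" or the reason a resource server should reject the request, which is what you would log alongside the jti for the end to end audit trail of slide 8.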