Using JWT to Authenticate Microservices

Transcript

1. Using JWT to Authenticate Microservices

2. Who? Mark Wolfe Devops Engineer at Versent Versent is Hiring

3. What is a JWT? JSON Web Token Header, metadata for

   the JWT Claims, the information encode in the JWT A dictionary of standard fields Encouraged to add new fields JSON Web Signature (JWS)

4. What inside a JWT? { "alg": "HS256", "typ": "JWT" }

   { "name": "Mark Wolfe", "email": "[email protected]", "sub": "1234567890", "user_id": "123-123-123" } Header Payload

5. After Encoding eyJhbGciOiJIUzI1NiIsInR5cCI6Ik pXVCJ9 eyJuYW1lIjoiTWFyayBXb2xmZSIsIm VtYWlsIjoibWFya0B3b2xmZS5pZC5h dSIsInN1YiI6IjEyMzQ1Njc4OTAiLC J1c2VyX2lkIjoiMTIzLTEyMy0xMjMi fQ Header

   Payload Signature z_pa9VMxUrtLdB- YT940iUW4Ea9c0Wp-D5Ju27g9zCs

6. Warning!

7. None

8. Claims? iss, issuer sub, subject aud, audience exp, expiry which

   is a unix timestamp! nbf, not before, another unix timestamp iat, issued at, no points for guessing what format this is.. jti, JWT ID which can be used to protect against replay attacks

9. Algorithms? HS256, uses HMAC 256 RS256, uses RSA PKCS#1 signature

   and SHA-256 ES256, ECDSA with the P-256 curve and SHA-256

10. Security? JWTs are NOT encrypted, they are Signed Base64 is

    not an encryption, it is an encoding Just because we can’t read something doesn’t mean it is secure JWT can hold some juicy tidbits of information, email addresses, names ect

11. Using JWT for Microservices?

12. None

13. Very Brief Overview of Spec Uses RS256 Public Keys available

    to resource servers using a key repository (S3 Bucket) Private Key held by a client Client can sign JWTs and attach these to requests to resource server(s) Resource server(s) can verify the JWT and check which Service sent the request Uses various claim fields as mentioned earlier

14. Typical OAuth2 Service Resource Server Identity Server Bearer Token Creds

    to Login

15. OAuth + Microservices + JWT Region: ap-southeast-2 Resource Server Identity

    Server Bearer Token Credentials to Login JWT JWT Timeseries Microservice Video Microservice { "name": "Mark Wolfe", "email": "[email protected]", "sub": "1234567890", "user_id": "123-123-123" } { "name": "Mark Wolfe", "email": "[email protected]", "sub": "1234567890", "user_id": "123-123-123" }

16. In Review Trust, every resource server has its own key

    pair Traceable, JWT ID (jti) can be logged and passed down through layers for end to end auditing Example user_id claim is also passed down through layers to identify the owner of the original request and used as a filter where necessary Keep it simple

17. In Review Continued.. Review solutions with your peers Meetups are

    a great place to do this Open Specifications Don’t bet the bank on this, start small, iterate and LEARN Keep it simple

18. Only HTTP? Can be used with MQTT Used in place

    of a username in the Connect Request Packet Enables rotating “logins” with shorted time to live Can also be used to sign entire content message and be transmitted over AMQP, UDP, carrier pigeon..

19. Questions [email protected] @wolfeidau on Twitter https://github.com/wolfeidau http://www.wolfe.id.au Versent is Hiring!

    http://www.versent.com.au Level3 @level3space http://level3.space/

20. References https://jwt.io/ lots of good information about the standard and

    implementations http://s2sauth.bitbucket.org/spec/ by Atlassian https://tools.ietf.org/html/rfc7519 RFC for JWT https://tools.ietf.org/html/rfc7515 RFC for JWS