
Using JWT to Authenticate Microservices


Talk I gave at API Days 2016 in Melbourne


Mark Wolfe

March 02, 2016

Transcript

  1. Using JWT to Authenticate Microservices

  2. Who? Mark Wolfe, DevOps Engineer at Versent. Versent is hiring.

  3. What is a JWT? JSON Web Token
     - Header: metadata for the JWT
     - Claims: the information encoded in the JWT
       - a dictionary of standard fields
       - you are encouraged to add new fields
     - JSON Web Signature (JWS)
  4. What's inside a JWT?
     Header:
       { "alg": "HS256", "typ": "JWT" }
     Payload:
       { "name": "Mark Wolfe", "email": "mark@wolfe.id.au", "sub": "1234567890", "user_id": "123-123-123" }
  5. After Encoding
     Header:    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
     Payload:   eyJuYW1lIjoiTWFyayBXb2xmZSIsImVtYWlsIjoibWFya0B3b2xmZS5pZC5hdSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJ1c2VyX2lkIjoiMTIzLTEyMy0xMjMifQ
     Signature: z_pa9VMxUrtLdB-YT940iUW4Ea9c0Wp-D5Ju27g9zCs
     (each part is base64url encoded; the three parts joined with "." form the token)
  6. Warning!

  7. (slide has no text)
  8. Claims?
     - iss, issuer
     - sub, subject
     - aud, audience
     - exp, expiration time, which is a Unix timestamp!
     - nbf, not before, another Unix timestamp
     - iat, issued at, no points for guessing what format this is..
     - jti, JWT ID, which can be used to protect against replay attacks
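The checks a resource server would run on those claims, as an added Go example that is not part of the deck: exp, nbf and iat are compared against the current Unix time with a small clock-skew allowance, aud is matched against the service's own name, and jti is kept in a cache so a replayed token is rejected. The Leeway value, the error names, the requirement that exp and jti be present, and the in-memory ReplayCache are this example's own choices, not from the deck or the s2s spec.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Claims holds the registered claims listed on slide 8 (RFC 7519 section 4.1)
// plus the deck's user_id field. exp, nbf and iat are NumericDate values, i.e.
// seconds since the Unix epoch, hence int64. aud is treated as a single string
// here; the RFC also allows an array of audiences.
type Claims struct {
	Iss    string `json:"iss"`
	Sub    string `json:"sub"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Nbf    int64  `json:"nbf"`
	Iat    int64  `json:"iat"`
	Jti    string `json:"jti"`
	UserID string `json:"user_id"`
}

// Leeway is the clock skew (seconds) tolerated between the issuing and the
// verifying service. A policy choice for this example, not from the deck.
const Leeway = 30

var (
	ErrExpired  = errors.New("token expired (exp)")
	ErrNotYet   = errors.New("token not yet valid (nbf)")
	ErrFuture   = errors.New("token issued in the future (iat)")
	ErrAudience = errors.New("token not meant for this audience (aud)")
	ErrNoJti    = errors.New("token has no jti")
	ErrReplay   = errors.New("jti already seen: possible replay")
)

// ReplayCache remembers each jti until the token carrying it has expired.
// Keeping exp next to the id bounds the cache: once a token is past exp it is
// rejected by ValidateClaims anyway, so its jti can safely be forgotten.
type ReplayCache struct {
	mu   sync.Mutex
	seen map[string]int64 // jti -> exp
}

func NewReplayCache() *ReplayCache { return &ReplayCache{seen: map[string]int64{}} }

// Remember records jti and reports whether it was new. Expired entries are
// evicted on each call; a real deployment would use a shared TTL store so that
// every instance of the service sees the same set of used ids.
func (c *ReplayCache) Remember(jti string, exp, now int64) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	for id, e := range c.seen {
		if e+Leeway < now {
			delete(c.seen, id)
		}
	}
	if _, dup := c.seen[jti]; dup {
		return false
	}
	c.seen[jti] = exp
	return true
}

// ValidateClaims checks the time-based claims against now, the audience and
// jti replay. exp and jti are required: a token without exp would pin its jti
// in the cache forever, and without jti there is nothing to detect replay with.
func ValidateClaims(c Claims, audience string, now int64, cache *ReplayCache) error {
	if c.Exp == 0 || now > c.Exp+Leeway {
		return ErrExpired
	}
	if c.Nbf != 0 && now+Leeway < c.Nbf {
		return ErrNotYet
	}
	if c.Iat != 0 && c.Iat > now+Leeway {
		return ErrFuture
	}
	if c.Aud != audience {
		return ErrAudience
	}
	if c.Jti == "" {
		return ErrNoJti
	}
	if !cache.Remember(c.Jti, c.Exp, now) {
		return ErrReplay
	}
	return nil
}

func main() {
	now := time.Now().Unix()
	cache := NewReplayCache()
	// Constructed claims: the video service calling timeseries for user 123-123-123.
	c := Claims{Iss: "video", Sub: "1234567890", Aud: "timeseries", Iat: now, Nbf: now, Exp: now + 60, Jti: "req-0001", UserID: "123-123-123"}
	fmt.Println("first use:", ValidateClaims(c, "timeseries", now, cache))
	fmt.Println("replayed: ", ValidateClaims(c, "timeseries", now, cache))
	fmt.Println("an hour later:", ValidateClaims(c, "timeseries", now+3600, cache))
}
```

The first call succeeds, the second is rejected with ErrReplay, and the third with ErrExpired; the `now` parameter is passed in explicitly so the same code can be exercised against fixed timestamps.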
  9. Algorithms?
     - HS256, HMAC using SHA-256
     - RS256, RSASSA-PKCS1-v1_5 (RSA PKCS#1) signature using SHA-256
     - ES256, ECDSA with the P-256 curve and SHA-256
  10. Security?
     - JWTs are NOT encrypted, they are signed (the JWS tokens this deck uses; encrypted tokens need JWE, which is not covered here)
     - Base64 is not encryption, it is an encoding
     - Just because we can't read something doesn't mean it is secure
     - A JWT can hold some juicy tidbits of information: email addresses, names etc.
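The encoding on slide 5 and the point made on slide 10, as an added Go example that is not code from the deck or from Versent: it rebuilds the exact payload segment printed on slide 5 from the JSON on slide 4, signs it with HS256 under a constructed secret (the deck never gives the key behind the slide's own signature, so that value is not reproduced), reads the claims straight back out of the payload segment with no key at all, and verifies with a constant-time compare while refusing any algorithm other than the one the verifier expects. Payload, DemoKey, SignHS256, DecodePayload and VerifyHS256 are this example's own names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Payload mirrors the payload JSON on slide 4. encoding/json writes struct fields
// in declaration order, so it marshals to exactly the bytes behind PayloadSeg.
type Payload struct {
	Name   string `json:"name"`
	Email  string `json:"email"`
	Sub    string `json:"sub"`
	UserID string `json:"user_id"`
}

// The header and payload segments from slide 5, line wrapping removed.
const (
	HeaderSeg  = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
	PayloadSeg = "eyJuYW1lIjoiTWFyayBXb2xmZSIsImVtYWlsIjoibWFya0B3b2xmZS5pZC5hdSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJ1c2VyX2lkIjoiMTIzLTEyMy0xMjMifQ"
)

// DemoKey is a constructed HMAC secret for this example; the deck does not
// disclose the key behind slide 5's signature, so that value cannot be reproduced.
var DemoKey = []byte("constructed-demo-secret-not-for-production")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignHS256 builds base64url(header).base64url(payload).base64url(HMAC-SHA256(key, first two)).
func SignHS256(p Payload, key []byte) (string, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return signingInput + "." + b64(hs256(key, signingInput)), nil
}

// DecodePayload reads the claims out of the middle segment with no key at all.
// Base64url is an encoding, not encryption: anyone holding the token can do
// this, so names, emails and other "juicy tidbits" in a JWT are never secret.
func DecodePayload(segment string) (Payload, error) {
	var p Payload
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return p, err
	}
	err = json.Unmarshal(raw, &p)
	return p, err
}

// VerifyHS256 checks the signature before trusting anything in the payload.
// The algorithm is pinned: a header that says "none" or any other alg is
// rejected rather than letting the token choose how it is verified.
func VerifyHS256(token string, key []byte) (Payload, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Payload{}, errors.New("malformed token: expected three segments")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Payload{}, err
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hb, &h); err != nil {
		return Payload{}, err
	}
	if h.Alg != "HS256" {
		return Payload{}, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Payload{}, err
	}
	// hmac.Equal compares in constant time, so a forger learns nothing from timing.
	if !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return Payload{}, errors.New("signature mismatch")
	}
	return DecodePayload(parts[1])
}

func main() {
	token, _ := SignHS256(Payload{Name: "Mark Wolfe", Email: "mark@wolfe.id.au", Sub: "1234567890", UserID: "123-123-123"}, DemoKey)
	fmt.Println(token) // first two segments equal slide 5's; the signature differs because the key does
	p, _ := DecodePayload(PayloadSeg)
	fmt.Printf("read from slide 5 with no key: %+v\n", p)
}
```

Swapping the payload segment for one naming another user, or rewriting the header to `"alg":"none"` with an empty signature, both fail VerifyHS256; only the signature, not the encoding, stops that.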
  11. Using JWT for Microservices?

  12. (slide has no text)
  13. Very Brief Overview of Spec
     - Uses RS256
     - Public keys available to resource servers via a key repository (an S3 bucket)
     - Private key held by the client
     - The client can sign JWTs and attach them to requests to resource server(s)
     - Resource server(s) can verify the JWT and check which service sent the request
     - Uses the various claim fields mentioned earlier
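The flow in that overview, as an added Go example that is not the deck's, Versent's or Atlassian's code and does not reproduce the s2s spec's exact claim set: the calling service signs with RS256 under its private key; the resource server looks the issuer's public key up in a map standing in for the S3 key repository, pins the algorithm before choosing any key (so a token cannot ask to be checked with "none", or as an HMAC keyed with the public key), verifies the signature, and only then checks audience and expiry. The jti and user_id carried in the token are the pass-through fields the deck describes. ServiceClaims, KeyRepository, the "video" and "timeseries" service names and the key pair generated in main are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// ServiceClaims is the body of a service-to-service token: iss names the calling
// service (and selects its public key), aud the target; jti and user_id are copied
// from the original request so every hop can log and filter on them.
type ServiceClaims struct {
	Iss    string `json:"iss"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Jti    string `json:"jti"`
	UserID string `json:"user_id"`
}

// KeyRepository stands in for the S3 bucket of public keys, keyed by issuer; resource servers only read it.
type KeyRepository map[string]*rsa.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeJSON(segment string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 is the calling service's side: RSASSA-PKCS1-v1_5 with SHA-256 over base64url(header).base64url(payload).
func SignRS256(c ServiceClaims, priv *rsa.PrivateKey) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyRS256 is the resource server's side. The algorithm is pinned before any key
// is chosen, so a token cannot downgrade itself to "none" or ask to be checked as an
// HMAC under the issuer's public key. iss is read unverified only to pick the key.
func VerifyRS256(token, audience string, repo KeyRepository, now int64) (ServiceClaims, error) {
	var c ServiceClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token: expected three segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "RS256" {
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	if err := decodeJSON(parts[1], &c); err != nil {
		return ServiceClaims{}, err
	}
	pub, ok := repo[c.Iss]
	if !ok {
		return ServiceClaims{}, fmt.Errorf("unknown issuer %q", c.Iss)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return ServiceClaims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return ServiceClaims{}, fmt.Errorf("signature mismatch")
	}
	if c.Aud != audience {
		return ServiceClaims{}, fmt.Errorf("token for %q, not %q", c.Aud, audience)
	}
	if now > c.Exp {
		return ServiceClaims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

func main() {
	videoKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair for the video service
	repo := KeyRepository{"video": &videoKey.PublicKey}
	now := time.Now().Unix()
	token, _ := SignRS256(ServiceClaims{Iss: "video", Aud: "timeseries", Exp: now + 60, Jti: "req-0001", UserID: "123-123-123"}, videoKey)
	got, err := VerifyRS256(token, "timeseries", repo, now)
	fmt.Printf("accepted call from %q for user %s (jti %s): err=%v\n", got.Iss, got.UserID, got.Jti, err)
}
```

A token that names an issuer the repository does not know, or that is signed with some other key while claiming iss "video", fails at the key lookup or the signature check respectively; nothing past that point runs on untrusted claims.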
  14. Typical OAuth2 Service
     (diagram: an Identity Server and a Resource Server; the client sends its credentials to the Identity Server to log in and presents the returned Bearer Token to the Resource Server)
  15. OAuth + Microservices + JWT
     (diagram, Region: ap-southeast-2: Identity Server and Resource Server as on slide 14, with "Credentials to Login" and "Bearer Token"; the Resource Server then calls the Timeseries Microservice and the Video Microservice, each call carrying a JWT whose payload is the same set of user claims)
       { "name": "Mark Wolfe", "email": "mark@wolfe.id.au", "sub": "1234567890", "user_id": "123-123-123" }
  16. In Review
     - Trust: every resource server has its own key pair
     - Traceable: the JWT ID (jti) can be logged and passed down through layers for end-to-end auditing
     - Example: the user_id claim is also passed down through layers to identify the owner of the original request, and used as a filter where necessary
     - Keep it simple
  17. In Review Continued..
     - Review solutions with your peers; meetups are a great place to do this
     - Open specifications
     - Don't bet the bank on this: start small, iterate and LEARN
     - Keep it simple
  18. Only HTTP?
     - Can be used with MQTT: the JWT is used in place of the username in the CONNECT packet
     - Enables rotating "logins" with a shorter time to live
     - Can also be used to sign an entire message and be transmitted over AMQP, UDP, carrier pigeon..
  19. Questions
     mark@wolfe.id.au
     @wolfeidau on Twitter
     https://github.com/wolfeidau
     http://www.wolfe.id.au
     Versent is Hiring! http://www.versent.com.au
     Level3 @level3space http://level3.space/
  20. References
     - https://jwt.io/ , lots of good information about the standard and implementations
     - http://s2sauth.bitbucket.org/spec/ , the service-to-service authentication spec by Atlassian
     - https://tools.ietf.org/html/rfc7519 , RFC for JWT
     - https://tools.ietf.org/html/rfc7515 , RFC for JWS