Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authentication & Authorization for Microservice...

Niko Köbler
November 27, 2017

Authentication & Authorization for Microservices and Web APIs

Niko Köbler

November 27, 2017
Tweet

More Decks by Niko Köbler

Other Decks in Programming

Transcript

  1. ABOUT ME ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de ▸ Doing stuff

    with & without computers, writing Software, ~ 20 yrs ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA) ▸ Speaker at international Tech Conferences ▸ Author of „Serverless Computing in AWS Cloud“ (german)
 serverlessbuch.de ▸ Twitter: @dasniko
  2. DISTRIBUTED APIS ONE CENTRALIZED APPROACH FOR DISTRIBUTED SYSTEMS WHEN IT

    COMES TO AUTH*? YES, IT’S CALLED SINGLE SIGN ON!
  3. SAML - SECURITY ASSERTION MARKUP LANGUAGE <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05"> <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"> 3f7b3dcf-1674-4ecd-92c8-1544f346baf8 </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData InResponseTo="aaf23196-1773-2113-474a-fe114412ab72" Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05"/> </saml:SubjectConfirmation> </saml:Subject> ... </saml:Assertion>
  4. OAUTH2 AUTHORIZATION, NOT AUTHENTICATION! The OAuth 2.0 authorization framework enables

    a 3rd-party application to obtain limited access to an HTTP service. IETF, RFC 6749, 2012
  5. OAUTH2 GRANT TYPES GRANT TYPE APPS Authorization Code Web, Apps

    Implicit JavaScript, etc. Resource Owner Password Credentials Apps Client Credentials Web Refresh Token Web, Apps
  6. OPEN ID CONNECT NOT OPEN ID! AUTHENTICATION LAYER ON TOP

    OF OAUTH 2.0 ‣ verify the identity of an end-user ‣ obtain basic profile information about the user ‣ RESTful HTTP API, using JSON as data format ‣ allows clients of all types (web-based, mobile, JavaScript) OPENID FOUNDATION, 2014
  7. OIDC { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "identity_token": "???",

    "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0" } OPENID CONNECT ADDS THE IDENTITY TOKEN
  8. JWT PAYLOAD { "sub": "1234567890", "iss": "https://sso.myapi.com", "aud": "myApi", "exp":

    1479814753, "name": "John Doe", "admin": true } RESERVED CLAIMS: sub, iss, aud, exp
  9. ACCESS TOKEN { "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "token_type": "Bearer", "expires_in": 3600, "identity_token":

    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." }
  10. TOKENS ‣ Base for access on secured resources. ‣ A

    token is signed and contains all necessary information about the user and its roles. ‣ Kinds: Identity-, Refresh-, (Offline-) & Accesstokens ‣ Send in Bearer format:
 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... ‣ Have a TTL! ‣ Must be revocable!
  11. WHAT DOES JAVA OFFER? ‣ Java EE / Jakarta EE:

    Java Security API (JSR-375) ‣ Spring Security 5: OAuth became First Class Citizen ‣ Apache Shiro: no OAuth2/OIDC/JWT ‣ Apache Oltu: OAuth2/OIDC/JWT, but who knows? ‣ and many more…
  12. WHAT DOES THE ECOSYSTEM OFFER? ‣ Auth0 ‣ AWS Cognito

    ‣ Stormpath ‣ and many more… ‣ BUT: you have to outsource your users personal data (and passwords)!
  13. Open Source Identity and Access Management for Modern Applications and

    Services MIGHT(!) BE A GOOD FIT keycloak.org
  14. THANK YOU. ANY QUESTIONS? Niko Köbler | www.n-k.de | [email protected]

    | @dasniko AUTH* FOR MICROSERVICES & WEB APIS