
OAuth and OpenID Connect for Microservices

Nordic APIs Platform Summit 2014.
Presenter: Jacob Ideskog



  1. OAuth and OpenID Connect for Microservices: a homogenous solution for a heterogeneous problem. Jacob Ideskog, Identity Specialist at Twobo Technologies. Copyright © 2014 Twobo Technologies AB. All rights reserved.
  2. A Traditional Service
  3. With Traditional Subsystems: Component A, Component B, Component C, Component D
  4. … and traditional scalability
  5. But this is not always how we build systems
  6. A microservice
  7. Many microservices
  8. Scaling microservices
  9. So what's the problem?
  10. Securing a traditional service
  11. Securing a traditional service: User repository
  12. So for microservices that would mean: User repository
  13. Not fantastic!
  14. Let's talk about OAuth. It's not for Authentication, and not for Authorization. OAuth is a scalable delegation protocol.
  15. OAuth has 4 actors: Resource Owner (RO), Authorization Server (AS), Client, Resource Server (RS)
  16. The client requests access
  17. The AS requires the RO to authenticate
  18. The AS issues the tokens
  19. The Client presents the token to the RS
  20. The RS validates the token
  21. Access!
  22. One very important thing: the Client knows nothing about the user
  23. OpenID Connect (simplified)
  24. Request Access. Diagram actors for slides 24 to 29: Resource Owner (RO), Client (MyMail.com), Authorization Server (AS) with Sessions, Resource Server (RS)
  25. Get redirected to AS
  26. Challenged
  27. Now an ID Token is also given
  28. Sessions can be created (SSO)
  29. Tada!
  30. What was interesting there?
  31. TRUST
  32. The ID Token is a JWT (JSON Web Token)
  33. A signed JSON document. Header:

          {
            "iss": "https://fs.oidc.net",
            "x5t": "5F0A1359B4BB9FBB104155908DEC1FDCB5AC8865",
            "typ": "JWT",
            "alg": "RS256"
          }

      Payload:

          {
            "sub": "janedoe",
            "name": "Jane Doe",
            "email": "jane@doe.com",
            "phone_number": "+46 (0) 12345678",
            "aud": "https://mymail.com",
            "iss": "https://fs.oidc.net",
            "nbf": 1409213888783,
            "jti": "622a9973-fc4d-4797-be31-7c2116f549df",
            "exp": 1409213890583,
            "iat": 1409213888783
          }

      Certificate signature:

          orQOOKvXN3jbEpBSl0RHAyaQNxcx9DFgtMsJJgMxm9Az6QJMKKy6m0WvP1UzXZA_nsK16g9etg2yEW9IXbQU0RbSQktUtObRB9SxHtW_AcCk693XDAz15Y4aP9DeD62nROzd1MS4FZTmY3Cgzo1-3-sqW6_4Rgzs94aLO3aLP_zoVtJycCUKtJQhGhPTyjXXYWMsp0E4uTtL8Rif7cWu4olme_XNFlAs73pOrfzsQYc1GD2dB70l1M8SDaJZFURr9jAAaavX7Xqs_FPXY1PZLXLbc3ARXFmRf_-Z4B6uLCGI2shzl12ni54Yun6dflL9rQwaxXYuNZZodUWchID2cA

  34. OAuth Access Tokens can also be JWTs
  35. 2 types of tokens: By Reference (123XYZ) and By Value (Jane Doe)
  36. By Reference (123XYZ): contains NO information outside the network
  37. By Value (Jane Doe): contains ALL necessary information
  38. External vs. Internal: By Reference (123XYZ) outside the network, By Value inside the network, with an API Firewall / Reverse Proxy between the outside and the API
  39. Token Translation: the API Firewall / Reverse Proxy exchanges the By Reference token (123XYZ) arriving from outside the network for the By Value token used inside the network, in front of the API
  40. Back to Microservices
  41. 2 Problems: identifying the user, and creating sessions
  42. Leave authentication to the OAuth/OIDC server: Resource Owner (RO), Authorization Server (AS)
  43. Let all Microservices accept JWTs
  44. BUT… Translate!
  45. Let all Microservices accept JWTs: the Reverse Proxy translates the reference token 123XYZ
  46. Conclusion: everything is self contained, standards based, non-repudiable, scalable
  47. Thank you!
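The token model of slides 33 to 45, as an added Go example (not code from the talk or from Twobo Technologies): the AS mints an RS256-signed JWT, the reverse proxy swaps the opaque by-reference token seen outside the network for that by-value JWT, and each microservice validates the JWT on its own with nothing but the AS public key. Assumptions: a key pair generated at startup stands in for the AS certificate, a plain map stands in for the AS token store the proxy would consult, the function names Mint, Verify and Translate are mine, and the issuer https://fs.oidc.net, audience https://mymail.com and reference token 123XYZ are the slides' values. The nbf/exp claims are NumericDate seconds as RFC 7519 requires, so a validator must not expect the millisecond-sized values printed on slide 33.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the token payload every microservice checks (seconds, per RFC 7519).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

type header struct {
	Alg string `json:"alg"`
}

var b64 = base64.RawURLEncoding

func decodePart(part string, v interface{}) error {
	b, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// Mint is the AS side: header.payload signed with RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	signingInput := enc(header{Alg: "RS256"}) + "." + enc(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the microservice side: trust only the AS public key; check alg, signature, iss, aud, nbf, exp.
func Verify(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (Claims, error) {
	h, c := header{}, Claims{}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	if err := decodePart(parts[0], &h); err != nil {
		return c, err
	}
	if h.Alg != "RS256" { // pin the algorithm; never let the token choose it
		return c, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature")
	}
	if err := decodePart(parts[1], &c); err != nil { // claims are read only after the signature holds
		return c, err
	}
	switch t := now.Unix(); {
	case c.Iss != wantIss:
		return c, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != wantAud:
		return c, fmt.Errorf("wrong audience %q", c.Aud)
	case t < c.Nbf:
		return c, fmt.Errorf("token not yet valid")
	case t >= c.Exp:
		return c, fmt.Errorf("token expired")
	}
	return c, nil
}

// Translate is the reverse-proxy side: the opaque by-reference token becomes the by-value JWT (store is a constructed stand-in).
func Translate(store map[string]string, ref string) (string, bool) {
	jwt, ok := store[ref]
	return jwt, ok
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical AS key pair
	jwt, _ := Mint(key, Claims{Iss: "https://fs.oidc.net", Sub: "janedoe", Aud: "https://mymail.com", Nbf: time.Now().Unix(), Exp: time.Now().Unix() + 300})
	inner, _ := Translate(map[string]string{"123XYZ": jwt}, "123XYZ") // "123XYZ" is the slide's reference token
	c, err := Verify(&key.PublicKey, inner, "https://fs.oidc.net", "https://mymail.com", time.Now())
	fmt.Println(c.Sub, err)
}
```

Each service needs only the AS public key, so it can validate without a call to the AS or a shared user repository, which is the point of slide 43. The proxy must drop requests whose reference token it cannot translate rather than forwarding the opaque value inward, and the alg pin plus signature-before-claims order in Verify are the two checks most often missing from hand-rolled validators.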
