Identity within Microservices
Erick Belluci Tedeschi
@ericktedeschi
São Paulo, Oct 22 2016
Who?
• PHP Developer since 2003
• Application Security since 2007
• Biker
• Maker
• Help devs deliver Secure Applications
• Help business to keep clients' data secure
Agenda
• Microservice architecture Version 1
• About Tokens
• OAuth 2.0
• OpenID Connect
• Authorization Code Flow Example
• Microservice architecture NG!!!
Microservice Architecture V1
[Diagram: End-User → Bank API (Public) on the API Gateway → Account / Transfer / Receipt microservices; OAuth Server* alongside the gateway]
Bank API (Public), exposed by the API Gateway:
  GET  /my
  POST /transferto/{dst_account}
  GET  /receipts
OAuth Server*: /token, /authorize
Microservices behind the API Gateway:
  Account:  GET  /my/{user_id}
  Transfer: POST /transferto/{src_account}/{dst_account}
  Receipt:  GET  /receipts/{user_id}
Gateway-to-service authentication as drawn: Basic auth, Basic auth, No auth
Microservice Architecture V1
[Diagram: same as the previous slide]
• Poor logging (audit trail)
• Poor identification on microservices (X-User-Logged L)
• Authorization centralized on the API Gateway
• Microservices are more like CRUD APIs
• Microservices have "micro user repositories" or don't have authentication/authorization
• The API Gateway has more responsibility than necessary
Now, let's take a look at the Token
• A piece of stamped metal used as a substitute for money; a voucher that can be exchanged for goods or services (https://en.wiktionary.org/wiki/token)
• Token By Reference
  • An opaque string generated randomly
  • Ex.: 2YotnFZFEjr1zCsicMWpAA
• Token By Value
  • A JWT that contains claims about the context of the token
  • Ex.: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
JWT – JSON Web Token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
(three base64url parts separated by dots: header.payload.signature)

JWT Header
{
  "typ": "JWT",
  "alg": "HS256"
}

JWT Payload
{
  "iss": "https://my.service.com",
  "iat": 1435179603,
  "exp": 1435181421,
  "aud": "www.service.com",
  "sub": "johndoe@gmail.com",
  "Role": [
    "approver",
    "viewer"
  ]
}

JWT Signature
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  sharedsecret
)
The OAuth 2.0 Authorization Framework
OAuth 2.0 enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner...
OAuth 2.0 – Protocol or Framework?
• RFC 5849: The OAuth 1.0 Protocol
  https://tools.ietf.org/html/rfc5849
  Protocol … contract, pact, deal
• RFC 6749: The OAuth 2.0 Authorization Framework
  https://tools.ietf.org/html/rfc6749
  Framework … structure, skeleton, chassis
Warning: OAuth is not about authentication
What does an access_token look like? (by value - JWT)
// JWT Payload
{
"sub": "alice", // user id
"cid": "000123", // client id
"iss": "https://as.domain.com", // who issued
"aud": "https://rs.domain.com",
"exp": 1460345736, // expiration date
"scp": ["openid","email","profile"] // scopes
}
OpenID Connect
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.
What does an id_token look like? (by value - JWT)
{
"iss": "InstIdentRicardoGumbletonDaunt", // who issued
"sub": "4.444.444", // user identification
"aud": ["cops","bank"], // where it's used
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970, // 10 years
"iat": 1311280970,
"auth_time": 1311280969,
"amr": "sign+fingerprint" // auth-methods-ref
}
OpenID Connect Discovery 1.0
A complete Authorization Server
• /authorize
• /token
• /introspection (check access_token)
• /token_info (get more information about identity)
• /revocation
Let's see how to get both access_token and id_token using the Authorization Code Flow
[Sequence diagram: Resource Owner, Client, Authorization Server, Resource Server; the Client wants access on the Resource Owner's behalf]
Authorization request (Client → Authorization Server, through the Resource Owner's user agent):
GET /authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
[Sequence diagram, continued]
Authorization response (redirect back to the Client's redirect_uri):
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
[Sequence diagram, continued]
Token request (Client → Authorization Server, authenticated with the client credentials):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
[Sequence diagram, continued]
Token response (Authorization Server → Client):
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzE.xptoxptoxpto"
}
[Sequence diagram, continued: the Client calls the Resource Server with the access_token]
Introspection request (Resource Server → Authorization Server), https://tools.ietf.org/search/rfc7662 OAuth 2.0 Token Introspection:
POST /introspect HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

token=2YotnFZFEjr1zCsicMWpAA
[Sequence diagram, continued]
Introspection response (Authorization Server → Resource Server), https://tools.ietf.org/search/rfc7662 OAuth 2.0 Token Introspection:
HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "openid profile email",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}
Nice
Microservice Architecture NG!!!
[Diagram: Resource Owner → Bank API (Public) on the API Gateway → Account / Transfer / Receipt microservices, every hop passing through an OAuth Filter; the Authorization Server is consulted for introspection/validation]
Bank API (Public), exposed by the API Gateway:
  GET  /my
  POST /transferto/{dst_account}
  GET  /receipts
Authorization Server: /token, /authorize, /introspect, /revoke, /token_info
API Gateway: OAuth Filter
Microservices, each behind its own OAuth Filter:
  Account:  GET  /my, GET /pvt/{account}
  Transfer: POST /transferto/{dst_account}
  Receipt:  GET  /receipts
Token checks: Introspection/validation against the Authorization Server, or "offline introspection/validation" where the filter can verify the token itself
Microservice Architecture NG!!!
[Diagram: same as the previous slide]
• Audit Trail Improved
• Microservices can make decisions based on the end-user identity
• Fine-grained authorization across the services
• The whole environment has a central user identity repository (OAuth + OpenID Connect Server)
• API Gateway is clean/slim
Don't start from scratch
• OpenSource
  • Connect2ID http://connect2id.com/
  • Keycloak http://www.keycloak.org/
  • MitreID Connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
  • WSO2 Identity Server http://wso2.com/products/identity-server/
References and Links
• OAuth 2.0: https://tools.ietf.org/html/rfc6749
• OAuth 2.0 Bearer Token Usage: https://tools.ietf.org/html/rfc6750
• OpenID Connect Core: http://openid.net/specs/openid-connect-core-1_0.html
• OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
• JOSE (JSON Object Signing and Encryption)
  • JSON Web Signature (JWS): https://tools.ietf.org/html/rfc7515
  • JSON Web Encryption (JWE): https://tools.ietf.org/html/rfc7516
  • JSON Web Key (JWK): https://tools.ietf.org/html/rfc7517
  • JSON Web Algorithms (JWA): https://tools.ietf.org/html/rfc7518
  • JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519
• http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens
Thanks
https://www.linkedin.com/in/ericktedeschi
https://twitter.com/ericktedeschi
http://www.slideshare.net/erickt86
erick@oerick.com

Contenu connexe

Tendances

REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationErick Belluci Tedeschi
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Mediacurrent
 
Summary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoSummary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoRyo Ito
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityBruno Henrique Rother
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 

Tendances (19)

REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication
 
Summary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memoSummary of OAuth 2.0 draft 8 memo
Summary of OAuth 2.0 draft 8 memo
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring Security
 
Anex....,,,.
Anex....,,,.Anex....,,,.
Anex....,,,.
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 

Similaire à iMasters Intercon 2016 - Identity within Microservices

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect ProtocolClément OUDOT
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Scott Brady
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examplesnasza-klasa
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...HostedbyConfluent
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Authentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructuresAuthentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructuresCorley S.r.l.
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerVodqaBLR
 
Api security-eic-prabath
Api security-eic-prabathApi security-eic-prabath
Api security-eic-prabathWSO2
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationKAI CHU CHUNG
 

Similaire à iMasters Intercon 2016 - Identity within Microservices (20)

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
IdM and AC
IdM and ACIdM and AC
IdM and AC
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Authentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructuresAuthentication and authorization in res tful infrastructures
Authentication and authorization in res tful infrastructures
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Drive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteerDrive chrome(headless) with puppeteer
Drive chrome(headless) with puppeteer
 
Api security-eic-prabath
Api security-eic-prabathApi security-eic-prabath
Api security-eic-prabath
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 

Dernier

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Dernier (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

iMasters Intercon 2016 - Identity within Microservices

  • 1. Identity within Microservices
    Erick Belluci Tedeschi (@ericktedeschi), São Paulo, Oct 22 2016
  • 2. Who?
    • PHP Developer since 2003
    • Application Security since 2007
    • Biker
    • Maker
    • Help devs deliver secure applications
    • Help business keep client data secure
  • 3. Agenda
    • Microservice architecture Version 1
    • About Tokens
    • OAuth 2.0
    • OpenID Connect
    • Authorization Code Flow Example
    • Microservice architecture NG!!!
  • 4. Microservice Architecture V1 (diagram)
    End-User -> Bank API (Public) on the API Gateway: GET /my, POST /transferto/{dst_account}, GET /receipts
    OAuth Server*: /token, /authorize
    Microservices behind the gateway: Account (GET /my/{user_id}), Transfer (POST /transferto/{src_account}/{dst_account}), Receipt (GET /receipts/{user_id})
    Gateway-to-microservice auth labels: Basic auth, Basic auth, No auth
  • 5. Microservice Architecture V1 (same diagram as slide 4), problems:
    • Poor logging (audit trail)
    • Poor identification on microservices (X-User-Logged :( )
    • Authorization centralized on API Gateway
    • Microservices are more like CRUD APIs
    • Microservices have "micro user repositories" or don't have authentication/authorization
    • API Gateway has more responsibility than necessary
  • 6. Now, let's take a look at the: Token
    • A piece of stamped metal used as a substitute for money; a voucher that can be exchanged for goods or services (https://en.wiktionary.org/wiki/token)
    • Token By Reference
      • An opaque string generated randomly
      • Ex.: 2YotnFZFEjr1zCsicMWpAA
    • Token By Value
      • A JWT that contains claims about the context of the token
      • Ex.: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
  • 7. JWT - JSON Web Token
    The token from slide 6, split at its two dots into header, payload and signature:
    JWT Header:
        { "typ": "JWT", "alg": "HS256" }
    JWT Payload:
        {
          "iss": "https://my.service.com",
          "iat": 1435179603,
          "exp": 1435181421,
          "aud": "www.service.com",
          "sub": "johndoe@gmail.com",
          "Role": [ "approver", "viewer" ]
        }
    JWT Signature:
        HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), sharedsecret)
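The header/payload/signature construction above, as an added example written for this page (not code from the talk) using only Python's standard library: it re-encodes the slide's header and payload, which reproduces exactly the first two segments of the token shown, signs them with a constructed shared secret (the talk's secret is not on the slides, so the third segment differs), and verifies a token the way a microservice doing offline validation would: algorithm pinned, signature compared in constant time, then iss, aud and exp checked.

```python
import base64, hashlib, hmac, json

# Constructed secret: the deck never shows the shared secret behind its sample
# token, so the signature produced here differs from the one on the slide.
SHARED_SECRET = b"example-shared-secret-not-from-the-talk"

HEADER = {"typ": "JWT", "alg": "HS256"}
PAYLOAD = {  # the JWT payload exactly as shown on slide 7
    "iss": "https://my.service.com", "iat": 1435179603, "exp": 1435181421,
    "aud": "www.service.com", "sub": "johndoe@gmail.com",
    "Role": ["approver", "viewer"],
}

def b64url_encode(data):
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header, payload, secret):
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), sharedsecret)"""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret, issuer, audience, now):
    """Return the claims if signature, iss, aud and exp all hold; raise ValueError otherwise.
    This is the 'offline validation' a microservice can do without calling the server."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```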
  • 8. The OAuth 2.0 Authorization Framework
    The OAuth 2.0 enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner...
  • 9. OAuth 2.0 - Protocol or Framework?
    • RFC 5849: The OAuth 1.0 Protocol (https://tools.ietf.org/html/rfc5849) ... contract, pact, deal
    • RFC 6749: The OAuth 2.0 Authorization Framework (https://tools.ietf.org/html/rfc6749) ... structure, skeleton, chassis
  • 10. Warning: OAuth is not about authentication
  • 11. Warning: OAuth is not about authentication
  • 12. What does an access_token look like? (by value - JWT)
        // JWT Payload
        {
          "sub": "alice",                      // user id
          "cid": "000123",                     // client id
          "iss": "https://as.domain.com",      // who issued
          "aud": "https://rs.domain.com",
          "exp": 1460345736,                   // expiration date
          "scp": ["openid","email","profile"]  // scopes
        }
  • 13. OpenID Connect
    OpenID Connect 1.0 is a simple identity layer on top of OAuth 2.0.
  • 14. What does an id_token look like? (by value - JWT)
        {
          "iss": "InstIdentRicardoGumbletonDaunt",  // who issued
          "sub": "4.444.444",                       // user identification
          "aud": ["cops","bank"],                   // where it's used
          "nonce": "n-0S6_WzA2Mj",
          "exp": 1311281970,                        // 10 years
          "iat": 1311280970,
          "auth_time": 1311280969,
          "amr": "sign+fingerprint"                 // auth-methods-ref
        }
  • 16. A complete Authorization Server
    • /authorize
    • /token
    • /introspection (check access_token)
    • /token_info (get more information about identity)
    • /revocation
  • 17. Let's see how to get both access_token and id_token using Authorization Code Flow
  • 23. (Sequence diagram: Resource Owner, Authorization Server, Resource Server, Client) Token request:
        POST /token HTTP/1.1
        Host: server.example.com
        Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
        Content-Type: application/x-www-form-urlencoded

        grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  • 24. (Sequence diagram, continued) Token response:
        HTTP/1.1 200 OK
        Content-Type: application/json;charset=UTF-8
        Cache-Control: no-store
        Pragma: no-cache

        {
          "access_token":"2YotnFZFEjr1zCsicMWpAA",
          "token_type":"Bearer",
          "expires_in":3600,
          "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
          "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzE.xptoxptoxpto"
        }
  • 26. OAuth 2.0 Token Introspection (https://tools.ietf.org/search/rfc7662), Introspection Request:
        POST /introspect HTTP/1.1
        Host: server.example.com
        Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
        Content-Type: application/x-www-form-urlencoded

        token=2YotnFZFEjr1zCsicMWpAA
  • 27. OAuth 2.0 Token Introspection (https://tools.ietf.org/search/rfc7662), Introspection Response:
        HTTP/1.1 200 OK
        Content-Type: application/json

        {
          "active": true,
          "client_id": "l238j323ds-23ij4",
          "username": "jdoe",
          "scope": "openid profile email",
          "sub": "Z5O3upPC88QrAjx00dis",
          "aud": "https://protected.example.net/resource",
          "iss": "https://server.example.com/",
          "exp": 1419356238,
          "iat": 1419350238,
          "extension_field": "twenty-seven"
        }
  • 30. Microservice Architecture NG!!! (diagram)
    Resource Owner -> Bank API (Public) on the API Gateway, behind an OAuth Filter: GET /my, POST /transferto/{dst_account}, GET /receipts
    Authorization Server: /token, /authorize, /introspect, /revoke, /token_info
    Microservices, each behind its own OAuth Filter: Account (GET /my, GET /pvt/{account}), Transfer (POST /transferto/{dst_account}), Receipt (GET /receipts)
    Token-check labels on the diagram: "Introspection/validation" against the Authorization Server, and "offline introspection/validation" (twice)
  • 31. Microservice Architecture NG!!! (same diagram as slide 30), improvements:
    • Audit Trail Improved
    • Microservices can make decisions based on the end-user identity
    • Fine grained authorization across the services
    • The whole environment has a central user identity repository (OAuth+OpenID Connect Server)
    • API Gateway is clean/slim
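The introspection exchange of slides 26-27 and the per-service OAuth Filter of the NG architecture, as one added example written for this page (not the talk's code): building the POST /introspect call, then deciding from the introspection response whether a request may proceed and which end-user identity the service records for its audit trail. The introspection response is a constructed copy of slide 27, the transport is passed in as a callable so the decision logic runs offline, and `account_service_my` is a hypothetical handler for the Account service's GET /my.

```python
import base64
from urllib.parse import urlencode

# Constructed copy of the introspection response shown on slide 27 (RFC 7662 shape).
SAMPLE_INTROSPECTION = {
    "active": True, "client_id": "l238j323ds-23ij4", "username": "jdoe",
    "scope": "openid profile email", "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource", "iss": "https://server.example.com/",
    "exp": 1419356238, "iat": 1419350238, "extension_field": "twenty-seven",
}

def introspection_request(token, client_id, client_secret):
    """Headers and form body of the POST /introspect call on slide 26;
    the caller authenticates with HTTP Basic, as the slide shows."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"token": token})

def oauth_filter(token, required_scopes, resource_aud, expected_iss, now, introspect):
    """The per-service OAuth Filter of the NG architecture. `introspect` is the
    transport (a callable returning the parsed JSON), so the decision logic is
    testable offline. Returns (True, principal) or (False, reason)."""
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive"  # RFC 7662: no other claim is meaningful then
    if info.get("iss") != expected_iss:
        return False, "unexpected issuer"
    aud = info.get("aud", [])
    if resource_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not issued for this resource"
    if now >= info.get("exp", 0):
        return False, "token expired"
    missing = set(required_scopes) - set(info.get("scope", "").split())
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    # The end-user identity the service can now log (audit trail) and authorize on.
    return True, {"sub": info["sub"], "username": info.get("username"),
                  "client_id": info.get("client_id")}

def account_service_my(token, now, introspect):
    """Hypothetical handler for the Account service's GET /my: the account served
    is the caller's own `sub`, so no {user_id} vouched for by the gateway is needed."""
    ok, result = oauth_filter(token, ["openid", "profile"],
                              "https://protected.example.net/resource",
                              "https://server.example.com/", now, introspect)
    if not ok:
        return 401, {"error": result}
    return 200, {"account_of": result["sub"]}
```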
  • 32. Don't start from scratch
    • OpenSource
      • Connect2ID http://connect2id.com/
      • Keycloak http://www.keycloak.org/
      • MitreID Connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
      • WSO2 Identity Server http://wso2.com/products/identity-server/
  • 33. References and Links
    • OAuth 2.0: https://tools.ietf.org/html/rfc6749
    • OAuth 2.0 Bearer Token Usage: https://tools.ietf.org/html/rfc6750
    • OpenID Connect Core: http://openid.net/specs/openid-connect-core-1_0.html
    • OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
    • JOSE (JSON Object Signing and Encryption)
      • JSON Web Signature (JWS) https://tools.ietf.org/html/rfc7515
      • JSON Web Encryption (JWE) https://tools.ietf.org/html/rfc7516
      • JSON Web Key (JWK) https://tools.ietf.org/html/rfc7517
      • JSON Web Algorithms (JWA) https://tools.ietf.org/html/rfc7518
      • JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519
    • http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens