Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

An Authentication and Authorization Architecture for a Microservices World

10 855 vues

Publié le

SpringOne Platform 2016
Speaker: David Ferriera; Director, Cloud Technology, Forgerock

Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

Publié dans : Technologie
  • Soyez le premier à commenter

An Authentication and Authorization Architecture for a Microservices World

  1. 1. © 2016 ForgeRock. All rights reserved. An Authentication and Authorization Architecture for a Microservices World David Ferriera, Director – Cloud Technology, Forgerock david.ferriera@forgerock.com Presented at SpringOnePlatform 2016 1
  2. 2. © 2016 ForgeRock. All rights reserved. The Identity Layers Who or What Layer App/API Consumers (Browser, REST) Service (API, MySql, Redis, OpenAM) Platform (cf push, DevMgr, CI/CD pipeline) System (OpsMgr, BOSH,SSH) Users Devices Things Applications Services Developers Operators Services External ServicesApplications
  3. 3. © 2016 ForgeRock. All rights reserved. Microservices Pivotal Cloud Foundry
  4. 4. © 2016 ForgeRock. All rights reserved. OpenAM Authorization too A A A A A A A A A A A A A A Policies  CONTEXT AWARE USING ENVIRONMENTAL ATTRIBUTES  RULES EVALUATED IN REAL TIME BY THE AUTHORIZATION ENGINE  FINE GRAINED ACCESS CONTROL  ROLE NAMES MIGHT BE SEEN AS ATTRIBUTES PIP ATTRIBUTE BASED ACCESS CONTROL
  5. 5. © 2016 ForgeRock. All rights reserved. Protocols Oauth 2 – RFC 6749: “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” OpenID Connect (OIDC) : “OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” Oauth 2 – Bearer Token usage - RFC 6750: “This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.
  6. 6. © 2016 ForgeRock. All rights reserved. Tokens: Types/Format Access Token • Part of Oauth, presented with each transaction • can be opaque or JWT • can be stateful or stateless • Shorter TTL Refresh Token • Part of Oauth, received along with first access token after authentication to the auth server • Used to request a new access token from the auth server, no credentials required • Longer TTL • Must be stored securely ID Token • Part of OIDC • Contains Identity information about authenticated user • Received in addition to the 2 oauth tokens • Must be JW • Longer TTL JSON Web Tokens (JWT) • Token format specified by OpenID Connect for the Identity Token • Multiple levels of security possible (JWE, JWS, JOSE) • Usually stateless
  7. 7. © 2016 ForgeRock. All rights reserved. Tokens: Performance vs. Security Stateful • Sessions stored on server • Token is opaque • Tokens must be validated with the server • Server handles authorization • Better logout Stateless • Sessions not stored on server • Token may be introspected • Tokens validated locally • Microservice must handle authorization • Tokens difficult to revoke before TTL Token Performance Security State Stateless Statefull Encrypt JWT Body No Yes Validate w/Auth server No Yes Validate all tokens No Yes TTL’s Longer Shorter
  8. 8. © 2016 ForgeRock. All rights reserved. Tokens: OpenAM response stateless response { "access_token": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAic3ViIjogImRlbW8iLCAiYXVkaXRUcmFja2luZ0lkIjogImQ3M2U5MzkwLTUyYWEtNDU5 Ni04NzgxLWZkZjFlNTI0YTE0MCIsICJpc3MiOiAiaHR0cDovL2thanZtLmV4YW1wbGUuY29tOjgwODAvb3BlbmFtL29hdXRoMiIsICJ0b2tlbk5hbW UiOiAiYWNjZXNzX3Rva2VuIiwgInRva2VuX3R5cGUiOiAiQmVhcmVyIiwgImF1dGhHcmFudElkIjogIjU4MjhkODczLWU4NmMtNGJhYi05ZTQwLT kwMDFkYjlhYzYyZCIsICJhdWQiOiAiY2xpZW50IiwgIm5iZiI6IDE0Njc3MzU3NjcsICJzY29wZSI6IFsgInNjb3BlIiBdLCAicmVhbG0iOiAiLyIsICJleH AiOiAxNDY3NzM5MzY3LCAiaWF0IjogMTQ2NzczNTc2NywgImV4cGlyZXNfaW4iOiAzNjAwMDAwLCAianRpIjogIjBmMDE2Zjk3LWMwYjItNGIx Mi04NjMzLWQwMTQ1Yjk0NDMxYyIgfQ.pq5yJtq1kGi4VaGIMOtusRD2G_f2VJrq2FKx0mhS2rQ", "refresh_token": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAic3ViIjogImRlbW8iLCAiYXVkaXRUcmFja2luZ0lkIjogImQ5ZmYzMGYwLTUxM2ItNDgw MS05ZmNlLTFhYzZlNGFiMTNmMyIsICJpc3MiOiAiaHR0cDovL2thanZtLmV4YW1wbGUuY29tOjgwODAvb3BlbmFtL29hdXRoMiIsICJ0b2tlbk5h bWUiOiAicmVmcmVzaF90b2tlbiIsICJhdXRoTW9kdWxlcyI6ICJEYXRhU3RvcmUiLCAidG9rZW5fdHlwZSI6ICJCZWFyZXIiLCAiYXV0aEdyYW50 SWQiOiAiNTgyOGQ4NzMtZTg2Yy00YmFiLTllNDAtOTAwMWRiOWFjNjJkIiwgImF1ZCI6ICJjbGllbnQiLCAibmJmIjogMTQ2NzczNTc2NywgInNjb 3BlIjogWyAic2NvcGUiIF0sICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0NjgzNDA1NjcsICJpYXQiOiAxNDY3NzM1NzY3LCAiZXhwaXJlc19pbiI6IDYwN DgwMDAwMCwgImp0aSI6ICI0OWMyMzhkNC1jNmY5LTQzMzMtYTZiMC04YzEzMjNlNGU0MTIiIH0.5TQnJQXqIpW_bG6jbqDX9VdulJByNZm PTvOmI1Ui6c8", "scope": "scope", "token_type": "Bearer", "expires_in": 3599 }
  9. 9. © 2016 ForgeRock. All rights reserved. Tokens: Decoded @ jwt.io
  10. 10. © 2016 ForgeRock. All rights reserved. Service to Service: Oauth Bearer token - stateful mservice-1 OpenAM mservice-2 {Client Credentials} Request Token {access token, refresh token, metadata} Response {Access Token} Service Request {Client Credentials, access token} Token Validation Request {token_expires} Response {data payload} Response
  11. 11. © 2016 ForgeRock. All rights reserved. Microservice Tiers – An Identity View Tier-2-service Exposed external and internal Consumer and service identities High level of security Internal Consumer and service identities required Internal service identities only Tier-1-service Tier-2-service Tier-1-service Tier-3-service Tier-3-service
  12. 12. © 2016 ForgeRock. All rights reserved. Tier 1 and 2 microservices - stateless Tier-1- application OpenAM Tier-2- service {Client Credentials} Request Token {access token, refresh token, metadata} Response {consumer Access Tokenconsumer IDToken, service access token Service Request {data payload} Response External Consumer 302 redirect – Auth server 302 redirect – w/ auth code Request protected app {username,password} + consent {Auth code} {access token, refresh token, ID Token metadata} {data payload} Stateless token validated by microservice
  13. 13. © 2016 ForgeRock. All rights reserved. Cloud Foundry Route Service Cloud Controller Service Broker Service Broker App 1 Service 1 Service 2 OpenAM Browser 1 2 3 4 5 Cloud Foundry 1. A previously logged in user makes a request to an app with a bound route service. (Could be browser flow or API flow) 2. Router sends request to the service 3. Service validates token and grabs additional data from profile and adds it to the body of the JWT, and sets the appropriate header to tell the router the request can continue. 4. Router passes the request through to the appropriate app. 5. The app, using the key it received at bind time, validates the signature of the token, unpacks the data from the body and acts accordingly. Router
  14. 14. © 2016 ForgeRock. All rights reserved. Forgerock Service Broker Roadmap Cloud Foundry Integration Release Estimate Alpha Service Broker Q2 2016 GA Service Broker – Oauth 2 Q3 2016 Pivotal Tile Q3 2016 GA Service Broker - OIDC Q4 2016 GA Route Service – SB enabled Q4 2016
  15. 15. © 2016 ForgeRock. All rights reserved. Forgerock Software Download https://backstage.forgerock.com/#!/downloads
  16. 16. © 2016 ForgeRock. All rights reserved. References OpenID Connect http://openid.net/specs/openid-connect-core-1_0.html Oauth 2 https://tools.ietf.org/html/rfc6749 https://tools.ietf.org/html/rfc6750 JSON Web Tokens https://tools.ietf.org/html/rfc7519 Javascript Object Signing and Encryption https://datatracker.ietf.org/wg/jose/documents/

×