Authentication for Apps and Services: Keymaster

1,626 views

Published on

Authentication for Apps and Services: Keymaster was originally presented at Lookout's Scaling for Mobile event on July 25, 2013. Ariel Salomon is a Principal Software Engineer at Lookout, Inc. Ariel's talk focused on setting up authentication between mobile apps and services. He gives a great overview of Keymaster. Lookout has grown immensely in the last year. We've doubled the size of the company—added more than 80 engineers to the team, support 45+ million users, have over 1000 machines in production, see over 125,000 QPS and more than 2.6 billion requests/month. Our analysts use Hadoop, Hive, and MySQL to interactively manipulate multibillion row tables. With that, there are bound to be some growing pains and lessons learned.

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,626
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
8
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Authentication for Apps and Services: Keymaster

  1. 1. AUTHENTICATION FOR APPS AND SERVICES: KEYMASTER ARIEL SALOMON, LOOKOUT, INC.
  2. 2. SO YOU’RE BUILDING AN APP
  3. 3. SO YOU’RE BUILDING AN APP WITH A BACK-END IN THE CLOUD
  4. 4. HOW DO YOU AUTHENTICATE REQUESTS?
  5. 5. AUTH(ENTICATION) VS. AUTH(ORIZATION) • Authentication is about validating that you are who you say you are • Verify that a credential is correct • Authorization is about what you are allowed to do • In general, Authorization is closely tied to your application
  6. 6. SIMPLE AUTHENTICATION SCHEME • App knows some username and password • Every time you need to do anything, include that in the request
  7. 7. WHY NOT?
  8. 8. PROBLEMS W/ SIMPLE AUTH • The app needs to keep it’s credentials secure • Every request embeds the credentials; can they be snooped? • What happens as we scale up the system
  9. 9. • Your system is getting more complicated • More than one service providing functionality • They all need to share authentication • AUTHORIZATION will vary SCALING UP App Service B Service A
  10. 10. • Now we scale up our back-end: apps talks to multiple services • How does Service B verify credentials? • Options • Ask Service A SCALING UP App Service B Service A
  11. 11. • Now we scale up our back-end: apps talks to multiple services • How does Service B verify credentials? • Options • Ask Service A SCALING UP App Service B Service A Service B Service B Service B Service B Service B Service B Service B Service Z
  12. 12. • Now we scale up our back-end: apps talks to multiple services • How does Service B verify credentials? • Options • Ask Service A • Create yet another service, ask it.. • Do some caching? SCALING UP App Service B Service A Auth Service
  13. 13. A BETTER WAY • Signed tokens verify that authentication has happened • One service knows how to authenticate for apps, and provides tokens • Any service can receive the tokens and verify a client without any other network traffic
  14. 14. • App gets a long-lasting token • Services don’t take a network hit to handle authentication SCALING UP WITH TOKENS App Service B Service A Auth Service
  15. 15. KEYMASTER TOKENS • Signed tokens based on Java Web Token (JWT) standard [in process at IETF] • Each token contains claims: • sub: Subject, the device or account being identified • iss: The token Issuer • exp: Expiration date-time • From the device (app) perspective, they are opaque
  16. 16. KEYMASTER • To validate tokens, a service must know public keys for other services • Keymaster service can provide this: • Use the issuer embedded in the token to identify the key • Ask Keymaster for a public key • cache this for a long time
  17. 17. KEYMASTER BETWEEN SERVICES • Any service can generate tokens • Can include information in the tokens that should be signed, encrypted
  18. 18. Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/scaling-for-mobile

×