Authentication for Apps and Services: Keymaster

Authentication for Apps and Services: Keymaster was originally presented at Lookout's Scaling for Mobile event on July 25, 2013. Ariel Salomon is a Principal Software Engineer at Lookout, Inc. Ariel's talk focused on setting up authentication between mobile apps and services. He gives a great overview of Keymaster. Lookout has grown immensely in the last year. We've doubled the size of the company—added more than 80 engineers to the team, support 45+ million users, have over 1000 machines in production, see over 125,000 QPS and more than 2.6 billion requests/month. Our analysts use Hadoop, Hive, and MySQL to interactively manipulate multibillion row tables. With that, there are bound to be some growing pains and lessons learned.

Published in: Technology, Business

Transcript

  • 1. AUTHENTICATION FOR APPS AND SERVICES: KEYMASTER. Ariel Salomon, Lookout, Inc.
  • 2. SO YOU’RE BUILDING AN APP
  • 3. SO YOU’RE BUILDING AN APP WITH A BACK-END IN THE CLOUD
  • 4. HOW DO YOU AUTHENTICATE REQUESTS?
  • 5. AUTH(ENTICATION) VS. AUTH(ORIZATION)
    • Authentication is about validating that you are who you say you are
    • Verify that a credential is correct
    • Authorization is about what you are allowed to do
    • In general, authorization is closely tied to your application
  • 6. SIMPLE AUTHENTICATION SCHEME
    • App knows some username and password
    • Every time you need to do anything, include that in the request
  • 7. WHY NOT?
  • 8. PROBLEMS W/ SIMPLE AUTH
    • The app needs to keep its credentials secure
    • Every request embeds the credentials; can they be snooped?
    • What happens as we scale up the system?
  • 9. SCALING UP
    • Your system is getting more complicated
    • More than one service providing functionality
    • They all need to share authentication
    • AUTHORIZATION will vary
    [Diagram: App, Service A, Service B]
  • 10. SCALING UP
    • Now we scale up our back-end: the app talks to multiple services
    • How does Service B verify credentials?
    • Options:
      • Ask Service A
    [Diagram: App, Service A, Service B]
  • 11. SCALING UP
    • Now we scale up our back-end: the app talks to multiple services
    • How does Service B verify credentials?
    • Options:
      • Ask Service A
    [Diagram: App, Service A, and many more services, Service B through Service Z]
  • 12. SCALING UP
    • Now we scale up our back-end: the app talks to multiple services
    • How does Service B verify credentials?
    • Options:
      • Ask Service A
      • Create yet another service and ask it
      • Do some caching?
    [Diagram: App, Service A, Service B, Auth Service]
  • 13. A BETTER WAY
    • Signed tokens verify that authentication has happened
    • One service knows how to authenticate apps and provides tokens
    • Any service can receive the tokens and verify a client without any other network traffic
  • 14. SCALING UP WITH TOKENS
    • App gets a long-lasting token
    • Services don’t take a network hit to handle authentication
    [Diagram: App, Service A, Service B, Auth Service]
  • 15. KEYMASTER TOKENS
    • Signed tokens based on the JSON Web Token (JWT) standard [in process at IETF]
    • Each token contains claims:
      • sub: Subject, the device or account being identified
      • iss: the token Issuer
      • exp: Expiration date-time
    • From the device (app) perspective, they are opaque
  • 16. KEYMASTER
    • To validate tokens, a service must know the public keys of other services
    • The Keymaster service can provide this:
      • Use the issuer embedded in the token to identify the key
      • Ask Keymaster for the public key
      • Cache it for a long time
  • 17. KEYMASTER BETWEEN SERVICES
    • Any service can generate tokens
    • Can include information in the tokens that should be signed or encrypted
  • 18. Keep in touch: @lookout, /mylookout, blog.lookout.com, contact@lookout.com, http://bit.ly/scaling-for-mobile
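The token flow of slides 13 to 16, as an added example in Go (not code from the talk or from Lookout's Keymaster): an issuing service signs a compact JWT carrying `sub`, `iss` and `exp`, and a receiving service validates it with no network call, selecting the public key from its local cache by the token's issuer and rejecting expired tokens. The Ed25519/EdDSA signature algorithm, the issuer name `auth-service` and the plain map standing in for the cached Keymaster lookup are assumptions; the slides do not name the algorithm.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims holds the three claims the talk lists; exp is Unix seconds.
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Issue builds a compact JWT (header.payload.signature) under the issuer's Ed25519 key (assumed algorithm).
func Issue(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify checks a token offline; keys is the service's long-lived cache of Keymaster public keys, by issuer.
func Verify(tok string, keys map[string]ed25519.PublicKey, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed payload")
	}
	pub, ok := keys[c.Iss] // iss is still unverified here; the signature check below is what makes trusting it safe
	if !ok {
		return c, errors.New("unknown issuer: " + c.Iss)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	if now >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}
```

Because key selection is driven by an unverified claim, a service must only ever hold keys it obtained from Keymaster itself; a token naming an issuer that is not in the cache is rejected rather than triggering a lookup on the attacker's behalf.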
