Identity Management (IdM) is an umbrella term for all of the core logic around identity. That means manage provisioning (assigning identities to user), account management (maintaining those identities), identity governance (assigning them to groups and roles and adjusting permissions as needed), authentication, authorization, identity federation (ensuring users can use the same identification data to access resources on related domains). A login is more than a Single Sign On, we can use Passwordless, Federated Identity (FB, GitHub), Multifactor Authentication, improving our users experience.

1. VERSION 1.4
Modern Identity Management
in the era of Serverless and Microservices

2. Modern Identity Management
in the era of Serverless and Microservices

3. @itrjwyss

4. @itrjwyss
Had Been Uploaded
38,000
Driver’s Licenses
3,200
Passport Details

5. @itrjwyss
Had Stolen
146.6 million
Names and Dates
of Birth
145.5 million
Social Security
Numbers
99 million
Address
209,000 Payment
Card Numbers and
Expiration Dates

6. @itrjwyss

7. @itrjwyss
Security is a Team Effort

8. @itrjwyss
Agenda
• Rest API Design / OAuth
• JWT
• User Credentials Problem
• Identity Management (IdM)
• Identity and Access Management (IAM)
• How to have a successful Identity Management Project
• IdM in Serverless and Microservices Architectures
• Identity as a Service (IDaaS)

9. Mercedes Wyss
@itrjwyss
Community Leader
Devs+502 & JDuchess Chapter Guatemala
Ex-JUG Member
Guatemala Java Users Group (GuateJUG)
Chief Technology Officer (CTO) at Produactivity
Full Stack Developer
Auth0 Ambassador &
Oracle Groundbreaker Ambassador

10. @itrjwyss
Bad API Design
Username
Password

11. @itrjwyss
OAuth
Client App
Client App OAuth Server
OAuth Server
Resource Server
Resource Server

12. @itrjwyss

13. @itrjwyss
Is an open standard (RFC 7519) that defines a
compact and self-contained way for securely
transmitting information between parties as a
JSON object.

14. @itrjwyss
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ
9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmF
tZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRy
dWV9.TJVA95OrM7E2cBab30RMHrHDc
EfxjoYZgeFONFh7HgQ
Header
Claims

15. @itrjwyss
JSON Web Signature
JWT + JWS

16. @itrjwyss
Signature Algorithms

17. @itrjwyss
Exploring JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJqdGkiOiI1MWQ4NGFjMS1kYjMxLTRjM2ItOTQwOS1lNjMwZWJiYj
gzZGYiLCJ1c2VybmFtZSI6Imh1bnRlcjIiLCJzY29wZXMiOlsicmVw
bzpyZWFkIiwiZ2lzdDp3cml0ZSJdLCJpc3MiOiIxNDUyMzQzMzcyIi
wiZXhwIjoiMTQ1MjM0OTM3MiJ9
.
cS5KkPxtEJ9eonvsGvJBZFIamDnJA7gSz3HZBWv6S1Q

18. @itrjwyss
Exploring JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJqdGkiOiI1MWQ4NGFjMS1kYjMxLTRjM2ItOTQwOS1lNjMwZWJiYj
gzZGYiLCJ1c2VybmFtZSI6Imh1bnRlcjIiLCJzY29wZXMiOlsicmVw
bzpyZWFkIiwiZ2lzdDp3cml0ZSJdLCJpc3MiOiIxNDUyMzQzMzcyIi
wiZXhwIjoiMTQ1MjM0OTM3MiJ9
.
cS5KkPxtEJ9eonvsGvJBZFIamDnJA7gSz3HZBWv6S1Q
Header
Claims
Signature

19. @itrjwyss
Exploring JWT
{
"alg": "HS256",
"typ": "JWT"
}
.
{
"jti": "51d84ac1-db31-4c3b-9409-e630ebbb83df",
“sub": "hunter2",
"scopes": ["repo:read", "gist:write"],
"iss": "1452343372",
"exp": "1452349372"
}
.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)

20. @itrjwyss
Exploring JWT
{
"alg": "HS256",
"typ": "JWT"
}
.
{
"jti": "51d84ac1-db31-4c3b-9409-e630ebbb83df",
“sub": "hunter2",
"scopes": ["repo:read", "gist:write"],
"iss": "1452343372",
"exp": "1452349372"
}
.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)

21. @itrjwyss
Exploring JWT
{
"alg": "HS256",
"typ": "JWT"
}
.
{
"jti": "51d84ac1-db31-4c3b-9409-e630ebbb83df",
“sub": "hunter2",
"scopes": ["repo:read", "gist:write"],
"iss": "1452343372",
"exp": "1452349372"
}
.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)

22. @itrjwyss
Exploring JWT
{
"alg": "HS256",
"typ": "JWT"
}
.
{
"jti": "51d84ac1-db31-4c3b-9409-e630ebbb83df",
“sub": "hunter2",
"scopes": ["repo:read", "gist:write"],
"iss": "1452343372",
"exp": "1452349372"
}
.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)

23. @itrjwyss
Registered Claims
iss The issuer of the token
sub The subject of the token
aud The audience of the token
exp The expiration in NumericDate value
nbf sbt configuration files
iat The time the JWT was issued
jti Unique identifier for the JWT

24. @itrjwyss
Registered Claims
iss The issuer of the token
sub The subject of the token
aud The audience of the token
exp The expiration in NumericDate value
nbf sbt configuration files
iat The time the JWT was issued
jti Unique identifier for the JWT

25. @itrjwyss
Registered Claims
iss The issuer of the token
sub The subject of the token
aud The audience of the token
exp The expiration in NumericDate value
nbf sbt configuration files
iat The time the JWT was issued
jti Unique identifier for the JWT

26. @itrjwyss
Registered Claims
iss The issuer of the token
sub The subject of the token
aud The audience of the token
exp The expiration in NumericDate value
nbf sbt configuration files
iat The time the JWT was issued
jti Unique identifier for the JWT

27. @itrjwyss
Registered Claims
iss The issuer of the token
sub The subject of the token
aud The audience of the token
exp The expiration in NumericDate value
nbf sbt configuration files
iat The time the JWT was issued
jti Unique identifier for the JWT

28. @itrjwyss
What problems does JWT solve?
• Authentication
• Authorization
• Federated Identity
• Information Exchange
• Client-side Sessions (“stateless” sessions)
• Client-side Secrets

29. @itrjwyss
What problems does JWT solve?
• Authentication
• Authorization
• Federated Identity
• Information Exchange
• Client-side Sessions (“stateless” sessions)
• Client-side Secrets

30. @itrjwyss
Auth0 (June 2017) h/ps://cdn.auth0.com/content/jwt/jwt-diagram.png
Client Server

31. @itrjwyss
Auth0 (June 2017) h/ps://cdn.auth0.com/content/jwt/jwt-diagram.png
Client Server
Authentication
Process

32. @itrjwyss
Auth0 (June 2017) h/ps://cdn.auth0.com/content/jwt/jwt-diagram.png
Client Server
Authorization
Process

33. @itrjwyss

34. @itrjwyss

35. @itrjwyss
Improve API Design
Token
JWT

36. @itrjwyss
User Credentials Problem

37. @itrjwyss

38. @itrjwyss

39. @itrjwyss

40. @itrjwyss

41. @itrjwyss

42. @itrjwyss

43. @itrjwyss

44. @itrjwyss
What we can do to improve this process?
Making it safer and easier.

45. @itrjwyss
Identity Management (IdM)
• Is an umbrella term for all of the core logic around identity in a corporate
environment.
• Provisioning
• Account management
• Identity governance

46. @itrjwyss
IdM: Provisioning

47. @itrjwyss
IdM: Provisioning

48. @itrjwyss
IdM: Account Management
• Maintain those identities
• How safe those data?
• Encryption, Which one, which keys?
• What happens when an Entity erase their account?
• What happens when an Entity is longer inactive?

49. @itrjwyss
IdM: Identity Governance
• Assigning them to groups and roles and adjusting permissions as needed

50. @itrjwyss
Identity and Access Management (IAM)
• Is most often used to refer not just to identification, but to the whole suite
of practices that a corporation needs to manage their users and data:
• Authentication
• Authorization
• Identity Federation

51. @itrjwyss
IAM: Authorization
• Ensuring the given user has the proper permissions to access a certain
piece of data.

52. @itrjwyss
IAM: Identity Federation
• Ensuring users can use the same identification data to access resources
on related domains.

53. @itrjwyss

54. @itrjwyss
Federated Identity
• In some way, are methods of transferring data without violating the same
origin policy.
• This way, if domain X and Y are related, and their owners want users to
move freely between the two, they can simply triangulate around an
external authorization server.

55. @itrjwyss

56. @itrjwyss

57. @itrjwyss

58. @itrjwyss
IAM: Authentication
• Ensuring that a given user is the user they identify as
• Single Sing On (SSO)
• Multi-factor Authentication (MFA)
• Passwordless

59. @itrjwyss

60. @itrjwyss

61. @itrjwyss

62. @itrjwyss

63. @itrjwyss

64. @itrjwyss

65. @itrjwyss

66. @itrjwyss

67. @itrjwyss
MFA: Biometrics
• Common methods are touch ID (fingerprint), SMS, facial recognition.
• We can have other ones:
• Iris or retina recognition
• Voice recognition (Twilio)
• Typing recognition
• DNA usage

68. @itrjwyss
MFA: Biometrics
• Common methods are touch ID (fingerprint), SMS, facial recognition.
• We can have other ones:
• Iris or retina recognition
• Voice recognition (Twilio)
• Typing recognition
• DNA usage

69. @itrjwyss
Passwordless
• It means authenticating a user by means other than having them type in a
password
• Can also evaluate user and device contexts to provide authentication
methods.

70. @itrjwyss

71. @itrjwyss
Touch ID

72. @itrjwyss
SMS Code

73. @itrjwyss
Magic Link

74. @itrjwyss

75. @itrjwyss

76. @itrjwyss
Social Federated Identity

77. @itrjwyss

78. @itrjwyss

79. @itrjwyss

80. @itrjwyss

81. @itrjwyss

82. @itrjwyss
Enterprise Federated Identity

83. @itrjwyss

84. @itrjwyss
Legal Federated Identity

85. @itrjwyss

86. @itrjwyss
How to have a successful
Identity Management Project

87. @itrjwyss
Common Oversights and Pitfalls
• Identify requirements for the entire identity management lifecycle, not
just logging in
• Plan for identity failure and change, so you are ready for such events
• Address security and compliance requirements

88. @itrjwyss@itrjwyss
1. How will user accounts be
created?

89. @itrjwyss@itrjwyss
2. Will user profiles need to be
synchronized?

90. @itrjwyss
@itrjwyss
3. Username uniqueness

91. @itrjwyss@itrjwyss
4. How will users
Log In?

92. @itrjwyss@itrjwyss
5. What devices will be used?

93. @itrjwyss@itrjwyss
6. Is single Sing-On needed?

94. @itrjwyss@itrjwyss
7. Should Multi-Factor Authentication
(MFA) be used and if so, When?

95. @itrjwyss@itrjwyss
8. What should happen when
the User decides to Log Out?

96. @itrjwyss@itrjwyss
9. How will browser configuration
influence Sessions?

97. @itrjwyss@itrjwyss
10. Session Timeouts

98. @itrjwyss@itrjwyss
11. Deprovisioning: What
happens when it’s over?

99. @itrjwyss@itrjwyss
12. Password Reset

100. @itrjwyss@itrjwyss
13. Blocked Users

101. @itrjwyss@itrjwyss
14. Anomaly Detection

102. @itrjwyss
14. Anomaly Detection
• A particular user having a large number of failed logins.
• A user logging in from two widely separated geographic locations within a
short amount of time.
• Users whose credentials have been compromised and published on the
internet in databases of hacked passwords, such as Troy Hunt’s
haveibeenpwned.

103. @itrjwyss@itrjwyss
15. Privacy/Compliance
requirements

104. @itrjwyss@itrjwyss
16. Audit Logs

105. @itrjwyss@itrjwyss
17. Consider how Identity
Information might change over time

106. @itrjwyss
What does this have to do with
Serverless and Microservices?

107. @itrjwyss
Developing REST APIs
Authorization
Authentication

108. @itrjwyss
Developing REST APIs
Authorization
Authentication

109. @itrjwyss

110. @itrjwyss

111. @itrjwyss

112. @itrjwyss

113. @itrjwyss
Identity as a Service
IDaaS

114. @itrjwyss
IDaaS
• Comprises cloud-based solutions for IdM and IAM functions.
• Also means collecting intelligence to better understand, monitor, and
improve their behaviors.

115. @itrjwyss
Popular Clouds

116. @itrjwyss
Other Popular IDaaS

117. @itrjwyss
RSA SecurID

118. @itrjwyss
Forefront Identity Manager

119. @itrjwyss
Zoho Vault

120. @itrjwyss
OneLogin

121. @itrjwyss
LogMeIn Pro

122. @itrjwyss
Digital Persona

123. @itrjwyss
ExcelID

124. @itrjwyss
ADManager Plus

125. @itrjwyss
Centrify Identity Service

126. @itrjwyss
Intermedia AppID Enterprise

127. @itrjwyss
ForgeRock Identity Platform

128. @itrjwyss
MiniOrange

129. @itrjwyss
NetIQ IDM

130. @itrjwyss
Sail Point

131. @itrjwyss
Sticky Password

132. @itrjwyss
Express Gateway

133. @itrjwyss
Scenarios
Customers
http://customers
Order
http://orders

134. @itrjwyss
Express Gateway
$ npm i -g express-gateway
+ express-gateway@1.15.0
added 596 packages from 402 contributors in 105.983s
$ eg gateway create
? What's the name of your Express Gateway? eg-example
? Where would you like to install your Express Gateway? eg-example
? What type of Express Gateway do you want to create? Getting Started with Express Gateway
create package.json
create server.js
create config/gateway.config.yml
create config/system.config.yml
create config/models/applications.json
create config/models/credentials.json
create config/models/users.json
...
To start eg-example, run the following commands:
cd eg-example && npm start

135. @itrjwyss
gateway.config.yml
http:
port: 80
apiEndpoints:
customers:
host: customer.company.com
orders:
host: orders.company.com
other:
host: localhost
serviceEndpoints:
customers:
url: 'http://customers'
orders:
url: 'http://orders'
policies:
- jwt
- proxy
- rate-limit

136. @itrjwyss
gateway.config.yml
pipelines:
customers:
apiEndpoints:
- customers
policies:
- rate-limit:
- action:
max: 1
windowMs: 1000
- jwt:
- action:
secretOrPublicKeyFile: ./key/pubKey.pem
checkCredentialExistence: false
- proxy:
- action:
serviceEndpoint: customers
changeOrigin: true

137. @itrjwyss
gateway.config.yml
pipelines:
orders:
apiEndpoints:
- orders
policies:
- rate-limit:
- action:
max: 1
windowMs: 1000
- jwt:
- action:
secretOrPublicKeyFile: ./key/pubKey.pem
checkCredentialExistence: false
- proxy:
- action:
serviceEndpoint: customers
changeOrigin: true

138. @itrjwyss
Testing
$ curl http://customers.company.com:8080 & curl http://customers.company.com:8080
$ [1] 4495
$ Unauthorized
$ [1]+ Done
$ Too many requests, please try again later.

139. @itrjwyss
Testing
export JWT=“ey...the-rest-of-the-token"
curl -H "Authorization: Bearer "$JWT http://customers.company.com:8080

140. @itrjwyss
https://github.com/itrjwyss/ModernIdM/
https://www.facebook.com/itrjwyss
@itrjwyss