
REST Service Authentication with TLS & JWTs

Many companies are adopting microservice architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that each service now needs to authenticate and authorize the requests made to it. We present a clean way to solve this problem using JSON Web Tokens (JWT) and TLS in Java.


REST Service Authentication with TLS & JWTs (slide text)

  1. REST Service Auth with JWTs. Jon Todd (@JonToddDotCom), Wils Dawson (@WilsDawson)
  2. About Okta: Okta is the foundation for secure connections between people and technology
  3. Used in 185 countries
  4. Our stack
  5. Goals: 1. Demystify claims-based auth with JSON Web Tokens (JWT) 2. Learn how we solve service auth at Okta 3. Real-world code example using Dropwizard
  6. Agenda: 1 Background (concepts, the service auth problem) 2 Service Auth 3 User Auth
  7. Concepts
  8. Authentication: verifying you are who you say you are (AuthN)
  9. Authorization: what you are allowed to do (AuthZ)
  10. Auth: authentication & authorization
  11. Claims: identity attributes about a user, provided by a trusted issuer. Examples: Kerberos ticket, SAML assertion, JWT
  12. Claims example: a boarding pass is a signed set of claims made by the airline about you • Issued by the airline • Claims: name (authentication); flight date/time, number and seating priority (authorization) • Bar code / magnetic strip (signature): proves that the pass was issued by the airline and is not a forgery (authenticity)
  13. OK, I get claims. But why use JWTs?
  14. Service protocol shift to REST
  15. JSON: <…/> {…}
  16. JSON Object Signing & Encryption (JOSE). Working group: https://datatracker.ietf.org/wg/jose/charter/ • JWS – JSON Web Signatures • JWT – JSON Web Token (pronounced “jot”) • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key. Claims example: { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "karl@example.com", "email_verified": true }
  17. Federation: a single authentication trusted across multiple separate systems. Examples: WS-Federation, SAML, OpenID Connect
  18. Federation example • At the ticket counter, trade credentials for a ticket (authentication broker): passport, driver’s license • Agent at the counter verifies the credentials: ID issued by a trusted source (trust); scans the barcode and verifies the photo (authentication); verifies the flight is paid for and a seat is assigned (authorization) • Agent issues the ticket (claims) • Ticket is accepted by multiple, independent parties (federation): security line entry, TSA check, gate agent
  19. Microservices (images: https://www.pinterest.com/pin/205828645447534387/ and http://www.bennysbaker.com/poop-emoji-cupcakes/)
  20. Federation standards shift (image: https://www.flickr.com/photos/robbies/693510178) • JWS – JSON Web Signatures • JWT – JSON Web Token • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key (the JW- family)
  21. Use cases: delegated access (OAuth 2.0); identity claims (JOSE); federation (OpenID Connect)
  22. Standards map: OAuth 2 Framework RFC 6749; Assertion Framework RFC 7521; Token Introspection RFC 7662; Token Revocation RFC 7009; Dynamic Client Registration RFC 7591; JSON RFC 7159; JSON Web Token Bearer Assertion RFC 7523; Proof Key for Code Exchange (PKCE) RFC 7636; Simple Authentication and Security Layer (SASL) RFC 7628; Token Exchange (draft); SAML 2.0 Bearer Assertion RFC 7522; Proof of Possession (draft); JSON Web Token (JWT) RFC 7519; JSON Web Signature (JWS) RFC 7515; JSON Web Encryption (JWE) RFC 7516; JSON Web Key (JWK) RFC 7517; Bearer Token RFC 6750
  23. The service auth problem
  24. Monolithic auth model (diagram): Mobile / Web / API clients send GET https://myapplication.com/home; Security Interceptors build a Context; AuthN Module
  25. Monolithic auth model (diagram): GET https://myapplication.com/home passes through Security Interceptors into a Context shared by the AuthN Module, User Module, Events Module and Homepage Module; the homepage looks up the user and logs events in-process. Clients: Mobile / Web / API
  26. Services auth model - context (diagram): Event Service, User Service, AuthN Service and Homepage Service each sit behind their own Security Interceptors; GET https://myapplication.com/home and every service-to-service call carry Authorization: Bearer <token>; each service must look up the user ID with the token to build its Context. Clients: Mobile / Web / API
  27. Services auth model - claims (diagram): the AuthN Service issues an access JWT after authN; every service-to-service call carries Authorization: Bearer <jwt>. Claims example: { "userId": "…", "tenantId": "...", "scope": "PROFILE_READ" }. Concepts in play: claims, authentication broker, federation. Clients: Mobile / Web / API
  28. Layers of security (diagram): User → Perimeter Service → Event, User, AuthN and Homepage Services, each behind Security Interceptors, with Authorization: Bearer <claims_token>
  29. Agenda: 1 Background 2 Service Auth (TLS overview, adding AuthZ, demo) 3 User Auth
  30. TLS overview
  31. What is TLS? • Secure Sockets Layer (SSL) → Transport Layer Security (TLS) • Symmetric cryptography for data encryption • Protection against failure via MAC • Identity of communicating parties via asymmetric cryptography
  32. TLS handshake (diagram, client ↔ server): 1 Client Hello; 2 Server Hello (with cert); 3 both sides calculate the symmetric key; 4 Finished; 5 Finished; secured channel. Phases: Hello, Key Exchange, Finished. Image: https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
  33. Who’s authenticated? (diagram: User Service says “Hello” to Homepage / Event Service, which answers “Hello, here’s my certificate”; a secured channel results, but only the server side has presented a certificate)
  34. TLS client authentication (diagram, client ↔ server): 1 Hello; 2 Client Certificate Request; 3 Client Certificate; 4 Certificate Verify; 5 calculate key and finish; secured channel • Client is talking to an authentic server • Server is talking to a known client • Requires the client to have a certificate
  35. That’s a lot of certificates (diagram: Event Service, User Service, Homepage Service) • Enable support for multiple acceptable public keys • Consider using a key hierarchy: Root CA (offline) → User CA, Event CA, Homepage CA • Rotating the User CA then requires a change only to the User Service • Enable revocation checking
  36. Problem solved? (diagram: User Service, Event Service and Homepage Service each present a certificate with ISS: Root CA, so any of them is accepted by any other)
  37. Adding AuthZ
  38. Hostname verification • Standard (RFC 2818) • Match the hostname of the client to the certificate • Hard when services share hosts, as in a cluster manager. Example Homepage Service subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com
  39. Service-name verification • Tie certificates to services rather than hosts • Better portability • Simpler deployments • No standard • Application level. Example Homepage Service subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service
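The two subjects on slides 38 and 39 make the difference concrete. The following is an added example, not code from the deck or from the dropwizard-auth-example project: it parses the subject strings exactly as printed on the slides and applies, side by side, an RFC 2818-style hostname match and the application-level service-name check the slide describes. The `<env>.<service-name>` reading of the CN (`dev.homepage-service`) and the `Acme Inc` organisation pin are assumptions made here for illustration; the TLS layer is assumed to have already validated the certificate chain.

```python
# Certificate subjects exactly as printed on slides 38 and 39 (page data, not constructed).
HOST_BOUND_SUBJECT = ("C=US, ST=California, L=San Francisco, O=Acme Inc, "
                      "OU=Engineering, CN=homepage03.internal.acme.com")
SERVICE_BOUND_SUBJECT = ("C=US, ST=California, L=San Francisco, O=Acme Inc, "
                         "OU=Engineering, CN=dev.homepage-service")


def parse_subject(dn: str) -> dict:
    """Turn a comma-separated subject string into {attribute: value}.

    Handles the plain form shown on the slides; RFC 4514 escaping
    (for example a '\\,' inside a value) is out of scope for this example.
    """
    attrs = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def hostname_matches(dn: str, peer_host: str) -> bool:
    """RFC 2818-style check: the CN must equal the peer's host name.

    A single leading '*.' wildcard label is honoured. This is the check that
    breaks down once a service may run on any node of a cluster.
    """
    cn = parse_subject(dn).get("CN", "").lower()
    peer_host = peer_host.lower()
    if cn.startswith("*."):
        return "." in peer_host and peer_host.partition(".")[2] == cn[2:]
    return cn == peer_host


def service_allowed(dn: str, allowed_services: set, expected_env: str,
                    expected_org: str = "Acme Inc") -> bool:
    """Application-level service-name verification (slide 39).

    Assumed naming convention (ours, not the deck's): CN is '<env>.<service-name>',
    as in 'dev.homepage-service'. The decision is about which *service* identity
    may call us and is independent of the host the peer happens to run on.
    """
    attrs = parse_subject(dn)
    if attrs.get("O") != expected_org:
        return False
    env, sep, service = attrs.get("CN", "").partition(".")
    if not sep:
        return False
    return env == expected_env and service in allowed_services


if __name__ == "__main__":
    # The host-bound certificate only matches its own host name ...
    print(hostname_matches(HOST_BOUND_SUBJECT, "homepage03.internal.acme.com"))
    print(hostname_matches(HOST_BOUND_SUBJECT, "node17.cluster.acme.com"))
    # ... while the service-bound one is accepted wherever the service runs.
    print(service_allowed(SERVICE_BOUND_SUBJECT, {"homepage-service", "event-service"}, "dev"))
```

The `expected_env` argument is what stops a certificate issued for a dev deployment from being accepted by a production service; whether that belongs in the CN or in a separate attribute is a deployment choice, and the slide only fixes the principle that the identity being authorized is the service, not the host.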
  40. More info? TLS client authentication for internal services: http://developer.okta.com/blog/
  41. Demo
  42. So we’re done, right? (diagram: Event Service, User Service, AuthN Service and Homepage Service, each behind Security Interceptors; clients: Mobile / Web / API)
  43. Agenda: 1 Background 2 Service Auth 3 User Auth (JOSE, in practice, demo)
  44. JOSE
  45. JWT format. Header: { "alg": "RS256" }. Claims: { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "joe@example.com", "email_verified": true }. Signature.
  46. JWT encoding: base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature), giving Header.Claims.Signature: eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8
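To see the encoding of slide 46 in action, the following added example (not code from the deck or from the dropwizard-auth-example project) splits the token printed on that slide into its three segments and decodes the header and claims with the unpadded base64url JOSE requires. It decodes only; it proves nothing about who issued the token, which is the job of signature verification. Two things worth knowing before running it: the claims inside the printed token carry the `karl@example.com` set from slide 16 rather than the `joe@example.com` set shown on slide 45, and the signature segment as printed on the slide is cut short (its length is not a valid base64url length), so the example treats it as opaque and flags it rather than decoding it.

```python
import base64
import json

# The compact serialization printed on slide 46 with the slide's line-wrap
# spaces removed (page data, not constructed). The signature segment is kept
# exactly as printed, even though the slide truncated it.
SLIDE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9"
    ".eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVu"
    "TWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0"
    "IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0"
    "aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJl"
    "bWFpbF92ZXJpZmllZCI6dHJ1ZX0"
    ".XcNXs4C7Dq"
    "pR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EA"
    "puY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPD"
    "LLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8"
    "xEwXJFIdk6SRktTFrVNHAOIhEQsgm8"
)


def b64url_decode(segment: str) -> bytes:
    """base64url without '=' padding, as JOSE mandates (RFC 7515 Appendix C)."""
    if len(segment) % 4 == 1:
        raise ValueError("segment length is not a valid base64url length")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_compact(token: str) -> tuple:
    """Header, claims and signature segments of a JWS compact serialization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact serialization has exactly three segments")
    return parts[0], parts[1], parts[2]


def signature_segment_is_wellformed(segment: str) -> bool:
    """True when the segment could be base64url data at all (alphabet and length)."""
    return len(segment) % 4 != 1 and all(c.isalnum() or c in "-_" for c in segment)


def decode_unverified(token: str) -> dict:
    """Decode header and claims WITHOUT checking the signature.

    Inspection only: a verifier must never act on these claims before the
    signature has been checked against a key it trusts for this issuer.
    """
    header_b64, claims_b64, sig_b64 = split_compact(token)
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(claims_b64)),
        "signature_b64url": sig_b64,
        "signature_wellformed": signature_segment_is_wellformed(sig_b64),
    }


def lifetime_seconds(claims: dict) -> int:
    """How long the issuer intended the token to live: exp minus iat."""
    return int(claims["exp"]) - int(claims["iat"])


if __name__ == "__main__":
    decoded = decode_unverified(SLIDE_TOKEN)
    print(json.dumps(decoded["header"]))
    print(json.dumps(decoded["claims"], indent=2))
    print("lifetime:", lifetime_seconds(decoded["claims"]), "seconds")
    print("signature segment well-formed:", decoded["signature_wellformed"])
```

The header and claims come out exactly as the slides show them; the one-hour lifetime is the gap between the `iat` and `exp` values. A verifier given this token as printed would have to reject it at the signature step, which is the behaviour you want: a token whose signature cannot even be parsed must not be treated as a JWT with merely "unknown" authenticity.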
  47. JWA - signature types: HMAC (symmetric); digital signature (asymmetric)
  48. JWS – symmetric keys (diagram: Event, User, AuthN and Homepage Services, each behind Security Interceptors, all sharing one symmetric key)
  49. JWS – asymmetric keys (diagram: Event, User, AuthN and Homepage Services, each behind Security Interceptors; one side holds the private key, the others the public key)
  50. JOSE onion: claims → signed claims → encrypted claims • JWS – JSON Web Signatures • JWT – JSON Web Token • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key. A JWT composes JWA & JWK with JWS and JWE. Reference
  51. In practice
  52. Iterative rollout (diagram): the monolith (Security Interceptors, Context, Events Module, AuthN Module, Homepage Module) keeps serving Mobile / Web / API clients; the AuthN Module generates a JWT and calls to the newly split-out User Service carry Authorization: Bearer <JWT>
  53. Iterative rollout (diagram): AuthN Service, User Service, Event Service and Homepage Service, each behind Security Interceptors; Mobile / Web / API clients present a cookie or token; every service-to-service call carries Authorization: Bearer <JWT>
  54. Key rotation • Enable support for multiple acceptable public keys • Consider using a key hierarchy: Root CA (offline) → Auth CA • Rotating the AuthN CA then requires a change only to the AuthN service • Enable revocation checking (diagram: Event, User, AuthN and Homepage Services behind Security Interceptors; private key at the issuer, public key at the verifiers)
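Slides 46 through 48 describe how a JWS is signed, and slide 54 asks verifiers to accept more than one key at a time so the issuer can rotate. The following added example, which is not code from the deck or from the dropwizard-auth-example project, puts both together: an issuer signs the slide 27 style claims with HS256 and names its key in the `kid` header (RFC 7515 section 4.1.4), and a verifier looks the key up in a set, pins the algorithm, checks the MAC in constant time, then checks issuer and expiry. HS256 is used so the block runs on the standard library alone; with RS256 the key set would hold public keys and `hmac` would be replaced by a signature check, but the `kid`-keyed lookup and the overlap-then-retire rotation are the same. All keys, the `authn-service` issuer name and the `2015-10` / `2015-11` key ids are constructed for this example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


class TokenInvalid(Exception):
    """Raised for any token the verifier refuses to honour."""


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Issue a JWS compact serialization with an HS256 MAC; kid names the key used."""
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = enc(header) + "." + enc(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, keys: dict, now: int, issuer: str) -> dict:
    """Verify against a SET of acceptable keys (slide 54), then check iss and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed compact serialization")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token, decides which algorithm is acceptable.
    if header.get("alg") != "HS256":
        raise TokenInvalid(f"unexpected alg {header.get('alg')!r}")
    key = keys.get(header.get("kid"))
    if key is None:
        raise TokenInvalid("unknown or retired kid")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenInvalid("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise TokenInvalid("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenInvalid("expired or missing exp")
    return claims


def has_scope(claims: dict, scope: str) -> bool:
    """Service-level authorization on the 'scope' claim of slide 27."""
    return scope in claims.get("scope", "").split()


def rotation_walkthrough() -> dict:
    """Constructed scenario: the AuthN service rotates from key 2015-10 to 2015-11.

    Verifiers hold both keys during an overlap window, then retire the old one.
    """
    old_key = b"constructed-old-secret-0123456789"   # constructed, not a real key
    new_key = b"constructed-new-secret-9876543210"   # constructed, not a real key
    issuer = "authn-service"                         # assumed issuer name
    now = 1446305282                                 # the iat value from the slides
    claims = {"iss": issuer, "userId": "u-1", "tenantId": "t-1",
              "scope": "PROFILE_READ", "iat": now, "exp": now + 3600}
    tok_old = sign_hs256(claims, old_key, "2015-10")
    tok_new = sign_hs256(claims, new_key, "2015-11")
    overlap = {"2015-10": old_key, "2015-11": new_key}
    retired = {"2015-11": new_key}

    # Re-encode the claims with a bigger scope but keep the original MAC.
    h, _, s = tok_new.split(".")
    forged_claims = dict(claims, scope="PROFILE_READ PROFILE_WRITE")
    forged = h + "." + b64url_encode(
        json.dumps(forged_claims, separators=(",", ":")).encode()) + "." + s

    def accepted(tok, keys, at=now):
        try:
            verify_hs256(tok, keys, at, issuer)
            return True
        except TokenInvalid:
            return False

    return {
        "old_during_overlap": accepted(tok_old, overlap),
        "new_during_overlap": accepted(tok_new, overlap),
        "old_after_retire": accepted(tok_old, retired),
        "expired": accepted(tok_new, overlap, at=now + 3600),
        "forged_scope": accepted(forged, overlap),
        "profile_read": has_scope(verify_hs256(tok_new, overlap, now, issuer), "PROFILE_READ"),
    }


if __name__ == "__main__":
    for outcome, ok in rotation_walkthrough().items():
        print(f"{outcome:20s} {'accepted' if ok else 'rejected'}")
```

Retiring a key is simply dropping it from the set each service holds, which is why the slide says rotation needs a change only at the issuer: the verifiers' key set is data, not code. The constant-time `hmac.compare_digest` and the pinned `alg` are the two lines most often missing from hand-rolled verifiers.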
  55. JWT Java libraries: https://openid.net/developers/libraries/#jwt • Jose4j • Nimbus JOSE + JWT • Java JWT • Resteasy • Apache Oltu - JOSE
  56. Demo
  57. Final thoughts
  58. Recap • Service auth with TLS: transport-level privacy and authentication; service-level authorization • User auth with JWTs: JWTs are stateless and scalable; an authentication broker converts existing external identity attributes into internal claims; internal claims enable federation across microservices • Code: https://github.com/wdawson/dropwizard-auth-example
  59. How can Okta help? Universal Directory, Single Sign-On, Provisioning, Adaptive Multi-factor Authentication, Social Authentication, Inbound Federation, AD and LDAP Integration
  60. Thank you. Jon Todd (@JonToddDotCom), Wils Dawson (@WilsDawson)
