SPRINGONE2GX
WASHINGTON, DC

Securing Microservices with Spring Cloud Security

Recorded at SpringOne2GX 2015
Presenter: Will Tran
Cloud Native Track

This talk will walk through the authentication and authorization scenarios that you may encounter once you start building out microservices. We'll go over OAuth2, OpenID Connect, and how to leverage those standards with Spring Cloud Security, so you can build out secure services that can be easily consumed by both Spring and non-Spring clients.


  1. SPRINGONE2GX WASHINGTON, DC. Unless otherwise indicated, these slides are © 2013-2015 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Securing Microservices with Spring Cloud Security, by Will Tran (twitter.com/fivetenwill)
  2. Will > About
  3. About Me
     •  Spring user since Spring 2.0
     •  Works for Pivotal
     •  Currently on Spring Cloud Services
     •  Formerly on Pivotal SSO, CF UAA, PCF Mobile Services
     •  2nd time speaker at SpringOne 2GX
     •  Based in Toronto, Canada
  4. Microservices?
  5. What are Microservices?
     •  “A loosely coupled service oriented architecture with bounded contexts” – Adrian Cockcroft
     •  Loosely coupled
        o  Services can be updated independently
     •  Bounded context
        o  Services are responsible for a well-defined business function
        o  And care little about the services that surround them
        o  i.e. “Do one thing and do it well”
  6. What are Microservices?
     •  Microservice architectures are
        o  HTTP based (or communicate via other open standards)
        o  Containerized
        o  Independently deployable and scalable
        o  Self-sufficient: they make as few assumptions as possible about the external environment
  7. What about security?
  8. Securing the monolith
     [Diagram: network LB (HTTPS) → app server(s) (HTTP(S)) containing fn1, fn2, fn3 and auth]
  9. Securing the monolith is EASY(er)!
     •  You only need to auth the request once per user request
        o  No session? Verify the user's credentials, get the user's roles, start a user session
        o  Yes session? Verify the session has not expired
     •  Request/response is handled in process
     •  You can trust method calls
  10. Securing the monolith is EASY(er)!
     •  Pros
        o  Limited attack surface
     •  Cons
        o  The app has all the credentials it needs to do anything it wants to the DB
        o  Break the process and you get it all
  11. Securing a Microservice Architecture
     [Diagram: LB (HTTPS) → Gateway with auth → fn1, fn2, fn3]
  12. Microservice Security Is Harder
     •  Win!
        o  Principle of least privilege: every component only has access to what it needs to perform its function
     •  Lose
        o  Much larger attack surface (especially for internal threats)
        o  How do other services know who’s accessing them?
        o  How can other services trust each other?
  13. Microservice Security Implementations: API Gateway / Perimeter security
     •  Requests are authenticated and authorized by the gateway
     •  The public LB cannot send requests to apps directly
     •  Apps trust all traffic they receive by assumption
     •  Pros
        o  Network setup can virtually guarantee the assumptions
        o  Apps have stateless security (the assumption is stateless)
     •  Cons
        o  Does nothing for internal threats
  14. Securing a Microservice Architecture
     [Diagram: LB (HTTPS) → fn1, fn2, fn3]
  15. Microservice Security Implementations: Everybody can auth (with HTTP Basic)
     •  All apps get to do authentication and authorization themselves
     •  Basic credentials are passed along in every request
     •  Pros:
        o  Stateless (authenticate every time)
        o  Easy
     •  Cons:
        o  How do you store and look up the credentials?
        o  How do you manage authorization?
        o  User’s credentials can unlock all functionality (until the user updates their password)
  16. Securing a Microservice Architecture
     [Diagram: LB (HTTPS) → fn1, fn2, fn3 → Auth DB]
  17. Microservice Security Implementations: Basic + Central Auth DB
     •  All apps get to do authentication and authorization themselves
     •  Basic credentials are passed along in every request
     •  Credentials are verified against a central DB
     •  Pros:
        o  Central user store
        o  Stateless (authenticate every time)
     •  Cons:
        o  Auth DB is hit on every request
        o  DB lookup logic needs to be implemented everywhere
        o  User’s credentials can unlock all functionality
  18. Microservice Security Implementations: Sessions Everywhere
     •  Same as before, but each app gets to maintain a session with the client device
     •  Pros:
        o  Auth DB is hit once per session
     •  Cons:
        o  Hard to manage all the sessions
        o  No single sign on
        o  DB lookup logic needs to be implemented everywhere
        o  User’s credentials can unlock all functionality
  19. Microservice Security Implementations: API Tokens
     •  Username and password are exchanged for a token at a centralized auth server
     •  Apps validate the token for each request by hitting the auth server
     •  Pros:
        o  Apps don’t see user credentials
     •  Cons:
        o  Auth server bottleneck
        o  Token provides all-or-nothing access
  20. Microservice Security Implementations: SAML
     •  Identity provider provides signed assertions to apps
     •  Apps can trust the assertions because they’re signed
     •  Pros:
        o  Standard trust model
        o  Self-verification of assertions
     •  Cons:
        o  XML is big and stinky
        o  Difficult for non-browser (e.g. mobile) clients
  21. Microservice Security Concerns: Common concerns
     •  Central user store bottleneck
     •  Single sign on
     •  Statelessness
     •  User credentials == pure pwnage
     •  Fine grained authorization
     •  Interoperability with non-browser clients
  22. Enter OAuth2 + OpenID Connect
  23. What is OAuth2? Delegated Authorization
     •  A protocol for conveying authorization decisions (via a token)
     •  Standard means of obtaining a token (aka the 4 OAuth2 grant types)
        o  Authorization Code
        o  Resource Owner Password Grant
        o  Implicit
        o  Client Credentials
     •  Users and Clients are separate entities
     •  “I am authorizing this app to perform these actions on my behalf”
  24. What is OAuth2 Not? OAuth2 is not Authentication
     •  The user must be authenticated to obtain a token
     •  How the user is authenticated is outside of the spec
     •  How the token is validated is outside the spec
     •  What the token contains is outside the spec
     •  Read more: http://oauth.net/articles/authentication/
  25. What is OpenID Connect? Delegated Authentication
     •  A protocol for conveying user identity (via a signed JWT)
     •  Built on top of OAuth2
     •  Standard means of obtaining an ID token
        o  The same 4 OAuth2 grant types are supported
     •  Standard means of verifying ID tokens
     •  “Will is authorizing this app to perform these actions on his behalf”
        o  And here’s his email address in case you need it
  26. What is OpenID Connect Not? Authentication
     •  Still doesn’t say how users are to be authenticated
     •  This is good: there are lots of ways to authenticate users
        o  Internal DB
        o  Another Identity Provider (SAML, LDAP)
        o  Multi-factor
  27. How to get tokens: Authorization Code Flow
     Actors:
     •  User – Resource Owner
     •  Web App – Client
     •  REST API – Resource Server
     •  Auth server – OpenID Connect Provider (e.g. Google)
     Setup:
     •  User has no session with the auth server or the web app
     Use case:
     •  User wants to place an order on the REST API using the web app
  28. Authorization Code Flow, Step 1: The user accesses the web app and does not have a session with it.
  29. Step 2: The web app redirects the user to the authorize endpoint on the auth server. The redirect URL contains the scopes openid and order.me, which means the web app is requesting a token that allows apps to view the user’s identity (openid) and place orders on the user’s behalf (order.me).
  30. Step 3: The auth server redirects the user to its login page because the user isn’t logged in.
  31. Step 4: The user logs in, starts a session with the auth server, and is redirected back to the authorize endpoint. Control is given back to the user, who sees a page asking whether they permit the web app to access their identity and manage their orders on their behalf.
  32. Step 5: The user authorizes access. The auth server redirects the user back to the web app with a one-time code in the query params of the redirect.
  33. Step 6: The web app hits the token endpoint with the one-time code in the query params. The auth server validates the code.
  34. Step 7: The auth server responds with an access token (a random string) and an ID token (a signed JWT). The web app verifies the ID token, consumes its contents, starts an authenticated session, and saves the access token in the session.
  35. How to use tokens: The Resource Server. Step 8: The web app now gives control back to the user and responds with an order form.
  36. Step 9: The user fills out and submits the order form.
  37. Step 10: The web app submits the order to the REST API with the access token that was stored in the session.
  38. Step 11: The REST API needs to validate the token. It sends the token to the auth server’s token verification endpoint.
  39. Step 12: The auth server responds with the permissions (scopes) that the token grants. The REST API now knows that the request is authorized.
  40. Step 13: But wait! Before saving the order, the REST API wants to populate it with other user information not contained in the request, e.g. address and phone number. The REST API makes a request with that same token to the /userinfo endpoint.
  41. Step 14: The auth server responds with the user’s information. The REST API can now save the order.
  42. Step 15: Control is now given back to the user.
  43. How to SSO: Single Sign On. Step 16: The user wants to use Web App 2 to track their order and is not authenticated with it.
  44. Step 17: Web App 2 redirects the user to the auth server’s /authorize endpoint.
  45. Step 18: The user already has an authenticated session with the auth server, so the server responds to the /authorize request with a page that asks whether the user permits the web app to access their identity and manage their orders on their behalf. (And the flow continues as before.)
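The eighteen steps above run end to end, as an added example that is not code from the talk or from Spring Cloud Security: an in-memory auth server, two web apps and a REST API, where the access token stays opaque and is introspected at the auth server (steps 11-12) and the web apps learn identity from /userinfo rather than from the ID token (the Spring Cloud Security behaviour described on slide 48). Client ids, secrets, redirect URIs, the user record and the method names standing in for endpoints are constructed assumptions; the example also shows that a one-time code cannot be exchanged twice.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class AuthServer:
    """OpenID Connect provider with /authorize, /token, /check_token and /userinfo."""
    def __init__(self):
        # Constructed registrations: client id -> (secret, registered redirect URI).
        self.clients = {"webapp": ("s1", "https://webapp.example/cb"),
                        "webapp2": ("s2", "https://webapp2.example/cb")}
        self.users = {"will": {"email": "will@example.com", "address": "1 Front St, Toronto"}}
        # cookie -> user ; one-time code -> (client, user, scopes) ; token -> (user, scopes)
        self.sessions, self.codes, self.tokens = {}, {}, {}

    def login(self, username):   # Step 4: password check omitted; a session now exists
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def authorize(self, sid, client_id, redirect_uri, scope):
        """Steps 2-5 (and 17-18): no session -> login page; with one -> consent, then a code."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if sid not in self.sessions:
            return "login_required"
        code = secrets.token_urlsafe(16)             # one-time, bound to the requesting client
        self.codes[code] = (client_id, self.sessions[sid], scope.split())
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code):
        """Steps 6-7: the client authenticates and swaps the code for an opaque access token."""
        if self.clients.get(client_id, (None,))[0] != client_secret:
            raise ValueError("bad client credentials")
        entry = self.codes.pop(code, None)           # pop: exchanging the same code twice fails
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid, replayed or foreign code")
        _, user, scopes = entry
        access_token = secrets.token_urlsafe(32)     # random string, opaque to everyone but us
        self.tokens[access_token] = (user, scopes)
        return {"access_token": access_token, "token_type": "bearer"}

    def check_token(self, access_token):
        """Steps 11-12: tell a resource server what the token grants (nothing, if unknown)."""
        user, scopes = self.tokens.get(access_token, (None, []))
        return {"active": user is not None, "sub": user, "scope": scopes}

    def userinfo(self, access_token):
        """Steps 13-14: profile of the token's user; requires the openid scope."""
        user, scopes = self.tokens.get(access_token, (None, []))
        if user is None or "openid" not in scopes:
            raise PermissionError("openid scope required")
        return dict(self.users[user], sub=user)


class RestApi:
    """Resource server: every request is introspected at the auth server before it is served."""
    def __init__(self, auth):
        self.auth = auth

    def place_order(self, access_token, item):
        info = self.auth.check_token(access_token)                  # Step 11
        if not info["active"] or "order.me" not in info["scope"]:   # Step 12
            raise PermissionError("order.me scope required")
        address = self.auth.userinfo(access_token)["address"]      # Steps 13-14
        return {"item": item, "sub": info["sub"], "ship_to": address}


class WebApp:
    """OAuth2 client; like Spring Cloud Security (slide 48) it learns identity from /userinfo."""
    def __init__(self, auth, client_id, client_secret):
        self.auth, self.client_id, self.secret, self.session = auth, client_id, client_secret, {}

    def visit(self, browser_sid):
        """True once signed in; False means the user was bounced to the auth server's login."""
        location = self.auth.authorize(browser_sid, self.client_id,
                                       self.auth.clients[self.client_id][1], "openid order.me")
        if location == "login_required":
            return False
        code = parse_qs(urlparse(location).query)["code"][0]
        token = self.auth.token(self.client_id, self.secret, code)["access_token"]
        self.session = {"user": self.auth.userinfo(token)["sub"], "access_token": token, "code": code}
        return True


def run_flow():
    auth = AuthServer()
    api, app1, app2 = RestApi(auth), WebApp(auth, "webapp", "s1"), WebApp(auth, "webapp2", "s2")
    first_visit = app1.visit("no-cookie-yet")                        # Steps 1-3
    sid = auth.login("will")                                          # Step 4
    signed_in = app1.visit(sid)                                       # Steps 5-8
    order = api.place_order(app1.session["access_token"], "coffee")  # Steps 9-15
    try:                                                              # replay the one-time code
        auth.token("webapp", "s1", app1.session["code"])
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    sso = app2.visit(sid)                                             # Steps 16-18: no 2nd login
    return {"first_visit": first_visit, "signed_in": signed_in, "order": order,
            "replay_accepted": replay_accepted, "sso": sso, "user2": app2.session["user"]}
```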
46. Enter Spring Cloud Security

47. Spring Cloud Security Features
• SSO with OAuth2 and OpenID Connect servers
  • With a single annotation (and some config)
• Secure resource servers with tokens
  • With a single annotation (and some config)
• Relay tokens between SSO-enabled webapps and resource servers
  • With an autoconfigured OAuth2RestTemplate

48. Spring Cloud Security Caveats
• OpenID Connect ID tokens aren't directly consumed
  • But you can use /userinfo instead
  • But if the access token is a JWT containing identity claims, you're in luck

49. But I thought Access Tokens were opaque!
RFC 6749, OAuth 2.0, October 2012, section 1.4 "Access Token": "Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client."

50. If Access Tokens carried information…
With scopes in the token
• You can authorize the request yourself
With identity claims in the token
• You know who the originator of the request is
With a signed token
• You can validate the token's authenticity yourself
• Your auth server won't become the bottleneck

51. Enter UAA

52. UAA to the rescue
What is UAA
• The User Account and Authorization server
• Core component of Cloud Foundry, battle tested in production
• Apache 2 License, download the WAR and run it for free
• OAuth2 compliant, almost OpenID Connect compliant
  • Supports /userinfo
• Multitenant
• Spring Security OAuth2 is based on UAA
• Spring Cloud Security is a great fit with UAA
  • Because UAA produces JWTs containing both scopes and identity

53. JWT to the rescue
What is JWT
• JSON Web Token (RFC 7519), standardized May 2015
• Header, payload, signature
• Base64-encoded form is easy to transmit in headers
• Standardized generation and verification of signatures
• Can encapsulate any claim (scopes, identity)
• Can expire
• Enables scalable, stateless authentication and authorization
  • Clients can verify tokens themselves
  • With the tradeoff of losing token revocation
54. Microservice Security Concerns
Common concerns
• Central user store bottleneck ✔
• Single sign-on ✔
• Statelessness ✔
• User credentials == pure pwnage ✔
• Fine-grained authorization ✔
• Interoperability with non-browser (mobile) clients ✔

55. Let's See It Work

56. Demo Time
Follow along on GitHub: github.com/william-tran/microservice-security

57. Demo 1: SSO
SSO with Google OpenID Connect and UAA
• The only difference is configuration

58. Show Me How

59. Demo 2: Freddy's BBQ Joint
Actors
• Freddy, owner of Freddy's BBQ Joint, the best ribs in DC
• Frank, Freddy's most important customer (and the most powerful man in the world)
• The Developer, works for Frank and wants to impress him with a side project
Use Case
• Give Frank the ability to see the menu online and place orders
• Give Freddy the ability to manage the menu and close orders
60–72. Demo 2: Freddy's BBQ Joint
[Architecture diagram, built up across slides 60–72: UAA, Customer UI, Admin UI, Menu REST API and Order REST API, with Frank (customer) and Freddy (owner) as the users]
73. Fin

74. Thank You, Cloud Foundry Identity Team
Sree Tummidi, Madhura Bhave, Chris Dutra, Filip Hanik, Rob Gallagher

75. Follow me on Twitter: @fivetenwill
Heckle my commits on github.com/william-tran
Learn More. Stay Connected. @springcentral, Spring.io/video

76. Questions?