Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço

326 views

Published on

Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016.
Saiba mais em http://intercon2016.imasters.com.br/

Published in: Technology
  • Be the first to comment

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço

  1. 1. Identity  within  Microservices Erick  Belluci Tedeschi @ericktedeschi São  Paulo,  Oct  22  2016
  2. 2. Who? • PHP  Developer  since  2003 • Application  Security  since  2007 • Biker • Maker • Help  devs delivery  Secure  Applications • Help  business  to  keep  clients  data  secure
  3. 3. Agenda • Microservice architecture  Version  1 • About  Tokens • OAuth  2.0 • OpenID  Connect • Authorization  Code  Flow  Example • Microservice architecture  NG!!!
  4. 4. Microservice Architecture  V1 API  GatewayOAuth  Server* Account GET  /my/{user_id} Transfer POST  /transferto/{src_account}/{dst_account} Receipt GET  /receipts/{user_id} End-­‐User Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize Basic  auth Basic  auth No  auth
  5. 5. Microservice Architecture  V1 API  GatewayOAuth  Server* Account GET  /my/{user_id} Transfer POST  /transferto/{src_account}/{dst_account} Receipt GET  /receipts/{user_id} End-­‐User Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize Basic  auth Basic  auth No  auth • Poor  logging  (audit  trail) • Poor  identification  on  microservices (X-­‐User-­‐Logged  L) • Authorization  centralized  on  API  Gateway • Microservices are  more  like  CRUDs  APIs • Microservices have  ”micro  user  repositories”  or  don’t   have  authentication/authorization • API  Gateway  have  more  responsibility  than  necessary
  6. 6. Now,  let’s  take  a  look  at  the:  Token • A  piece  of stamped metal used  as  a substitute for money;  a voucher that  can  be  exchanged  for  goods  or   services  (https://en.wiktionary.org/wiki/token) • Token  By  Reference • An  opaque  string  generated  randomly • Ex.:  2YotnFZFEjr1zCsicMWpAA • Token  By  Value • A  JWT  that  contains  claims  about  the  context  of  the  token • Ex.:   eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHA iOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb 3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
  7. 7. JWT  – JSON  Web  Token eyJ0eXAiOiJKV1QiL CJhbGciOiJIUzI1NiJ 9.eyJpc3MiOiJodH RwczovL215LnNlcn ZpY2UuY29tIiwiaW F0IjoxNDM1MTc5N jAzLCJleHAiOjE0Mz UxODE0MjEsImF1Z CI6Ind3dy5zZXJ2a WNlLmNvbSIsInN1 YiI6ImpvaG5kb2VA Z21haWwuY29tIiwi Um9sZSI6WyJhcHB yb3ZlciIsInZpZXdlci JdfQ.91GLvtMhhnI Cmqlf_RVONGw5I M9i8eeAPx2s_Wp MObU { "typ":  "JWT", "alg":  "HS256" } { "iss":  "https://my.service.com", "iat":  1435179603, "exp":  1435181421, "aud":  "www.service.com", "sub":  "johndoe@gmail.com", "Role":  [ "approver", "viewer" ] } HMACSHA256( base64UrlEncode(header)  +  "."  + base64UrlEncode(payload),sharedsecret) JWT  Header JWT  Payload JWT  Signature
  8. 8. The  OAuth  2.0  Authorization  Framework The  OAuth  2.0  enables  a  third-­‐party  application  to  obtain   limited  access  to  an  HTTP  service  on  behalf  of  a  resource   owner...
  9. 9. OAuth  2.0  – Protocol  or  Framework? • RFC  5849:  The  OAuth  1.0  Protocol • RFC  6749:  The  OAuth  2.0  Authorization  Framework https://tools.ietf.org/html/rfc5849 …  contract,  pact,  deal   https://tools.ietf.org/html/rfc6749 …  structure,  skeleton,  chassis
  10. 10. Warning:  OAuth  is  not  about  authentication
  11. 11. Warning:  OAuth  is  not  about  authentication
  12. 12. How  an  access_token looks  like?  (by  value  -­‐ JWT) // JWT Payload { "sub": "alice", // user id "cid": "000123", // client id "iss": "https://as.domain.com", // who issued "aud": "https://rs.domain.com", "exp": 1460345736, // expiration date "scp": ["openid","email","profile"] // scopes }
  13. 13. OpenID  Connect OpenID  Connect  1.0  is  a  simple  identity  layer  on  top  of  the  OAuth  2.
  14. 14. How  an  id_token looks  like?  (by  value  -­‐ JWT) { "iss": ”InstIdentRicardoGumbletonDaunt", // who issued "sub": ”4.444.444", // user identification "aud": ["cops","bank"], // where it’s used "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, // 10 years "iat": 1311280970, "auth_time": 1311280969, "amr": "sign+fingerprint” //auth-methods-ref }
  15. 15. OpenID  Connect  Discovery  1.0
  16. 16. A  complete  Authorization  Server • /authorize • /token • /introspection  (check  access_token) • /token_info (get  more  information  about  identity) • /revocation
  17. 17. Let’s  see  how  to  get  both  access_token and   id_token using  Authorization  Code  Flow
  18. 18. Resource Owner Authorization Server Resource Server Client access
  19. 19. Resource Owner Authorization Server Resource Server Client access *  GET  /authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
  20. 20. Resource Owner Authorization Server Resource Server Client access
  21. 21. Resource Owner Authorization Server Resource Server Client access
  22. 22. Resource Owner Authorization Server Resource Server Client *  Location:  https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
  23. 23. Resource Owner Authorization Server Resource Server Client POST  /token  HTTP/1.1 Host:  server.example.com Authorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  24. 24. Resource Owner Authorization Server Resource Server Client HTTP/1.1  200  OK Content-­‐Type:  application/json;charset=UTF-­‐8 Cache-­‐Control:  no-­‐store Pragma:  no-­‐cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "id_token":   "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi 8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBM k1qIiwKICJleHAiOiAxMzE.xptoxptoxpto" }
  25. 25. Resource Owner Authorization Server Resource Server Client
  26. 26. Resource Owner Authorization Server Resource Server Client POST  /introspect  HTTP/1.1 Host:  server.example.com Authorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded token=2YotnFZFEjr1zCsicMWpAA https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  27. 27. Resource Owner Authorization Server Resource Server Client HTTP/1.1  200  OK Content-­‐Type:  application/json { "active":  true, "client_id":  "l238j323ds-­‐23ij4", "username":  "jdoe", "scope":  ”openid profile  email", "sub":  "Z5O3upPC88QrAjx00dis", "aud":  "https://protected.example.net/resource", "iss":  "https://server.example.com/", "exp":  1419356238, "iat":  1419350238, "extension_field":  "twenty-­‐seven” } https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  28. 28. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  29. 29. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request Nice
  30. 30. Microservice Architecture  NG!!! API  Gateway Authorization Server Account GET  /my GET  /pvt/{account} Transfer POST  /transferto/{dst_account} Receipt GET  /receipts OAuth Filter OAuth Filter OAuth Filter OAuth  Filter Resource Owner Introspection/validation Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize /introspect /revoke /token_info ”offline  introspection/validation” ”offline  introspection/validation”
  31. 31. Microservice Architecture  NG!!! API  Gateway Authorization Server Account GET  /my GET  /pvt/{account} Transfer POST  /transferto/{dst_account} Receipt GET  /receipts OAuth Filter OAuth Filter OAuth Filter OAuth  Filter Resource Owner Introspection/validation Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize /introspect /revoke /token_info ”offline  introspection/validation” ”offline  introspection/validation” • Audit  Trail  Improved • Microservices can  make  decision  based  on  the  end-­‐user   identity • Fine  grained  authorization  across  the  services • The  whole  environment  have  a  central  user  identity   repository  (OAuth+OpenID Connect  Server) • API  Gateway  is  clean/slim
  32. 32. Don’t  start  from  scratch • OpenSource • Connect2ID  http://connect2id.com/ • Keycloak http://www.keycloak.org/ • MitreID Connect  https://github.com/mitreid-­‐connect/OpenID-­‐Connect-­‐Java-­‐ Spring-­‐Server • WSO2  Identity  Server  http://wso2.com/products/identity-­‐server/
  33. 33. References  and  Links • OAuth  2.0:  https://tools.ietf.org/html/rfc6749 • OAuth  2.0  Bearer  Token  Usage:  https://tools.ietf.org/html/rfc6750 • OpenID  Connect  Core:  http://openid.net/specs/openid-­‐connect-­‐core-­‐1_0.html • OpenID  Connect  Discovery:  https://openid.net/specs/openid-­‐connect-­‐discovery-­‐1_0.html • JOSÉ  (JSON  Object  Signing  and  Encryption) • JSON  Web  Signature  (JWS)  https://tools.ietf.org/html/rfc7515 • JSON  Web  Encryption  (JWE)  https://tools.ietf.org/html/rfc7516 • JSON  Web  Key  (JWK)  https://tools.ietf.org/html/rfc7517 • JSON  Web  Algorithms  (JWA)  https://tools.ietf.org/html/rfc7518 • JSON  Web  Token  (JWT)  https://tools.ietf.org/html/rfc7519 • http://connect2id.com/products/nimbus-­‐jose-­‐jwt/examples/validating-­‐jwt-­‐access-­‐tokens
  34. 34. Thanks https://www.linkedin.com/in/ericktedeschi https://twitter.com/ericktedeschi http://www.slideshare.net/erickt86 erick@oerick.com

×