Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Identity	
  within	
  Microservices
Erick	
  Belluci Tedeschi
@ericktedeschi
São	
  Paulo,	
  Oct	
  22	
  2016
Who?
• PHP	
  Developer	
  since	
  2003
• Application	
  Security	
  since	
  2007
• Biker
• Maker
• Help	
  devs deliver...
Agenda
• Microservice architecture	
  Version	
  1
• About	
  Tokens
• OAuth	
  2.0
• OpenID	
  Connect
• Authorization	
 ...
Microservice Architecture	
  V1
API	
  GatewayOAuth	
  Server*
Account
GET	
  /my/{user_id}
Transfer
POST	
  /transferto/{...
Microservice Architecture	
  V1
API	
  GatewayOAuth	
  Server*
Account
GET	
  /my/{user_id}
Transfer
POST	
  /transferto/{...
Now,	
  let’s	
  take	
  a	
  look	
  at	
  the:	
  Token
• A	
  piece	
  of stamped metal used	
  as	
  a substitute for ...
JWT	
  – JSON	
  Web	
  Token
eyJ0eXAiOiJKV1QiL
CJhbGciOiJIUzI1NiJ
9.eyJpc3MiOiJodH
RwczovL215LnNlcn
ZpY2UuY29tIiwiaW
F0Ij...
The	
  OAuth	
  2.0	
  Authorization	
  Framework
The	
  OAuth	
  2.0	
  enables	
  a	
  third-­‐party	
  application	
  t...
OAuth	
  2.0	
  – Protocol	
  or	
  Framework?
• RFC	
  5849:	
  The	
  OAuth	
  1.0	
  Protocol
• RFC	
  6749:	
  The	
  ...
Warning:	
  OAuth	
  is	
  not	
  about	
  authentication
Warning:	
  OAuth	
  is	
  not	
  about	
  authentication
How	
  an	
  access_token looks	
  like?	
  (by	
  value	
  -­‐ JWT)
// JWT Payload
{
"sub": "alice", // user id
"cid": "0...
OpenID	
  Connect
OpenID	
  Connect	
  1.0	
  is	
  a	
  simple	
  identity	
  layer	
  on	
  top	
  of	
  the	
  OAuth	
 ...
How	
  an	
  id_token looks	
  like?	
  (by	
  value	
  -­‐ JWT)
{
"iss": ”InstIdentRicardoGumbletonDaunt", // who issued
...
OpenID	
  Connect	
  Discovery	
  1.0
A	
  complete	
  Authorization	
  Server
• /authorize
• /token
• /introspection	
  (check	
  access_token)
• /token_info (...
Let’s	
  see	
  how	
  to	
  get	
  both	
  access_token and	
  
id_token using	
  Authorization	
  Code	
  Flow
Resource
Owner
Authorization
Server
Resource
Server
Client
access
Resource
Owner
Authorization
Server
Resource
Server
Client
access
*	
  GET	
  /authorize?response_type=code&client_id=s6Bh...
Resource
Owner
Authorization
Server
Resource
Server
Client
access
Resource
Owner
Authorization
Server
Resource
Server
Client
access
Resource
Owner
Authorization
Server
Resource
Server
Client
*	
  Location:	
  https://client.example.com/cb?code=SplxlOBeZQ...
Resource
Owner
Authorization
Server
Resource
Server
Client
POST	
  /token	
  HTTP/1.1
Host:	
  server.example.com
Authoriz...
Resource
Owner
Authorization
Server
Resource
Server
Client
HTTP/1.1	
  200	
  OK
Content-­‐Type:	
  application/json;chars...
Resource
Owner
Authorization
Server
Resource
Server
Client
Resource
Owner
Authorization
Server
Resource
Server
Client
POST	
  /introspect	
  HTTP/1.1
Host:	
  server.example.com
Aut...
Resource
Owner
Authorization
Server
Resource
Server
Client
HTTP/1.1	
  200	
  OK
Content-­‐Type:	
  application/json
{
"ac...
Resource
Owner
Authorization
Server
Resource
Server
Client
https://tools.ietf.org/search/rfc7662 OAuth	
  2.0	
  Token	
  ...
Resource
Owner
Authorization
Server
Resource
Server
Client
https://tools.ietf.org/search/rfc7662 OAuth	
  2.0	
  Token	
  ...
Microservice Architecture	
  NG!!!
API	
  Gateway
Authorization
Server
Account
GET	
  /my
GET	
  /pvt/{account}
Transfer
P...
Microservice Architecture	
  NG!!!
API	
  Gateway
Authorization
Server
Account
GET	
  /my
GET	
  /pvt/{account}
Transfer
P...
Don’t	
  start	
  from	
  scratch
• OpenSource
• Connect2ID	
  http://connect2id.com/
• Keycloak http://www.keycloak.org/
...
References	
  and	
  Links
• OAuth	
  2.0:	
  https://tools.ietf.org/html/rfc6749
• OAuth	
  2.0	
  Bearer	
  Token	
  Usa...
Thanks
https://www.linkedin.com/in/ericktedeschi
https://twitter.com/ericktedeschi
http://www.slideshare.net/erickt86
eric...
Upcoming SlideShare
Loading in …5
×

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço

225 views

Published on

Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016.
Saiba mais em http://intercon2016.imasters.com.br/

Published in: Technology
  • Be the first to comment

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço

  1. 1. Identity  within  Microservices Erick  Belluci Tedeschi @ericktedeschi São  Paulo,  Oct  22  2016
  2. 2. Who? • PHP  Developer  since  2003 • Application  Security  since  2007 • Biker • Maker • Help  devs delivery  Secure  Applications • Help  business  to  keep  clients  data  secure
  3. 3. Agenda • Microservice architecture  Version  1 • About  Tokens • OAuth  2.0 • OpenID  Connect • Authorization  Code  Flow  Example • Microservice architecture  NG!!!
  4. 4. Microservice Architecture  V1 API  GatewayOAuth  Server* Account GET  /my/{user_id} Transfer POST  /transferto/{src_account}/{dst_account} Receipt GET  /receipts/{user_id} End-­‐User Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize Basic  auth Basic  auth No  auth
  5. 5. Microservice Architecture  V1 API  GatewayOAuth  Server* Account GET  /my/{user_id} Transfer POST  /transferto/{src_account}/{dst_account} Receipt GET  /receipts/{user_id} End-­‐User Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize Basic  auth Basic  auth No  auth • Poor  logging  (audit  trail) • Poor  identification  on  microservices (X-­‐User-­‐Logged  L) • Authorization  centralized  on  API  Gateway • Microservices are  more  like  CRUDs  APIs • Microservices have  ”micro  user  repositories”  or  don’t   have  authentication/authorization • API  Gateway  have  more  responsibility  than  necessary
  6. 6. Now,  let’s  take  a  look  at  the:  Token • A  piece  of stamped metal used  as  a substitute for money;  a voucher that  can  be  exchanged  for  goods  or   services  (https://en.wiktionary.org/wiki/token) • Token  By  Reference • An  opaque  string  generated  randomly • Ex.:  2YotnFZFEjr1zCsicMWpAA • Token  By  Value • A  JWT  that  contains  claims  about  the  context  of  the  token • Ex.:   eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHA iOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb 3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
  7. 7. JWT  – JSON  Web  Token eyJ0eXAiOiJKV1QiL CJhbGciOiJIUzI1NiJ 9.eyJpc3MiOiJodH RwczovL215LnNlcn ZpY2UuY29tIiwiaW F0IjoxNDM1MTc5N jAzLCJleHAiOjE0Mz UxODE0MjEsImF1Z CI6Ind3dy5zZXJ2a WNlLmNvbSIsInN1 YiI6ImpvaG5kb2VA Z21haWwuY29tIiwi Um9sZSI6WyJhcHB yb3ZlciIsInZpZXdlci JdfQ.91GLvtMhhnI Cmqlf_RVONGw5I M9i8eeAPx2s_Wp MObU { "typ":  "JWT", "alg":  "HS256" } { "iss":  "https://my.service.com", "iat":  1435179603, "exp":  1435181421, "aud":  "www.service.com", "sub":  "johndoe@gmail.com", "Role":  [ "approver", "viewer" ] } HMACSHA256( base64UrlEncode(header)  +  "."  + base64UrlEncode(payload),sharedsecret) JWT  Header JWT  Payload JWT  Signature
  8. 8. The  OAuth  2.0  Authorization  Framework The  OAuth  2.0  enables  a  third-­‐party  application  to  obtain   limited  access  to  an  HTTP  service  on  behalf  of  a  resource   owner...
  9. 9. OAuth  2.0  – Protocol  or  Framework? • RFC  5849:  The  OAuth  1.0  Protocol • RFC  6749:  The  OAuth  2.0  Authorization  Framework https://tools.ietf.org/html/rfc5849 …  contract,  pact,  deal   https://tools.ietf.org/html/rfc6749 …  structure,  skeleton,  chassis
  10. 10. Warning:  OAuth  is  not  about  authentication
  11. 11. Warning:  OAuth  is  not  about  authentication
  12. 12. How  an  access_token looks  like?  (by  value  -­‐ JWT) // JWT Payload { "sub": "alice", // user id "cid": "000123", // client id "iss": "https://as.domain.com", // who issued "aud": "https://rs.domain.com", "exp": 1460345736, // expiration date "scp": ["openid","email","profile"] // scopes }
  13. 13. OpenID  Connect OpenID  Connect  1.0  is  a  simple  identity  layer  on  top  of  the  OAuth  2.
  14. 14. How  an  id_token looks  like?  (by  value  -­‐ JWT) { "iss": ”InstIdentRicardoGumbletonDaunt", // who issued "sub": ”4.444.444", // user identification "aud": ["cops","bank"], // where it’s used "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, // 10 years "iat": 1311280970, "auth_time": 1311280969, "amr": "sign+fingerprint” //auth-methods-ref }
  15. 15. OpenID  Connect  Discovery  1.0
  16. 16. A  complete  Authorization  Server • /authorize • /token • /introspection  (check  access_token) • /token_info (get  more  information  about  identity) • /revocation
  17. 17. Let’s  see  how  to  get  both  access_token and   id_token using  Authorization  Code  Flow
  18. 18. Resource Owner Authorization Server Resource Server Client access
  19. 19. Resource Owner Authorization Server Resource Server Client access *  GET  /authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
  20. 20. Resource Owner Authorization Server Resource Server Client access
  21. 21. Resource Owner Authorization Server Resource Server Client access
  22. 22. Resource Owner Authorization Server Resource Server Client *  Location:  https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
  23. 23. Resource Owner Authorization Server Resource Server Client POST  /token  HTTP/1.1 Host:  server.example.com Authorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  24. 24. Resource Owner Authorization Server Resource Server Client HTTP/1.1  200  OK Content-­‐Type:  application/json;charset=UTF-­‐8 Cache-­‐Control:  no-­‐store Pragma:  no-­‐cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "id_token":   "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi 8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBM k1qIiwKICJleHAiOiAxMzE.xptoxptoxpto" }
  25. 25. Resource Owner Authorization Server Resource Server Client
  26. 26. Resource Owner Authorization Server Resource Server Client POST  /introspect  HTTP/1.1 Host:  server.example.com Authorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded token=2YotnFZFEjr1zCsicMWpAA https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  27. 27. Resource Owner Authorization Server Resource Server Client HTTP/1.1  200  OK Content-­‐Type:  application/json { "active":  true, "client_id":  "l238j323ds-­‐23ij4", "username":  "jdoe", "scope":  ”openid profile  email", "sub":  "Z5O3upPC88QrAjx00dis", "aud":  "https://protected.example.net/resource", "iss":  "https://server.example.com/", "exp":  1419356238, "iat":  1419350238, "extension_field":  "twenty-­‐seven” } https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  28. 28. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  29. 29. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request Nice
  30. 30. Microservice Architecture  NG!!! API  Gateway Authorization Server Account GET  /my GET  /pvt/{account} Transfer POST  /transferto/{dst_account} Receipt GET  /receipts OAuth Filter OAuth Filter OAuth Filter OAuth  Filter Resource Owner Introspection/validation Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize /introspect /revoke /token_info ”offline  introspection/validation” ”offline  introspection/validation”
  31. 31. Microservice Architecture  NG!!! API  Gateway Authorization Server Account GET  /my GET  /pvt/{account} Transfer POST  /transferto/{dst_account} Receipt GET  /receipts OAuth Filter OAuth Filter OAuth Filter OAuth  Filter Resource Owner Introspection/validation Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize /introspect /revoke /token_info ”offline  introspection/validation” ”offline  introspection/validation” • Audit  Trail  Improved • Microservices can  make  decision  based  on  the  end-­‐user   identity • Fine  grained  authorization  across  the  services • The  whole  environment  have  a  central  user  identity   repository  (OAuth+OpenID Connect  Server) • API  Gateway  is  clean/slim
  32. 32. Don’t  start  from  scratch • OpenSource • Connect2ID  http://connect2id.com/ • Keycloak http://www.keycloak.org/ • MitreID Connect  https://github.com/mitreid-­‐connect/OpenID-­‐Connect-­‐Java-­‐ Spring-­‐Server • WSO2  Identity  Server  http://wso2.com/products/identity-­‐server/
  33. 33. References  and  Links • OAuth  2.0:  https://tools.ietf.org/html/rfc6749 • OAuth  2.0  Bearer  Token  Usage:  https://tools.ietf.org/html/rfc6750 • OpenID  Connect  Core:  http://openid.net/specs/openid-­‐connect-­‐core-­‐1_0.html • OpenID  Connect  Discovery:  https://openid.net/specs/openid-­‐connect-­‐discovery-­‐1_0.html • JOSÉ  (JSON  Object  Signing  and  Encryption) • JSON  Web  Signature  (JWS)  https://tools.ietf.org/html/rfc7515 • JSON  Web  Encryption  (JWE)  https://tools.ietf.org/html/rfc7516 • JSON  Web  Key  (JWK)  https://tools.ietf.org/html/rfc7517 • JSON  Web  Algorithms  (JWA)  https://tools.ietf.org/html/rfc7518 • JSON  Web  Token  (JWT)  https://tools.ietf.org/html/rfc7519 • http://connect2id.com/products/nimbus-­‐jose-­‐jwt/examples/validating-­‐jwt-­‐access-­‐tokens
  34. 34. Thanks https://www.linkedin.com/in/ericktedeschi https://twitter.com/ericktedeschi http://www.slideshare.net/erickt86 erick@oerick.com

×