InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço
Report
Share
•4 likes•1,239 views
![JWT
– JSON
Web
Token
eyJ0eXAiOiJKV1QiL
CJhbGciOiJIUzI1NiJ
9.eyJpc3MiOiJodH
RwczovL215LnNlcn
ZpY2UuY29tIiwiaW
F0IjoxNDM1MTc5N
jAzLCJleHAiOjE0Mz
UxODE0MjEsImF1Z
CI6Ind3dy5zZXJ2a
WNlLmNvbSIsInN1
YiI6ImpvaG5kb2VA
Z21haWwuY29tIiwi
Um9sZSI6WyJhcHB
yb3ZlciIsInZpZXdlci
JdfQ.91GLvtMhhnI
Cmqlf_RVONGw5I
M9i8eeAPx2s_Wp
MObU
{
"typ":
"JWT",
"alg":
"HS256"
}
{
"iss":
"https://my.service.com",
"iat":
1435179603,
"exp":
1435181421,
"aud":
"www.service.com",
"sub":
"johndoe@gmail.com",
"Role":
[
"approver",
"viewer"
]
}
HMACSHA256(
base64UrlEncode(header)
+
"."
+
base64UrlEncode(payload),sharedsecret)
JWT
Header
JWT
Payload
JWT
Signature](https://image.slidesharecdn.com/14h00ericktedeschi-161026201405/75/intercon-2016-segurana-de-identidade-digital-levando-em-considerao-uma-arquitetura-de-microservio-7-2048.jpg?cb=1670409492)
![How
an
access_token looks
like?
(by
value
-‐ JWT)
// JWT Payload
{
"sub": "alice", // user id
"cid": "000123", // client id
"iss": "https://as.domain.com", // who issued
"aud": "https://rs.domain.com",
"exp": 1460345736, // expiration date
"scp": ["openid","email","profile"] // scopes
}](https://image.slidesharecdn.com/14h00ericktedeschi-161026201405/75/intercon-2016-segurana-de-identidade-digital-levando-em-considerao-uma-arquitetura-de-microservio-12-2048.jpg?cb=1670409492)
![How
an
id_token looks
like?
(by
value
-‐ JWT)
{
"iss": ”InstIdentRicardoGumbletonDaunt", // who issued
"sub": ”4.444.444", // user identification
"aud": ["cops","bank"], // where it’s used
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970, // 10 years
"iat": 1311280970,
"auth_time": 1311280969,
"amr": "sign+fingerprint” //auth-methods-ref
}](https://image.slidesharecdn.com/14h00ericktedeschi-161026201405/75/intercon-2016-segurana-de-identidade-digital-levando-em-considerao-uma-arquitetura-de-microservio-14-2048.jpg?cb=1670409492)
InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço
•4 likes•1,239 views
Report
Share
Download to read offline
Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016. Saiba mais em http://intercon2016.imasters.com.br/
Recommended
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://cdn.slidesharecdn.com/ss_thumbnails/17h00ivanrosolen-160331183444-thumbnail.jpg?width=384&fit=bounds)
More Related Content
What's hot
What's hot(19)
Viewers also liked
Viewers also liked(11)
Similar to InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço
![[LDAPCon 2015] The OpenID Connect Protocol](https://cdn.slidesharecdn.com/ss_thumbnails/ldapcon2015openidconnect-151117105614-lva1-app6892-thumbnail.jpg?width=384&fit=bounds)
Similar to InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço(20)
![[LDAPCon 2015] The OpenID Connect Protocol](https://cdn.slidesharecdn.com/ss_thumbnails/ldapcon2015openidconnect-151117105614-lva1-app6892-thumbnail.jpg?width=768&fit=bounds)
![[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho](https://cdn.slidesharecdn.com/ss_thumbnails/cb16rianchoen-161109050650-thumbnail.jpg?width=768&fit=bounds)
More from iMasters
More from iMasters(20)
Recently uploaded
Recently uploaded(20)
InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço
- 1. Identity within Microservices Erick Belluci Tedeschi @ericktedeschi São Paulo, Oct 22 2016
- 2. Who? • PHP Developer since 2003 • Application Security since 2007 • Biker • Maker • Help devs delivery Secure Applications • Help business to keep clients data secure
- 3. Agenda • Microservice architecture Version 1 • About Tokens • OAuth 2.0 • OpenID Connect • Authorization Code Flow Example • Microservice architecture NG!!!
- 4. Microservice Architecture V1 API GatewayOAuth Server* Account GET /my/{user_id} Transfer POST /transferto/{src_account}/{dst_account} Receipt GET /receipts/{user_id} End-‐User Bank API (Public) GET /my POST /transferto/{dst_account} GET /receipts /token /authorize Basic auth Basic auth No auth
- 5. Microservice Architecture V1 API GatewayOAuth Server* Account GET /my/{user_id} Transfer POST /transferto/{src_account}/{dst_account} Receipt GET /receipts/{user_id} End-‐User Bank API (Public) GET /my POST /transferto/{dst_account} GET /receipts /token /authorize Basic auth Basic auth No auth • Poor logging (audit trail) • Poor identification on microservices (X-‐User-‐Logged L) • Authorization centralized on API Gateway • Microservices are more like CRUDs APIs • Microservices have ”micro user repositories” or don’t have authentication/authorization • API Gateway have more responsibility than necessary
- 6. Now, let’s take a look at the: Token • A piece of stamped metal used as a substitute for money; a voucher that can be exchanged for goods or services (https://en.wiktionary.org/wiki/token) • Token By Reference • An opaque string generated randomly • Ex.: 2YotnFZFEjr1zCsicMWpAA • Token By Value • A JWT that contains claims about the context of the token • Ex.: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHA iOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb 3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
- 7. JWT – JSON Web Token eyJ0eXAiOiJKV1QiL CJhbGciOiJIUzI1NiJ 9.eyJpc3MiOiJodH RwczovL215LnNlcn ZpY2UuY29tIiwiaW F0IjoxNDM1MTc5N jAzLCJleHAiOjE0Mz UxODE0MjEsImF1Z CI6Ind3dy5zZXJ2a WNlLmNvbSIsInN1 YiI6ImpvaG5kb2VA Z21haWwuY29tIiwi Um9sZSI6WyJhcHB yb3ZlciIsInZpZXdlci JdfQ.91GLvtMhhnI Cmqlf_RVONGw5I M9i8eeAPx2s_Wp MObU { "typ": "JWT", "alg": "HS256" } { "iss": "https://my.service.com", "iat": 1435179603, "exp": 1435181421, "aud": "www.service.com", "sub": "johndoe@gmail.com", "Role": [ "approver", "viewer" ] } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload),sharedsecret) JWT Header JWT Payload JWT Signature
- 8. The OAuth 2.0 Authorization Framework The OAuth 2.0 enables a third-‐party application to obtain limited access to an HTTP service on behalf of a resource owner...
- 9. OAuth 2.0 – Protocol or Framework? • RFC 5849: The OAuth 1.0 Protocol • RFC 6749: The OAuth 2.0 Authorization Framework https://tools.ietf.org/html/rfc5849 … contract, pact, deal https://tools.ietf.org/html/rfc6749 … structure, skeleton, chassis
- 10. Warning: OAuth is not about authentication
- 11. Warning: OAuth is not about authentication
- 12. How an access_token looks like? (by value -‐ JWT) // JWT Payload { "sub": "alice", // user id "cid": "000123", // client id "iss": "https://as.domain.com", // who issued "aud": "https://rs.domain.com", "exp": 1460345736, // expiration date "scp": ["openid","email","profile"] // scopes }
- 13. OpenID Connect OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.
- 14. How an id_token looks like? (by value -‐ JWT) { "iss": ”InstIdentRicardoGumbletonDaunt", // who issued "sub": ”4.444.444", // user identification "aud": ["cops","bank"], // where it’s used "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, // 10 years "iat": 1311280970, "auth_time": 1311280969, "amr": "sign+fingerprint” //auth-methods-ref }
- 15. OpenID Connect Discovery 1.0
- 16. A complete Authorization Server • /authorize • /token • /introspection (check access_token) • /token_info (get more information about identity) • /revocation
- 17. Let’s see how to get both access_token and id_token using Authorization Code Flow
- 23. Resource Owner Authorization Server Resource Server Client POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-‐Type: application/x-‐www-‐form-‐urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
- 24. Resource Owner Authorization Server Resource Server Client HTTP/1.1 200 OK Content-‐Type: application/json;charset=UTF-‐8 Cache-‐Control: no-‐store Pragma: no-‐cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi 8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBM k1qIiwKICJleHAiOiAxMzE.xptoxptoxpto" }
- 26. Resource Owner Authorization Server Resource Server Client POST /introspect HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-‐Type: application/x-‐www-‐form-‐urlencoded token=2YotnFZFEjr1zCsicMWpAA https://tools.ietf.org/search/rfc7662 OAuth 2.0 Token Introspection Introspection Request
- 27. Resource Owner Authorization Server Resource Server Client HTTP/1.1 200 OK Content-‐Type: application/json { "active": true, "client_id": "l238j323ds-‐23ij4", "username": "jdoe", "scope": ”openid profile email", "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", "iss": "https://server.example.com/", "exp": 1419356238, "iat": 1419350238, "extension_field": "twenty-‐seven” } https://tools.ietf.org/search/rfc7662 OAuth 2.0 Token Introspection Introspection Request
- 28. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth 2.0 Token Introspection Introspection Request
- 29. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth 2.0 Token Introspection Introspection Request Nice
- 30. Microservice Architecture NG!!! API Gateway Authorization Server Account GET /my GET /pvt/{account} Transfer POST /transferto/{dst_account} Receipt GET /receipts OAuth Filter OAuth Filter OAuth Filter OAuth Filter Resource Owner Introspection/validation Bank API (Public) GET /my POST /transferto/{dst_account} GET /receipts /token /authorize /introspect /revoke /token_info ”offline introspection/validation” ”offline introspection/validation”
- 31. Microservice Architecture NG!!! API Gateway Authorization Server Account GET /my GET /pvt/{account} Transfer POST /transferto/{dst_account} Receipt GET /receipts OAuth Filter OAuth Filter OAuth Filter OAuth Filter Resource Owner Introspection/validation Bank API (Public) GET /my POST /transferto/{dst_account} GET /receipts /token /authorize /introspect /revoke /token_info ”offline introspection/validation” ”offline introspection/validation” • Audit Trail Improved • Microservices can make decision based on the end-‐user identity • Fine grained authorization across the services • The whole environment have a central user identity repository (OAuth+OpenID Connect Server) • API Gateway is clean/slim
- 32. Don’t start from scratch • OpenSource • Connect2ID http://connect2id.com/ • Keycloak http://www.keycloak.org/ • MitreID Connect https://github.com/mitreid-‐connect/OpenID-‐Connect-‐Java-‐ Spring-‐Server • WSO2 Identity Server http://wso2.com/products/identity-‐server/
- 33. References and Links • OAuth 2.0: https://tools.ietf.org/html/rfc6749 • OAuth 2.0 Bearer Token Usage: https://tools.ietf.org/html/rfc6750 • OpenID Connect Core: http://openid.net/specs/openid-‐connect-‐core-‐1_0.html • OpenID Connect Discovery: https://openid.net/specs/openid-‐connect-‐discovery-‐1_0.html • JOSÉ (JSON Object Signing and Encryption) • JSON Web Signature (JWS) https://tools.ietf.org/html/rfc7515 • JSON Web Encryption (JWE) https://tools.ietf.org/html/rfc7516 • JSON Web Key (JWK) https://tools.ietf.org/html/rfc7517 • JSON Web Algorithms (JWA) https://tools.ietf.org/html/rfc7518 • JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519 • http://connect2id.com/products/nimbus-‐jose-‐jwt/examples/validating-‐jwt-‐access-‐tokens