Successfully reported this slideshow.

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço

4

Share

Loading in …3
×
1 of 34
1 of 34

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço

4

Share

Download to read offline

Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016.
Saiba mais em http://intercon2016.imasters.com.br/

Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016.
Saiba mais em http://intercon2016.imasters.com.br/

More Related Content

More from iMasters

Related Books

Free with a 14 day trial from Scribd

See all

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço

  1. 1. Identity  within  Microservices Erick  Belluci Tedeschi @ericktedeschi São  Paulo,  Oct  22  2016
  2. 2. Who? • PHP  Developer  since  2003 • Application  Security  since  2007 • Biker • Maker • Help  devs delivery  Secure  Applications • Help  business  to  keep  clients  data  secure
  3. 3. Agenda • Microservice architecture  Version  1 • About  Tokens • OAuth  2.0 • OpenID  Connect • Authorization  Code  Flow  Example • Microservice architecture  NG!!!
  4. 4. Microservice Architecture  V1 API  GatewayOAuth  Server* Account GET  /my/{user_id} Transfer POST  /transferto/{src_account}/{dst_account} Receipt GET  /receipts/{user_id} End-­‐User Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize Basic  auth Basic  auth No  auth
  5. 5. Microservice Architecture  V1 API  GatewayOAuth  Server* Account GET  /my/{user_id} Transfer POST  /transferto/{src_account}/{dst_account} Receipt GET  /receipts/{user_id} End-­‐User Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize Basic  auth Basic  auth No  auth • Poor  logging  (audit  trail) • Poor  identification  on  microservices (X-­‐User-­‐Logged  L) • Authorization  centralized  on  API  Gateway • Microservices are  more  like  CRUDs  APIs • Microservices have  ”micro  user  repositories”  or  don’t   have  authentication/authorization • API  Gateway  have  more  responsibility  than  necessary
  6. 6. Now,  let’s  take  a  look  at  the:  Token • A  piece  of stamped metal used  as  a substitute for money;  a voucher that  can  be  exchanged  for  goods  or   services  (https://en.wiktionary.org/wiki/token) • Token  By  Reference • An  opaque  string  generated  randomly • Ex.:  2YotnFZFEjr1zCsicMWpAA • Token  By  Value • A  JWT  that  contains  claims  about  the  context  of  the  token • Ex.:   eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHA iOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb 3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
  7. 7. JWT  – JSON  Web  Token eyJ0eXAiOiJKV1QiL CJhbGciOiJIUzI1NiJ 9.eyJpc3MiOiJodH RwczovL215LnNlcn ZpY2UuY29tIiwiaW F0IjoxNDM1MTc5N jAzLCJleHAiOjE0Mz UxODE0MjEsImF1Z CI6Ind3dy5zZXJ2a WNlLmNvbSIsInN1 YiI6ImpvaG5kb2VA Z21haWwuY29tIiwi Um9sZSI6WyJhcHB yb3ZlciIsInZpZXdlci JdfQ.91GLvtMhhnI Cmqlf_RVONGw5I M9i8eeAPx2s_Wp MObU { "typ":  "JWT", "alg":  "HS256" } { "iss":  "https://my.service.com", "iat":  1435179603, "exp":  1435181421, "aud":  "www.service.com", "sub":  "johndoe@gmail.com", "Role":  [ "approver", "viewer" ] } HMACSHA256( base64UrlEncode(header)  +  "."  + base64UrlEncode(payload),sharedsecret) JWT  Header JWT  Payload JWT  Signature
  8. 8. The  OAuth  2.0  Authorization  Framework The  OAuth  2.0  enables  a  third-­‐party  application  to  obtain   limited  access  to  an  HTTP  service  on  behalf  of  a  resource   owner...
  9. 9. OAuth  2.0  – Protocol  or  Framework? • RFC  5849:  The  OAuth  1.0  Protocol • RFC  6749:  The  OAuth  2.0  Authorization  Framework https://tools.ietf.org/html/rfc5849 …  contract,  pact,  deal   https://tools.ietf.org/html/rfc6749 …  structure,  skeleton,  chassis
  10. 10. Warning:  OAuth  is  not  about  authentication
  11. 11. Warning:  OAuth  is  not  about  authentication
  12. 12. How  an  access_token looks  like?  (by  value  -­‐ JWT) // JWT Payload { "sub": "alice", // user id "cid": "000123", // client id "iss": "https://as.domain.com", // who issued "aud": "https://rs.domain.com", "exp": 1460345736, // expiration date "scp": ["openid","email","profile"] // scopes }
  13. 13. OpenID  Connect OpenID  Connect  1.0  is  a  simple  identity  layer  on  top  of  the  OAuth  2.
  14. 14. How  an  id_token looks  like?  (by  value  -­‐ JWT) { "iss": ”InstIdentRicardoGumbletonDaunt", // who issued "sub": ”4.444.444", // user identification "aud": ["cops","bank"], // where it’s used "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, // 10 years "iat": 1311280970, "auth_time": 1311280969, "amr": "sign+fingerprint” //auth-methods-ref }
  15. 15. OpenID  Connect  Discovery  1.0
  16. 16. A  complete  Authorization  Server • /authorize • /token • /introspection  (check  access_token) • /token_info (get  more  information  about  identity) • /revocation
  17. 17. Let’s  see  how  to  get  both  access_token and   id_token using  Authorization  Code  Flow
  18. 18. Resource Owner Authorization Server Resource Server Client access
  19. 19. Resource Owner Authorization Server Resource Server Client access *  GET  /authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
  20. 20. Resource Owner Authorization Server Resource Server Client access
  21. 21. Resource Owner Authorization Server Resource Server Client access
  22. 22. Resource Owner Authorization Server Resource Server Client *  Location:  https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
  23. 23. Resource Owner Authorization Server Resource Server Client POST  /token  HTTP/1.1 Host:  server.example.com Authorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  24. 24. Resource Owner Authorization Server Resource Server Client HTTP/1.1  200  OK Content-­‐Type:  application/json;charset=UTF-­‐8 Cache-­‐Control:  no-­‐store Pragma:  no-­‐cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "id_token":   "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi 8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBM k1qIiwKICJleHAiOiAxMzE.xptoxptoxpto" }
  25. 25. Resource Owner Authorization Server Resource Server Client
  26. 26. Resource Owner Authorization Server Resource Server Client POST  /introspect  HTTP/1.1 Host:  server.example.com Authorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded token=2YotnFZFEjr1zCsicMWpAA https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  27. 27. Resource Owner Authorization Server Resource Server Client HTTP/1.1  200  OK Content-­‐Type:  application/json { "active":  true, "client_id":  "l238j323ds-­‐23ij4", "username":  "jdoe", "scope":  ”openid profile  email", "sub":  "Z5O3upPC88QrAjx00dis", "aud":  "https://protected.example.net/resource", "iss":  "https://server.example.com/", "exp":  1419356238, "iat":  1419350238, "extension_field":  "twenty-­‐seven” } https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  28. 28. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request
  29. 29. Resource Owner Authorization Server Resource Server Client https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection Introspection  Request Nice
  30. 30. Microservice Architecture  NG!!! API  Gateway Authorization Server Account GET  /my GET  /pvt/{account} Transfer POST  /transferto/{dst_account} Receipt GET  /receipts OAuth Filter OAuth Filter OAuth Filter OAuth  Filter Resource Owner Introspection/validation Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize /introspect /revoke /token_info ”offline  introspection/validation” ”offline  introspection/validation”
  31. 31. Microservice Architecture  NG!!! API  Gateway Authorization Server Account GET  /my GET  /pvt/{account} Transfer POST  /transferto/{dst_account} Receipt GET  /receipts OAuth Filter OAuth Filter OAuth Filter OAuth  Filter Resource Owner Introspection/validation Bank  API  (Public) GET      /my POST  /transferto/{dst_account} GET      /receipts /token /authorize /introspect /revoke /token_info ”offline  introspection/validation” ”offline  introspection/validation” • Audit  Trail  Improved • Microservices can  make  decision  based  on  the  end-­‐user   identity • Fine  grained  authorization  across  the  services • The  whole  environment  have  a  central  user  identity   repository  (OAuth+OpenID Connect  Server) • API  Gateway  is  clean/slim
  32. 32. Don’t  start  from  scratch • OpenSource • Connect2ID  http://connect2id.com/ • Keycloak http://www.keycloak.org/ • MitreID Connect  https://github.com/mitreid-­‐connect/OpenID-­‐Connect-­‐Java-­‐ Spring-­‐Server • WSO2  Identity  Server  http://wso2.com/products/identity-­‐server/
  33. 33. References  and  Links • OAuth  2.0:  https://tools.ietf.org/html/rfc6749 • OAuth  2.0  Bearer  Token  Usage:  https://tools.ietf.org/html/rfc6750 • OpenID  Connect  Core:  http://openid.net/specs/openid-­‐connect-­‐core-­‐1_0.html • OpenID  Connect  Discovery:  https://openid.net/specs/openid-­‐connect-­‐discovery-­‐1_0.html • JOSÉ  (JSON  Object  Signing  and  Encryption) • JSON  Web  Signature  (JWS)  https://tools.ietf.org/html/rfc7515 • JSON  Web  Encryption  (JWE)  https://tools.ietf.org/html/rfc7516 • JSON  Web  Key  (JWK)  https://tools.ietf.org/html/rfc7517 • JSON  Web  Algorithms  (JWA)  https://tools.ietf.org/html/rfc7518 • JSON  Web  Token  (JWT)  https://tools.ietf.org/html/rfc7519 • http://connect2id.com/products/nimbus-­‐jose-­‐jwt/examples/validating-­‐jwt-­‐access-­‐tokens
  34. 34. Thanks https://www.linkedin.com/in/ericktedeschi https://twitter.com/ericktedeschi http://www.slideshare.net/erickt86 erick@oerick.com

×