SlideShare a Scribd company logo

Elasticsearch JSON web token authentication | Search Guard

Jochen Kressin
Jochen Kressin

How to configure JSON web token authentication for Elasticsearch using the Search Guard security suite.

Software
1 of 18
Download to read offline
SEARCH GUARD JSON WEB TOKEN AUTHENTICATION © 2018 floragunn GmbH - All Rights Reserved
© 2018 floragunn GmbH - All Rights Reserved WHY TOKEN BASED AUTHENTICATION Traditional approach: Session-based User logs in to an application The server validates credentials and sets up a server-side session The browser saves session ID in a cookie and sends it with each request Drawbacks Scalability: Sessions are server-bound Overhead: Sessions are kept in-memory Security: CSRF Portability: CORS 01.
© 2018 floragunn GmbH - All Rights Reserved WHY TOKEN BASED AUTHENTICATION Token-based authentication User logs in to an application or Identity Provider (IdP) Application or IdP creates a signed token containing all user information Client application saves token and sends it with each request Advantages Scalability: Stateless architecture Overhead: No state is stored on the server Standards-based: JWT RFC 7519 Portability: Token can be used for multiple applications 02.
© 2018 floragunn GmbH - All Rights Reserved JSON WEB TOKENS JSON-based open standard for creating access tokens Access tokens assert a number of claims Standard claims: subject (user), issuer, expiration date, etc. Non-standard claims: roles, permissions, etc. Base64 encoded JSON string Verified by a message authentication hash Symmetric: HMAC Asymmetric: RSA and ECDSA Self-contained, all user information stored in the token 03.
© 2018 floragunn GmbH - All Rights Reserved ANATOMY OF A JSON WEB TOKEN Token consists of three parts Header Payload Signature Base64 encoded, separated by a dot 04. Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. Payload eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9. Signature gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpy
© 2018 floragunn GmbH - All Rights Reserved HEADER Information about the used signing mechanism Algorithm / cryptographic hash function Type (“static”, JWT) 05. { "alg": "HS256", "typ": "JWT" }
© 2018 floragunn GmbH - All Rights Reserved PAYLOAD Consists of claims Any piece of information that was verified by the server / IdP Standard claims (“registered claims”) Non-standard claims 06. { "iss": "search-guard.com", "sub": "1234567890", "name": "John Doe", "username": "jdoe", "roles": ["devops", "it"] }
© 2018 floragunn GmbH - All Rights Reserved SIGNATURE Calculated by a cryptographic hash function using: Symmetric: Shared secret Asymmetric: Private key Appended to header and payload 07. Pseudo-code (symmetric): encoded = base64UrlEncode(header) + "." + base64UrlEncode(payload) signature = HMACSHA256(encoded, 'secretkey'); jwt = encoded + "." + base64UrlEncode(signature) Result: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2 Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI
© 2018 floragunn GmbH - All Rights Reserved HTTP BEARER AUTHENTICATION HTTP authentication schema “Grant access to the bearer of this token” The token is added to each request as HTTP header Default header name: “Authorization” Token is prepended with “Bearer” 08. Authorization: Bearer <token> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFz …
© 2018 floragunn GmbH - All Rights Reserved SEARCH GUARD CONFIGURATION JWT is self-contained All user information present in JWT No authentication backend necessary No authorization backend necessary Simple configuration Symmetric: shared secret Asymmetric: public key Claims containing username (mandatory) and roles (optional) 09.
© 2018 floragunn GmbH - All Rights Reserved EXAMPLE: SYMMETRIC KEY 11. jwt_auth_domain: enabled: true order: 0 http_authenticator: type: jwt challenge: false config: signing_key: "bjBkNDBjYjg0LWJlZTMtMTFlNi1hZjdjLWNiOWFiYTM1YWJjNQ==" jwt_header: "Authorization" roles_key: roles subject_key: username authentication_backend: type: noop
© 2018 floragunn GmbH - All Rights Reserved EXAMPLE: ASYMMETRIC KEY 12. jwt_auth_domain: enabled: true order: 0 http_authenticator: type: jwt challenge: false config: signing_key: |- -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2WDCucZF9dVw9j0T6Sp ... -----END PUBLIC KEY----- jwt_header: "Authorization" roles_key: roles subject_key: username authentication_backend: type: noop
© 2018 floragunn GmbH - All Rights Reserved EXAMPLE: CURL CALL 13. curl -Ss -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW…” -XGET https://sgssl-0.example.com:9200/_searchguard/authinfo?pretty { user: "User [name=jdoe, roles=[devops, it], requestedTenant=null]", user_name: "jdoe", backend_roles: ["devops", "it"], sg_roles: ["sg_devops", "sg_it"], ... } { "name": "John Doe", "username": "jdoe", "roles": ["devops", "it"] }
© 2018 floragunn GmbH - All Rights Reserved ALTERNATIVE: URL PARAMETER The token is added to each request as URL parameter Non-standard Parameter name can be chosen freely 14. https://sgssl-0.example.com:9200/_searchguard/authinfo?urltoken=eyJhbGciOiJIUzI1 …
© 2018 floragunn GmbH - All Rights Reserved EXAMPLE: URL PARAMETER 15. jwt_auth_domain: enabled: true order: 0 http_authenticator: type: jwt challenge: false config: signing_key: "bjBkNDBjYjg0LWJlZTMtMTFlNi1hZjdjLWNiOWFiYTM1YWJjNQ==" jwt_url_parameter: "urltoken" roles_key: roles subject_key: username authentication_backend: type: noop
© 2018 floragunn GmbH - All Rights Reserved RESOURCES Search Guard website https://search-guard.com/ Documentation https://docs.search-guard.com/latest/json-web-tokens Community Forum https://groups.google.com/d/forum/search-guard GitHub https://github.com/floragunncom 16.
SEARCH GUARD info@search-guard.com © 2018 floragunn GmbH - All Rights Reserved SEND US A MESSAGE 17
© 2018 floragunn GmbH - All Rights Reserved floragunn GmbH Tempelhofer Ufer 16 D-10963 Berlin, Germany 
 E-Mail: info@search-guard.com Web: search-guard.com Managing Directors: Claudia Kressin, Jochen Kressin
 Registergericht: Amtsgericht Charlottenburg 
 Registernummer: HRB 147010 B E-Mail: info@floragunn.com Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.

Recommended

Search Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchSearch Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchJochen Kressin
 
Elasticsearch audit logging | Search Guard
Elasticsearch audit logging | Search GuardElasticsearch audit logging | Search Guard
Elasticsearch audit logging | Search GuardJochen Kressin
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Amazon Web Services
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
Setting licenses free vs. locking them down
Setting licenses free vs. locking them downSetting licenses free vs. locking them down
Setting licenses free vs. locking them downteam-WIBU
 
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Amazon Web Services
 
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with FargateDEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with FargateAmazon Web Services
 

Recommended

Search Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchSearch Guard Configuration | Security for Elasticsearch
Search Guard Configuration | Security for ElasticsearchJochen Kressin
 
Elasticsearch audit logging | Search Guard
Elasticsearch audit logging | Search GuardElasticsearch audit logging | Search Guard
Elasticsearch audit logging | Search GuardJochen Kressin
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...Amazon Web Services
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
Setting licenses free vs. locking them down
Setting licenses free vs. locking them downSetting licenses free vs. locking them down
Setting licenses free vs. locking them downteam-WIBU
 
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...
Supercharge GuardDuty with Partners: Threat Detection and Response at Scale (...Amazon Web Services
 
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with FargateDEM07 Best Practices for Monitoring Amazon ECS Containers Launched with Fargate
DEM07 Best Practices for Monitoring Amazon ECS Containers Launched with FargateAmazon Web Services
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
Search Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchSearch Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchJochen Kressin
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect ProtocolClément OUDOT
 
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Amazon Web Services
 
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Amazon Web Services
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
IoT Building Blocks From Edge Devices to Analytics in the Cloud
IoT Building Blocks From Edge Devices to Analytics in the CloudIoT Building Blocks From Edge Devices to Analytics in the Cloud
IoT Building Blocks From Edge Devices to Analytics in the CloudAmazon Web Services
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010SlimTrabelsi
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010SlimTrabelsi
 
Ppl presentation 2010
Ppl presentation 2010Ppl presentation 2010
Ppl presentation 2010SlimTrabelsi
 
Total control over your protection and licensing process
Total control over your protection and licensing processTotal control over your protection and licensing process
Total control over your protection and licensing processteam-WIBU
 
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014Puppet
 
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...Amazon Web Services
 
Black Belt Tips for IT Operations - AWS Summit Sydney 2018
Black Belt Tips for IT Operations - AWS Summit Sydney 2018Black Belt Tips for IT Operations - AWS Summit Sydney 2018
Black Belt Tips for IT Operations - AWS Summit Sydney 2018Amazon Web Services
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication APIFIDO Alliance
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMFernando Lopez Aguilar
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 

More Related Content

Similar to Elasticsearch JSON web token authentication | Search Guard

FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
Search Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchSearch Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchJochen Kressin
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect ProtocolClément OUDOT
 
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Amazon Web Services
 
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Amazon Web Services
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
IoT Building Blocks From Edge Devices to Analytics in the Cloud
IoT Building Blocks From Edge Devices to Analytics in the CloudIoT Building Blocks From Edge Devices to Analytics in the Cloud
IoT Building Blocks From Edge Devices to Analytics in the CloudAmazon Web Services
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010SlimTrabelsi
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010SlimTrabelsi
 
Ppl presentation 2010
Ppl presentation 2010Ppl presentation 2010
Ppl presentation 2010SlimTrabelsi
 
Total control over your protection and licensing process
Total control over your protection and licensing processTotal control over your protection and licensing process
Total control over your protection and licensing processteam-WIBU
 
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014Puppet
 
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...Amazon Web Services
 
Black Belt Tips for IT Operations - AWS Summit Sydney 2018
Black Belt Tips for IT Operations - AWS Summit Sydney 2018Black Belt Tips for IT Operations - AWS Summit Sydney 2018
Black Belt Tips for IT Operations - AWS Summit Sydney 2018Amazon Web Services
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication APIFIDO Alliance
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 

Similar to Elasticsearch JSON web token authentication | Search Guard (20)

FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
Search Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for ElasticsearchSearch Guard | Meetup Presentation | Security for Elasticsearch
Search Guard | Meetup Presentation | Security for Elasticsearch
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
Securing and Managing IoT Devices at Scale (SEC367-R1) - AWS re:Invent 2018
 
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
Best Practices for AWS IoT Core (IOT347-R1) - AWS re:Invent 2018
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
IoT Building Blocks From Edge Devices to Analytics in the Cloud
IoT Building Blocks From Edge Devices to Analytics in the CloudIoT Building Blocks From Edge Devices to Analytics in the Cloud
IoT Building Blocks From Edge Devices to Analytics in the Cloud
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010
 
PPL presentation 2010
PPL presentation 2010PPL presentation 2010
PPL presentation 2010
 
Ppl presentation 2010
Ppl presentation 2010Ppl presentation 2010
Ppl presentation 2010
 
Total control over your protection and licensing process
Total control over your protection and licensing processTotal control over your protection and licensing process
Total control over your protection and licensing process
 
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
 
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
IoT at scale - Monitor and manage devices with AWS IoT Device Management - SV...
 
Black Belt Tips for IT Operations - AWS Summit Sydney 2018
Black Belt Tips for IT Operations - AWS Summit Sydney 2018Black Belt Tips for IT Operations - AWS Summit Sydney 2018
Black Belt Tips for IT Operations - AWS Summit Sydney 2018
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 

Recently uploaded

How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 

Recently uploaded (20)

How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 

Elasticsearch JSON web token authentication | Search Guard

  • 1. SEARCH GUARD JSON WEB TOKEN AUTHENTICATION © 2018 floragunn GmbH - All Rights Reserved
  • 2. © 2018 floragunn GmbH - All Rights Reserved WHY TOKEN BASED AUTHENTICATION Traditional approach: Session-based User logs in to an application The server validates credentials and sets up a server-side session The browser saves session ID in a cookie and sends it with each request Drawbacks Scalability: Sessions are server-bound Overhead: Sessions are kept in-memory Security: CSRF Portability: CORS 01.
  • 3. © 2018 floragunn GmbH - All Rights Reserved WHY TOKEN BASED AUTHENTICATION Token-based authentication User logs in to an application or Identity Provider (IdP) Application or IdP creates a signed token containing all user information Client application saves token and sends it with each request Advantages Scalability: Stateless architecture Overhead: No state is stored on the server Standards-based: JWT RFC 7519 Portability: Token can be used for multiple applications 02.
  • 4. © 2018 floragunn GmbH - All Rights Reserved JSON WEB TOKENS JSON-based open standard for creating access tokens Access tokens assert a number of claims Standard claims: subject (user), issuer, expiration date, etc. Non-standard claims: roles, permissions, etc. Base64 encoded JSON string Verified by a message authentication hash Symmetric: HMAC Asymmetric: RSA and ECDSA Self-contained, all user information stored in the token 03.
  • 5. © 2018 floragunn GmbH - All Rights Reserved ANATOMY OF A JSON WEB TOKEN Token consists of three parts Header Payload Signature Base64 encoded, separated by a dot 04. Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. Payload eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9. Signature gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpy
  • 6. © 2018 floragunn GmbH - All Rights Reserved HEADER Information about the used signing mechanism Algorithm / cryptographic hash function Type (“static”, JWT) 05. { "alg": "HS256", "typ": "JWT" }
  • 7. © 2018 floragunn GmbH - All Rights Reserved PAYLOAD Consists of claims Any piece of information that was verified by the server / IdP Standard claims (“registered claims”) Non-standard claims 06. { "iss": "search-guard.com", "sub": "1234567890", "name": "John Doe", "username": "jdoe", "roles": ["devops", "it"] }
  • 8. © 2018 floragunn GmbH - All Rights Reserved SIGNATURE Calculated by a cryptographic hash function using: Symmetric: Shared secret Asymmetric: Private key Appended to header and payload 07. Pseudo-code (symmetric): encoded = base64UrlEncode(header) + "." + base64UrlEncode(payload) signature = HMACSHA256(encoded, 'secretkey'); jwt = encoded + "." + base64UrlEncode(signature) Result: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2 Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI
  • 9. © 2018 floragunn GmbH - All Rights Reserved HTTP BEARER AUTHENTICATION HTTP authentication schema “Grant access to the bearer of this token” The token is added to each request as HTTP header Default header name: “Authorization” Token is prepended with “Bearer” 08. Authorization: Bearer <token> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFz …
  • 10. © 2018 floragunn GmbH - All Rights Reserved SEARCH GUARD CONFIGURATION JWT is self-contained All user information present in JWT No authentication backend necessary No authorization backend necessary Simple configuration Symmetric: shared secret Asymmetric: public key Claims containing username (mandatory) and roles (optional) 09.
  • 11. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE: SYMMETRIC KEY 11. jwt_auth_domain: enabled: true order: 0 http_authenticator: type: jwt challenge: false config: signing_key: "bjBkNDBjYjg0LWJlZTMtMTFlNi1hZjdjLWNiOWFiYTM1YWJjNQ==" jwt_header: "Authorization" roles_key: roles subject_key: username authentication_backend: type: noop
  • 12. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE: ASYMMETRIC KEY 12. jwt_auth_domain: enabled: true order: 0 http_authenticator: type: jwt challenge: false config: signing_key: |- -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2WDCucZF9dVw9j0T6Sp ... -----END PUBLIC KEY----- jwt_header: "Authorization" roles_key: roles subject_key: username authentication_backend: type: noop
  • 13. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE: CURL CALL 13. curl -Ss -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW…” -XGET https://sgssl-0.example.com:9200/_searchguard/authinfo?pretty { user: "User [name=jdoe, roles=[devops, it], requestedTenant=null]", user_name: "jdoe", backend_roles: ["devops", "it"], sg_roles: ["sg_devops", "sg_it"], ... } { "name": "John Doe", "username": "jdoe", "roles": ["devops", "it"] }
  • 14. © 2018 floragunn GmbH - All Rights Reserved ALTERNATIVE: URL PARAMETER The token is added to each request as URL parameter Non-standard Parameter name can be chosen freely 14. https://sgssl-0.example.com:9200/_searchguard/authinfo?urltoken=eyJhbGciOiJIUzI1 …
  • 15. © 2018 floragunn GmbH - All Rights Reserved EXAMPLE: URL PARAMETER 15. jwt_auth_domain: enabled: true order: 0 http_authenticator: type: jwt challenge: false config: signing_key: "bjBkNDBjYjg0LWJlZTMtMTFlNi1hZjdjLWNiOWFiYTM1YWJjNQ==" jwt_url_parameter: "urltoken" roles_key: roles subject_key: username authentication_backend: type: noop
  • 16. © 2018 floragunn GmbH - All Rights Reserved RESOURCES Search Guard website https://search-guard.com/ Documentation https://docs.search-guard.com/latest/json-web-tokens Community Forum https://groups.google.com/d/forum/search-guard GitHub https://github.com/floragunncom 16.
  • 17. SEARCH GUARD info@search-guard.com © 2018 floragunn GmbH - All Rights Reserved SEND US A MESSAGE 17
  • 18. © 2018 floragunn GmbH - All Rights Reserved floragunn GmbH Tempelhofer Ufer 16 D-10963 Berlin, Germany 
 E-Mail: info@search-guard.com Web: search-guard.com Managing Directors: Claudia Kressin, Jochen Kressin
 Registergericht: Amtsgericht Charlottenburg 
 Registernummer: HRB 147010 B E-Mail: info@floragunn.com Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries. Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. floragunn GmbH is not affiliated with Elasticsearch BV.