SlideShare a Scribd company logo
Auth proxy pattern on
k8s
Michał Wcisło
27.07.2019
Agenda
2
▰ OAuth2 and OpenID connect basics
▰ Introduction to Auth proxy on k8s
▰ Simple binary authorization scenario
▰ The way forward...
A few words about myself
3
▰ 8 years in Nokia
▰ Worked in telco research (VoIP, MIMO), QA,
Technical Support and Development
▰ Currently working on development of Nokia
AVA ecosystem, specifically k8s as a service
OAuth2.0
OAuth2.0
5
▰ Open standard for access
delegation.
▰ OAuth1.0 2010, OAuth2 2012
▰ Should be used for
Authorization
▰ Decoupling
Decoupling - components
6
Resource
owner
(user)
Client
(app/service)
Authorization
Server
Resource server
(service providing
information)
Client
Agent
(browser)
OAuth2.0 flows
The story...
8
Resource
owner
(user)
Client
Authorization
Server
Resource
server
User Agent
(browser)
Secret
(password)
Secret
(password)
Auth code Access token
Authorization code flow
9
Resource owner (user)
Client Authorization Server
Resource server
User Agent (browser)
1. King wanted to buy shoes...
2. I heard you wanted to buy shoes from the merchants
3. Yes I did, pay them and … I'm the king!
4. King just bought shoes from you, get your money...
Auth code Access token
5. Great, I need access to your treasury and … I'm the merchant!
6. OK, take the access papers
7. I need the access to treasury, here are access papers
8. OK, here are your money
Implicit flow
10
Resource owner (user) Authorization Server
Resource server
Client (browser/js app)
1. King wanted to buy this...
2. I heard you wanted to buy this from the merchants
3. Yes I did, pay them and … I'm the king!
Auth code Access token
4. Take the access papers, to access treasury
5. I need the access to treasury, here are access papers
6. OK, here are your money
Client credential flow
11
Authorization Server Resource server
Client
1. Jewellery cleaning service, please let us in!
Access token
2. Take the access papers, to access treasury
3. I need the access to treasury, to clean the jewellery, I have the papers
4. OK, take it
OpenID connect
OpenID connect
13
▰ Build on top of OAuth2
▰ Released in 2014, as a
standarization of different ways
for using OAuth2 for AuthN
▰ Should be used for
Authentication
OpenID connect vs OAuth2
14
▰ User info becomes resource
▰ Authorization code, implicit and
hybrid flows
▰ Additional parts for security –
i.e. nonce
▰ Scopes and claims – openid
scope
▰ ID token introduced
Client = relying party aka "who
is scared the most"?
Auth proxy
Authorization code flow
16
User Client
Authorization Server
User Agent (browser)
1. King wants to access VIP promotion
2. I heard you want to checkout VIP promotion, are you really king?
3. Yes, I'm the king!
4. Hey, King wants something from you
Auth code ID token
5. You mean THE KING? I'm only merchant!
6. Yes, this is his ID
7. I will redirect him to our premium shops and tell he is the king
Apps behind proxy
Running it on k8s + DEMO
17
Auth proxy beyond
basics
Other Auth proxy
implementations
19
▰ Keycloak-gatekeeper
▰ Pomerium – zero-trust
▰ Buzzfeed/sso - double Auth
proxy
K8s API access
20
▰ Configure k8s API access with
OpenID connect and Auth proxy
--oidc-issuer-url
--oidc-client-id
(--oidc-username-claim, --oidc-groups-claim)
▰ Impersonation
proxy: https://kccnceu19.sche
d.com/event/MPdT
▰ Configure kubectl to act as Auth
proxy
kubectl config set-credentials USER_NAME 
--auth-provider=oidc 
--auth-provider-arg=idp-issuer-url=( issuer url ) 
--auth-provider-arg=client-id=( your client id ) 
--auth-provider-arg=client-secret=( your client secret )

--auth-provider-arg=refresh-token=( your refresh token
) 
--auth-provider-arg=idp-certificate-authority=( path to
your ca certificate ) 
--auth-provider-arg=id-token=( your id_token )
Istio – access managment +
DEMO
21
▰ Guards talk to each other in secret
language (mTLS)
▰ Guards allow to talk to protected
resource only when ordered
(policy)
▰ Guards needs assistance to
recognize (authenticate) people
from outside world > Auth proxy
Summary
22
▰ OAuth2 and OpenID connect are modern
standards for AuthZ and AuthN
▰ Auth proxy allows easily incorporating them with
your applications
▰ K8s ingress controller can be used to
dynamically define Auth proxy redirects
▰ Istio with Auth proxy enables fine-grained
access managment
References
23
▰ OAuth 2.0 Threat Model and Security
Considerations
▰ Security Best Current Practice
▰ Impersonation proxy talk KubeCon
▰ All configuration files from this presentation are
published on https://github.com/m-
wcislo/talks
Thank you!
Credits
Special thanks to all the people who
made and released these awesome
resources for free:
▰ Presentation template by
SlidesCarnival
▰ Photographs by Unsplash
25

More Related Content

What's hot

OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Implementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockImplementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRock
ForgeRock Identity Tech Talks
 
The role of IAM in OpenBanking and where do we stand
The role of IAM in OpenBanking and where do we stand The role of IAM in OpenBanking and where do we stand
The role of IAM in OpenBanking and where do we stand
Pushpalanka Jayawardhana
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
 
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Svetlin Nakov
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018
Quentin Castel
 
Intelligent authentication Identity tech talks
Intelligent authentication Identity  tech talksIntelligent authentication Identity  tech talks
Intelligent authentication Identity tech talks
Leonard Moustacchis
 
SingularityNET Developer Workshop
SingularityNET Developer Workshop SingularityNET Developer Workshop
SingularityNET Developer Workshop
Ibby Benali
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
MikeLeszcz
 
Explaining Ethereum
Explaining EthereumExplaining Ethereum
Explaining Ethereum
Pascal Van Hecke
 
Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018
Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018
Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018
Svetlin Nakov
 
BLOCKSAFE WHITEPAPER
BLOCKSAFE WHITEPAPERBLOCKSAFE WHITEPAPER
BLOCKSAFE WHITEPAPER
LandmarkClub
 
Bitcoin cash standards
Bitcoin cash standardsBitcoin cash standards
Bitcoin cash standards
noyenmaih
 
Write smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumWrite smart contract with solidity on Ethereum
Write smart contract with solidity on Ethereum
Murughan Palaniachari
 
Frictionless Adaption of PSD2 with WSO2
Frictionless Adaption of PSD2 with WSO2Frictionless Adaption of PSD2 with WSO2
Frictionless Adaption of PSD2 with WSO2
Pushpalanka Jayawardhana
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy
 
Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018
Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018
Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018
Svetlin Nakov
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro services
Jordan Valdma
 

What's hot (20)

OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Implementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockImplementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRock
 
The role of IAM in OpenBanking and where do we stand
The role of IAM in OpenBanking and where do we stand The role of IAM in OpenBanking and where do we stand
The role of IAM in OpenBanking and where do we stand
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
Multi-Signature Crypto-Wallets: Nakov at Blockchain Berlin 2018
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018
 
Intelligent authentication Identity tech talks
Intelligent authentication Identity  tech talksIntelligent authentication Identity  tech talks
Intelligent authentication Identity tech talks
 
SingularityNET Developer Workshop
SingularityNET Developer Workshop SingularityNET Developer Workshop
SingularityNET Developer Workshop
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
 
Explaining Ethereum
Explaining EthereumExplaining Ethereum
Explaining Ethereum
 
Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018
Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018
Building a Blockchain in JavaScript - Nakov - at Beer.js - August 2018
 
BLOCKSAFE WHITEPAPER
BLOCKSAFE WHITEPAPERBLOCKSAFE WHITEPAPER
BLOCKSAFE WHITEPAPER
 
Bitcoin cash standards
Bitcoin cash standardsBitcoin cash standards
Bitcoin cash standards
 
Write smart contract with solidity on Ethereum
Write smart contract with solidity on EthereumWrite smart contract with solidity on Ethereum
Write smart contract with solidity on Ethereum
 
Frictionless Adaption of PSD2 with WSO2
Frictionless Adaption of PSD2 with WSO2Frictionless Adaption of PSD2 with WSO2
Frictionless Adaption of PSD2 with WSO2
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
 
Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018
Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018
Multi-Signature Crypto-Wallets: Nakov at SoftUnit Conf 2018
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro services
 

Similar to Auth proxy pattern on Kubernetes

CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
MOnCloud
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black
WSO2
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays
 
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
Paris Open Source Summit
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
Worteks
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
HostedbyConfluent
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
South Tyrol Free Software Conference
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party Access
Nordic APIs
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
Aaron Ralls
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
Novell
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
Hitachi, Ltd. OSS Solution Center.
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 

Similar to Auth proxy pattern on Kubernetes (20)

CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
 
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party Access
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 

Recently uploaded

Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
AjmalKhan50578
 
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
shadow0702a
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
ElakkiaU
 
Seminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptxSeminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptx
Madan Karki
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
Design and optimization of ion propulsion drone
Design and optimization of ion propulsion droneDesign and optimization of ion propulsion drone
Design and optimization of ion propulsion drone
bjmsejournal
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
171ticu
 
artificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptxartificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptx
GauravCar
 
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by AnantLLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
Anant Corporation
 
People as resource Grade IX.pdf minimala
People as resource Grade IX.pdf minimalaPeople as resource Grade IX.pdf minimala
People as resource Grade IX.pdf minimala
riddhimaagrawal986
 
Properties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptxProperties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptx
MDSABBIROJJAMANPAYEL
 
integral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdfintegral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdf
gaafergoudaay7aga
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
LAXMAREDDY22
 
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.pptUnit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
KrishnaveniKrishnara1
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
Mahmoud Morsy
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
abbyasa1014
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
architagupta876
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
Yasser Mahgoub
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
IJECEIAES
 

Recently uploaded (20)

Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
 
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
 
Seminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptxSeminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptx
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
Design and optimization of ion propulsion drone
Design and optimization of ion propulsion droneDesign and optimization of ion propulsion drone
Design and optimization of ion propulsion drone
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
 
artificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptxartificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptx
 
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by AnantLLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
 
People as resource Grade IX.pdf minimala
People as resource Grade IX.pdf minimalaPeople as resource Grade IX.pdf minimala
People as resource Grade IX.pdf minimala
 
Properties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptxProperties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptx
 
integral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdfintegral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdf
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
 
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.pptUnit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
 

Auth proxy pattern on Kubernetes

  • 1. Auth proxy pattern on k8s Michał Wcisło 27.07.2019
  • 2. Agenda 2 ▰ OAuth2 and OpenID connect basics ▰ Introduction to Auth proxy on k8s ▰ Simple binary authorization scenario ▰ The way forward...
  • 3. A few words about myself 3 ▰ 8 years in Nokia ▰ Worked in telco research (VoIP, MIMO), QA, Technical Support and Development ▰ Currently working on development of Nokia AVA ecosystem, specifically k8s as a service
  • 5. OAuth2.0 5 ▰ Open standard for access delegation. ▰ OAuth1.0 2010, OAuth2 2012 ▰ Should be used for Authorization ▰ Decoupling
  • 9. Authorization code flow 9 Resource owner (user) Client Authorization Server Resource server User Agent (browser) 1. King wanted to buy shoes... 2. I heard you wanted to buy shoes from the merchants 3. Yes I did, pay them and … I'm the king! 4. King just bought shoes from you, get your money... Auth code Access token 5. Great, I need access to your treasury and … I'm the merchant! 6. OK, take the access papers 7. I need the access to treasury, here are access papers 8. OK, here are your money
  • 10. Implicit flow 10 Resource owner (user) Authorization Server Resource server Client (browser/js app) 1. King wanted to buy this... 2. I heard you wanted to buy this from the merchants 3. Yes I did, pay them and … I'm the king! Auth code Access token 4. Take the access papers, to access treasury 5. I need the access to treasury, here are access papers 6. OK, here are your money
  • 11. Client credential flow 11 Authorization Server Resource server Client 1. Jewellery cleaning service, please let us in! Access token 2. Take the access papers, to access treasury 3. I need the access to treasury, to clean the jewellery, I have the papers 4. OK, take it
  • 13. OpenID connect 13 ▰ Build on top of OAuth2 ▰ Released in 2014, as a standarization of different ways for using OAuth2 for AuthN ▰ Should be used for Authentication
  • 14. OpenID connect vs OAuth2 14 ▰ User info becomes resource ▰ Authorization code, implicit and hybrid flows ▰ Additional parts for security – i.e. nonce ▰ Scopes and claims – openid scope ▰ ID token introduced Client = relying party aka "who is scared the most"?
  • 16. Authorization code flow 16 User Client Authorization Server User Agent (browser) 1. King wants to access VIP promotion 2. I heard you want to checkout VIP promotion, are you really king? 3. Yes, I'm the king! 4. Hey, King wants something from you Auth code ID token 5. You mean THE KING? I'm only merchant! 6. Yes, this is his ID 7. I will redirect him to our premium shops and tell he is the king Apps behind proxy
  • 17. Running it on k8s + DEMO 17
  • 19. Other Auth proxy implementations 19 ▰ Keycloak-gatekeeper ▰ Pomerium – zero-trust ▰ Buzzfeed/sso - double Auth proxy
  • 20. K8s API access 20 ▰ Configure k8s API access with OpenID connect and Auth proxy --oidc-issuer-url --oidc-client-id (--oidc-username-claim, --oidc-groups-claim) ▰ Impersonation proxy: https://kccnceu19.sche d.com/event/MPdT ▰ Configure kubectl to act as Auth proxy kubectl config set-credentials USER_NAME --auth-provider=oidc --auth-provider-arg=idp-issuer-url=( issuer url ) --auth-provider-arg=client-id=( your client id ) --auth-provider-arg=client-secret=( your client secret ) --auth-provider-arg=refresh-token=( your refresh token ) --auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) --auth-provider-arg=id-token=( your id_token )
  • 21. Istio – access managment + DEMO 21 ▰ Guards talk to each other in secret language (mTLS) ▰ Guards allow to talk to protected resource only when ordered (policy) ▰ Guards needs assistance to recognize (authenticate) people from outside world > Auth proxy
  • 22. Summary 22 ▰ OAuth2 and OpenID connect are modern standards for AuthZ and AuthN ▰ Auth proxy allows easily incorporating them with your applications ▰ K8s ingress controller can be used to dynamically define Auth proxy redirects ▰ Istio with Auth proxy enables fine-grained access managment
  • 23. References 23 ▰ OAuth 2.0 Threat Model and Security Considerations ▰ Security Best Current Practice ▰ Impersonation proxy talk KubeCon ▰ All configuration files from this presentation are published on https://github.com/m- wcislo/talks
  • 25. Credits Special thanks to all the people who made and released these awesome resources for free: ▰ Presentation template by SlidesCarnival ▰ Photographs by Unsplash 25