Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Better Together: JWT and Hashi Vault in Modern Apps
Similar to Better Together: JWT and Hashi Vault in Modern Apps (20)
Recently uploaded
Recently uploaded (20)
Better Together: JWT and Hashi Vault in Modern Apps
- 1. Better Together: JWT and Hashi Vault in Modern Apps Shrivatsa Upadhye Cloud Developer Advocate (VMware) Feb 2020
- 2. 2 whoami (Who am I?) • Cloud Developer Advocate @VMWare • Focused on Public Cloud and Application security • Part of CloudJourneyIO team • Love Cars, Pizza and Netflix Follow me on Twitter/Medium/GitHub/LinkedIn : @ishrivatsa
- 3. 3 Agenda Problem Statement OAuth vs OIDC vs JWT A bit more info... Why HashiCorp Vault? Vault with OIDC Demo
- 4. 4 Problem Statement Allow Allow users to access AWS/Azure/GCP credentials to deploy applications with consistent user-experience Store Securely store keys Revoke Revoke the keys when they are no longer needed Audit Audit the usage of credentials within the organization Policy Create policy to restrict access to some credentials
- 5. 5 OAuth vs OIDC vs JWT OAuth 2.0 • Industry-standard protocol for authorization • Provides specific authorization flows for web applications, desktop applications, mobile phones etc. • Successor of SAML (Security Assertion Markup Language) • Very open-ended and does not define any conventions OIDC (OpenID Connect) • Runs on top of OAuth 2.0 • Narrows down some open- ended design specs from OAuth • Clearly defines scopes (profile, email, address etc.), Access tokens and ID token JWT (JSON Web Token) • Self contained and compact information exchange standard • Defines basic structure for organizing data • It is digitally signed using HMAC algorithm or public/private key
- 6. 6 A bit more info... OIDC/JWT JWT structure Contains 3 parts – xxxx.yyyy.zzzz Header – contains algorithm type, type of token, key ID Payload – contains claims Signature - encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign Access tokens Used to request resources/information from the system Must be in JWT format (xxxx.yyyy.zzzz) Refresh tokens Used to “renew” access token These do not grant any permission to access resources May or may not be in JWT format Scopes Used to apply fine grained control to actions/resource within our system OIDC defines some scopes like profile, email, phone, address and openid Claims Key-Value pair embedded within our access token and ID token Keys are 3 character long 3 Types – Registered Claims (iss, exp, sub, aud), Public Claims, Private Claims
- 7. 7 Hashi Vault Self hosted and operated Freemium model – OpenSource and Enterprise version available Encrypted secrets Lifecycle management of secrets – Store, Rotate, Revoke, Expire Identity based access to secrets Supports policies to define permissions for users/systems Cloud Agnostic – Works with AWS, Azure and Google Cloud
- 8. 8 Flow Diagram - Vault with OIDC 2. Redirect request to Authz server 1. Login to Vault 3’. Validate user credentials 3. Validate user credentials 4. Returns user info based on defined scope4’. Returns user info based on defined scope 5. Return JWT to Vault 6. Return Vault token to the user 7. Request to create new user based on role 8. Return access and secret key Authz DB External Identity Provider https://github.com/ishrivatsa/terraform-vault-jenkins Authz Server
- 9. 9 Demo
- 10. 10 Summary • Do not store sensitive information in claims within JWT • Scopes should not be too broad • Rotate keys often • Design granular policy for secrets access
Editor's Notes
- Oauth 2.0 – Standard OIDC – Written on top of Oauth JWT – OIDC uses JWT for implementation