Better Together: JWT and Hashi Vault in Modern Apps
1. Better Together: JWT
and Hashi Vault in
Modern Apps
Shrivatsa Upadhye
Cloud Developer Advocate (VMware)
Feb 2020
2. 2
whoami (Who am I?)
• Cloud Developer Advocate @VMWare
• Focused on Public Cloud and Application
security
• Part of CloudJourneyIO team
• Love Cars, Pizza and Netflix
Follow me on Twitter/Medium/GitHub/LinkedIn : @ishrivatsa
4. 4
Problem
Statement
Allow
Allow users to access AWS/Azure/GCP
credentials to deploy applications
with consistent user-experience
Store Securely store keys
Revoke
Revoke the keys when they are no
longer needed
Audit
Audit the usage of credentials within
the organization
Policy
Create policy to restrict access to
some credentials
5. 5
OAuth vs OIDC vs JWT
OAuth 2.0
• Industry-standard protocol
for authorization
• Provides specific
authorization flows for web
applications, desktop
applications, mobile phones
etc.
• Successor of SAML (Security
Assertion Markup
Language)
• Very open-ended and does
not define any conventions
OIDC (OpenID Connect)
• Runs on top of OAuth 2.0
• Narrows down some open-
ended design specs from
OAuth
• Clearly defines scopes
(profile, email, address etc.),
Access tokens and ID token
JWT (JSON Web Token)
• Self contained and compact
information exchange
standard
• Defines basic structure for
organizing data
• It is digitally signed using
HMAC algorithm or
public/private key
6. 6
A bit more info... OIDC/JWT
JWT structure
Contains 3 parts –
xxxx.yyyy.zzzz
Header – contains
algorithm type, type of
token, key ID
Payload – contains claims
Signature - encoded
header, the encoded
payload, a secret, the
algorithm specified in the
header, and sign
Access tokens
Used to request
resources/information
from the system
Must be in JWT format
(xxxx.yyyy.zzzz)
Refresh tokens
Used to “renew” access
token
These do not grant any
permission to access
resources
May or may not be in
JWT format
Scopes
Used to apply fine
grained control to
actions/resource within
our system
OIDC defines some
scopes like profile, email,
phone, address and
openid
Claims
Key-Value pair
embedded within our
access token and ID
token
Keys are 3 character long
3 Types – Registered
Claims (iss, exp, sub,
aud), Public Claims,
Private Claims
7. 7
Hashi Vault
Self hosted and
operated
Freemium model –
OpenSource and
Enterprise version
available
Encrypted secrets Lifecycle management
of secrets – Store,
Rotate, Revoke, Expire
Identity based access to
secrets
Supports policies to
define permissions for
users/systems
Cloud Agnostic – Works
with AWS, Azure and
Google Cloud
8. 8
Flow Diagram - Vault with OIDC
2. Redirect request to Authz
server
1. Login to Vault
3’. Validate user credentials 3. Validate user credentials
4. Returns user info based on defined scope4’. Returns user info based on defined scope
5. Return JWT to Vault
6. Return Vault token to the user
7. Request to create new user based on role
8. Return access and secret key
Authz DB
External Identity Provider
https://github.com/ishrivatsa/terraform-vault-jenkins
Authz Server
10. 10
Summary
• Do not store sensitive information in claims within JWT
• Scopes should not be too broad
• Rotate keys often
• Design granular policy for secrets access