The document discusses microservices architecture with a focus on security, specifically the implementation of OAuth 2.0 and OpenID Connect for user authentication and authorization. It outlines the roles of tokens, JWTs, and the responsibilities of API gateways within a microservices framework, emphasizing the need for improved logging and user identification. Additionally, it provides examples of access and ID tokens, and resources for further understanding of OAuth 2.0 and OpenID Connect.

1. Identity
within
Microservices
Erick
Belluci Tedeschi
@ericktedeschi
São
Paulo,
Oct
22
2016

2. Who?
• PHP
Developer
since
2003
• Application
Security
since
2007
• Biker
• Maker
• Help
devs delivery
Secure
Applications
• Help
business
to
keep
clients
data
secure

3. Agenda
• Microservice architecture
Version
1
• About
Tokens
• OAuth
2.0
• OpenID
Connect
• Authorization
Code
Flow
Example
• Microservice architecture
NG!!!

4. Microservice Architecture
V1
API
GatewayOAuth
Server*
Account
GET
/my/{user_id}
Transfer
POST
/transferto/{src_account}/{dst_account}
Receipt
GET
/receipts/{user_id}
End-­‐User
Bank
API
(Public)
GET
/my
POST
/transferto/{dst_account}
GET
/receipts
/token
/authorize
Basic
auth
Basic
auth
No
auth

5. Microservice Architecture
V1
API
GatewayOAuth
Server*
Account
GET
/my/{user_id}
Transfer
POST
/transferto/{src_account}/{dst_account}
Receipt
GET
/receipts/{user_id}
End-­‐User
Bank
API
(Public)
GET
/my
POST
/transferto/{dst_account}
GET
/receipts
/token
/authorize
Basic
auth
Basic
auth
No
auth
• Poor
logging
(audit
trail)
• Poor
identification
on
microservices (X-­‐User-­‐Logged
L)
• Authorization
centralized
on
API
Gateway
• Microservices are
more
like
CRUDs
APIs
• Microservices have
”micro
user
repositories”
or
don’t
have
authentication/authorization
• API
Gateway
have
more
responsibility
than
necessary

6. Now,
let’s
take
a
look
at
the:
Token
• A
piece
of stamped metal used
as
a substitute for money;
a voucher that
can
be
exchanged
for
goods
or
services
(https://en.wiktionary.org/wiki/token)
• Token
By
Reference
• An
opaque
string
generated
randomly
• Ex.:
2YotnFZFEjr1zCsicMWpAA
• Token
By
Value
• A
JWT
that
contains
claims
about
the
context
of
the
token
• Ex.:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHA
iOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb
3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU

7. JWT
– JSON
Web
Token
eyJ0eXAiOiJKV1QiL
CJhbGciOiJIUzI1NiJ
9.eyJpc3MiOiJodH
RwczovL215LnNlcn
ZpY2UuY29tIiwiaW
F0IjoxNDM1MTc5N
jAzLCJleHAiOjE0Mz
UxODE0MjEsImF1Z
CI6Ind3dy5zZXJ2a
WNlLmNvbSIsInN1
YiI6ImpvaG5kb2VA
Z21haWwuY29tIiwi
Um9sZSI6WyJhcHB
yb3ZlciIsInZpZXdlci
JdfQ.91GLvtMhhnI
Cmqlf_RVONGw5I
M9i8eeAPx2s_Wp
MObU
{
"typ":
"JWT",
"alg":
"HS256"
}
{
"iss":
"https://my.service.com",
"iat":
1435179603,
"exp":
1435181421,
"aud":
"www.service.com",
"sub":
"johndoe@gmail.com",
"Role":
[
"approver",
"viewer"
]
}
HMACSHA256(
base64UrlEncode(header)
+
"."
+
base64UrlEncode(payload),sharedsecret)
JWT
Header
JWT
Payload
JWT
Signature

8. The
OAuth
2.0
Authorization
Framework
The
OAuth
2.0
enables
a
third-­‐party
application
to
obtain
limited
access
to
an
HTTP
service
on
behalf
of
a
resource
owner...

9. OAuth
2.0
– Protocol
or
Framework?
• RFC
5849:
The
OAuth
1.0
Protocol
• RFC
6749:
The
OAuth
2.0
Authorization
Framework
https://tools.ietf.org/html/rfc5849
…
contract,
pact,
deal
https://tools.ietf.org/html/rfc6749
…
structure,
skeleton,
chassis

10. Warning:
OAuth
is
not
about
authentication

11. Warning:
OAuth
is
not
about
authentication

12. How
an
access_token looks
like?
(by
value
-­‐ JWT)
// JWT Payload
{
"sub": "alice", // user id
"cid": "000123", // client id
"iss": "https://as.domain.com", // who issued
"aud": "https://rs.domain.com",
"exp": 1460345736, // expiration date
"scp": ["openid","email","profile"] // scopes
}

13. OpenID
Connect
OpenID
Connect
1.0
is
a
simple
identity
layer
on
top
of
the
OAuth
2.

14. How
an
id_token looks
like?
(by
value
-­‐ JWT)
{
"iss": ”InstIdentRicardoGumbletonDaunt", // who issued
"sub": ”4.444.444", // user identification
"aud": ["cops","bank"], // where it’s used
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970, // 10 years
"iat": 1311280970,
"auth_time": 1311280969,
"amr": "sign+fingerprint” //auth-methods-ref
}

15. OpenID
Connect
Discovery
1.0

16. A
complete
Authorization
Server
• /authorize
• /token
• /introspection
(check
access_token)
• /token_info (get
more
information
about
identity)
• /revocation

17. Let’s
see
how
to
get
both
access_token and
id_token using
Authorization
Code
Flow

18. Resource
Owner
Authorization
Server
Resource
Server
Client
access

19. Resource
Owner
Authorization
Server
Resource
Server
Client
access
*
GET
/authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1

20. Resource
Owner
Authorization
Server
Resource
Server
Client
access

21. Resource
Owner
Authorization
Server
Resource
Server
Client
access

22. Resource
Owner
Authorization
Server
Resource
Server
Client
*
Location:
https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

23. Resource
Owner
Authorization
Server
Resource
Server
Client
POST
/token
HTTP/1.1
Host:
server.example.com
Authorization:
Basic
czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-­‐Type:
application/x-­‐www-­‐form-­‐urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

24. Resource
Owner
Authorization
Server
Resource
Server
Client
HTTP/1.1
200
OK
Content-­‐Type:
application/json;charset=UTF-­‐8
Cache-­‐Control:
no-­‐store
Pragma:
no-­‐cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"id_token":
"eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi
8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx
IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBM
k1qIiwKICJleHAiOiAxMzE.xptoxptoxpto"
}

25. Resource
Owner
Authorization
Server
Resource
Server
Client

26. Resource
Owner
Authorization
Server
Resource
Server
Client
POST
/introspect
HTTP/1.1
Host:
server.example.com
Authorization:
Basic
czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-­‐Type:
application/x-­‐www-­‐form-­‐urlencoded
token=2YotnFZFEjr1zCsicMWpAA
https://tools.ietf.org/search/rfc7662 OAuth
2.0
Token
Introspection
Introspection
Request

27. Resource
Owner
Authorization
Server
Resource
Server
Client
HTTP/1.1
200
OK
Content-­‐Type:
application/json
{
"active":
true,
"client_id":
"l238j323ds-­‐23ij4",
"username":
"jdoe",
"scope":
”openid profile
email",
"sub":
"Z5O3upPC88QrAjx00dis",
"aud":
"https://protected.example.net/resource",
"iss":
"https://server.example.com/",
"exp":
1419356238,
"iat":
1419350238,
"extension_field":
"twenty-­‐seven”
}
https://tools.ietf.org/search/rfc7662 OAuth
2.0
Token
Introspection
Introspection
Request

28. Resource
Owner
Authorization
Server
Resource
Server
Client
https://tools.ietf.org/search/rfc7662 OAuth
2.0
Token
Introspection
Introspection
Request

29. Resource
Owner
Authorization
Server
Resource
Server
Client
https://tools.ietf.org/search/rfc7662 OAuth
2.0
Token
Introspection
Introspection
Request
Nice

30. Microservice Architecture
NG!!!
API
Gateway
Authorization
Server
Account
GET
/my
GET
/pvt/{account}
Transfer
POST
/transferto/{dst_account}
Receipt
GET
/receipts
OAuth
Filter
OAuth
Filter
OAuth
Filter
OAuth
Filter
Resource
Owner
Introspection/validation
Bank
API
(Public)
GET
/my
POST
/transferto/{dst_account}
GET
/receipts
/token
/authorize
/introspect
/revoke
/token_info
”offline
introspection/validation”
”offline
introspection/validation”

31. Microservice Architecture
NG!!!
API
Gateway
Authorization
Server
Account
GET
/my
GET
/pvt/{account}
Transfer
POST
/transferto/{dst_account}
Receipt
GET
/receipts
OAuth
Filter
OAuth
Filter
OAuth
Filter
OAuth
Filter
Resource
Owner
Introspection/validation
Bank
API
(Public)
GET
/my
POST
/transferto/{dst_account}
GET
/receipts
/token
/authorize
/introspect
/revoke
/token_info
”offline
introspection/validation”
”offline
introspection/validation”
• Audit
Trail
Improved
• Microservices can
make
decision
based
on
the
end-­‐user
identity
• Fine
grained
authorization
across
the
services
• The
whole
environment
have
a
central
user
identity
repository
(OAuth+OpenID Connect
Server)
• API
Gateway
is
clean/slim

32. Don’t
start
from
scratch
• OpenSource
• Connect2ID
http://connect2id.com/
• Keycloak http://www.keycloak.org/
• MitreID Connect
https://github.com/mitreid-­‐connect/OpenID-­‐Connect-­‐Java-­‐
Spring-­‐Server
• WSO2
Identity
Server
http://wso2.com/products/identity-­‐server/

33. References
and
Links
• OAuth
2.0:
https://tools.ietf.org/html/rfc6749
• OAuth
2.0
Bearer
Token
Usage:
https://tools.ietf.org/html/rfc6750
• OpenID
Connect
Core:
http://openid.net/specs/openid-­‐connect-­‐core-­‐1_0.html
• OpenID
Connect
Discovery:
https://openid.net/specs/openid-­‐connect-­‐discovery-­‐1_0.html
• JOSÉ
(JSON
Object
Signing
and
Encryption)
• JSON
Web
Signature
(JWS)
https://tools.ietf.org/html/rfc7515
• JSON
Web
Encryption
(JWE)
https://tools.ietf.org/html/rfc7516
• JSON
Web
Key
(JWK)
https://tools.ietf.org/html/rfc7517
• JSON
Web
Algorithms
(JWA)
https://tools.ietf.org/html/rfc7518
• JSON
Web
Token
(JWT)
https://tools.ietf.org/html/rfc7519
• http://connect2id.com/products/nimbus-­‐jose-­‐jwt/examples/validating-­‐jwt-­‐access-­‐tokens

34. Thanks
https://www.linkedin.com/in/ericktedeschi
https://twitter.com/ericktedeschi
http://www.slideshare.net/erickt86
erick@oerick.com