This page is the text of a slide deck on JSON Web Signature (JWS) tokens for OpenStack Keystone. It introduces JSON Web Tokens (JWTs), an open standard for conveying claims about a subject as a JSON object that can be signed (JWS) or encrypted (JWE), and notes that they are compact, need no server-side persistence and can be signed with asymmetric keys. The deck's example JWT carries a header naming the signing algorithm and token type, and a payload with claims such as the subject, the expiration time and the authentication methods used.
2. IMAGINE IF
we had a token compatible with
OpenStack
and everything else
3. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A
5. What is a token?
GET /v2/b5a951/servers HTTP/1.1
Host: servers.api.openstack.org
Accept: application/json
X-Auth-Token: $TOKEN
7. Why not use UUID tokens?
They must be persisted: a UUID is a random identifier that carries no content, so every token is written to the Keystone database and looked up there on each validation.
779810523fb24886b67a23f4f823b685
8. Why not use PKI tokens?
They are huge: a CMS-signed copy of the whole token payload, service catalog included.
MIIE-gYJKoZIhvcNAQcCoIIE7zCCBOsCAQExDTALBglghkgBZQMEAgEwggNMBgkqhkiG9w0BBwGgggM9BIIDO
XsidG9rZW4iOnsibWV0aG9kcyI6WyJwYXNzd29yZCJdLCJyb2xlcyI6W3siaWQiOiIzNjBiMTc3ZDhjMjM0
N2ZmOTVlMGFjMTYxNWJhOGZiNiIsIm5hbWUiOiJhZG1pbiJ9XSwiZXhwaXJlc19hdCI6IjIwMTUtMDItMjZ
UMDU6NDg6MjYuMDk0MDk4WiIsInByb2plY3QiOnsiZG9tYWluIjp7ImlkIjoiZGVmYXVsdCIsIm5hbWUiOi
JEZWZhdWx0In0sImlkIjoiNTkwMDJjZTczOWYxNDNiYjhiMmNjMzNjYWY5OGZjZjkiLCJuYW1lIjoiYWRta
W4ifSwiY2F0YWxvZyI6W3siZW5kcG9pbnRzIjpbeyJyZWdpb25faWQiOm51bGwsInVybCI6Imh0dHA6Ly8x
MDQuMjM5LjE2My4yMTU6MzUzNTcvdjMiLCJyZWdpb24iOm51bGwsImludGVyZmFjZSI6ImFkbWluIiwiaWQ
iOiI5YTI5ZWFmMjBmNzk0MmI2YjljOTZjZmIwYWEwMmEzZSJ9LHsicmVnaW9uX2lkIjpudWxsLCJ1cmwiOi
JodHRwOi8vMTA0LjIzOS4xNjMuMjE1OjM1MzU3L3YzIiwicmVnaW9uIjpudWxsLCJpbnRlcmZhY2UiOiJwd
WJsaWMiLCJpZCI6ImQzMjMzYWZkMmI2MDQxZDRhMzlmOGFjMTIzMzc1N2ZkIn1dLCJ0eXBlIjoiaWRlbnRp
dHkiLCJpZCI6IjFiNzk2ZTIxNGY4MTQwMTE4MTA4YTdlNGU0Y2E2ZTE2IiwibmFtZSI6IktleXN0b25lIn1
dLCJleHRyYXMiOnt9LCJ1c2VyIjp7ImRvbWFpbiI6eyJpZCI6ImRlZmF1bHQiLCJuYW1lIjoiRGVmYXVsdC
J9LCJpZCI6Ijg1YTlhZjE0NWRkYjRkMTlhOTU0NGRmYmVhYzVkMWYwIiwibmFtZSI6ImFkbWluIn0sImF1Z
Gl0X2lkcyI6WyJZeW9iU2FIY1ROQ3U3c2V1c2RUdHBRIl0sImlzc3VlZF9hdCI6IjIwMTUtMDItMjZUMDU6
MzM6MjYuMDk0MTI3WiJ9fTGCAYUwggGBAgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4
wDAYDVQQHDAVVbnNldDEOMAwGA1UECgwFVW5zZXQxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQIBATALBg
lghkgBZQMEAgEwDQYJKoZIhvcNAQEBBQAEggEAYJR+ETbjA4RpgToeRm0qh-zxRWyBL4RdN99hLHV6foIpc
r6uXMN-DaUJvGygPDi1wi-HAbpErJAe9iRHk4+8BUnX--jQRTaYhkg237eyjpYHU8Hgt8Ydn7Wdnn0hriXK
t+RZBG-ZEnnP-MZ9V9GGJz-BoAMHx42uF5j6mlfVvUxtJGSaZ2wPROkLIHAjrX-8zEo8YhtGQHi-rFvXOoP
+w8TVb907R2WNsGs3LbFKRmDv-yev6pMnz+gQu8uImf2idd18hyEYdw8M9bgZc2YsGBiPSeIm-VhzH9qTX0
e7fK-chhAE+saIEbl5Mw0PzybhTyKHRzqtsW4HWFOlbE0yOA==
9. Why not use PKIZ tokens?
They are still huge: PKIZ only zlib-compresses the same CMS-signed payload.
PKIZ_eJxtVcmSozgUvPMVc6_oKMBgm0Mf2IzBCIpVlm4sNiAEtssLy9eP7K6Jqo4YboCUysyX7-nXL_ZopmV7
_-gger784oBtm-8VcnYnbNePwlODQj-xb6tZ1zX_qquBORqx6moVreq20nAATLUyh6rygFa1F65uG0sZeE0
brKqqgKLZtuHvr01pKZ8YSo3fX5scpnxmKW0x2Us4OQPae3MpKhPWnZJzdWfKxZG-fi6uTQaDxm9s2TPAgE
gwe10i-9DkPWLOfkwpIJWMYq32LId4c7LgfN2-2p1c5zBhG50aW8I5bxxlHw0N3tdDtndoISh1qdtLm9gDi
JMbMOwbIDgBBlpyIEZLQII7mNuJnTrDhgH2GmN1pmgRvCRgS7khSO82Oa_sjrY2ObFvaYf26ZUr_2ZgYojr
Eo683fPX78WmhOaw82MgITHtPCvhgWjzvpW2HLBwh4nX-kYgYENtmCd3BAX63IhgeMuYkUcmB4kbHsHxgb-
8wlBuC0s5c3kfzoxafpicCcPynIvy8WVkJwu5NTA56ZQ_9Xc1X27VpTutR2AwyQTILjFFDkzSxIxZgjmZvb
h4lAQ8WXyBSd9AHb2XVjrhbkNw9ATctDnzhbOb4at0Tu2RkIC4HX3DHDFBPIYhRXG1AHNKEUEy6hAPIJhw5
Cju9toUXdpzGVTue_Fp1vnOzLuy04WiG56Ap3IbDn6zfoBY5V1iz34kjR4BjL4p-AQI4JkDd4HmJ4sn2hPs
B9CZ-UOLDtdIfFVoKKFzzeBL4hm_fAELDhgVQy07TwwpjkMmg9a-0cqsTIJnPdPXDqBDC7sXSraRP-y1V4U
yJo8dcObKbfuNSBIex7YErISFqlpgI-CxUdYotmcQOy0mxeiJKYuwR5-s825z416Otjd62Hs8KyH9Ooketu
GE9oAl8aa8fBHT6U8Sw0cONyzu9pKV_sz90cLodxsh3wZ_BSn8imupO8o3S6_GsSkxhjyaW55jNAVECtm37
AUmlQQgK6eFJCAC-T-aP-v-J-IbAVuUf1aP--rxNklGMekrIRM290g8NxnFt6yjJOmd3qavvpiLRUrx5u_O
5H62JjDMH52JJMja-hhbuooSNoEsjU0iDWyGIZ1NF6itpQqJyWk10NMUjAZR2YjyUrYKaGl6Z6bxIJAGQ0V
GGgRbQ03TvPdoaZg-UIfXZr0aNlwK5Rnvg9EyVPgHAABjUS7KSaYHa3MrrJG6nffIA1tT_2c2ckbwc6Camh
aoZlWZ6s5fHiM7FSN_F4LPwIZ62eK-Ck7bCCpG5gpWk55VZuJb-wZ30-Uwfh6c4_0Srgp12Ak0si9usTwdm
uUcuHlIuqUjXarRXcN-_THIn6tdAN-nPSg57PGwD4Wt2Avm6qpmghnW1w0ZrGUX7cQ3MprKmr7nWFmkufam
ysNiZfWSqNPDabMl54Q7ykPw2Gzxx1G8gzcNvGvRvTCjTLAqtQ1dZ7xM-zxbbam8Vha3SgGNhxL8-bESItc
8SiF3PhHSXD4Mfztp16N2Em_F8CYqviBlaj917zPUwf2h-1nsiVSIpWGKeu-Gdtc6rtfD2eRWEbn5VNhNU-
wivHb8i14U1yo6RNH7qf0Y4ValpVTG9nR4NMHv39zrQjM94_ty-xc2_Erg
10. Why not use Fernet tokens?
They require symmetric encryption and signing: every node that mints or validates a token holds the same shared secret.
gAAAAABU7roWGiCuOvgFcckec-
0ytpGnMZDBLG9hA7Hr9qfvdZDHjsak39YN98HXxoYLIqVm19Egku5YR3wyI7heVrOmPNEtmr-
fIM1rtahudEdEAPM4HCiMrBmiA1Lw6SU8jc2rPLC7FK7nBCia_BGhG17NVHuQu0S7waA306jyKNhHwUnp
sBQ=
12. What is a JSON Web Token?
An open standard for sharing authorization data.
13. What is a JSON Web Token?
detailed in RFC 7519 (the signed form, JWS, is RFC 7515)
defines a set of registered claims (iss, sub, aud, exp, nbf, iat, jti)
allows implementations to supply private claims
supports signed (JWS) and encrypted (JWE) payloads
supports asymmetric cryptography
29. Comparing Fernet and JWS
shared: both are non-persistent and, today, validated online by Keystone*
different: opacity (Fernet is encrypted, so its payload is opaque to the caller; JWS is signed, so its payload is readable), symmetric versus asymmetric keys, and how keys are rotated and distributed
30. Encryption and signing details
Fernet uses a 128-bit AES-CBC encryption key plus a 128-bit HMAC-SHA256 signing key (one 256-bit Fernet key, shared by every node that mints or validates tokens)
31. Encryption and signing details
JWS uses the ES256 JWA algorithm: ECDSA over the NIST P-256 curve with a SHA-256 digest. No HMAC is involved, so a validator needs only the signer's public key
36. How do we create key pairs?
keystone-manage create_jws_keypair
ECDSA key pair using a secp256r1 (NIST P-256) curve
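An added keystone.conf fragment, not from the slides, showing how the jws provider is selected and where the generated key pairs are read from. The option names follow the Keystone jws token provider configuration; the repository paths are an assumption, so substitute your deployment's.

```ini
[token]
# switch the token provider from fernet to jws
provider = jws

[jwt_tokens]
# ES256 is the only algorithm the jws provider accepts
jws_algorithm = ES256
# holds only this API server's own private key
jws_private_key_repository = /etc/keystone/jws-keys/private
# holds the public key of every API server that may have signed a token
jws_public_key_repository = /etc/keystone/jws-keys/public
```

The private repository is per server; the public repository must be identical on every node, which is what makes distribution an operator task.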
37. JWS key rotation and distribution
on-disk key repositories: a private key repository holding this server's own key, a public key repository holding every server's public key
each API server needs its own public-private key pair
keystone-manage doesn't handle rotation: distribute a new public key to every node before its private key signs anything, and retire an old public key only after every token it signed has expired
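Slides 12 and 13 (what a JWT is), 31 (ES256) and 36 and 37 (key pairs and their distribution) together describe how a Keystone JWS token is minted and validated. The following is an added example, neither Keystone's code nor the deck's, written in Go so it runs with only the standard library: it generates P-256 key pairs as keystone-manage create_jws_keypair does, mints an ES256 compact JWS, and validates it against a repository of public keys modelled on the per-server repositories the deck describes. Assumptions: the claim names (`openstack_methods` is a hypothetical stand-in for Keystone's private claims), keys held in memory rather than in on-disk PEM repositories, and no `kid` header, so every trusted key is tried. The verifier refuses any `alg` other than ES256 (a forged `alg: none` or HS256 header never reaches a key), checks the signature before decoding the payload, and enforces `exp`, the only lifetime control once validation is offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is a constructed, Keystone-flavoured payload: "sub" and "exp" are RFC 7519
// registered claims; "openstack_methods" is a hypothetical stand-in for Keystone's private claims.
type Claims struct {
	Subject string   `json:"sub"`
	Expires int64    `json:"exp"`
	Methods []string `json:"openstack_methods,omitempty"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// NewKeyPair does what keystone-manage create_jws_keypair does: ECDSA on secp256r1 (NIST P-256).
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PublicKeys models the on-disk public key repository every API server holds.
func PublicKeys(privs ...*ecdsa.PrivateKey) (repo []*ecdsa.PublicKey) {
	for _, p := range privs {
		repo = append(repo, &p.PublicKey)
	}
	return repo
}

// Sign mints a JWS compact serialization (header.payload.signature) with ES256.
func Sign(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// RFC 7518 section 3.4: ES256 signatures are R || S as two 32-byte big-endian integers, not DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify validates a token against the trusted public key repository. The header's "alg"
// never selects the algorithm, and the claims are decoded only after a signature matches.
func Verify(token string, repo []*ecdsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected header.payload.signature")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("refusing header: only alg ES256 is accepted, got %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad signature: ES256 needs exactly 64 raw bytes")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	trusted := false
	for _, pub := range repo { // Keystone tokens carry no "kid", so every trusted key is tried
		trusted = trusted || ecdsa.Verify(pub, digest[:], r, s)
	}
	if !trusted {
		return nil, fmt.Errorf("signature matches no trusted public key")
	}
	var c Claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, fmt.Errorf("bad payload encoding")
	}
	// Offline validation has no revocation list, so "exp" is the only lifetime control.
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	a, _ := NewKeyPair()
	b, _ := NewKeyPair() // server B's public key has not reached server A's repository yet
	now := time.Now()
	tok, _ := Sign(b, Claims{Subject: "user-42", Expires: now.Add(time.Hour).Unix(), Methods: []string{"password"}})
	_, before := Verify(tok, PublicKeys(a), now)
	_, after := Verify(tok, PublicKeys(a, b), now)
	fmt.Println("before distributing B's public key:", before, "| after:", after)
}
```

Run as is, the first Verify fails because server B's public key is not yet in A's repository and the second succeeds. That order, publish the new public key to every node and only then let the new private key sign, is the rotation discipline keystone-manage leaves to the operator; the same Verify also rejects an expired token, a tampered payload, and a header that asks for `alg: none`.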
47. What's next for JWS?
beyond OpenStack operations
nested JWTs
offline validation
per-domain token signing
additional JWA algorithms
48. beyond OpenStack operations
test with OpenID Connect
interoperability with kubernetes
identify other JWS consumers
identify other private claims
50. offline validation
make use of PKI
token contains all information for validation
caching role information and token catalog at the service
short token lifespans are required, since an offline validator cannot consult a revocation list
Keystone-to-Keystone (K2K) federation use cases
51. per-domain token signing
split massive deployments into regions
multiple domains per region
consolidate assignments
independent upgradeability across clusters