Recommended
More Related Content
What's hot
What's hot (20)
Similar to JWS tokens: Understanding JSON Web Signatures
Similar to JWS tokens: Understanding JSON Web Signatures (20)
More from Lance Bragstad
More from Lance Bragstad (8)
Recently uploaded
Recently uploaded (20)
JWS tokens: Understanding JSON Web Signatures
- 1. Adam Young (ayoung) Lance Bragstad (lbragstad) JWS tokens Past, Present, and Future
- 2. IMAGINE IF we had a token compatible with OpenStack and everything else
- 3. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 4. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 5. What is a token? GET /v2/b5a951/servers HTTP/1.1 Host: servers.api.openstack.org Accept: application/json X-Auth-Token: $TOKEN
- 6. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 7. Why not use UUID tokens? They must be persisted. 779810523fb24886b67a23f4f823b685
- 8. Why not use PKI tokens? They are huge. MIIE-gYJKoZIhvcNAQcCoIIE7zCCBOsCAQExDTALBglghkgBZQMEAgEwggNMBgkqhkiG9w0BBwGgggM9BIIDO XsidG9rZW4iOnsibWV0aG9kcyI6WyJwYXNzd29yZCJdLCJyb2xlcyI6W3siaWQiOiIzNjBiMTc3ZDhjMjM0 N2ZmOTVlMGFjMTYxNWJhOGZiNiIsIm5hbWUiOiJhZG1pbiJ9XSwiZXhwaXJlc19hdCI6IjIwMTUtMDItMjZ UMDU6NDg6MjYuMDk0MDk4WiIsInByb2plY3QiOnsiZG9tYWluIjp7ImlkIjoiZGVmYXVsdCIsIm5hbWUiOi JEZWZhdWx0In0sImlkIjoiNTkwMDJjZTczOWYxNDNiYjhiMmNjMzNjYWY5OGZjZjkiLCJuYW1lIjoiYWRta W4ifSwiY2F0YWxvZyI6W3siZW5kcG9pbnRzIjpbeyJyZWdpb25faWQiOm51bGwsInVybCI6Imh0dHA6Ly8x MDQuMjM5LjE2My4yMTU6MzUzNTcvdjMiLCJyZWdpb24iOm51bGwsImludGVyZmFjZSI6ImFkbWluIiwiaWQ iOiI5YTI5ZWFmMjBmNzk0MmI2YjljOTZjZmIwYWEwMmEzZSJ9LHsicmVnaW9uX2lkIjpudWxsLCJ1cmwiOi JodHRwOi8vMTA0LjIzOS4xNjMuMjE1OjM1MzU3L3YzIiwicmVnaW9uIjpudWxsLCJpbnRlcmZhY2UiOiJwd WJsaWMiLCJpZCI6ImQzMjMzYWZkMmI2MDQxZDRhMzlmOGFjMTIzMzc1N2ZkIn1dLCJ0eXBlIjoiaWRlbnRp dHkiLCJpZCI6IjFiNzk2ZTIxNGY4MTQwMTE4MTA4YTdlNGU0Y2E2ZTE2IiwibmFtZSI6IktleXN0b25lIn1 dLCJleHRyYXMiOnt9LCJ1c2VyIjp7ImRvbWFpbiI6eyJpZCI6ImRlZmF1bHQiLCJuYW1lIjoiRGVmYXVsdC J9LCJpZCI6Ijg1YTlhZjE0NWRkYjRkMTlhOTU0NGRmYmVhYzVkMWYwIiwibmFtZSI6ImFkbWluIn0sImF1Z Gl0X2lkcyI6WyJZeW9iU2FIY1ROQ3U3c2V1c2RUdHBRIl0sImlzc3VlZF9hdCI6IjIwMTUtMDItMjZUMDU6 MzM6MjYuMDk0MTI3WiJ9fTGCAYUwggGBAgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4 wDAYDVQQHDAVVbnNldDEOMAwGA1UECgwFVW5zZXQxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQIBATALBg lghkgBZQMEAgEwDQYJKoZIhvcNAQEBBQAEggEAYJR+ETbjA4RpgToeRm0qh-zxRWyBL4RdN99hLHV6foIpc r6uXMN-DaUJvGygPDi1wi-HAbpErJAe9iRHk4+8BUnX--jQRTaYhkg237eyjpYHU8Hgt8Ydn7Wdnn0hriXK t+RZBG-ZEnnP-MZ9V9GGJz-BoAMHx42uF5j6mlfVvUxtJGSaZ2wPROkLIHAjrX-8zEo8YhtGQHi-rFvXOoP +w8TVb907R2WNsGs3LbFKRmDv-yev6pMnz+gQu8uImf2idd18hyEYdw8M9bgZc2YsGBiPSeIm-VhzH9qTX0 e7fK-chhAE+saIEbl5Mw0PzybhTyKHRzqtsW4HWFOlbE0yOA==
- 9. Why not use PKIZ tokens? They are still huge. PKIZ_eJxtVcmSozgUvPMVc6_oKMBgm0Mf2IzBCIpVlm4sNiAEtssLy9eP7K6Jqo4YboCUysyX7-nXL_ZopmV7 _-gger784oBtm-8VcnYnbNePwlODQj-xb6tZ1zX_qquBORqx6moVreq20nAATLUyh6rygFa1F65uG0sZeE0 brKqqgKLZtuHvr01pKZ8YSo3fX5scpnxmKW0x2Us4OQPae3MpKhPWnZJzdWfKxZG-fi6uTQaDxm9s2TPAgE gwe10i-9DkPWLOfkwpIJWMYq32LId4c7LgfN2-2p1c5zBhG50aW8I5bxxlHw0N3tdDtndoISh1qdtLm9gDi JMbMOwbIDgBBlpyIEZLQII7mNuJnTrDhgH2GmN1pmgRvCRgS7khSO82Oa_sjrY2ObFvaYf26ZUr_2ZgYojr Eo683fPX78WmhOaw82MgITHtPCvhgWjzvpW2HLBwh4nX-kYgYENtmCd3BAX63IhgeMuYkUcmB4kbHsHxgb- 8wlBuC0s5c3kfzoxafpicCcPynIvy8WVkJwu5NTA56ZQ_9Xc1X27VpTutR2AwyQTILjFFDkzSxIxZgjmZvb h4lAQ8WXyBSd9AHb2XVjrhbkNw9ATctDnzhbOb4at0Tu2RkIC4HX3DHDFBPIYhRXG1AHNKEUEy6hAPIJhw5 Cju9toUXdpzGVTue_Fp1vnOzLuy04WiG56Ap3IbDn6zfoBY5V1iz34kjR4BjL4p-AQI4JkDd4HmJ4sn2hPs B9CZ-UOLDtdIfFVoKKFzzeBL4hm_fAELDhgVQy07TwwpjkMmg9a-0cqsTIJnPdPXDqBDC7sXSraRP-y1V4U yJo8dcObKbfuNSBIex7YErISFqlpgI-CxUdYotmcQOy0mxeiJKYuwR5-s825z416Otjd62Hs8KyH9Ooketu GE9oAl8aa8fBHT6U8Sw0cONyzu9pKV_sz90cLodxsh3wZ_BSn8imupO8o3S6_GsSkxhjyaW55jNAVECtm37 AUmlQQgK6eFJCAC-T-aP-v-J-IbAVuUf1aP--rxNklGMekrIRM290g8NxnFt6yjJOmd3qavvpiLRUrx5u_O 5H62JjDMH52JJMja-hhbuooSNoEsjU0iDWyGIZ1NF6itpQqJyWk10NMUjAZR2YjyUrYKaGl6Z6bxIJAGQ0V GGgRbQ03TvPdoaZg-UIfXZr0aNlwK5Rnvg9EyVPgHAABjUS7KSaYHa3MrrJG6nffIA1tT_2c2ckbwc6Camh aoZlWZ6s5fHiM7FSN_F4LPwIZ62eK-Ck7bCCpG5gpWk55VZuJb-wZ30-Uwfh6c4_0Srgp12Ak0si9usTwdm uUcuHlIuqUjXarRXcN-_THIn6tdAN-nPSg57PGwD4Wt2Avm6qpmghnW1w0ZrGUX7cQ3MprKmr7nWFmkufam ysNiZfWSqNPDabMl54Q7ykPw2Gzxx1G8gzcNvGvRvTCjTLAqtQ1dZ7xM-zxbbam8Vha3SgGNhxL8-bESItc 8SiF3PhHSXD4Mfztp16N2Em_F8CYqviBlaj917zPUwf2h-1nsiVSIpWGKeu-Gdtc6rtfD2eRWEbn5VNhNU- wivHb8i14U1yo6RNH7qf0Y4ValpVTG9nR4NMHv39zrQjM94_ty-xc2_Erg
- 10. Why not use Fernet tokens? They require symmetric encryption and signing. gAAAAABU7roWGiCuOvgFcckec- 0ytpGnMZDBLG9hA7Hr9qfvdZDHjsak39YN98HXxoYLIqVm19Egku5YR3wyI7heVrOmPNEtmr- fIM1rtahudEdEAPM4HCiMrBmiA1Lw6SU8jc2rPLC7FK7nBCia_BGhG17NVHuQu0S7waA306jyKNhHwUnp sBQ=
- 11. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 12. What is a JSON Web Token? An open standard for sharing authorization data.
- 13. What is a JSON Web Token? detailed in RFC 75[1][9568] defines a set of public claims allows implementations to supply private claims supports signed and encrypted payloads supports asymmetric cryptography
- 14. JSON Web Token (RFC 7519) relatively small, non-persistent, asymmetric, setup, online validation eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVuc3RhY2tfcHJvamVjdF9pZCI6IjMzMzNhMDQ0ZW MyYzQxMzNhMWQ0NGI1ZmRhYjBjMjg2Iiwic3ViIjoiM2ZlMTUxMTNjZjc5NGU4ZjljNWRhZDlmMTA3M2I wODkiLCJleHAiOjE1NTQxMzMzMzEsIm9wZW5zdGFja19hdWRpdF9pZHMiOlsiZW1BUVRCZWVSVmFidzI4 QW9FRURqdyJdLCJpYXQiOjE1NTQxMjk3MzEsIm9wZW5zdGFja19tZXRob2RzIjpbInBhc3N3b3JkIl19. tHcVIaW43RwREduckh2itJ_RrZ5Dc- tFElox1SsORO3Q7DsDLlWDQbuhCRuRd6_QgB0Brm1x_q7aB2lZcHy_fw=
- 16. {"alg": "ES256", "typ": "JWT"}
- 18. {"openstack_project_id": "3333a044ec2c4133a1d44b5fdab0c286","sub": "3fe15113cf794e8f9c5dad9f1073b089","exp": 1554133331,"openstack_audit_ids": ["emAQTBeeRVabw28AoEEDjw"],"iat": 1554129731,"openstack_methods": ["password"]}
- 20. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)
- 21. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)
- 22. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)
- 23. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)
- 24. Public claims principal of the JWT expiration time issued at time
- 25. Public claims "sub": "3fe15113cf794e8f9c5dad9f1073b089" "exp": 1554133331 "iat": 1554129731
- 26. Private claims token scope auditing information authentication methods
- 27. Private claims "openstack_project_id": "3333a044ec2c4133a1d44b5fdab0c286" "openstack_audit_ids": ["emAQTBeeRVabw28AoEEDjw"] "openstack_methods": ["password"]
- 28. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 29. Comparing Fernet and JWS non-persistence and online validation* opacity, symmetric versus asymmetric, key rotation and distribution
- 30. Encryption and signing details Fernet uses a 128-bit AES-CBC encryption key + 128-bit SHA256 HMAC signing key
- 31. Encryption and signing details JWS uses the ES256 JWA signing with ECDSA using the P-256 curve and the SHA256 HMAC
- 32. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 33. Configuring JWS keystone.conf [token] provider = jws keystone.conf [jwt_tokens] jws_public_key_repository keystone.conf [jwt_tokens] jws_private_key_repository
- 34. Configuring JWS keystone.conf [token] provider = jws /etc/keystone/jws-keys/public /etc/keystone/jws-keys/private
- 35. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 36. How do we create key pairs? keystone-manage create_jws_keypair ECDSA key pair using a secp256r1 (NIST P-256) curve
- 37. JWS key rotation and distribution on-disk key repositories each API server needs a public-private key pair keystone-manage doesn't handle rotation
- 38. JWS key-pair management node1 node2 node3 create key pair distribute public key configure private key
- 39. JWS key-pair management node1 node2 node3 pub1.pem create key pair pri1.pem distribute public key configure private key
- 40. JWS key-pair management node1 node2 node3 pub1.pem pub1.pem pub1.pem create key pair pri1.pem distribute public key configure private key
- 41. JWS key-pair management node1 node2 node3 pub1.pem pub1.pem pub1.pem create key pair pri1.pem pub2.pem distribute public key pri2.pem configure private key
- 42. JWS key-pair management node1 node2 node3 pub1.pem pub1.pem pub1.pem create key pair pub2.pem pub2.pem pub2.pem distribute public key pri1.pem pri2.pem configure private key
- 43. JWS key-pair management node1 node2 node3 pub1.pem pub1.pem pub1.pem create key pair pub2.pem pub2.pem pub2.pem distribute public key pri1.pem pri2.pem pub3.pem configure private key pri3.pem
- 44. JWS key-pair management node1 node2 node3 pub1.pem pub1.pem pub1.pem create key pair pub2.pem pub2.pem pub2.pem distribute public key pub3.pem pub3.pem pub3.pem configure private key pri1.pem pri2.pem pri3.pem
- 45. JWS key-pair management node1 node2 node3 pub1.pem pub1.pem pub1.pem create key pair pub2.pem pub2.pem pub2.pem distribute public key pub3.pem pub3.pem pub3.pem configure private key pri1.pem pri2.pem pri3.pem
- 46. JWS tokens What is a token? Understanding historical context behind token formats What is a JWT/S? Comparing Fernet and JWS Configuring JWS Notes about key rotation and distribution What's next for JWS? Q&A
- 47. What's next for JWS? beyond OpenStack operations nested JWTs offline validation per-domain token signing additional JWA algorithms
- 48. beyond OpenStack operations test with OpenID Connect interoperability with kubernetes identify other JWS consumers identify other private claims
- 49. nested JWTs encrypt then sign privacy drop-in replacement for fernet
- 50. offline validation make use of PKI token contains all information for validation caching role information and token catalog at the service short token lifespan is required to avoid revocation Keystone-to-Keystone (K2K) federation use cases
- 51. per-domain token signing split massive deployments into regions multiple domains per region consolidate assignments independent upgradeability across clusters
- 52. additional JWA algorithms currently only support ES256 better cryto-agility