Oauth2, open-id connect with microservices

•Download as PPTX, PDF•

9 likes•1,647 views

inovia

Discover how we authenticate / authorize inside a microservice architecture inside our microservices projects.

2017
OAuth2, OpenID Connect
& microservices

2017
Who Am I ?
Antonin Ribeaud
React(Native) @ Inovia

2017
Securing
Microservices
User repository

2017
OAuth2 + OpenID Connect
(simplified)

2017
Resource Owner (RO)
OAuth2 has 4 actors

2017
Resource Owner (RO) Authorization Server (AS - IDP)
OAuth2 has 4 actors

2017
Resource Owner (RO)
Resource server (RS - API)
OAuth2 has 4 actors
Authorization Server (AS - IDP)

2017
Resource Owner (RO)
Client Resource server (RS - API)
OAuth2 has 4 actors
Authorization Server (AS - IDP)

2017
Resource server (RS - API)
Client
OAuth2 has 4 actors
Authorization Server (AS - IDP)

2017
Resource server (RS - API)
OAuth2 has 4 actors
Client
Authorization Server (AS - IDP)

2017
Resource server (RS - API)
OAuth2 has 4 actors
Authorization Server (AS - IDP)
Client

2017
Sharing by reference
No meaning outside of the network

2017
Sharing by value
Contains all necessary information

2017
WS-Security
JWT
SAML
Macaroons
Custom...

2017
OAuth2 has 4 actors
Resource Owner (RO)
Client Resource server (RS - API)
Authorization Server (AS - IDP)

2017
Resource Owner (RO)
Client Resource server (RS - API)
{
scope,
clientId,
callbackUrl
}
OAuth2 has 4 actors
Authorization Server (AS - IDP)

2017
Resource Owner (RO) Authorization Server (AS - IDP)
Client Resource server (RS - API)
{authorization code}
OAuth2 has 4 actors

2017
Resource Owner (RO)
Client Resource server (RS - API)
{authorization code}
OAuth2 has 4 actors
Authorization Server (AS - IDP)

2017
Resource Owner (RO)
Client Resource server (RS - API)
{authorization code}
OAuth2 has 4 actors

2017
Resource Owner (RO)
Client Resource server (RS - API)
JWT: {
access token,
refresh token,
}
OAuth2 has 4 actors

2017
Resource Owner (RO)
Client Resource server (RS - API)
JWT: {
access token,
refresh token,
}
OAuth2 has 4 actors
Authorization Server (AS - IDP)

2017
Resource Owner (RO)
Client Resource server (RS - API)
{secret}
OAuth2 has 4 actors
+ Hashmap
(Key-Value
store)
Authorization Server (AS - IDP)

2017
Resource Owner (RO)
Client Resource server (RS - API)
OAuth2 has 4 actors
Authorization Server (AS - IDP)
+ Hashmap
(Key-Value
store)

2017
Delegated access
No password sharing
Revocation of access
...

2017
Authorization Server (AS)
Resource server (RS - API)
Client
Resource Owner (RO)

2017
Authorization Server (AS - IDP)
{accessToken}
(reference)
Client
UUID
API Gateway
Resource server (RS - API)

2017
Authorization Server (AS - IDP)
API Gateway
Resource server (RS - API)
{accessToken}
(reference)
{
UUID (Principal),
TID
}
Client
UUID

2017
Inovia.fr // @inoviateam
Ubeeqo.com
Antonin Ribeaud // github.com/Antonhansel

How has microservices and new architectural style helped to evolve API Design? If you're working with microservices and APIS, this helpful presentation will underscore the important challenges and solutions you can take advantage of right now. Learn more about: - Monolith versus Microservices - How Microservices and APIs interact - Challenges & Solutions - How to leverage Express Gateway, an open source API gateway built entirely on Express.js Presented by Al Tsang, CEO of LunchBadger, at the 2017 SmartBear Conference in Boston, MA.

Keynote: Hedera Cryptoeconomics with Dr. Leemon Baird | Hedera18

Hedera Hashgraph

YouTube Video https://youtu.be/nUiqR7oJS9I Speaker Dr. Leemon Baird | Co-Founder and Chief Scientist | Hedera Hashgraph Abstract Dr. Leemon Baird, Chief Scientist & Co-Founder at Hedera Hashgraph, will discuss the cryptoeconomics of Hedera hashgraph, including details around proxy staking, fees, and node payments on the Hedera public network. He’ll also touch on some of the obstacles of cryptoeconomics seen across all distributed public ledgers, and how Hedera Hashgraph overcomes them. In his closing, both Leemon and Mance will be unveiling further details of governance and operations of the initial Hedera Hashgraph Council members and their associated committees.

How are microservices in 2017 different from how we used to build them at the beginning of the decade? More traditional Service-Oriented Architectures were defined by protocols and standards published and curated by industry consortiums. Knowledge of the architectural style usually called "microservices", on the other hand, is often in the form of patterns, cautionary tales, and tools extracted from real-world reports and software made available by organisations that have adopted this style. Almost ten years since the first wave of such reports, the landscape has changed considerably. Many hard challenges from the past have been eased or completely solved, and a lot of the custom software created by the microservices pioneers have been made off-the-shelf open source software. In this talk, Phil Calçado will contrast what we first found in the first generation of microservices architectures against the current generation's landscape. Let's talk about which previous common knowledge and patterns are deprecated, which ones are still active, and introduce some of the ones that have been recently added to our toolbox.

Trading Derivatives on Hyperledger

LF Events

Trading derivatives on a decentralized system aims for high availability (HA) and disaster recovery (DR). Both HA and DR can be met by incorporating a blockchain and a container technology. The Hyperledger is a blockchain framework aims for a cross-industry open standard with the freely customizable plugins, smart contract, and the data payload. Those features exposes us the easy ways to implement our trading platform on a blockchain. The Docker was brought to handle each specific Hyperledger chain internally. Also, hovering the whole Hyperledger nodes with containers reduce our time in building infrastructure, and much easier to be deployed on the production environment. This presentation will show how we integrate the Hyperledger and the Docker container for our derivatives trading project, and the issues that we are focusing on. Additionally, the talk partially includes the performance evaluation results under different configurations. This talk was delivered at LinuxCon Japan 2016 by Siriwat Kasamwattanarote, Thierry Gibralta, Vsevolod Yugov, Shibo Lin, Hideaki Takei, and Fernando Vazquez

Smart Contracts: From Zero to Dapp Hero | Hedera18

Hedera Hashgraph

YouTube Video https://youtu.be/zmFU54Apyn8 Speaker John Gethoefer | Principal Software Engineer | Bumped, Inc. Abstract Get started with Smart Contracts and the Solidity™ language. In this presentation, you'll receive an introduction to Solidity, a programming language for creating smart contracts for Ethereum and Hedera Hashgraph. You will learn step-by-step procedures to creating a simple smart contract and explore best practices for testing and developing distributed applications (Dapps).

Design and Evolution of APIs in Microservice Architecture

Lohika_Odessa_TechTalks

Wide adoption of Microservice Architecture presents a whole new set of challenges for us as developers. Some of them are well-known and understood. About others we do not think until they strike us out of the blue and we spend a lot of sleepless nights trying to figure them out. And communication between services in distributed system is one of the latter. During this Microservice Architecture Odesa #TechTalk we will talk about how to prevent your microservices from becoming a modern-world Tower of Babel. We will discuss how to select appropriate communication mechanisms for most common cases in a distributed system, how should we define API contracts for each of them and what tools are available for us to keep them consistent and evolve them over time. We will touch following topics:  REST vs RPC vs Messaging and how not to get lost with your options.  Contract First development and how it can save time in multi-team environment.  SwaggerHub as a single Point of truth for REST API  Best practices for gRPC contracts and how to deal with changes in them. About speaker: Andrii Barsukov is Senior .NET developer at Lohika, with 5+ years of commercial experience in development of microservice applications. Currently participating in development of microservice-based financial system, which includes 20+ microservices developed by 10 separate development teams. And some of the challenges that we faced during its development I'd like to share.

APIdays Paris 2018 - API Management is Dead, Augusto Marietti, CEO and Co-Fou...

apidays

The Economics of Microservices (redux)

Phil Calçado

Introduction to Istio Service Mesh

Georgios Andrianakis

Rabbit MQ - Tech Talk at Atlogys

Atlogys Technical Consulting

The message broker systems such as RabbitMQ are gaining a lot of momentum nowadays in large scale app development. They allow us to accomplish many prevalent tasks in a parallel manner without affecting the SLA of the micro-service. This presentation talks about RabbitMQ and how one can leverage its capabilities for making your software architecture more robust and scalable. Tech Talk conducted at Atlogys technical Consulting, Delhi by Senior Tech Lead - Mr. Gaurav Garg. Youtube recording also available at the Atlogys Academy Channel.

Microservices:  The phantom menace . Istio Service Mesh:  the new hope

Sergii Bishyr

Hyperledger Lightning Talk

Andrew Kennedy

The Service Mesh: It's about Traffic

C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2mcpD5B. Oliver Gould talks about the Linkerd project, a service mesh hosted by the Cloud Native Computing Foundation, to give operators control over the traffic between their microservices. He shares the lessons they've learned helping dozens of organizations get to production with Linkerd and how they've applied these lessons to tackle complexity with Linkerd. Filmed at qconnewyork.com. Oliver Gould is co-founder and CTO at Buoyant, Inc.

Fabric Composer - Construct 2017

Simon Stone

Building Highly Sophisticated Environments for Security and Compliance on AWS

Boyan Dimitrov

Fast exchange

MaksymVasylchykov

FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2

FIWARE

Microservice Secrets

Justin Hart

SQL Connectivity in a MongoDB World

Progress

Microservices with Spring Cloud

Wilder Rodrigues

Serverless Software Architecture - Gears 17

Tars Joris

Soup to Nuts: Identity Federation for AWS

Amazon Web Services

AWS offers customers multiple solutions for federating identities on the AWS Cloud. In this session, we will embark on a tour of these solutions and the use cases they support. Along the way, we will dive deep with demonstrations and best practices to help you be successful managing identities on the AWS Cloud. We will cover how and when to use Security Assertion Markup Language 2.0 (SAML), OpenID Connect (OIDC), and other AWS native federation mechanisms. You will learn how these solutions enable federated access to the AWS Management Console, APIs, and CLI, AWS Infrastructure and Managed Services, your web and mobile applications running on the AWS Cloud, and much more.

SID344-Soup to Nuts Identity Federation for AWS

Amazon Web Services

AWS offers customers multiple solutions for federating identities on the AWS Cloud. In this session, we will embark on a tour of these solutions and the use cases they support. Along the way, we will dive deep with demonstrations and best practices to help you be successful managing identies on the AWS Cloud. We will cover how and when to use Security Assertion Markup Language 2.0 (SAML), OpenID Connect (OIDC), and other AWS native federation mechanisms. You will learn how these solutions enable federated access to the AWS Management Console, APIs, and CLI, AWS Infrastructure and Managed Services, your web and mobile applications running on the AWS Cloud, and much more.

Together Cheerfully to Walk with Hypermedia

Vladimir Tsukur

Primary focus of this presentation is on the hypermedia as the engine of application state (HATEOAS) and how HTTP APIs may benefit from it. Provides sneak peek into HAL media type & gives an overview of hypermedia support in Java tools (JAX-RS / HalBuilder and Spring HATEOAS) along with practical suggestions for server-side design of hypermedia API. Also includes quick overview of Richardson Maturity Model based on a set of examples, current API trends.

What's hot

The Next Generation of Microservices

Phil Calçado

Trading Derivatives on Hyperledger

LF Events

Smart Contracts: From Zero to Dapp Hero | Hedera18

Hedera Hashgraph

Design and Evolution of APIs in Microservice Architecture

Lohika_Odessa_TechTalks

APIdays Paris 2018 - API Management is Dead, Augusto Marietti, CEO and Co-Fou...

apidays

The Economics of Microservices (redux)

Phil Calçado

Introduction to Istio Service Mesh

Georgios Andrianakis

Rabbit MQ - Tech Talk at Atlogys

Atlogys Technical Consulting

Microservices:  The phantom menace . Istio Service Mesh:  the new hope

Sergii Bishyr

Hyperledger Lightning Talk

Andrew Kennedy

The Service Mesh: It's about Traffic

C4Media

Fabric Composer - Construct 2017

Simon Stone

Building Highly Sophisticated Environments for Security and Compliance on AWS

Boyan Dimitrov

Fast exchange

MaksymVasylchykov

FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2

FIWARE

Microservice Secrets

Justin Hart

SQL Connectivity in a MongoDB World

Progress

Microservices with Spring Cloud

Wilder Rodrigues

What's hot (18)

The Next Generation of Microservices

Trading Derivatives on Hyperledger

Smart Contracts: From Zero to Dapp Hero | Hedera18

Design and Evolution of APIs in Microservice Architecture

APIdays Paris 2018 - API Management is Dead, Augusto Marietti, CEO and Co-Fou...

The Economics of Microservices (redux)

Introduction to Istio Service Mesh

Rabbit MQ - Tech Talk at Atlogys

Microservices:  The phantom menace . Istio Service Mesh:  the new hope

Hyperledger Lightning Talk

The Service Mesh: It's about Traffic

Fabric Composer - Construct 2017

Building Highly Sophisticated Environments for Security and Compliance on AWS

Fast exchange

FIWARE Global Summit - NGSI-LD – an Evolution from NGSIv2

Microservice Secrets

SQL Connectivity in a MongoDB World

Microservices with Spring Cloud

Similar to Oauth2, open-id connect with microservices

Serverless Software Architecture - Gears 17

Tars Joris

Soup to Nuts: Identity Federation for AWS

Amazon Web Services

SID344-Soup to Nuts Identity Federation for AWS

Amazon Web Services

AWS offers customers multiple solutions for federating identities on the AWS Cloud. In this session, we will embark on a tour of these solutions and the use cases they support. Along the way, we will dive deep with demonstrations and best practices to help you be successful managing identies on the AWS Cloud. We will cover how and when to use Security Assertion Markup Language 2.0 (SAML), OpenID Connect (OIDC), and other AWS native federation mechanisms. You will learn how these solutions enable federated access to the AWS Management Console, APIs, and CLI, AWS Infrastructure and Managed Services, your web and mobile applications running on the AWS Cloud, and much more.

Together Cheerfully to Walk with Hypermedia

Vladimir Tsukur

Secure your APIs using OAuth 2 and OpenID Connect

Nordic APIs

Session held by Travis Spencer at PayEx and Nordic APIs event "Secure, flexible and modern APIs for Payments" event in Oslo, May 10th. Description: When opening up secure APIs, OAuth 2 and OpenID Connect are the primary standards being used today. Implementing and using these standards can be challenging. In this session, Travis Spencer, CEO of Twobo Technologies, will provide an in-depth overview of these standards and explain how they can be integrated into financial services apps. The overview will include information on: The actors involved in OAuth and OpenID Connect The flows used in the standards What grant types are, which are defined, and the message exchanges of each What scopes are and examples of their use Different classes of tokens and how they are used Overview of the OpenID Foundation’s work in the Financial API WG Attendees will leave with: An overview of OAuth 2 and OpenID Connect Knowledge of the basics necessary to using these standards Resources and information sources where more information can be found

Advanced Design Patterns for Amazon DynamoDB - DAT403 - re:Invent 2017

Amazon Web Services

This session, we go deep into advanced design patterns for DynamoDB. This session is intended for those who already have some familiarity with DynamoDB and are interested in applying the design patterns covered in the DynamoDB deep dive session and hands-on labs for DynamoDB. The patterns and data models discussed in this presentation summarize a collection of implementations and best practices leveraged by the Amazon CDO to deliver highly scaleable solutions for a wide variety of business problems. In this session, we discuss strategies for GSI sharding and index overloading, scaleable graph processing with materialized queries, relational modeling with composite keys, executing transactional workflows on DynamoDB, and much, much more.

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

Nordic APIs

This is a session given by Jacob Ideskog at Nordic APIs 2016 Platform Summit on October 25th, in Stockholm Sweden. Description: In this talk Jacob Ideskog (Identity Expert at Twobo Technologies) address the growing need to secure the emerging devices accessible over the Internet. The Internet of Things has many interpretations, but the common denominator is that there will be a vast number of connected devices, and nobody (almost) want’s those hacked.

REST Development made Easy with ColdFusion Aether

Pavan Kumar

DDS-XRCE (Extremely Resource Constrained Environments)

Gerardo Pardo-Castellote

AWS reInvent Recap 線上研討會

Amazon Web Services

AWS re:Invent 是 AWS 全球年度最盛大的技術大會，這年活動吸引了超過四萬名技術菁英與會。如果您沒辦法參加在拉斯维加斯舉辦的 AWS re:Invent，或是在台北舉行的 AWS re:Invent Recap。沒問題，我們現在就將 AWS re:Invent 一連串所公布新的服務和功能一一在線上為你講解，內容包括運算和容器服務（Compute & Containers），數據庫（Databases），機器學習（Machine Learning），人工智能（Artificial Intelligence）等等。絕不容錯過的精彩內容，立即報名，探索 AWS re:Invent 2017 發佈的新功能和服務！

INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt

apidays

Back to [Jaspersoft] Basics: Rest API 101

TIBCO Jaspersoft

Bringing the Superpower of Bots to Your Company with a Serverless Bot Solutio...

Amazon Web Services

Bots are leading the next disruptive wave of how people and companies communicate. Companies can use bots for internal communications, such as facilities management or support, or for external communications, such as selling products, helping customers with searches, and acting as a trusted advisor in other ways. In this session, we show how easy it is to deploy a bot and how it improves customer interactions. Further, most bot solutions operate with a single language. We show how to build a language-agnostic bot solution using AWS Lambda and other AWS services.

Using JSON API to Get Your Content Where It Needs to Be

Acquia

Today’s Drupal applications connect to many external systems via APIs - more than ever before. Phone apps, decoupled frontends and other sites or services all need to consume content. Given the number and variety of interfaces a Drupal application needs to interact with, how can you ensure your data gets where it’s needed with minimum fuss? This session will focus on integrating a JavaScript application with Drupal, but the knowledge will be applicable to many other use-cases. We’ll cover: Introduction to the JSON API standard Advantages to JSON API How the JSON API can be used to pass data between systems

Christian Mladenov @ Intuitics

PAPIs.io

DEV204_Debugging Modern Applications Introduction to AWS X-Ray

Amazon Web Services

Analyzing and debugging production distributed applications built using a service oriented, microservices, or serverless architectures is a challenging task. In this session, we introduce AWS X-Ray, an AWS service that makes it easier to identify performance bottlenecks and errors, pinpoint issues to specific services in your application, identify the impact of issues on application users, and visualize the service call graph and the request timelines for your applications. We will also showcase a customer, Chick-fil-A and how they have adopted AWS X-Ray to play a role throughout the microservice lifecycle in order to ensure quality, transparency, and operational visibility for their services on AWS

The Future is Now: What’s New in ForgeRock Directory Services

ForgeRock

Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...

Amazon Web Services

By using serverless architectures, startups, and enterprises are building and running modern applications and services with increased agility and simplified scalability, all without managing a single server. Many applications need to manage user identities and support customers signing up and signing in. In this workshop, you create a complete serverless web application backed by a serverless microservice using Amazon API Gateway, AWS Lambda, and Amazon DynamoDB, implementing security controls and best practices at each layer. We also integrate social identity federation with Facebook and Google sign-in options to create a universal user directory with secure identity management and granular role-based access control for your application.

Using Access Advisor to Strike the Balance Between Security and Usability - S...

Amazon Web Services

AWS provides a killer feature for security operations teams: Access Advisor. In this session, we discuss how Access Advisor shows the services to which an IAM policy grants access and provides a timestamp for the last time that the role authenticated against that service. At Netflix, we use this valuable data to automatically remove permissions that are no longer used. By continually removing excess permissions, we can achieve a balance of empowering developers and maintaining a best-practice, secure environment.

UMA - An Open Standard for Consent-Driven Personal Data Sharing

Chris Adriaensen

Similar to Oauth2, open-id connect with microservices (20)

Serverless Software Architecture - Gears 17

Soup to Nuts: Identity Federation for AWS

SID344-Soup to Nuts Identity Federation for AWS

Together Cheerfully to Walk with Hypermedia

Secure your APIs using OAuth 2 and OpenID Connect

Advanced Design Patterns for Amazon DynamoDB - DAT403 - re:Invent 2017

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

REST Development made Easy with ColdFusion Aether

DDS-XRCE (Extremely Resource Constrained Environments)

AWS reInvent Recap 線上研討會

INTERFACE by apidays - TxAuth: the future of OAuth? by Dick Hardt

Back to [Jaspersoft] Basics: Rest API 101

Bringing the Superpower of Bots to Your Company with a Serverless Bot Solutio...

Using JSON API to Get Your Content Where It Needs to Be

Christian Mladenov @ Intuitics

DEV204_Debugging Modern Applications Introduction to AWS X-Ray

The Future is Now: What’s New in ForgeRock Directory Services

Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...

Using Access Advisor to Strike the Balance Between Security and Usability - S...

UMA - An Open Standard for Consent-Driven Personal Data Sharing

More from inovia

10 tips for Redux at scale

inovia

Using Redux in a large team is not easy. Organization and best practices can help scaling the team. Tip 1 : Planed 1 full day of training for each member Tip 2 : Tooled our environment Tip 3 : Used action creators Tip 4 : Redux Ducks Tip 5 : Write Unit tests Tip 6 : Use payload-based actions Tip 7 : Frontend development is all about side-effects Tip 8 : Normalized the state like a db Tip 9 : Selectors are helpful Tip 10 : Flow and typescript helped Matters is a startup studio based in Paris and San Francisco. To know more about us: https://matters.tech

10 essentials steps for kafka streaming services

inovia

Redux at scale

inovia

In this presentation, Baptiste Manson provides feedback after 2 years usage of React Redux at Scale with a team of more than 20 developers in Matters Startup Studio. See chapters below and don't forget to subscribe http://bit.ly/2EHSdU7 https://matters.tech/ This meetup is made for developers who are using Redux. Baptiste Manson, from the Matters Tech team, explains in details the pros and cons of React Redux at scale. You will find in this tutorial video 10 tips to pilot a project React Redux at scale. With this talk, learn Redux, how to scale your dev team on React projects and how to optimize your performance, in terms of team cooperation and architecture.

DocuSign's Road to react

inovia

Want to migrate to React ? Learn from the experience of Docusign. In this meetup, Joe Cocco, engineering at Docusign provides tips that can help your migration, your road to react. Don’t forget to subscribe http://bit.ly/2EHSdU7 https://matters.tech/ Migrating to React can be a long road. It is always better to have some tips before initiate this process. This Matters Tech video provides talks of two engineers at Docusign. Joe Cocco and Claudiu Andrei explain the steps of a successful React migration, based on their own experience at Docusign. They give you the keys of success, but they also explain the issues at scale. Some pros and cons of Reactjs are revealed in this Matters Meetup too. If you plan a journey to react, you must watch this video, because maybe you didn’t think of hurdles you will have to surmount, like how to integrating React into existing applications. However, there is a lot of benefits migrating to React. For instance, the goal of Docusign was to give developers the tool to move forward. The two engineers will convince you to make the transition to this Javascript Library.

API Gateway: Nginx way

inovia

Kafka: meetup microservice

inovia

Microservice: starting point

inovia

Correlation id (tid)

inovia

Meetic back end redesign - Meetup microservices

inovia

Security in microservices architectures

inovia

Building a Secure, Performant Network Fabric for Microservice Applications

inovia

Microservices vs SOA

inovia

CQRS, an introduction by JC Bohin

inovia

Domain Driven Design

inovia

Steam Learn: An introduction to Redis

inovia

Steam Learn: Speedrun et TAS

inovia

Steam Learn: Asynchronous Javascript

inovia

Steam Learn: Cheat sheet for Vim

inovia

Steam Learn: REST Good practices

inovia

Steam Learn: Faster php testing process with Atoum

inovia

More from inovia (20)

10 tips for Redux at scale

10 essentials steps for kafka streaming services

Redux at scale

DocuSign's Road to react

API Gateway: Nginx way

Kafka: meetup microservice

Microservice: starting point

Correlation id (tid)

Meetic back end redesign - Meetup microservices

Security in microservices architectures

Building a Secure, Performant Network Fabric for Microservice Applications

Microservices vs SOA

CQRS, an introduction by JC Bohin

Domain Driven Design

Steam Learn: An introduction to Redis

Steam Learn: Speedrun et TAS

Steam Learn: Asynchronous Javascript

Steam Learn: Cheat sheet for Vim

Steam Learn: REST Good practices

Steam Learn: Faster php testing process with Atoum

Recently uploaded

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

Free Complete Python - A step towards Data Science

RinaMondal9

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Recently uploaded (20)

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

GraphRAG is All You need? LLM & Knowledge Graph

Monitoring Java Application Security with JDK Tools and JFR Events

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

A tale of scale & speed: How the US Navy is enabling software delivery from l...

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

The Art of the Pitch: WordPress Relationships and Sales

20240607 QFM018 Elixir Reading List May 2024

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

PCI PIN Basics Webinar from the Controlcase Team

National Security Agency - NSA mobile device best practices

Free Complete Python - A step towards Data Science

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

20240605 QFM017 Machine Intelligence Reading List May 2024

Video Streaming: Then, Now, and in the Future

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Climate Impact of Software Testing at Nordic Testing Days

Oauth2, open-id connect with microservices

1. 2017 OAuth2, OpenID Connect & microservices

2. 2017 Who Am I ? Antonin Ribeaud React(Native) @ Inovia

3. 2017 OAuth2 !== OpenID Connect

4. 2017 Microservices

5. 2017 Monolith

6. 2017 Microservices

7. 2017 User identity

8. 2017 Securing a Monolith Client

9. 2017 Securing Microservices User repository

10. 2017 Houston, we have a problem

11. 2017 OAuth2 + OpenID Connect (simplified)

12. 2017 No Authentication

13. 2017 OAuth2 is a delegation protocol

14. 2017 OAuth2 has 4 actors

15. 2017 Resource Owner (RO) OAuth2 has 4 actors

16. 2017 Resource Owner (RO) Authorization Server (AS - IDP) OAuth2 has 4 actors

17. 2017 Resource Owner (RO) Resource server (RS - API) OAuth2 has 4 actors Authorization Server (AS - IDP)

18. 2017 Resource Owner (RO) Client Resource server (RS - API) OAuth2 has 4 actors Authorization Server (AS - IDP)

19. 2017 Resource server (RS - API) Client OAuth2 has 4 actors Authorization Server (AS - IDP)

20. 2017 Resource server (RS - API) Client OAuth2 has 4 actors Authorization Server (AS - IDP)

21. 2017 Resource server (RS - API) Client OAuth2 has 4 actors Authorization Server (AS - IDP)

22. 2017 Resource server (RS - API) Client OAuth2 has 4 actors Authorization Server (AS - IDP)

23. 2017 Resource server (RS - API) OAuth2 has 4 actors Client Authorization Server (AS - IDP)

24. 2017 Resource server (RS - API) OAuth2 has 4 actors Authorization Server (AS - IDP) Client

25. 2017 Delegated access

26. 2017 Tokens (simplified)

27. 2017 Access tokens Refresh tokens

28. 2017 Sharing by reference No meaning outside of the network

29. 2017 Sharing by value Contains all necessary information

30. 2017 WS-Security JWT SAML Macaroons Custom...

31. 2017 JWT

32. 2017 header.payload.signature

33. 2017

34. 2017 So, is a JWT secure ?

35. 2017 Nope.

36. 2017 Mitigating attacks against a JWT

37. 2017 OAuth2 + OpenID Connect

38. 2017 OAuth2 has 4 actors Resource Owner (RO) Client Resource server (RS - API) Authorization Server (AS - IDP)

39. 2017 Resource Owner (RO) Client Resource server (RS - API) { scope, clientId, callbackUrl } OAuth2 has 4 actors Authorization Server (AS - IDP)

40. 2017 Scope Email, profile, etc...

41. 2017 Resource Owner (RO) Client Resource server (RS - API) OAuth2 has 4 actors Authorization Server (AS - IDP)

42. 2017

43. 2017 Resource Owner (RO) Authorization Server (AS - IDP) Client Resource server (RS - API) {authorization code} OAuth2 has 4 actors

44. 2017 Resource Owner (RO) Client Resource server (RS - API) {authorization code} OAuth2 has 4 actors Authorization Server (AS - IDP)

45. 2017 Resource Owner (RO) Client Resource server (RS - API) {authorization code} OAuth2 has 4 actors

46. 2017 Resource Owner (RO) Client Resource server (RS - API) JWT: { access token, refresh token, } OAuth2 has 4 actors

47. 2017 Resource Owner (RO) Client Resource server (RS - API) JWT: { access token, refresh token, } OAuth2 has 4 actors Authorization Server (AS - IDP)

48. 2017 Resource Owner (RO) Client Resource server (RS - API) OAuth2 has 4 actors Authorization Server (AS - IDP)

49. 2017 Resource Owner (RO) Client Resource server (RS - API) {secret} OAuth2 has 4 actors + Hashmap (Key-Value store) Authorization Server (AS - IDP)

50. 2017 Resource Owner (RO) Client Resource server (RS - API) OAuth2 has 4 actors Authorization Server (AS - IDP) + Hashmap (Key-Value store)

51. 2017 Example

52. 2017

53. 2017 { scope, clientId, callbackUrl }

54. 2017

55. 2017

56. 2017 Delegated access No password sharing Revocation of access ...

57. 2017 Trust !

58. 2017 Authorization Server (AS) Resource server (RS - API) Client Resource Owner (RO)

59. 2017 Authorization Server (AS) Resource server (RS - API) Client Resource Owner (RO)

60. 2017 User identity in microservices

61. 2017 Authorization Server (AS - IDP) {accessToken} (reference) Client UUID API Gateway Resource server (RS - API)

62. 2017 Authorization Server (AS - IDP) API Gateway Resource server (RS - API) {accessToken} (reference) { UUID (Principal), TID } Client UUID

63. 2017 Using standards Secure

64. 2017 Inovia.fr // @inoviateam Ubeeqo.com Antonin Ribeaud // github.com/Antonhansel

Editor's Notes

Ubeeqo application de carsharing Si je suis ici aujourd’hui, c’est parce que Ubeeqo utilise une architecture en microservices
Avant d’avancer sur notre sujet, je veux bien noter que OAuth2 et OpenID Connect sont deux choses différentes OAauth2 -> Delegation, autorisation -> C’est de savoir ce que vous etes autorisés à faire. Open ID Connect -> Le but c’est que l’ont soit sur que l’interlocuteur avec qui vous échangez des données est bien celui que vous croyez. C’est une couche d’identification sur OAuth2 Open ID connect permet de combler certaines faiblesses de l’OAuth2, ce sont bien deux éléments distincts mais que l’on fait fonctionner ensemble
Vous avez décidé de faire des micro services. Vous transitionnez d’un monolithe vers une architecture en microservices, bravo. J’espère que vous avez suivi les précédentes présentations On va vous donner les clefs, progressivement et plus en détail pour réussir cette transition, notamment sur la gestion de l’identité de l’utilisateur
Architecture avec 1 service Système traditionnel Plusieurs sous composants dans un gros Quelques inconvénients On doit toujours redéployer toute la stack Quand l’équipe et le code grossit, il devient compliqué de travailler sur un monolith
Transforme le monolith en une série d’applications modulaires Deployment indépendant Code séparé
Un client c’est un utilisateur qui utilise une application mobile par exemple Le client fait une requète vers le monolith Un composant au début de la requête gère l’identité de l’utilisateur Il vérifie si l’utilisateur est connecté En pratique, on va populer la session ou la requete entrante Propage cette information aux sous composants Les composants suivants utilisent cette donnée Si on prend la meme logique et qu’on l’applique aux microservices, ça donne ça [NEXT SLIDE]
Chacun des microservices devrait alors avoir un composant qui gère les requêtes entrantes, qui gère les identités, qui fait appel a la base de données ou sont stockés les utilisateurs… Dans un système comme celui la on a beaucoup de redondances, c’est une mauvaise manière de régler le probleme
Comment fait on pour gérer l’identité d’un utilisateur dans des micro services Pour répondre a cette question, je vais d’abord vous parler d’OAuth2
No Authentication Pas de gestion d’accès ou de gestion de droit
Delegation de l’accès a quelqu’un pour faire quelque chose pour moi
Ressource Owner (RO) the user Client (Application mobile par exemple, parfois le backend de l’application) Authorization Server (AS) oAuth Server Resource Server (RS) Le service qu’on va appeler
Ressource Owner (RO) the user Client (Application mobile par exemple, parfois le backend de l’application) Authorization Server (AS) oAuth Server Resource Server (RS) Le service qu’on va appeler
Ressource Owner (RO) the user Client (Application mobile par exemple, parfois le backend de l’application) Authorization Server (AS) oAuth Server Resource Server (RS) Le service qu’on va appeler
Ressource Owner (RO) the user Client (Application mobile par exemple, parfois le backend de l’application) Authorization Server (AS) oAuth Server Resource Server (RS) Le service qu’on va appeler
Ressource Owner (RO) the user Client (Application mobile par exemple, parfois le backend de l’application) Authorization Server (AS) oAuth Server Resource Server (RS) Le service qu’on va appeler
Ressource Owner (RO) the user Client (Application mobile par exemple, parfois le backend de l’application) Authorization Server (AS) oAuth Server Resource Server (RS) Le service qu’on va appeler
Le client appelle l’Authorization Server L’Authorization Server demande alors au Ressource Owner de s’identifier
L’autorisation server fournit au client une preuve d’identité
Le client fait des requêtes auprès du resource server
Le ressource serveur demande a l'authorization server si le token est valide
Le ressource server répond au client la data demandée
Le Ressource Owner a délégué l’accés de ses données au clientL’Authorization Server a fourni une preuve d’identité que le client a pu utiliser pour requeter le Ressource Server ou l’API Qu’est-ce que cette “preuve d’identité”
Les différents tokens que l’on trouve en OAauth2
Access token c’est une session On se log sur un site, ça ouvre une session et pendant une période donnée, on n’a pas besoin de se re-logguer Au bout d’un certain temps, cette session expire et l’access token deviens invalide Le refresh token ça peut s’apparenter a un mot de passe, ce n’est évidement pas votre mot de passe. C’est un secret. On s’en sert pour créer une nouvelle session, avoir un nouveau access token Aussi, l’intéret de ce systeme c’est que si l’utilisateur souhaite révoquer l’accès du client, on a simplement a invalider son refresh token, l’access token sera invalidé rapidement de manière automatique et le client ne pourra plus en générer On peut ranger ces tokens dans une catégorie
Access token, c’est du partage par référence
Passé au client sous forme d’un header ou d’une query string compact
Cout de calcul faible
Élément stocké coté client -> Vulnérable Partir du principe que ça pourrait être compromis
Élément stocké côté client -> Vulnérable Toujours vérifier la signature du JWT HTTPS Ne pas stocker de données sensibles. Si vous avez besoin de transmettre des données sensibles, d’autres systèmes permettent de le faire. Un JWT qu’on signe, que l’on transmet en HTTPS, on met rien de sensible dedans, il n’est pas critique
Ressource Owner (RO) the user Client (Application mobile par exemple, parfois le backend de l’application) Authorization Server (AS) oAuth Server Resource Server (RS) Le service qu’on va appeler
Que se passe-til quand le client veut accéder a des ressources qui se trouvent sur le resource server ? ClientID -> Identifiant de l’application qui veut accéder a mes données Callback URL -> L’URL qui sera utilisée pour rediriger l’utilisateur a la fin du processus d’authentification
Comme des permissions Decrivent les autorisations que donnent le Ressource Owner (l’utilisateur) au Client L’utilisateur peut modifier les autorisations données au client L’utilisateur ne se login pas sur le client ou l’application, mais bien sur l’authorization server
Le RO est identifié sur le AS Le AS renvoie au client sur l’url de callback spécifiée plus tôt un code Ce code n’est pas compréhensible par le client
Code a usage unique Durée de vie extremement limitée
Le ressource server contacte l’autorization serverAuthorization Server (AS)
Le client stock le JWT
Authorization: Bearer AccessToken
L’authorization server c’est une brique technique assez complexe. Vous pouvez décider de passer par un service tiers, comme Facebook par exemple pour faire office d’authorization server
Vous l’avez surement déjà fait, peut être sans le savoir, mais vous pouvez utiliser l’Authorization Server d’un autre service vous pouvez également déléguer une partie de la logique OAuth2 a un tiers. comme facebook par exemple
Pour mon exemple j’ai choisi Deezer Tout le monde connaît Deezer, on écoute de la musique avec, je vais pas vous faire une review de l’application
L’application Deezer envoie a Facebook: Un clientID Un scope ( a quoi deezer veur acceder) Une callback URI
Facebook redirige l’utilisateur sur sa page d’autorisation On est bien chez Facebook (voir la barre url) Je me log chez facebook J’approuve les permissions demandées, le scope Facebook redirige alors le navigateur de mon téléphone sur l'adresse de callback de deezer avec un code dans l’URL L’application Deezer communique ce code au backend Deezer, le backend deeezer contact facebook pour vérifier l’authenticité de la preuve d’identé, le code, fourni A partir de la, Deezer doit stocker mon access et mon refresh, renvoie un token a l’application
Pas de formulaire Pas besoin d'être garant de l’identité de l’utilisateur Pas besoin de faire un processus de vérification de l’identité de l’utilisateur
Un élément très important aussi, c’est qu’on a crée des relations de confiance
Le ressource owner fait confiance a Authorization Server
Le ressource server fait confiance également a l’Authorization Server qui se porte garant de l’identité du Resource Owner
Maintenant que vous connaissez tous ces éléments, on va parler de la manière dont on les mets en oeuvre a Ubeeqo pour gérer l’identité de nos utilisateurs a travers les microservices Je me permets de préciser que c’est l’implémentation que nous avons choisi de mettre en place Ca ne veut pas dire que c’est la seule, ou que les autres sont mauvaises
UUID -> Universally Unique IDentifierChaine de caractère, répond a RFC Identifiant de l’utilisateur
UUID -> Universally Unique IDentifierChaine de caractère, répond a RFC Principal sert à identifier un acteur au travers de l’applicationContexte de la requète TID: Transaction ID Microservices sur un réseau fermé Shared secret entre les microservices
Vous avez pris connaissance des problématiques liées à une architecture en microservice Notamment celles qui concernent l’authentification et la délégation d’accès
Merci de votre attention

Oauth2, open-id connect with microservices

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Oauth2, open-id connect with microservices

Similar to Oauth2, open-id connect with microservices (20)

More from inovia

More from inovia (20)

Recently uploaded

Recently uploaded (20)

Oauth2, open-id connect with microservices

Editor's Notes