Securing Microservices in Hybrid Cloud
By Komes Subramaniam, Senthil Velusamy
T-Mobile USA
Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
About us
Komes Subramaniam, Sr. Manager, Digital Services Group
• 18+ years of IT experience
• Responsible for Digital Transformation Architecture, API Products and Platform Management
• Member of OSS working group @ T-Mobile
• Passion for running and biking
Senthil Velusamy, Sr. Member of Technical Staff, Digital Customer Experience
• 18+ years of product and technology experience
• Responsible for strategy, technical and service architecture for Mobile Apps Ecosystem
• Head of Mobile Center of Excellence, Wi-Fi Alliance board for T-Mobile
• Passion for running and cooking
About T-Mobile US
America's Un-carrier: Redefining the way consumers and businesses buy wireless through leading product and service innovation.
• Based in Bellevue, Washington
• NASDAQ traded public company – TMUS
• Two flagship brands: T-Mobile and MetroPCS
• 21 consecutive quarters with more than one million net adds
• 323 million Americans covered today
• 18 quarters in a row with the fastest download and upload speeds (Ookla and OpenSignal)
• #1 U.S. wireless carrier in customer care (J.D. Power)
About T-Mobile US (cont.)
T-Mobile Open Source Projects (https://opensource.t-mobile.com)
Digital Transformation
• Monolithic to Microservices
• DevOps You Build It, You Own It
• Telemetry
• CI/CD/CT
• Investment in FTEs
Product & Technology
• World-class product management organization
• Empowering teams to build and own customer experience-obsessed products from design through sustainment
• casquatch: Java abstraction layer for Cassandra databases
• next-identity: Highly auditable blockchain-based access management solution
• keybiner: Library for encoding authorized business functions in an ID token
• t-vault: Simplified secrets management solution
• jazz: A platform for building serverless applications
Traditional API /Service Security
• Trust-based access to all internal APIs / services
• Traditional authentication uses a user session ID or cookie
• Stateful: the server keeps track of active authenticated sessions
Source image: montgomerynews.com
Securing Microservices
Token-based Authentication
• Stateless
• Scalable
• Performant
• Supports modern SPAs
SPA: Single Page Application
Source image: depositphotos.com
JWT, OIDC
JWT (JSON Web Token)
• Optionally validated and/or encrypted container format that is used to securely transfer information between two parties.
Header:
{
  "typ": "JWT",
  "alg": "RS256"
}
Payload and claims:
{
  "exp": "xx600",
  "iat": "1xxx1699266017",
  "iss": "https://xxx.t-mobile.com",
  "aud": "TMOApp",
  "nonce": "NONCE",
  "auth_time": "1481699265",
  "AT": "3285.4326xyabbss521112m4",
  "sub": "U-9645rra1cf7-0xxxf-450c-bdbe-1yyyyy926"
}
Signature:
{ bGmI4ujxjRgc7OKKNATgvXGMADfnFmrwfwxBoTM2g88ndi3mGU1i6xo2jr6NQE_.. }
Source: OpenID Connect & OAuth - Demystifying Cloud Identity - Filip Hanik, Sree Tumidi
OIDC (Open ID Connect)
• Identity layer on top of OAuth 2.0 flow
• Token issued has access and profile information
• Use the token information to retrieve resource data accordingly
Source: DOL.WA.gov
T-Mobile API Access Process (TAAP)
• TAAP developed based on Open ID Connect flow
• Introduced POP (Proof of Possession) for Message Integrity
• ID Tokens carry user identity and basic information (JWT)
• AT (Access Token) is based on JWT and supports self-validation
PoP Token (Proof of Possession)
• JWT Format
• Claims include:
• Request Payload
• Header Parameters
• Signed by Client’s Private Key
{
  "iat": 1xx6yyy776,
  "exp": 1aabc435ddee,
  "ehts": "authorization; content-type, uri",
  "edts": "109e2ee7xxbbvvefe457bbe3c1065e3c510744511cnbvg411e956ea836370d605"
}
TAAP Call flow
1. Client Registration
2. AuthN & AuthZ
3. Get Token
4. Get Resources
Need for Hybrid Cloud
Use public cloud for high-volume internet traffic
• All API layers deployed to handle burst traffic
Use private cloud / on-premises for sensitive, business-critical operations
• All event traffic handled on-premises with legacy system integration
• Sensitive data filtering and handling
Ability to scale to the public cloud: you pay for extra computing power only when needed
(Diagram: Public, Private and On-Premises tiers)
Hybrid Cloud with TAAP flow
IDP: Identity Provider, TAAP: T-Mobile API Access Process
(Diagram: Client → API Gateway → µService-A → API Gateway → µService-B, with the IDP (OIDC) reachable from the gateway and from µService-A; edge labels: AT; AT, ID Token; AT1; AT1, ID Token; AT1, Request)
1. Client Application follows TAAP Flow for obtaining Access Token & ID Token
2. Client sends AT to API Gateway. Gateway does a cache lookup for ID Token
3. API Gateway sends AT & ID Tokens as part of µService request
4. µService-A may require system level access for µService-B. In this case, it follows Client Credential grant flow to obtain Access Token (AT1).
5. µService-A sends AT1 and ID Token (Original) to µService-B
T-Mobile App: Evolution to TAAP for Secure API Access in Hybrid Cloud
• T-Mobile App Overview
• Using Opaque Token and its challenges
• Evolution to TAAP based Token and its benefits
T-Mobile App
• Android & iOS
• 75M+ installs
• 4.3 rating
V1: launched in 2015, opaque token based
V2: launched in 2018, TAAP based tokens
T-Mobile app core functions:
1. Self-serve → Retrieve user info
2. Analytics → Submit device info
T-Mobile App: Data in Hybrid Cloud
On-Premises:
• Identity provider
• Credentials, Profile, Tokens
Public Cloud:
• AWS
• Device, Plan, Promo etc.
• Data Orchestration for UI
Private Cloud:
• PCF
• Customer Account, Bill, Lease etc.
(Diagram: sample user Priya with masked phone numbers (425)-xxx-yyyy and (425)-xyz-yyyy; 1 Identity Provider, 2 Generic data, Orchestration (Device, Plan, Promo etc.), 3 Restricted data (Profile, Bill, Lease etc.))
T-Mobile App (V1) : Opaque Token Call-flow
OT: Opaque Token, UI: User Interface
Components in the diagram: Identity Provider; Generic data, Orchestration (Device, Plan, Promo etc.); Restricted data (Profile, Bill, Lease etc.)
Sample Opaque Token: 02.USR.KtDZXYxzleIDLWjOSvVP
Sample Device identifier: subscriber._0JOBCZpSwWWxyZxXKLCs3t56shu8bdD77_HfB76KUg=
1. Submit Credentials
2. Opaque Token, Device Identifier
3. Request app data (OT)
4. Validate (OT)
5. Valid
6. Request account info (OT)
7. Validate (OT)
8. Valid
9. Account data
10. App data for UI display
T-Mobile App (V1) : Opaque Token Challenges
Opaque tokens require validation with a central system, which adds latency to the critical path of the user experience
• 100–200 ms latency, up to 6 requests to the IDP per login session
Stolen tokens can be replayed until they expire
OT: Opaque Token, IDP: Identity Provider
T-Mobile App (V2) : TAAP Call-flow
JWK: JSON Web Key, TAAP: T-Mobile API Access Process, POP: Proof of Possession
Components in the diagram: Identity Provider; Generic data, Orchestration (Device, Plan, Promo etc.); Restricted data (Profile, Bill, Lease etc.)
1. Submit Credentials
2. User ID Token, Device ID Token
3. App data (User ID Token, POP)
4. Account info (User ID Token)
5. Account data
6. App data for UI display
JWK
• JWK: Retrieve Identity Provider public key
• Each domain receiving the ID token self-validates
T-Mobile App (V2) : TAAP Tokens
Device ID Token:
{
  "iss": "https://xxxxx.t-mobile.com",
  "network": {
    "id": "35679xxx0011980",
    "phone": "425xxxyyy"
  },
  "device": {
    "cnf": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5oaIEnqExSKXK/J7mvgx...........\n-----END PUBLIC KEY-----"
  },
  "exp": 1aabc435ddee,
  "aud": "TMOApp",
  "iat": 1xx6yyy776
}
User ID Token:
{
  "iat": 1xx6yyy776,
  "exp": 1aabc435ddee,
  "iss": "https://xxxxx.t-mobile.com",
  "aud": "TMOApp",
  "auth_time": 1536870785,
  "sub": "U-xxxxx-yyyyyy-zzzzzzzz",
  "amr": [ "password" ],
  "cnf": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5oaIEnqExSKXK/J7mvgx....................\n-----END PUBLIC KEY-----",
  "usn": "abcabcabcabcabc",
  "ent": {
    "acct": [
      {
        "r": "XX",
        "tst": "YY",
        "line_count": 5,
        "lines": [
          {
            "phnum": "1234567890",
            "r": "Z"
          }
        ]
      }
    ]
  }
}
Proof Of Possession (POP):
{
  "iat": 1xx6yyy776,
  "exp": 1aabc435ddee,
  "ehts": "a11ept;x-tmo-device-os;x-txx-yym;x-b3-paxxyyyzznid;x-aao-clixxt-name;x-tmo-model;x-nno-cvcnt-version;x-dat;x-tmo-xnbvce-os-version;authorization;x-tmo-oem-id;x-b3-spanid;x-tmo-post-sequence-number;x-b3-traceid;content-length;content-type",
  "edts": "109e2ee7xxbbvvefe457bbe3c1065e3c510744511cnbvg411e956ea836370d605"
}
T-Mobile App (V2) : How is TAAP used?
POP: Proof of Possession, UIT: User ID Token, DIT: Device ID Token, IDP: Identity Provider
Self-serve: User ID Token + POP
User ID Token: Header; Iss: IDP; Sub: Identity; KEY: cPub; Entitlement: …; Signature (iPri)
POP: Header; Iss: Client; Sub: Identity; Headers: …; Hash: xxxxx; Signature (cPri)
1. Validate User ID Token signature (JWK, iPub)
2. Retrieve cPub from User ID Token
3. Validate POP signature (cPub)
4. Validate POP hash (message integrity)
5. Use Entitlement info (Role, lines etc.)
Analytics: Device ID Token + POP
Device ID Token: Header; Iss: IDP; Sub: Identity; Network: …; KEY: cPub; Signature (iPri)
POP: Header; Iss: Client; Sub: Identity; Headers: …; Hash: xxxxx; Signature (cPri)
1. Validate Device ID Token signature (JWK, iPub)
2. Retrieve cPub from Device ID Token
3. Validate POP signature (cPub)
4. Validate POP hash (message integrity)
5. Use Network identifiers (Hardware ID, Phone Number)
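The five validation steps above, together with the PoP token claims introduced earlier (ehts names the covered request headers, edts is their hash, and the token is signed by the client's private key), as an added stand-alone Go example; this is not the deck's or T-Mobile's code. Assumptions: Ed25519/EdDSA keys stand in for the RSA keys shown in the slides, the cnf claim sits at the top level as in the User ID Token, the covered header values are hashed newline-joined in ehts order (the deck does not state the canonicalisation), and the issuer URL, subject and header values are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments: base64url without padding

// SignJWT builds a compact JWS: the IDP signs ID tokens with iPri, the client signs PoP tokens with cPri.
func SignJWT(claims map[string]interface{}, priv ed25519.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyJWT checks the signature with the key the verifier chose (never one
// named by the token itself) and the exp claim, then returns the claims.
func VerifyJWT(token string, pub ed25519.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("bad signature")
	}
	body, _ := b64.DecodeString(parts[1])
	claims := map[string]interface{}{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || time.Now().Unix() > int64(exp) {
		return nil, fmt.Errorf("token expired")
	}
	return claims, nil
}

// Edts is the PoP integrity hash: SHA-256 over the values of the request headers
// named in ehts (semicolon-separated), in order; "\n"-joining is an assumed canonicalisation.
func Edts(ehts string, headers map[string]string) string {
	h := sha256.New()
	for _, name := range strings.Split(ehts, ";") {
		h.Write([]byte(headers[name] + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// VerifyTAAPRequest is the resource-side self-validation from the slide: (1) ID token signature
// with iPub, (2) cPub out of cnf, (3) PoP signature with cPub, (4) PoP hash over the received headers.
func VerifyTAAPRequest(idToken, popToken string, iPub ed25519.PublicKey,
	headers map[string]string) (map[string]interface{}, error) {
	idClaims, err := VerifyJWT(idToken, iPub)
	if err != nil {
		return nil, fmt.Errorf("id token: %w", err)
	}
	cnf, _ := idClaims["cnf"].(string)
	block, _ := pem.Decode([]byte(cnf))
	if block == nil {
		return nil, fmt.Errorf("id token carries no cnf key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	cPub, ok := key.(ed25519.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("cnf is not a usable public key")
	}
	popClaims, err := VerifyJWT(popToken, cPub)
	if err != nil {
		return nil, fmt.Errorf("pop token: %w", err)
	}
	ehts, _ := popClaims["ehts"].(string)
	if got, _ := popClaims["edts"].(string); got != Edts(ehts, headers) {
		return nil, fmt.Errorf("pop hash mismatch: a covered header was altered")
	}
	return idClaims, nil // step (5): caller consumes entitlement or network claims
}

// IssueTokens plays IDP and client for the demo: a User ID token whose cnf claim
// carries the client public key as PEM, and a PoP token over the request headers.
func IssueTokens(iPri, cPri ed25519.PrivateKey, headers map[string]string) (string, string) {
	now := time.Now().Unix()
	der, _ := x509.MarshalPKIXPublicKey(cPri.Public())
	cnf := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	idToken := SignJWT(map[string]interface{}{"iss": "https://idp.example", "aud": "TMOApp",
		"sub": "U-demo", "iat": now, "exp": now + 3600, "cnf": string(cnf)}, iPri) // constructed sample values
	ehts := "authorization;content-type;uri"
	popToken := SignJWT(map[string]interface{}{"iat": now, "exp": now + 120,
		"ehts": ehts, "edts": Edts(ehts, headers)}, cPri)
	return idToken, popToken
}
```

IssueTokens stands in for the IDP and the client; a resource service only runs VerifyTAAPRequest, with the IDP public key fetched via JWK, so neither the IDP nor a central token store sits in the request path.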
T-Mobile App (V2) : TAAP Benefits
TAAP: T-Mobile API Access Process, IDP: Identity Provider
• Improved performance: removes the dependency on a centralized system; the IDP is not in the critical path of the experience
• Reduced load on downstream systems (e.g., no downstream call for unsupported account and plan types)
Sample metrics for T-Mobile app load time:
Opaque Token: ~3.2s; User ID Token: ~2.5s (~20% improvement in app load time)
• Flexibility to integrate with different IDPs
• Self-heal, no coordinated key rotations
• Improves security: tokens can't be replayed
Stay Connected.
#springone @s1p
@komethagan, @mvsenthil


Editor's Notes

  • #3 About us. I'm Komes; I've been in IT for a long time in various service-sector companies. Thanks for taking the time to attend this session. I am Senthil. I head the mCOE at T-Mobile. My responsibilities include strategic and technological guidance for mobile app solutions, including both internal and partner apps. I support around 20 apps that are in the T-Mobile portfolio.
  • #4 T-Mobile started a wireless revolution, the Un-carrier movement, by understanding customer pain points. We are part of some of these Un-carrier moves that have redefined wireless. We made moves that were never heard of in our industry to meet customer needs. We got rid of long-term contracts as part of Simple Choice, eliminated roaming charges as part of Simple Global, introduced unlimited data plans, taxes and fees included, as part of T-Mobile One, etc. As a result of all the Un-carrier moves, we had 100% growth in the company in the last five years. We have added more than 1 million customers for 21 quarters in a row. Growth is a natural evolution for us, as our network has expanded. In 2012, none of our customers had 4G LTE. Today, we cover 323 million people. T-Mobile delivers outstanding customer service, and has received the highest score of any company, ever, in the 2018 J.D. Power U.S. Wireless Customer Care study.
  • #5 In order to adapt to this evolution, T-Mobile started a digital transformation in our Technology organization to make things faster, better and cheaper. The mission is to increase velocity, quality and throughput while reducing risk and eliminating pain points for both our customers and ourselves. One key thing to call out is our investment in FTEs to ensure the inherent knowledge and IP stay within the team to continue our journey. Another critical change to help drive our success has been merging product and technology teams to empower teams to build and own end to end, from design to operations. As we embark on the journey to be a world-class technology leader, we started to share our best practices and learnings through open source projects. We have several projects that are open sourced, and these projects are used across different countries in the world. The topic that we discuss today was also part of the digital transformation and the sharing of our learnings. I will have Komes take us through the next few slides to set the foundation for the topic.
  • #6 Traditional service/API security is trust based. Just like once you've got a ticket in a movie complex, you are good to go to any movie you want. Most places don't have a check at the movie gate or any checking on seat placement. We follow a similar approach in the traditional security model, where the web application server takes care of incoming request session validation. If it's good, the web server is allowed to make requests to the back-end services. Pretty much, it can make a call to any server. Drawback: servers need to validate with the web application service about session validity and state. In a modern SPA, it's not a scalable solution. A centralized system for session management is another alternative.
  • #7 Microservices architecture became popular because of Netflix's and Amazon's success. Microservices promote independent development and deployment. Scalability and reusability are key benefits. Having centralized session management would add more complexity in the microservices world, and we want to make sure every cross-domain communication has AuthN and AuthZ validation. For instance, for air travel, after booking your ticket you get a boarding pass, check in, go through the TSA check and then board. Sometimes, if you're lucky, you get selected randomly.
  • #8 JWT is used to securely transfer information between two parties. Optionally, validation can be included to make sure of the legitimacy of the content. A driving license is an example. OAuth 2: user authorization delegation protocol.
  • #13 Thanks, Komes. Komes has set the foundation for TAAP. In the next few slides, I will walk us through the journey of the T-Mobile app from opaque tokens to TAAP. I will be covering an overview of the T-Mobile app, the challenges of using opaque tokens and the benefits of transitioning to TAAP.
  • #14 How many of you have worked on mobile apps? The T-Mobile app is a mobile application that is available on both Android and iOS. It's preloaded on all Android devices that T-Mobile sells, and there are more than 75M downloads of the app. The T-Mobile app is key to the self-service channel and serves as the first touchpoint to T-Mobile for our customers. Our customers can message, shop, pay their bill and call us from the app. The app also collects analytics data that is used to improve the app experience. The key takeaway for the slide is that there are 2 core functions: self-serve and analytics collection. I will be referring to these 2 functions throughout the slides and mapping them to the 2 versions of the application. V1, launched in 2015, uses opaque tokens, and V2, launched in 2018, is based on TAAP.
  • #15 Komes discussed how hybrid cloud is used in the enterprise. Here is an example of how it's used by the T-Mobile app. T-Mobile app data is stored across different infrastructure, from on-prem to cloud. All login and credential-related information is stored on-prem. Data that can be used across customers is stored in the public cloud, e.g., device info, device images, plan information etc. Restricted data like customer bill, usage and account info is all stored in the private cloud on PCF. The experience services specific to the app that orchestrate data from different sources are also in the AWS cloud. So to recap: a mobile app that has self-serve and analytics, two versions of the app, 3 different infrastructures.
  • #16 V1 of the T-Mobile app was based on opaque tokens to get self-serve data, and device identifiers were used to submit analytics data. The user submits the credentials and, once successfully validated, the response includes an opaque token and a device identifier. These are short strings of hexadecimal characters that mean nothing to the receiving application. It needs to send the opaque token back to the IDP to check its validity. If it's valid, then it continues with the application business logic to retrieve data. When it requires data from a different cloud or on-prem, it passes the opaque token in the request. The receiving app does the same to validate the token with the IDP. If you recall, Komes mentioned earlier that traditional API security is based on session IDs, and opaque tokens are based on session IDs, valid for a duration.
  • #17 There are 2 key challenges with opaque tokens. The receiving application is always dependent on a centralized system, in this case the IDP, to complete its operation. There are multiple calls for a given session across different domains, and this impacts the user experience. The second challenge is that when opaque tokens are valid they are blindly trusted. When OTs are stolen they can be replayed until their validity ends, to access any APIs that just depend on OT validation.
  • #18 The V2 of the T-Mobile app, launched early this year, used TAAP. The user submits the credentials and, once successfully validated, the response includes a user ID token and a device ID token. These are JWTs that hold the identity of the user and the device in the respective tokens. When requests are made to get app data, the user ID token and POP are included for message integrity. The UIT is validated by the microservice itself and there is no dependency on the IDP. The applications that want to validate ID tokens fetch the IDP public key using JWK. When it requires data from a different cloud or on-prem, it passes the UIT in the request and the receiving app follows the same process to self-validate.
  • #19 There are 3 tokens used in V2 of the app, derived based on the TAAP flow. Device ID token: includes the identity of the device, like hardware ID and phone number. When diagnostic information is to be submitted, the Device ID token is used. User ID token: generated based on successful authentication of the credentials, and it includes basic profile information. This information can be used at the microservice to determine subsequent calls. POP: the POP token is used along with ID tokens for message integrity.