SlideShare a Scribd company logo
Stateless authentication for 
microservices 
Álvaro Sánchez-Mariscal 
Web Architect - 
@alvaro_sanchez
@alvaro_sanchez 
About me 
● Passionate Software Developer. 
● Worked at IBM BCS, BEA Systems and Sun 
Microsystems. 
● Founded Salenda and Escuela de Groovy. 
● Working now at as a Web Architect. 
● Living between Madrid and Gibraltar.
@alvaro_sanchez 
About 
● HTML5 games platform. 
● We provide game developers a Javascript SDK. 
● Server side logic and maths are handled by our 
industry certified game engines. 
● Seamless integration with several casinos. 
● Check out play.odobo.com and play for free!
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
Authentication in monolithic apps 
● Historically, authentication has always been a 
stateful service. 
● When moving to Single-Page Applications, 
and/or having mobile clients, it becomes an 
issue. 
● If you are build a REST and stateless API, your 
authentication should be that way too. 
@alvaro_sanchez
Microservices by http://martinfowler.com/articles/microservices. 
@alvaro_sanchez 
html
Microservices by http://martinfowler.com/articles/microservices. 
@alvaro_sanchez 
html
Monolithic vs Microservices 
Monolithic 
Microservices 
@alvaro_sanchez
Authentication and microservices 
● Authentication: to verify the identity of the 
user given the credentials received. 
● Authorization: to determine if the user should 
be granted access to a particular resource. 
● In a microservices context: 
○ Authentication can be a microservice itself. 
○ Authorization is a common functionality in all of them. 
@alvaro_sanchez
Authentication and microservices 
Authentication 
Service 
@alvaro_sanchez 
Javascript front-end 
UI 
Mobile app 
Shopping cart 
Service 
Catalog 
Service 
Orders Service 
Shipping 
Service 
User 
repository 
Catalog DB 
Invoicing 
DB 
Shipping 
partners 
Web 
Backend 
Mobile 
Backend
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
Introducing OAuth 2.0 
An open protocol to allow secure authorization 
in a simple and standard method from web, 
mobile and desktop applications. 
@alvaro_sanchez
OAuth 2.0: roles 
Resource Owner: the person or the application 
that holds the data to be shared. 
Resource Server: the application that holds the 
protected resources. 
Authorization Server: the application that 
verifies the identity of the users. 
Client: the application that makes requests to 
the RS on behalf of the RO. 
@alvaro_sanchez
OAuth 2.0: roles 
Resource Owner: the person or the application 
that holds the data to be shared. 
Resource Server: the application that holds the 
protected resources. 
Authorization Server: the application that 
verifies the identity of the users. 
Client: the application that makes requests to 
the RS on behalf of the RO. 
@alvaro_sanchez
OAuth 2.0: roles 
Resource Owner: the person or the application 
that holds the data to be shared. 
Resource Server: the application that holds the 
protected resources. 
Authorization Server: the application that 
verifies the identity of the users. 
Client: the application that makes requests to 
the RS on behalf of the RO. 
@alvaro_sanchez
OAuth 2.0: roles 
Resource Owner: the person or the application 
that holds the data to be shared. 
Resource Server: the application that holds the 
protected resources. 
Authorization Server: the application that 
verifies the identity of the users. 
Client: the application that makes requests to 
the RS on behalf of the RO. 
@alvaro_sanchez
OAuth 2.0: protocol flow 
I want to see a list of games 
@alvaro_sanchez
OAuth 2.0: protocol flow 
Hey, backend, could you please give me a list of 
games? 
@alvaro_sanchez
OAuth 2.0: protocol flow 
Sorry mate, this is a protected resource. You will 
need to present me an access token 
@alvaro_sanchez
OAuth 2.0: protocol flow 
Hi Google, can I get an access token please? 
Backend is asking 
@alvaro_sanchez
OAuth 2.0: protocol flow 
Sure thing sir. I just need to ask a few details to 
@alvaro_sanchez 
the user first
OAuth 2.0: protocol flow 
Hi, could you please provide me your 
credentials? I need to verify your identity 
@alvaro_sanchez
OAuth 2.0: protocol flow 
That’s no problem at all. I am bob@gmail.com and 
my password is secret. 
@alvaro_sanchez
OAuth 2.0: protocol flow 
The user is who claims to be. Here is your access 
token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa 
@alvaro_sanchez
OAuth 2.0: protocol flow 
Hi Backend, this is my token: 
qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa 
@alvaro_sanchez
OAuth 2.0: protocol flow 
Hi, I’ve been given qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa. 
Could you please tell me who it belongs to? 
@alvaro_sanchez
OAuth 2.0: protocol flow 
Of course. That token is still valid and it belongs to 
@alvaro_sanchez 
bob@gmail.com.
OAuth 2.0: protocol flow 
Everything is allright. This is the list of games. 
@alvaro_sanchez 
Enjoy!
OAuth 2.0: protocol flow 
Here you are the list of games.Thank you for your 
business and have a good day! 
@alvaro_sanchez
OAuth 2.0: protocol flow 
OAuth 2.0 is a delegation protocol, as 
this guy has no idea about the 
credentials of this guy 
@alvaro_sanchez
OAuth 2.0: grant types 
● Authorization code: for web server 
applications. 
● Implicit: for JS front-ends and mobile apps. 
● Resource Owner Password Credentials: for 
trusted clients. 
● Client credentials: for service authentication. 
@alvaro_sanchez
Authorization code grant 
● For server-based applications, where the 
client ID and secret are securely stored. 
● It’s a redirect flow, so it’s for web server apps. 
● The client (web server app) redirects the user 
to the authorization server to get a code. 
● Then, using the code and its client credentials 
asks for an access token. 
@alvaro_sanchez
Authorization code grant 
http://myServerApp.com 
@alvaro_sanchez
Authorization code grant 
https://facebook.com/dialog/oauth 
?response_type=code 
&client_id=YOUR_CLIENT_ID 
&redirect_uri= 
http://myServerApp.com/oauth 
&scope=email,public_profile 
@alvaro_sanchez
Authorization code grant 
hhttttpp::////fmacyeSbeorvoekr.Acopmp.com 
@alvaro_sanchez
Authorization code grant 
hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com 
@alvaro_sanchez
Authorization code grant 
https://myServerApp.com/oauth?code=CODE 
Finishing authentication... 
@alvaro_sanchez
Authorization code grant 
Server-side POST request to: https://graph. 
facebook.com/oauth/access_token 
With this body: 
grant_type=authorization_code 
&code=CODE_FROM_QUERY_STRING 
&redirect_uri=http://myServerApp.com 
&client_id=YOUR_CLIENT_ID 
&client_secret=YOUR_CLIENT_SECRET 
@alvaro_sanchez
Authorization code grant 
Example response: 
{ 
"access_token": "RsT5OjbzRn430zqMLgV3Ia", 
"token_type": "Bearer", 
"expires_in": 3600, 
"refresh_token": "e1qoXg7Ik2RRua48lXIV" 
@alvaro_sanchez 
}
@alvaro_sanchez 
Implicit grant 
● For web applications running on the browser 
(eg: AngularJS, etc) or mobile apps. 
● Client credentials confidentiality cannot be 
guaranteed. 
● Similar to the code grant, but in this case, the 
client gets an access token directly.
@alvaro_sanchez 
Implicit grant 
http://myFrontendApp.com/#/home
@alvaro_sanchez 
Implicit grant 
https://facebook.com/dialog/oauth 
?response_type=token 
&client_id=YOUR_CLIENT_ID 
&redirect_uri= 
http://myFrontendApp.com/#/cb 
&scope=email,public_profile
@alvaro_sanchez 
Implicit grant 
hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com
@alvaro_sanchez 
Implicit grant 
https://myFrontendApp.com/#/cb?token=TOKEN 
Finishing authentication...
Password credentials grant 
● In this case, client collects username and 
password to get an access token directly. 
● Viable solution only for trusted clients: 
○ The official website consumer of your API. 
○ The official mobile app consuming your API. 
○ Etc. 
@alvaro_sanchez
Password credentials grant 
@alvaro_sanchez
Password credentials grant 
POST request to: https://api.example. 
org/oauth/access_token 
With this body: 
grant_type=password 
&username=USERNAME&password=PASSWORD 
&client_id=YOUR_CLIENT_ID 
&client_secret=YOUR_CLIENT_SECRET 
@alvaro_sanchez
Password credentials grant 
Example response: 
{ 
"access_token": "RsT5OjbzRn430zqMLgV3Ia", 
"token_type": "Bearer", 
"expires_in": 3600, 
"refresh_token": "e1qoXg7Ik2RRua48lXIV" 
@alvaro_sanchez 
}
Client credentials grant 
● Service-to-service authentication, without a 
particular user being involved. 
○ Eg: the Orders microservice making a request to the 
Invoicing microservice. 
● The application authenticates itself using its 
client ID and client secret. 
@alvaro_sanchez
Client credentials grant 
POST request to: https://api.example. 
org/oauth/access_token 
With this body: 
grant_type=client_credentials 
&client_id=YOUR_CLIENT_ID 
&client_secret=YOUR_CLIENT_SECRET 
@alvaro_sanchez
Client credentials grant 
Example response: 
{ 
"access_token": "RsT5OjbzRn430zqMLgV3Ia", 
"token_type": "Bearer", 
"expires_in": 3600, 
"refresh_token": "e1qoXg7Ik2RRua48lXIV" 
@alvaro_sanchez 
}
Accessing the protected resource 
Once the client has an access token, it can 
request a protected resource: 
GET /games HTTP/1.1 
Host: api.example.org 
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia 
@alvaro_sanchez
Token expiration and refresh 
● If the Authorization Server issues expiring 
tokens, they can be paired with refresh 
tokens. 
● When the access token has expired, the 
refresh token can be used to get a new access 
token. 
@alvaro_sanchez
Tips for a front-end application 
● Use the implicit grant. 
○ Already supported for 3rd party providers like Google, 
@alvaro_sanchez 
Facebook. 
○ If you hold your own users, have your backend to 
implement the OAuth 2.0 Authorization Server role. 
● Use HTML5’s localStorage for access and 
refresh tokens.
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
Stateful vs. Stateless 
● Authorization Servers are often stateful 
services. 
○ They store issued access tokens in databases for future 
@alvaro_sanchez 
checking. 
● How can we achieve statelessness? 
○ Issuing JWT tokens as access tokens.
Introducing JWT 
JSON Web Token is a compact URL-safe means of 
representing claims to be transferred between 
two parties. The claims are encoded as a JSON 
object that is digitally signed by hashing it using 
a shared secret between the parties. 
@alvaro_sanchez
Introducing JWT... in Plain English 
A secure way to encapsulate arbitrary data that 
can be sent over unsecure URL’s. 
@alvaro_sanchez
When can JWT be useful? 
● When generating “one click” action emails. 
○ Eg: “delete this comment”, “add this to favorites”. 
● To achieve Single Sign-On. 
○ Sharing the JWT between different applications. 
● Whenever you need to securely send a payload. 
○ Eg: to “obscure” URL parameters or POST bodies. 
@alvaro_sanchez
How does a JWT look like? 
Header Claims 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. 
eyJleHAiOjE0MTY0NzE5MzQsInVzZXJfbmFtZSI6InV 
zZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYX 
V0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfV 
VNFUiJdLCJqdGkiOiI5YmM5MmE0NC0wYjFhLTRjNWUt 
YmU3MC1kYTUyMDc1YjlhODQiLCJjbGllbnRfaWQiOiJ 
teS1jbGllbnQtd2l0aC1zZWNyZXQifQ. 
AZCTD_fiCcnrQR5X7rJBQ5rO-2Qedc5_3qJJf-ZCvVY 
@alvaro_sanchez 
Signature
@alvaro_sanchez 
JWT Header 
{ 
"alg": "HS256", 
"typ": "JWT" 
}
@alvaro_sanchez 
JWT Claims 
{ 
"exp": 1416471934, 
"user_name": "user", 
"scope": [ 
"read", 
"write" 
], 
"authorities": [ 
"ROLE_ADMIN", 
"ROLE_USER" 
], 
"jti": "9bc92a44-0b1a-4c5e-be70-da52075b9a84", 
"client_id": "my-client-with-secret" 
}
@alvaro_sanchez 
Signature 
HMACSHA256( 
base64(header) + "." + base64(payload), 
"secret" 
)
Sample access token response 
@alvaro_sanchez 
{ 
"access_token": "eyJhbGciOiJIUzI1NiJ9. 
eyJleHAiOjE0MTY0NzEwNTUsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZS 
I6WyJyZWFkIiwid3JpdGUiXSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1J 
TiIsIlJPTEVfVVNFUiJdLCJqdGkiOiIzZGJjODE4Yi0wMjAyLTRiYzItYT 
djZi1mMmZlNjY4MjAyMmEiLCJjbGllbnRfaWQiOiJteS1jbGllbnQtd2l0 
aC1zZWNyZXQifQ. 
Wao_6hLnOeMHS4HEel1UGWt1g86ad9N0qCexr1IL7IM", 
"token_type": "bearer", 
"expires_in": 43199, 
"scope": "read write", 
"jti": "3dbc818b-0202-4bc2-a7cf-f2fe6682022a" 
}
Achieving statelessness 
● Instead of storing the access token / principal 
relationship in a stateful way, do it on a JWT. 
● Access tokens with the JWT-encoded 
principal can be securely stored on the client’s 
browser. 
● That way you are achieving one of the basic 
principles of REST: State Transfer. 
@alvaro_sanchez
Tips for using JWT 
● JWT claims are just signed by default (JWS - 
JSON Web Signature). 
○ It prevents the content to be tampered. 
● Use encryption to make it bomb proof. 
○ Use any algorithm supported by JWE - JSON Web 
@alvaro_sanchez 
Encryption.
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. The Grails plugin. 
5. Q&A.
It all started here, one year ago 
@alvaro_sanchez
@alvaro_sanchez 
One year later 
● Spring Security REST plugin. 
○ 16 contributors. 
○ 34 pull requests. 
○ 59 stars on GitHub. 
○ 16 releases. 
○ http://bit.ly/spring-security-rest
Happy users == happy author 
@alvaro_sanchez
Current status 
● Latest release: 1.4.0. 
● Compatibility layer over Spring Security Core. 
○ Login and logout REST endpoints. 
○ Token validation filter. 
○ Memcached, GORM and Grails Cache token storages. 
○ Partial implicit grant support through 3rd party 
@alvaro_sanchez 
providers. 
○ Partial RFC 6750 Bearer Token support.
@alvaro_sanchez 
Roadmap 
● Upcoming release: 1.4.1. 
○ Complete RFC 6750 Bearer Token support. 
○ Due in few days. 
● Next release: 2.0. 
○ Complete RFC 6749 OAuth 2.0 support. 
○ ETA: Q1 2015.
@alvaro_sanchez 
Agenda 
1. Authentication in monolithic applications vs 
microservices. 
2. Introduction to OAuth 2.0. 
3. Achieving statelessness with JWT. 
4. Demo. 
5. Q&A.
@alvaro_sanchez 
Thanks! 
Álvaro Sánchez-Mariscal 
Web Architect - 
Images courtesy of 
@alvaro_sanchez

More Related Content

What's hot

Automating with Ansible
Automating with AnsibleAutomating with Ansible
Automating with Ansible
Ricardo Schmidt
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
High Availability PostgreSQL with Zalando Patroni
High Availability PostgreSQL with Zalando PatroniHigh Availability PostgreSQL with Zalando Patroni
High Availability PostgreSQL with Zalando Patroni
Zalando Technology
 
MySQL Slow Query log Monitoring using Beats & ELK
MySQL Slow Query log Monitoring using Beats & ELKMySQL Slow Query log Monitoring using Beats & ELK
MySQL Slow Query log Monitoring using Beats & ELK
YoungHeon (Roy) Kim
 
Linux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performanceLinux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performance
PostgreSQL-Consulting
 
Load Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINXLoad Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINX
NGINX, Inc.
 
NGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEA
NGINX, Inc.
 
Kubernetes & helm 활용
Kubernetes & helm 활용Kubernetes & helm 활용
Kubernetes & helm 활용
SK Telecom
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
John Lynch
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
NGINX, Inc.
 
Helm 3
Helm 3Helm 3
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeAcademy
 
Nginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptxNginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptx
wonyong hwang
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content Cache
Kevin Jones
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could do
sarahnovotny
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
Bas Meijer
 
Introduction to GitHub Actions
Introduction to GitHub ActionsIntroduction to GitHub Actions
Introduction to GitHub Actions
Bo-Yi Wu
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
Omid Vahdaty
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
Ji-Woong Choi
 
Ingress overview
Ingress overviewIngress overview
Ingress overview
Harshal Shah
 

What's hot (20)

Automating with Ansible
Automating with AnsibleAutomating with Ansible
Automating with Ansible
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
 
High Availability PostgreSQL with Zalando Patroni
High Availability PostgreSQL with Zalando PatroniHigh Availability PostgreSQL with Zalando Patroni
High Availability PostgreSQL with Zalando Patroni
 
MySQL Slow Query log Monitoring using Beats & ELK
MySQL Slow Query log Monitoring using Beats & ELKMySQL Slow Query log Monitoring using Beats & ELK
MySQL Slow Query log Monitoring using Beats & ELK
 
Linux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performanceLinux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performance
 
Load Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINXLoad Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINX
 
NGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEANGINX: Basics and Best Practices EMEA
NGINX: Basics and Best Practices EMEA
 
Kubernetes & helm 활용
Kubernetes & helm 활용Kubernetes & helm 활용
Kubernetes & helm 활용
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 
Helm 3
Helm 3Helm 3
Helm 3
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
 
Nginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptxNginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptx
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content Cache
 
5 things you didn't know nginx could do
5 things you didn't know nginx could do5 things you didn't know nginx could do
5 things you didn't know nginx could do
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
 
Introduction to GitHub Actions
Introduction to GitHub ActionsIntroduction to GitHub Actions
Introduction to GitHub Actions
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
 
Ingress overview
Ingress overviewIngress overview
Ingress overview
 

Similar to Stateless authentication for microservices

Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Stateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applicationsStateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applications
Alvaro Sanchez-Mariscal
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
Profesia Srl, Lynx Group
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Dilip Mohapatra
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
MOnCloud
 
UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2
Aaron Parecki
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
Adam Lewis
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
Calvin Noronha
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
Intuit Developer
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
Fernando Lopez Aguilar
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
Adam Lewis
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays
 

Similar to Stateless authentication for microservices (20)

Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Stateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applicationsStateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applications
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 

More from Alvaro Sanchez-Mariscal

Serverless functions with Micronaut
Serverless functions with MicronautServerless functions with Micronaut
Serverless functions with Micronaut
Alvaro Sanchez-Mariscal
 
Asynchronous and event-driven Grails applications
Asynchronous and event-driven Grails applicationsAsynchronous and event-driven Grails applications
Asynchronous and event-driven Grails applications
Alvaro Sanchez-Mariscal
 
6 things you need to know about GORM 6
6 things you need to know about GORM 66 things you need to know about GORM 6
6 things you need to know about GORM 6
Alvaro Sanchez-Mariscal
 
Reactive microservices with Micronaut - GR8Conf EU 2018
Reactive microservices with Micronaut - GR8Conf EU 2018Reactive microservices with Micronaut - GR8Conf EU 2018
Reactive microservices with Micronaut - GR8Conf EU 2018
Alvaro Sanchez-Mariscal
 
Reactive microservices with Micronaut - Greach 2018
Reactive microservices with Micronaut - Greach 2018Reactive microservices with Micronaut - Greach 2018
Reactive microservices with Micronaut - Greach 2018
Alvaro Sanchez-Mariscal
 
Practical Spring Cloud
Practical Spring CloudPractical Spring Cloud
Practical Spring Cloud
Alvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
Alvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - G3 Summit 2016
Mastering Grails 3 Plugins - G3 Summit 2016Mastering Grails 3 Plugins - G3 Summit 2016
Mastering Grails 3 Plugins - G3 Summit 2016
Alvaro Sanchez-Mariscal
 
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring SecurityDesarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
Alvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
Alvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - GR8Conf US 2016
Mastering Grails 3 Plugins - GR8Conf US 2016Mastering Grails 3 Plugins - GR8Conf US 2016
Mastering Grails 3 Plugins - GR8Conf US 2016
Alvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - GR8Conf EU 2016
Mastering Grails 3 Plugins - GR8Conf EU 2016Mastering Grails 3 Plugins - GR8Conf EU 2016
Mastering Grails 3 Plugins - GR8Conf EU 2016
Alvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
Alvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - Greach 2016
Mastering Grails 3 Plugins - Greach 2016Mastering Grails 3 Plugins - Greach 2016
Mastering Grails 3 Plugins - Greach 2016
Alvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security
Creating applications with Grails, Angular JS and Spring SecurityCreating applications with Grails, Angular JS and Spring Security
Creating applications with Grails, Angular JS and Spring Security
Alvaro Sanchez-Mariscal
 
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
Alvaro Sanchez-Mariscal
 
Efficient HTTP applications on the JVM with Ratpack - JDD 2015
Efficient HTTP applications on the JVM with Ratpack - JDD 2015Efficient HTTP applications on the JVM with Ratpack - JDD 2015
Efficient HTTP applications on the JVM with Ratpack - JDD 2015
Alvaro Sanchez-Mariscal
 
Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
Ratpack 101 - GeeCON 2015
Ratpack 101 - GeeCON 2015Ratpack 101 - GeeCON 2015
Ratpack 101 - GeeCON 2015
Alvaro Sanchez-Mariscal
 
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
Alvaro Sanchez-Mariscal
 

More from Alvaro Sanchez-Mariscal (20)

Serverless functions with Micronaut
Serverless functions with MicronautServerless functions with Micronaut
Serverless functions with Micronaut
 
Asynchronous and event-driven Grails applications
Asynchronous and event-driven Grails applicationsAsynchronous and event-driven Grails applications
Asynchronous and event-driven Grails applications
 
6 things you need to know about GORM 6
6 things you need to know about GORM 66 things you need to know about GORM 6
6 things you need to know about GORM 6
 
Reactive microservices with Micronaut - GR8Conf EU 2018
Reactive microservices with Micronaut - GR8Conf EU 2018Reactive microservices with Micronaut - GR8Conf EU 2018
Reactive microservices with Micronaut - GR8Conf EU 2018
 
Reactive microservices with Micronaut - Greach 2018
Reactive microservices with Micronaut - Greach 2018Reactive microservices with Micronaut - Greach 2018
Reactive microservices with Micronaut - Greach 2018
 
Practical Spring Cloud
Practical Spring CloudPractical Spring Cloud
Practical Spring Cloud
 
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
 
Mastering Grails 3 Plugins - G3 Summit 2016
Mastering Grails 3 Plugins - G3 Summit 2016Mastering Grails 3 Plugins - G3 Summit 2016
Mastering Grails 3 Plugins - G3 Summit 2016
 
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring SecurityDesarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
 
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
 
Mastering Grails 3 Plugins - GR8Conf US 2016
Mastering Grails 3 Plugins - GR8Conf US 2016Mastering Grails 3 Plugins - GR8Conf US 2016
Mastering Grails 3 Plugins - GR8Conf US 2016
 
Mastering Grails 3 Plugins - GR8Conf EU 2016
Mastering Grails 3 Plugins - GR8Conf EU 2016Mastering Grails 3 Plugins - GR8Conf EU 2016
Mastering Grails 3 Plugins - GR8Conf EU 2016
 
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
 
Mastering Grails 3 Plugins - Greach 2016
Mastering Grails 3 Plugins - Greach 2016Mastering Grails 3 Plugins - Greach 2016
Mastering Grails 3 Plugins - Greach 2016
 
Creating applications with Grails, Angular JS and Spring Security
Creating applications with Grails, Angular JS and Spring SecurityCreating applications with Grails, Angular JS and Spring Security
Creating applications with Grails, Angular JS and Spring Security
 
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
 
Efficient HTTP applications on the JVM with Ratpack - JDD 2015
Efficient HTTP applications on the JVM with Ratpack - JDD 2015Efficient HTTP applications on the JVM with Ratpack - JDD 2015
Efficient HTTP applications on the JVM with Ratpack - JDD 2015
 
Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015
 
Ratpack 101 - GeeCON 2015
Ratpack 101 - GeeCON 2015Ratpack 101 - GeeCON 2015
Ratpack 101 - GeeCON 2015
 
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
 

Recently uploaded

Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
safelyiotech
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio, Inc.
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
kgyxske
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Bert Jan Schrijver
 
What is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdfWhat is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdf
kalichargn70th171
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Vince Scalabrino
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
Alina Yurenko
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
Jhone kinadey
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
Luigi Fugaro
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
dakas1
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
kalichargn70th171
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
chandangoswami40933
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
sandeepmenon62
 
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA ComplianceSecure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
ICS
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
widenerjobeyrl638
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
vaishalijagtap12
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
kalichargn70th171
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
Softradix Technologies
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Peter Caitens
 

Recently uploaded (20)

Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 
What is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdfWhat is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdf
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
 
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA ComplianceSecure-by-Design Using Hardware and Software Protection for FDA Compliance
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 

Stateless authentication for microservices

  • 1. Stateless authentication for microservices Álvaro Sánchez-Mariscal Web Architect - @alvaro_sanchez
  • 2. @alvaro_sanchez About me ● Passionate Software Developer. ● Worked at IBM BCS, BEA Systems and Sun Microsystems. ● Founded Salenda and Escuela de Groovy. ● Working now at as a Web Architect. ● Living between Madrid and Gibraltar.
  • 3. @alvaro_sanchez About ● HTML5 games platform. ● We provide game developers a Javascript SDK. ● Server side logic and maths are handled by our industry certified game engines. ● Seamless integration with several casinos. ● Check out play.odobo.com and play for free!
  • 4. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 5. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 6. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 7. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 8. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 9. Authentication in monolithic apps ● Historically, authentication has always been a stateful service. ● When moving to Single-Page Applications, and/or having mobile clients, it becomes an issue. ● If you are build a REST and stateless API, your authentication should be that way too. @alvaro_sanchez
  • 12. Monolithic vs Microservices Monolithic Microservices @alvaro_sanchez
  • 13. Authentication and microservices ● Authentication: to verify the identity of the user given the credentials received. ● Authorization: to determine if the user should be granted access to a particular resource. ● In a microservices context: ○ Authentication can be a microservice itself. ○ Authorization is a common functionality in all of them. @alvaro_sanchez
  • 14. Authentication and microservices Authentication Service @alvaro_sanchez Javascript front-end UI Mobile app Shopping cart Service Catalog Service Orders Service Shipping Service User repository Catalog DB Invoicing DB Shipping partners Web Backend Mobile Backend
  • 15. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 16. Introducing OAuth 2.0 An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. @alvaro_sanchez
  • 17. OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 18. OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 19. OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 20. OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 21. OAuth 2.0: protocol flow I want to see a list of games @alvaro_sanchez
  • 22. OAuth 2.0: protocol flow Hey, backend, could you please give me a list of games? @alvaro_sanchez
  • 23. OAuth 2.0: protocol flow Sorry mate, this is a protected resource. You will need to present me an access token @alvaro_sanchez
  • 24. OAuth 2.0: protocol flow Hi Google, can I get an access token please? Backend is asking @alvaro_sanchez
  • 25. OAuth 2.0: protocol flow Sure thing sir. I just need to ask a few details to @alvaro_sanchez the user first
  • 26. OAuth 2.0: protocol flow Hi, could you please provide me your credentials? I need to verify your identity @alvaro_sanchez
  • 27. OAuth 2.0: protocol flow That’s no problem at all. I am bob@gmail.com and my password is secret. @alvaro_sanchez
  • 28. OAuth 2.0: protocol flow The user is who claims to be. Here is your access token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa @alvaro_sanchez
  • 29. OAuth 2.0: protocol flow Hi Backend, this is my token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa @alvaro_sanchez
  • 30. OAuth 2.0: protocol flow Hi, I’ve been given qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa. Could you please tell me who it belongs to? @alvaro_sanchez
  • 31. OAuth 2.0: protocol flow Of course. That token is still valid and it belongs to @alvaro_sanchez bob@gmail.com.
  • 32. OAuth 2.0: protocol flow Everything is allright. This is the list of games. @alvaro_sanchez Enjoy!
  • 33. OAuth 2.0: protocol flow Here you are the list of games.Thank you for your business and have a good day! @alvaro_sanchez
  • 34. OAuth 2.0: protocol flow OAuth 2.0 is a delegation protocol, as this guy has no idea about the credentials of this guy @alvaro_sanchez
  • 35. OAuth 2.0: grant types ● Authorization code: for web server applications. ● Implicit: for JS front-ends and mobile apps. ● Resource Owner Password Credentials: for trusted clients. ● Client credentials: for service authentication. @alvaro_sanchez
  • 36. Authorization code grant ● For server-based applications, where the client ID and secret are securely stored. ● It’s a redirect flow, so it’s for web server apps. ● The client (web server app) redirects the user to the authorization server to get a code. ● Then, using the code and its client credentials asks for an access token. @alvaro_sanchez
  • 37. Authorization code grant http://myServerApp.com @alvaro_sanchez
  • 38. Authorization code grant https://facebook.com/dialog/oauth ?response_type=code &client_id=YOUR_CLIENT_ID &redirect_uri= http://myServerApp.com/oauth &scope=email,public_profile @alvaro_sanchez
  • 39. Authorization code grant hhttttpp::////fmacyeSbeorvoekr.Acopmp.com @alvaro_sanchez
  • 40. Authorization code grant hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com @alvaro_sanchez
  • 41. Authorization code grant https://myServerApp.com/oauth?code=CODE Finishing authentication... @alvaro_sanchez
  • 42. Authorization code grant Server-side POST request to: https://graph. facebook.com/oauth/access_token With this body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=http://myServerApp.com &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
  • 43. Authorization code grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
  • 44. @alvaro_sanchez Implicit grant ● For web applications running on the browser (eg: AngularJS, etc) or mobile apps. ● Client credentials confidentiality cannot be guaranteed. ● Similar to the code grant, but in this case, the client gets an access token directly.
  • 45. @alvaro_sanchez Implicit grant http://myFrontendApp.com/#/home
  • 46. @alvaro_sanchez Implicit grant https://facebook.com/dialog/oauth ?response_type=token &client_id=YOUR_CLIENT_ID &redirect_uri= http://myFrontendApp.com/#/cb &scope=email,public_profile
  • 47. @alvaro_sanchez Implicit grant hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com
  • 48. @alvaro_sanchez Implicit grant https://myFrontendApp.com/#/cb?token=TOKEN Finishing authentication...
  • 49. Password credentials grant ● In this case, client collects username and password to get an access token directly. ● Viable solution only for trusted clients: ○ The official website consumer of your API. ○ The official mobile app consuming your API. ○ Etc. @alvaro_sanchez
  • 50. Password credentials grant @alvaro_sanchez
  • 51. Password credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=password &username=USERNAME&password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
  • 52. Password credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
  • 53. Client credentials grant ● Service-to-service authentication, without a particular user being involved. ○ Eg: the Orders microservice making a request to the Invoicing microservice. ● The application authenticates itself using its client ID and client secret. @alvaro_sanchez
  • 54. Client credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
  • 55. Client credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
  • 56. Accessing the protected resource Once the client has an access token, it can request a protected resource: GET /games HTTP/1.1 Host: api.example.org Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia @alvaro_sanchez
  • 57. Token expiration and refresh ● If the Authorization Server issues expiring tokens, they can be paired with refresh tokens. ● When the access token has expired, the refresh token can be used to get a new access token. @alvaro_sanchez
  • 58. Tips for a front-end application ● Use the implicit grant. ○ Already supported for 3rd party providers like Google, @alvaro_sanchez Facebook. ○ If you hold your own users, have your backend to implement the OAuth 2.0 Authorization Server role. ● Use HTML5’s localStorage for access and refresh tokens.
  • 59. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 60. Stateful vs. Stateless ● Authorization Servers are often stateful services. ○ They store issued access tokens in databases for future @alvaro_sanchez checking. ● How can we achieve statelessness? ○ Issuing JWT tokens as access tokens.
  • 61. Introducing JWT JSON Web Token is a compact URL-safe means of representing claims to be transferred between two parties. The claims are encoded as a JSON object that is digitally signed by hashing it using a shared secret between the parties. @alvaro_sanchez
  • 62. Introducing JWT... in Plain English A secure way to encapsulate arbitrary data that can be sent over unsecure URL’s. @alvaro_sanchez
  • 63. When can JWT be useful? ● When generating “one click” action emails. ○ Eg: “delete this comment”, “add this to favorites”. ● To achieve Single Sign-On. ○ Sharing the JWT between different applications. ● Whenever you need to securely send a payload. ○ Eg: to “obscure” URL parameters or POST bodies. @alvaro_sanchez
  • 64. How does a JWT look like? Header Claims eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJleHAiOjE0MTY0NzE5MzQsInVzZXJfbmFtZSI6InV zZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYX V0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfV VNFUiJdLCJqdGkiOiI5YmM5MmE0NC0wYjFhLTRjNWUt YmU3MC1kYTUyMDc1YjlhODQiLCJjbGllbnRfaWQiOiJ teS1jbGllbnQtd2l0aC1zZWNyZXQifQ. AZCTD_fiCcnrQR5X7rJBQ5rO-2Qedc5_3qJJf-ZCvVY @alvaro_sanchez Signature
  • 65. @alvaro_sanchez JWT Header { "alg": "HS256", "typ": "JWT" }
  • 66. @alvaro_sanchez JWT Claims { "exp": 1416471934, "user_name": "user", "scope": [ "read", "write" ], "authorities": [ "ROLE_ADMIN", "ROLE_USER" ], "jti": "9bc92a44-0b1a-4c5e-be70-da52075b9a84", "client_id": "my-client-with-secret" }
  • 67. @alvaro_sanchez Signature HMACSHA256( base64(header) + "." + base64(payload), "secret" )
  • 68. Sample access token response @alvaro_sanchez { "access_token": "eyJhbGciOiJIUzI1NiJ9. eyJleHAiOjE0MTY0NzEwNTUsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZS I6WyJyZWFkIiwid3JpdGUiXSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1J TiIsIlJPTEVfVVNFUiJdLCJqdGkiOiIzZGJjODE4Yi0wMjAyLTRiYzItYT djZi1mMmZlNjY4MjAyMmEiLCJjbGllbnRfaWQiOiJteS1jbGllbnQtd2l0 aC1zZWNyZXQifQ. Wao_6hLnOeMHS4HEel1UGWt1g86ad9N0qCexr1IL7IM", "token_type": "bearer", "expires_in": 43199, "scope": "read write", "jti": "3dbc818b-0202-4bc2-a7cf-f2fe6682022a" }
  • 69. Achieving statelessness ● Instead of storing the access token / principal relationship in a stateful way, do it on a JWT. ● Access tokens with the JWT-encoded principal can be securely stored on the client’s browser. ● That way you are achieving one of the basic principles of REST: State Transfer. @alvaro_sanchez
  • 70. Tips for using JWT ● JWT claims are just signed by default (JWS - JSON Web Signature). ○ It prevents the content to be tampered. ● Use encryption to make it bomb proof. ○ Use any algorithm supported by JWE - JSON Web @alvaro_sanchez Encryption.
  • 71. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 72. It all started here, one year ago @alvaro_sanchez
  • 73. @alvaro_sanchez One year later ● Spring Security REST plugin. ○ 16 contributors. ○ 34 pull requests. ○ 59 stars on GitHub. ○ 16 releases. ○ http://bit.ly/spring-security-rest
  • 74. Happy users == happy author @alvaro_sanchez
  • 75. Current status ● Latest release: 1.4.0. ● Compatibility layer over Spring Security Core. ○ Login and logout REST endpoints. ○ Token validation filter. ○ Memcached, GORM and Grails Cache token storages. ○ Partial implicit grant support through 3rd party @alvaro_sanchez providers. ○ Partial RFC 6750 Bearer Token support.
  • 76. @alvaro_sanchez Roadmap ● Upcoming release: 1.4.1. ○ Complete RFC 6750 Bearer Token support. ○ Due in few days. ● Next release: 2.0. ○ Complete RFC 6749 OAuth 2.0 support. ○ ETA: Q1 2015.
  • 77. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Demo. 5. Q&A.
  • 78. @alvaro_sanchez Thanks! Álvaro Sánchez-Mariscal Web Architect - Images courtesy of @alvaro_sanchez