In this talk we show how our 85+ Zalando engineering teams are using OAuth 2.0 to secure their growing fleet of microservices running with Docker on AWS. We describe how and why we built our open source “Plan B” OAuth components from scratch to provide a resilient, highly available infrastructure with no single point of failure.
We built Plan B as a distributed OAuth provider and validation endpoint by using proven technologies such as Cassandra and JSON Web Tokens (JWT). We show how token revocations are possible without any central token storage and how we avoid network latency on token validation.
Plan B: Service to Service Authentication with OAuth
1. Service to Service Authentication with OAuth
Zalando Tech Meetup Dortmund, 2016-05-12
Background: Mike Mozart / CC BY 2.0
2. 15 countries
3 fulfillment centers
18 million active customers
3 billion € revenue 2015
135+ million visits per month
10.000+ employees in Europe
ZALANDO
16. ● One Service User per Application
● Resource Owner Password Credentials Grant Type
● Automatic credential distribution and rotation
OAUTH FOR SERVICE TO SERVICE
18. OAUTH CREDENTIAL DISTRIBUTION VIA S3 BUCKETS
(diagram: app created via the AWS Web UI; passwords stored in S3 and rotated; alice gets her password from S3 and an access token from the Authz Server / OAuth Provider)
19. ● Alice reads OAuth credentials from S3
● Alice gets access token from Auth. Server
● Alice calls Bob with Bearer token
● Bob validates token against Auth. Server
OAUTH SERVICE TO SERVICE FLOW
20. ● Install some OAuth Provider
● Set up credential distribution
● PROFIT!!!
EASY ENOUGH
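Added example (not from the talk or the Plan B project): the slide 18-20 flow replayed offline in Python. A dict stands in for the S3 bucket, an in-process class for the Authz Server, and the object names client.json/user.json, the token endpoint shape and the 8 h token lifetime are this demo's assumptions. Bob still validates every token against the Authz Server's central token storage, which is exactly the setup the following slides question.

```python
"""Slides 18-20 replayed offline: credentials distributed through an S3
bucket, a password-grant token request, and validation against the
Authz Server. Constructed demo: a dict stands in for the bucket and an
in-process class for the Authz Server; object names are this demo's own.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode

TOKEN_LIFETIME = 8 * 3600   # seconds; matches the 8 h lifetime on the production slide
S3_BUCKET = {}              # "S3": object key -> JSON body


class AuthzServer:
    """OAuth provider supporting only the Resource Owner Password Credentials grant."""

    def __init__(self):
        self.clients = {}        # client_id -> client_secret
        self.service_users = {}  # username -> password (one service user per application)
        self.tokens = {}         # access_token -> info: the central token storage of slide 22

    def create_app(self, app_id):
        """'create app' in the Web UI: register client + service user, write both to S3."""
        client_id, client_secret = app_id + "-client", secrets.token_urlsafe(24)
        username, password = app_id + "-user", secrets.token_urlsafe(24)
        self.clients[client_id] = client_secret
        self.service_users[username] = password
        S3_BUCKET[app_id + "/client.json"] = json.dumps(
            {"client_id": client_id, "client_secret": client_secret})
        S3_BUCKET[app_id + "/user.json"] = json.dumps(
            {"application_username": username, "application_password": password})

    def rotate_password(self, app_id):
        """Automatic rotation: the new password lands in the provider and in S3 together."""
        username = app_id + "-user"
        new_password = secrets.token_urlsafe(24)
        self.service_users[username] = new_password
        S3_BUCKET[app_id + "/user.json"] = json.dumps(
            {"application_username": username, "application_password": new_password})

    def token_endpoint(self, authorization, form_body, now):
        """Token endpoint: HTTP Basic client auth + grant_type=password form (RFC 6749, 4.3)."""
        scheme, _, encoded = authorization.partition(" ")
        try:
            client_id, _, client_secret = base64.b64decode(encoded).decode().partition(":")
        except ValueError:
            return {"error": "invalid_client"}
        known_secret = self.clients.get(client_id)
        if scheme != "Basic" or known_secret is None or not secrets.compare_digest(
                known_secret.encode(), client_secret.encode()):
            return {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(form_body).items()}
        if form.get("grant_type") != "password":
            return {"error": "unsupported_grant_type"}
        stored = self.service_users.get(form.get("username", ""))
        if stored is None or not secrets.compare_digest(
                stored.encode(), form.get("password", "").encode()):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)   # opaque token: only the storage knows it
        self.tokens[token] = {"uid": form["username"], "scope": form.get("scope", "").split(),
                              "exp": now + TOKEN_LIFETIME}
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}

    def token_info(self, token, now):
        """Bob's validation call: a lookup in central storage, one network hop per request."""
        info = self.tokens.get(token)
        if info is None or info["exp"] <= now:
            return None
        return info


def read_credentials(app_id):
    """Alice reads client.json and user.json from the bucket."""
    return (json.loads(S3_BUCKET[app_id + "/client.json"]),
            json.loads(S3_BUCKET[app_id + "/user.json"]))


def request_token(authz, client, user, scope, now):
    """Build and send the password-grant request from a client/user credential pair."""
    basic = base64.b64encode(
        (client["client_id"] + ":" + client["client_secret"]).encode()).decode()
    body = urlencode({"grant_type": "password", "username": user["application_username"],
                      "password": user["application_password"], "scope": scope})
    return authz.token_endpoint("Basic " + basic, body, now)


def alice_gets_token(app_id, authz, scope, now):
    """Credentials are re-read from S3 on every request, so a rotation in
    between is picked up without a restart."""
    client, user = read_credentials(app_id)
    return request_token(authz, client, user, scope, now)


def bob_handles_request(authz, authorization_header, now):
    """Bob extracts the Bearer token and validates it against the Authz Server."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, None
    info = authz.token_info(token, now)
    return (200, info) if info else (401, None)
```

Calling create_app, then alice_gets_token and bob_handles_request, walks the four bullets of slide 19; calling rotate_password in between shows why the credentials are read from the bucket per request rather than cached at start-up.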
21.
22. ● Network Latency?
● Token Storage?
● Availability?
WHAT ABOUT
(diagram: alice, bob, Authz Server / OAuth Provider with Token Storage; arrows: create token, validate)
23. ● Robustness & resilience
● Low latency for token validation
● Horizontal scalability
PLAN B: GOALS
24. ● JWT access token
● No write operation
● Cassandra
PLAN B: APPROACH
(diagram: alice, bob, Provider with credential storage, Token Info; arrows: create token, validate)
28. ● JWT libs exist for every major language
● De-facto standard: HTTP call to Token Info
● New OAuth RFC defines Token Introspection Endpoint
JWT: HOW TO VALIDATE?
36. ● Robustness & resilience
⇒ Cassandra, no SPOF
● Low latency for token validation
⇒ Token Info next to application
● Horizontal scalability
⇒ Cassandra, “stateless” Token Info
PLAN B: GOALS?
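Added example (not from the talk or Plan B code) for slides 24, 28 and 36: a provider that signs a JWT and writes nothing, and a Token Info that validates next to the application without calling the provider. HMAC-SHA256 with a shared key is used so that it runs on the standard library alone (a real Token Info would verify the provider's public key instead), and the revocation list with per-token and per-claim entries synced to every Token Info is an assumed mechanism for the "revocation without central token storage" claim in the abstract.

```python
"""Slides 24, 28 and 36 replayed offline: the provider signs a JWT and stores
nothing; a Token Info next to the application validates it locally.
Constructed demo, not Plan B code: HMAC-SHA256 with a shared key keeps it
stdlib-only, and the two revocation list types are this demo's assumption.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-key-not-for-production"   # constructed
JWT_LIFETIME = 8 * 3600                          # 8 h, as on the production slide


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_hash(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class Provider:
    """Token endpoint: mints a signed JWT; no write operation, nothing to replicate."""

    def __init__(self, key, lifetime=JWT_LIFETIME):
        self.key, self.lifetime = key, lifetime

    def issue(self, uid, scopes, now=None):
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key-1"}
        claims = {"iss": "demo-provider", "sub": uid, "scope": scopes,
                  "iat": now, "exp": now + self.lifetime}
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                         + b64url(json.dumps(claims, separators=(",", ":")).encode()))
        signature = hmac.new(self.key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url(signature)


class TokenInfo:
    """Validation endpoint deployed next to each application: needs only the
    verification key and a synced revocation list, so no request leaves the host."""

    def __init__(self, key):
        self.key = key
        self.revoked_tokens = set()   # sha256 of individually revoked tokens
        self.revoked_claims = {}      # (claim, value) -> tokens issued before this time are invalid

    def revoke_token(self, token):
        self.revoked_tokens.add(token_hash(token))

    def revoke_claim(self, claim, value, issued_before):
        """E.g. revoke_claim("sub", "alice", now) kills all of alice's tokens issued so far."""
        self.revoked_claims[(claim, value)] = issued_before

    def validate(self, token, now=None):
        """Token info (uid, scope, expires_in) for a valid token, else None."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return None
        try:
            header = json.loads(b64url_decode(parts[0]))
            claims = json.loads(b64url_decode(parts[1]))
            signature = b64url_decode(parts[2])
        except ValueError:          # bad base64, bad UTF-8 or bad JSON
            return None
        # Pin the algorithm; the token header must never pick it (e.g. "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(self.key, (parts[0] + "." + parts[1]).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) \
                or not isinstance(claims.get("iat"), int) or claims["exp"] <= now:
            return None
        if token_hash(token) in self.revoked_tokens:
            return None
        for (claim, value), issued_before in self.revoked_claims.items():
            if claims.get(claim) == value and claims["iat"] < issued_before:
                return None
        return {"uid": claims.get("sub"), "scope": claims.get("scope", []),
                "expires_in": claims["exp"] - now}


if __name__ == "__main__":
    provider, info = Provider(SIGNING_KEY), TokenInfo(SIGNING_KEY)
    token = provider.issue("alice-svc", ["uid", "orders.read"])
    print(info.validate(token))
    start = time.perf_counter()
    for _ in range(1000):
        info.validate(token)
    # 1000 validations in s == per-validation cost in ms
    print("%.3f ms per local validation" % (time.perf_counter() - start))
```

Run directly, the script prints one token info result and a rough per-validation cost for the signature check plus claim and revocation checks, all done in-process; the only shared state a Token Info needs is the key and the revocation list, which is what lets it be stateless, replicated next to every application and free of any single point of failure.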
37. ● >1300 active service users (last 5 days)
● 8 h JWT lifetime
● 40 rps on Token Endpoint (Provider)
● 1500 rps on Token Info (caching!)
● 0.5 ms JWT validation (99%)
● 11 ms Token Info latency (99%)
PLAN B IN PRODUCTION
38.
39. Created for Service2Service, but also supports:
● Authorization Code Grant Type
● Implicit Grant Type
● User Consent
PLAN B PROVIDER
40. ● 3rd party Mobile App
● OAuth Implicit Flow
PLAN B FOR CUSTOMERS