Date posted: 16-Apr-2017
Category: Technology
Uploaded by: erick-belluci-tedeschi
Who?
• PHP Developer since 2003
• Application Security since 2007
• Biker
• Maker
• Helps developers deliver secure applications
• Helps businesses keep client data secure
Agenda
• Microservice Architecture V1
• About Tokens
• OAuth 2.0
• OpenID Connect
• Authorization Code Flow Example
• Microservice Architecture NG!!!
Microservice Architecture V1
Diagram (reconstructed from the slide labels): the End-User calls the public Bank API on the API Gateway (GET /my, POST /transferto/{dst_account}, GET /receipts). An OAuth Server* (/token, /authorize) sits beside the gateway. The gateway calls the internal microservices Account (GET /my/{user_id}), Transfer (POST /transferto/{src_account}/{dst_account}) and Receipt (GET /receipts/{user_id}); the gateway-to-service hops are labelled "Basic auth", "Basic auth" and "No auth". The end user is identified downstream only by the {user_id} and {src_account} path parameters the gateway fills in.
• Poor logging (audit trail)
• Poor identification of the end user on the microservices (an X-User-Logged header)
• Authorization centralized on the API Gateway: the services trust whatever {user_id} or {src_account} the gateway puts in the path
• Microservices are little more than CRUD APIs
• Microservices either keep their own "micro user repositories" or have no authentication/authorization at all
• The API Gateway has more responsibility than necessary
Now, let’s take a look at the: Token
• A piece of stamped metal used as a substitute for money; a voucher that can be exchanged for goods or services (https://en.wiktionary.org/wiki/token)
• Token by reference
  • An opaque, randomly generated string; whoever receives it has to ask the issuer (introspection) what it stands for
  • Ex.: 2YotnFZFEjr1zCsicMWpAA
• Token by value
  • A JWT that carries signed claims about the context of the token; the receiver can validate it locally
  • Ex.:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
JWT – JSON Web Token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
JWT Header (first segment, base64url): {"typ": "JWT", "alg": "HS256"}
JWT Payload (second segment, base64url): {"iss": "https://my.service.com", "iat": 1435179603, "exp": 1435181421, "aud": "www.service.com", "sub": "johndoe@gmail.com", "Role": ["approver", "viewer"]}
JWT Signature (third segment): HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), shared secret)
The header and payload are only encoded, not encrypted: anyone holding the token can read the claims. What stops them from changing the claims is the signature, which only a holder of the shared secret can recompute.
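The following is an added worked example, written for this page and not taken from the slides: it decodes the slide's JWT with the Python standard library and shows what a resource server has to do before trusting a token by value. DEMO_SECRET and the claims minted in the example are constructed; the secret behind the slide's token is unknown, so that token is only decoded, never verified. The verifier pins the algorithm instead of reading it from the header.

```python
"""Token by value: decode, mint and verify an HS256 JWT with only the standard library.

Added example, not from the original slides. DEMO_SECRET and the claims
minted below are constructed; SLIDE_JWT is the token shown on the slide
(its signing secret is unknown, so it is decoded but cannot be verified).
"""
import base64
import hashlib
import hmac
import json
import time

SLIDE_JWT = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
             "eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ."
             "91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU")

DEMO_SECRET = b"constructed-demo-secret-change-me"   # constructed for the demo, not a real key


def _b64url_decode(segment: str) -> bytes:
    """JWS uses base64url without '=' padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Return (header, payload) WITHOUT checking the signature.
    Fine for inspection and debugging, never for an authorization decision."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """header.payload.signature with signature = HMAC-SHA256(base64url(header) + '.' + base64url(payload), secret)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(_b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                             for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims if the token is valid for this resource server, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side. Honouring header['alg'] is what makes
    # 'alg: none' and HMAC/RSA key-confusion attacks work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    aud = claims.get("aud")                      # RFC 7519 allows a string or an array
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this audience")
    return claims


if __name__ == "__main__":
    header, payload = decode_unverified(SLIDE_JWT)
    print("slide token header:", header)
    print("slide token payload:", payload)
    token = mint_hs256({"iss": "https://as.example", "sub": "alice", "aud": "https://rs.example",
                        "iat": 1500000000, "exp": 1500003600}, DEMO_SECRET)
    print("verified claims:", verify_hs256(token, DEMO_SECRET, "https://rs.example", now=1500000100))
```

decode_unverified is for debugging only; the authorization decision goes through verify_hs256, which treats the header as attacker-controlled input (alg pinned to HS256), compares the HMAC in constant time, and checks exp and aud so that a token minted for another service is rejected even though its signature is genuine.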
The OAuth 2.0 Authorization Framework
OAuth 2.0 enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner... (RFC 6749, Abstract)
OAuth 2.0 – Protocol or Framework?
• RFC 5849: The OAuth 1.0 Protocol (https://tools.ietf.org/html/rfc5849) … a protocol: contract, pact, deal
• RFC 6749: The OAuth 2.0 Authorization Framework (https://tools.ietf.org/html/rfc6749) … a framework: structure, skeleton, chassis
What does an access_token look like? (by value - JWT)
// JWT payload
{
  "sub": "alice",                          // user id
  "cid": "000123",                         // client id
  "iss": "https://as.domain.com",          // who issued it
  "aud": "https://rs.domain.com",          // which resource server it is for
  "exp": 1460345736,                       // expiration time
  "scp": ["openid", "email", "profile"]    // scopes
}
Only sub, iss, aud and exp are claim names registered by RFC 7519; cid and scp are private claim names chosen by this authorization server, so the resource servers must agree on them.
What does an id_token look like? (by value - JWT)
{
  "iss": "InstIdentRicardoGumbletonDaunt",   // who issued it
  "sub": "4.444.444",                         // user identification
  "aud": ["cops", "bank"],                    // where it is accepted
  "nonce": "n-0S6_WzA2Mj",                    // echoes the value the client sent, binding the token to its request
  "exp": 1311281970,                          // expiration (the slide's analogy: an ID card valid for 10 years)
  "iat": 1311280970,
  "auth_time": 1311280969,
  "amr": ["sign", "fingerprint"]              // authentication methods references (a JSON array of strings in OpenID Connect Core)
}
A complete Authorization Server
• /authorize
• /token
• /introspection (check an access_token; RFC 7662)
• /token_info (get more information about the identity)
• /revocation
Actors in the diagrams that follow: Resource Owner, Authorization Server, Resource Server, Client.

Authorization request (the client sends the resource owner's browser to the authorization server):
GET /authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Authorization response (after authentication and consent the authorization server redirects the browser to the client's registered redirect_uri):
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
The client must check that state equals the value it sent before it uses the code; that is what ties the callback to the session that started the flow.
Token request (the client authenticates with its client_id and client_secret over HTTP Basic and exchanges the code; a code is single-use and bound to the client and redirect_uri it was issued for):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Token response (Cache-Control: no-store and Pragma: no-cache keep the tokens out of intermediary caches; the id_token is a JWT whose header says RS256, and its signature here is a placeholder):
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzE.xptoxptoxpto"
}
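The exchange above, as an added runnable simulation that is not part of the original slides: an in-process authorization server and client play both sides of the Authorization Code flow. The client registration reuses the RFC 6749 example values that appear on the slides (client_id s6BhdRkqt3, secret gX1fBat3bV, redirect https://client.example.com/cb); codes, tokens, state values, the endpoint URL and the user alice are constructed, and Python dicts stand in for the HTTP messages.

```python
"""Authorization Code flow (RFC 6749 section 4.1) with both sides in one process.

Added example, not code from the original slides. The client registration
(client_id s6BhdRkqt3 / secret gX1fBat3bV / redirect https://client.example.com/cb)
follows the RFC 6749 examples used on the slides; codes, tokens, state values,
the endpoint URL and the user "alice" are constructed. Dicts stand in for HTTP messages.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"   # constructed


class AuthorizationServer:
    def __init__(self):
        # client_id -> (client_secret, registered redirect_uri)
        self.clients = {"s6BhdRkqt3": ("gX1fBat3bV", "https://client.example.com/cb")}
        self.codes = {}    # code -> (client_id, redirect_uri, scope, subject)
        self.tokens = {}   # access_token -> what the token stands for

    def authorize(self, query: dict, logged_in_user: str) -> str:
        """GET /authorize, after the resource owner authenticated and consented.
        Returns the Location header that sends the browser back to the client."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("response_type") != "code":
            raise ValueError("invalid authorization request")
        _secret, registered_uri = client
        # Exact string match against the registered URI; a prefix match lets an
        # attacker collect codes through an open redirect on the client's domain.
        if query.get("redirect_uri") != registered_uri:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (query["client_id"], registered_uri, query.get("scope", ""), logged_in_user)
        return registered_uri + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, headers: dict, form: dict) -> dict:
        """POST /token: authenticate the client with HTTP Basic, redeem the code once."""
        scheme, _, b64 = headers.get("Authorization", "").partition(" ")
        try:
            client_id, _, client_secret = base64.b64decode(b64).decode("utf-8").partition(":")
        except Exception:
            return {"error": "invalid_client"}
        registered = self.clients.get(client_id)
        if scheme != "Basic" or registered is None or registered[0] != client_secret:
            return {"error": "invalid_client"}
        record = self.codes.pop(form.get("code", ""), None)   # pop: a code is single use
        if record is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        code_client, code_uri, scope, subject = record
        # The code is bound to the client it was issued to and to the redirect_uri used
        if code_client != client_id or form.get("redirect_uri") != code_uri:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = {"sub": subject, "client_id": client_id, "scope": scope}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


class Client:
    def __init__(self, client_id: str, client_secret: str, redirect_uri: str):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_states = set()   # would live in the user's session in a real application

    def build_authorize_url(self, scope: str) -> str:
        state = secrets.token_urlsafe(16)   # binds the callback to this session (CSRF protection)
        self.pending_states.add(state)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": scope,
            "state": state, "redirect_uri": self.redirect_uri})

    def handle_callback(self, location: str) -> dict:
        """Parse the redirect, check state, and build the /token form body."""
        qs = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
        if qs.get("state") not in self.pending_states:
            raise ValueError("unknown state: callback was not started by this session")
        self.pending_states.discard(qs["state"])
        return {"grant_type": "authorization_code", "code": qs["code"], "redirect_uri": self.redirect_uri}

    def token_request_headers(self) -> dict:
        cred = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode("utf-8")).decode("ascii")
        return {"Authorization": "Basic " + cred, "Content-Type": "application/x-www-form-urlencoded"}


def run_flow(auth_server: AuthorizationServer, client: Client, user: str = "alice"):
    """Drive the three legs of the flow; returns (token request form, token response)."""
    url = client.build_authorize_url("openid profile email")
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    location = auth_server.authorize(query, logged_in_user=user)   # the browser follows this redirect
    form = client.handle_callback(location)
    return form, auth_server.token(client.token_request_headers(), form)


if __name__ == "__main__":
    auth_server = AuthorizationServer()
    client = Client("s6BhdRkqt3", "gX1fBat3bV", "https://client.example.com/cb")
    form, response = run_flow(auth_server, client)
    print(response)
    print("replayed code:", auth_server.token(client.token_request_headers(), form))
```

Running it shows the three checks the slides leave implicit: the client refuses a callback carrying a state it did not issue, the server matches redirect_uri exactly against the registration, and a code is redeemable once and only by the client it was issued to (the replay in __main__ gets invalid_grant).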
Introspection request (OAuth 2.0 Token Introspection, https://tools.ietf.org/search/rfc7662): the resource server, authenticating as a registered client, asks the authorization server what the token it received stands for:
POST /introspect HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

token=2YotnFZFEjr1zCsicMWpAA
Introspection response (OAuth 2.0 Token Introspection, https://tools.ietf.org/search/rfc7662):
HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "openid profile email",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}
The resource server must check "active", and should also check that "aud" names itself, that "exp" is still in the future and that "scope" covers the requested operation. For an unknown, revoked or expired token the server answers only {"active": false}, so a caller learns nothing about tokens it does not hold legitimately.
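As an added example (not code from the slides), here is the "OAuth Filter" of the following architecture in Python: a resource server validates a bearer token through an introspection call before the request reaches the handler. MockAuthorizationServer stands in for the POST /introspect endpoint; its token table reuses the values of the introspection response above plus two constructed tokens (one issued for another audience, one already expired). RESOURCE_ID, cache_ttl and every token string other than 2YotnFZFEjr1zCsicMWpAA are constructed.

```python
"""An 'OAuth filter' in front of a microservice: validate the bearer token via
RFC 7662 token introspection before the request reaches the handler.

Added example, not code from the original slides. MockAuthorizationServer
stands in for POST /introspect; its token table reuses the values of the
slide's introspection response plus two constructed tokens (one for another
audience, one expired). RESOURCE_ID is this service's constructed identifier.
"""
import time

RESOURCE_ID = "https://protected.example.net/resource"


class AccessDenied(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status   # 401 for an unusable token, 403 for a missing scope (RFC 6750)


class MockAuthorizationServer:
    """Only the part a resource server talks to: the introspection endpoint."""

    def __init__(self):
        self.calls = 0
        common = {"iss": "https://server.example.com/", "client_id": "l238j323ds-23ij4",
                  "username": "jdoe", "sub": "Z5O3upPC88QrAjx00dis", "iat": 1419350238, "exp": 1419356238}
        self.tokens = {
            "2YotnFZFEjr1zCsicMWpAA": dict(common, scope="openid profile email", aud=RESOURCE_ID),
            "tokenForAnotherService": dict(common, scope="openid profile", aud="https://other.example.net/"),
            "expiredToken": dict(common, scope="openid profile email", aud=RESOURCE_ID, exp=1419350000),
        }

    def introspect(self, form: dict, now: int) -> dict:
        """POST /introspect (client-authenticated in real life). Unknown, revoked and
        expired tokens all get the same minimal answer so callers learn nothing."""
        self.calls += 1
        rec = self.tokens.get(form.get("token", ""))
        if rec is None or rec["exp"] <= now:
            return {"active": False}
        return dict(rec, active=True)


class OAuthFilter:
    def __init__(self, introspect, resource_id: str, cache_ttl: int = 60):
        self._introspect = introspect
        self.resource_id = resource_id
        self.cache_ttl = cache_ttl
        self._cache = {}   # token -> (cache expiry, introspection result)

    def authorize_request(self, headers: dict, required_scope: str, now=None) -> dict:
        """Return the introspection claims if the request may proceed, else raise AccessDenied."""
        now = int(time.time()) if now is None else now
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            raise AccessDenied(401, "missing bearer token")
        claims = self._lookup(token, now)
        if not claims.get("active"):
            raise AccessDenied(401, "invalid_token")
        aud = claims.get("aud")
        if self.resource_id not in (aud if isinstance(aud, list) else [aud]):
            raise AccessDenied(401, "invalid_token: not issued for this resource")
        if required_scope not in claims.get("scope", "").split():
            raise AccessDenied(403, "insufficient_scope")
        return claims

    def _lookup(self, token: str, now: int) -> dict:
        cached = self._cache.get(token)
        if cached and cached[0] > now:
            return cached[1]
        result = self._introspect({"token": token}, now)
        if result.get("active"):
            # Cache only positive answers, never past the token's own exp, so a
            # revocation takes effect within cache_ttl seconds at worst.
            ttl = min(self.cache_ttl, result.get("exp", now) - now)
            if ttl > 0:
                self._cache[token] = (now + ttl, result)
        return result


if __name__ == "__main__":
    auth_server = MockAuthorizationServer()
    filt = OAuthFilter(auth_server.introspect, RESOURCE_ID)
    hdrs = {"Authorization": "Bearer 2YotnFZFEjr1zCsicMWpAA"}
    print(filt.authorize_request(hdrs, "profile", now=1419350300)["username"])
```

Introspection per request costs a round trip to the authorization server, so the filter caches positive answers for at most cache_ttl seconds and never beyond the token's exp; that bounds how long a revoked token stays usable, which is the trade-off against the "offline" JWT validation of the next architecture. Errors map to the RFC 6750 codes: 401 invalid_token when the token is unusable for this resource, 403 insufficient_scope when it is valid but lacks the scope the operation needs.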
Nice
Microservice Architecture NG!!!
Diagram (reconstructed from the slide labels): the Resource Owner calls the public Bank API on the API Gateway (GET /my, POST /transferto/{dst_account}, GET /receipts) with the bearer token obtained from the Authorization Server (/token, /authorize, /introspect, /revoke, /token_info). The gateway has an OAuth Filter, and so does every microservice behind it: Account (GET /my, GET /pvt/{account}), Transfer (POST /transferto/{dst_account}) and Receipt (GET /receipts). Each filter validates the token itself, either online ("Introspection/validation" against the Authorization Server) or by "offline introspection/validation", checking a JWT's signature locally. The {user_id} and {src_account} path parameters of V1 are gone from the internal APIs: the caller's identity now comes from the token.
• Audit trail improved
• Microservices can make decisions based on the end-user identity
• Fine-grained authorization across the services
• The whole environment has a central user identity repository (OAuth 2.0 + OpenID Connect server)
• The API Gateway is clean/slim
Don’t start from scratch
• Open source:
  • Connect2ID http://connect2id.com/
  • Keycloak http://www.keycloak.org/
  • MitreID Connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
  • WSO2 Identity Server http://wso2.com/products/identity-server/
References and Links
• OAuth 2.0: https://tools.ietf.org/html/rfc6749
• OAuth 2.0 Bearer Token Usage: https://tools.ietf.org/html/rfc6750
• OpenID Connect Core: http://openid.net/specs/openid-connect-core-1_0.html
• OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
• JOSE (JSON Object Signing and Encryption):
  • JSON Web Signature (JWS): https://tools.ietf.org/html/rfc7515
  • JSON Web Encryption (JWE): https://tools.ietf.org/html/rfc7516
  • JSON Web Key (JWK): https://tools.ietf.org/html/rfc7517
  • JSON Web Algorithms (JWA): https://tools.ietf.org/html/rfc7518
  • JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519
• Validating JWT access tokens with Nimbus JOSE+JWT: http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens
Thanks
https://www.linkedin.com/in/ericktedeschi
https://twitter.com/ericktedeschi
http://www.slideshare.net/[email protected]