Posted on 19-Feb-2017

Authorization and Authentication in Microservice Environments

Bernd  Schönbach

Overview

Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

• Introduction

• What’s the problem anyway?

• And how exactly do JSON Web Tokens help here?

• What are JSON Web Tokens?

• Some examples

• Mind the gap

• JWS vs. JWE

Introduction

LeanIX helps companies to manage and optimize their IT Architecture


Current IT Architecture:

• Missing information (e.g. interfaces, technologies)

• Hard to introduce new products & sales channels

• High costs and risks

Create Transparency:

• Import existing data into LeanIX (via Excel or API)

• Invite experts to share their knowledge

Optimize IT Architecture:

• Use best-practice reports to identify issues

• Define target architecture and roadmaps

LeanIX is a web-based platform to capture and share knowledge about IT

IT Inventory:

• Fact Sheets & Tagging

• Context-based Search

• API, Import & Export

Collaboration Platform:

• Comments & Threads

• Activity Stream & Notifications

• Subscriptions

Interactive Reporting:

• Print & Export (PDF)

• Best Practice Reports

• Interactive Adaption

What’s the problem anyway?


And how exactly do JWTs help here?

Typical Auth Flow

Participants: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3

1. UI -> Auth Service: Login

2. Auth Service -> UI: Return OAuth Token

3. UI -> Microservices: Send Requests with Token

4. Microservice -> Auth Service: Check OAuth Validity

And now with JWT

Participants: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3

1. UI -> Auth Service: Login

2. Auth Service -> UI: Return JWT

3. UI -> Microservices: Send Requests with Token

4. Each Microservice: Check Token Validity itself (no call back to the Auth Service)

What are JSON Web Tokens (JWT)?

RFC 7519: “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”

Two Types

JSON Web Signature (JWS) and JSON Web Encryption (JWE)

JSON Web Signature (RFC 7515)


Three  Parts

1. Header

2. Payload  (Claims)

3. Signature

JWS - Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Recommended Values:

• HS256

• RS256

• ES256

Special Case:

• none

JWS - Payload

• Main information part

• Contains information like:

  • Issuer (iss)

  • Expiration time (exp)

  • Subject (sub)

  • Features

  • Permissions

  • …

{
  "iss": "auth-service-1",
  "name": "John Doe",
  "admin": true,
  "exp": 1487325600
}

Use as little information as possible to keep the token small!

JWS - Signature

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

• Verifies origin and content of the JWS token

• The signature covers header and payload, so neither can be altered unnoticed

JWS Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Header: { "alg": "HS256", "typ": "JWT" }

Payload: {
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

JSON Web Encryption (RFC 7516)

Five Parts (JWE)

1. Protected Header

2. Encrypted Key

3. Initialization Vector

4. Cipher text

5. Authentication Tag

JWE Protected Header

• Basically the same as JWS with some minor tweaks

• Two additional keys:

  • enc -> encryption algorithm

  • zip -> compression algorithm

• “alg” now describes the algorithm for encrypting the CEK

• “none” is no longer allowed

{
  "alg": "RSA-OAEP",
  "enc": "A256GCM",
  "typ": "JWT"
}

JWE Protected Header

• The algorithm used should be an AEAD algorithm

• Authenticated Encryption with Associated Data

• “AEAD algorithms accept two inputs, the plaintext and the Additional Authenticated Data (AAD) value, and produce two outputs, the cipher text and the Authentication Tag value.”

• The AAD is the base64url-encoded JWE Protected Header

JWE Encrypted Key


• Encrypted Content Encryption Key (CEK)

• CEK = Symmetric Key used to encrypt plaintext

• CEK is used to produce cipher text and Authentication Tag

JWE Initialization Vector

• A random value used to “salt” the encrypted value

• Ensures that the encrypted value differs even for identical content

• May be left empty if the enc algorithm does not use an IV

JWE Ciphertext

• Basically the same as the payload in JWS

• Is encrypted with the enc algorithm

• Is encrypted using the initialization vector

• But it need not be JSON; it can be any plaintext

JWE Authentication Tag

• Is also a result of the enc algorithm

• Ensures integrity of the cipher text

• Ensures integrity of the Additional Authenticated Data

JWE

Again, all parts are base64url-encoded and concatenated with dots:

BASE64URL(UTF8(JWE Protected Header)) .

BASE64URL(JWE Encrypted Key) .

BASE64URL(JWE Initialization Vector) .

BASE64URL(JWE Ciphertext) .

BASE64URL(JWE Authentication Tag)

Some examples


JWS creation in Java

public String createJwt(User loggedInUser) {
    JwtBuilder builder = Jwts.builder()
        .setSubject(loggedInUser.getUsername())
        .claim("payload", loggedInUser.getPayload())
        .setId(loggedInUser.getId())
        .setExpiration(calculateExpirationTime());

    return builder.signWith(SignatureAlgorithm.RS256, privateKey).compact();
}

JWS checking in Java

Claims claims = Jwts.parser()
    .setSigningKey(publicKey)
    .parseClaimsJws(accessTokenString)
    .getBody();

Important side note:

- Ensure checking always uses the correct (expected) algorithm

- A “none” alg header must not lead to an unchecked token if a signed token is expected!

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
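The HMAC construction from the "JWS - Signature" slide and the checking rule from this slide, as an added stand-alone Python example (this is not code from the deck, which uses Java's jjwt library). The secret and the token it signs are constructed here; the secret behind the deck's own example token is not on the page, so that token is only decoded, not verified. The helper names (create_jws, verify_jws, token_status, with_alg_none) are assumptions of this example:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7515 requires for every JWS part
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # re-add the padding that b64url_encode stripped, then decode
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jws(claims: dict, secret: bytes) -> str:
    """HS256 JWS: base64url(header) . base64url(payload) . base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Header and claims WITHOUT any check; only for inspection, never for authorization."""
    head, body, _signature = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def verify_jws(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify an HS256 JWS locally and return its claims; raises ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # The verifier pins the algorithm it expects. The token's own "alg" is only
    # compared against that expectation, never used to choose the check, so a
    # token claiming "alg": "none" is rejected before any signature is looked at.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # constant-time comparison of the recomputed HMAC with the transmitted one
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(body_b64))
    current = int(time.time()) if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def token_status(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """'ok' when verify_jws accepts the token, otherwise the reason it was rejected."""
    try:
        verify_jws(token, secret, now)
        return "ok"
    except ValueError as err:
        return str(err)


def with_alg_none(token: str) -> str:
    """The same payload re-labelled "alg": "none" with the signature dropped, i.e. the
    input a vulnerable verifier would accept; used only to show that verify_jws rejects it."""
    _head, body, _signature = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + body + "."


# Constructed sample: the claims from the deck's "JWS - Payload" slide, signed with a
# made-up secret (the secret behind the deck's own example token is not on the page).
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_CLAIMS = {"iss": "auth-service-1", "name": "John Doe", "admin": True, "exp": 1487325600}
SAMPLE_TOKEN = create_jws(SAMPLE_CLAIMS, SAMPLE_SECRET)

# The deck's example token ("JWS Example" slide): header and payload decode without any key.
DECK_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)

if __name__ == "__main__":
    print(decode_unverified(DECK_TOKEN))
    print(token_status(SAMPLE_TOKEN, SAMPLE_SECRET, now=1487325000))  # ok
    print(token_status(SAMPLE_TOKEN, SAMPLE_SECRET, now=1487325600))  # token expired
    print(token_status(with_alg_none(SAMPLE_TOKEN), SAMPLE_SECRET))   # unexpected alg 'none'
```

The point of verify_jws is the order of its checks: the expected algorithm is a property of the verifier, the signature is recompared in constant time over exactly the header and payload bytes that were transmitted, and only then are the claims and their expiry read. Every microservice can run this locally with the shared secret (or, for RS256 as in the deck's Java code, the public key), which is what makes the call back to the Auth Service unnecessary.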

JWS Usage in Java with Dropwizard

Adapt Authenticator Class:

@Override
public Optional<User> authenticate(String accessToken) {
    if (accessToken == null)
        return Optional.absent();

    OAuth2Token token = this.parser.parse(accessToken);
    return Optional.fromNullable((User) token.getPrincipal());
}

Use @Auth Annotation:

public Response getX(@Auth @ApiParam(access="internal") User user) {
    […]
}

JWS example


Live Presentation

JWS libraries

Libraries exist for nearly every programming language:

• .NET, Python, Node.js, Java, JavaScript, Perl, Ruby, Elixir, Go

• Haskell, Rust, Lua, Scala, D, Clojure, Objective C, Swift, C

• Kdb+/Q, Delphi, PHP, Crystal, …

Mind the gap


Don’ts:

• Never ever send passwords in a JWT

• And no password hashes either

• You cannot control where the JWT goes

• Don’t verify token validity with the Auth-Service

Dos:

• Always verify the token (signature check)

• Add as few claims as possible, but at least enough to avoid calls to other services

Back to JWS vs. JWE

JSON Web Encryption (JWE)

Pros:

• Everything is unreadable to the user

• You can potentially use classified information

• Only one key needed, which can be distributed easily

Cons:

• Need to distribute the secret to all services

• Attack surface increases

[Diagram: Auth Service and Microservice 1, 2, 3 each hold the same Private Key]

JSON Web Signature (JWS)

Pros:

• Everything is readable to the user

• Only the public key needs to be distributed

• Only the Auth-Service needs high protection

• If the private key is compromised, replace it at the Auth Service and distribute the new public key

Cons:

• Everything is readable to the user

[Diagram: the Auth Service holds the Private Key; Microservice 1, 2, 3 hold only the Public Key]

Conclusion


• Allows microservices to stay loosely coupled

• Secure transfer of authorization and authentication claims

• Further application domains: Single Sign-On contexts

• Easy to implement thanks to library availability

Thanks (and yes, we are hiring)

https://www.leanix.net/en/jobs

Sources

• https://tools.ietf.org/html/rfc7519 – RFC for JWT

• https://tools.ietf.org/html/rfc7518 – RFC for JWA (used in JWS and JWE)

• https://jwt.io/

• https://www.leanix.net/

• Devil Smiley CC BY 4.0 https://www.creativetail.com

• Further articles on JWT:

  • https://blog.codecentric.de/2016/11/json-web-token-jwt-im-detail/

  • https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3
