authorization and authentication in microservice environments

Authorization and Authentication in Microservice Environments

Bernd Schönbach

Overview

2Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

• Introduction

• What’s the problem anyway?

• And how exactly do JSON Web Tokens help here?

• What are JSON Web Tokens?

• Some examples

• Mind the gap

• JWS vs. JWE

Introduction

LeanIX helps companies to manage and optimize their IT Architecture


Current IT Architecture Create Transparency Optimize IT Architecture

• Missing information (e.g. interfaces, technologies)

• Hard to introduce new products & sales channels

• High costs and risks

• Import existing data into LeanIX (via Excel or API)

• Invite experts to share their knowledge

• Use best-practice reports to identify issues

• Define target architecture and roadmaps

LeanIX is a web-based platformto capture and share knowledge about IT


Fact Sheets & Tagging

Context-based Search

API, Import & Export

Comments & Threads

IT Inventory Collaboration Platform Interactive Reporting

Activity Stream & Notifications

Subscriptions

Print & Export (PDF)

Best Practice Reports

Interactive Adaption

What’s the problem anyway?

And how do JWT exactly help here?

Typical Auth Flow


UI

Auth Service

Microservice 2

Microservice 1

Microservice 3

LoginReturn OAuth Token

Check Oauth Validity

Send Requests with Token

AuthService

And now with JWT


UI

Auth Service

Microservice 2

Microservice 1

Microservice 3

Login

Return JWT

Check Token Validity

Send Requests with Token

What are JSON Web Tokens?

What are JSON Web Tokens (JWT)?


RFC 7519: “JSON Web Token (JWT) is a compact, URL-‐safe means of representing claims to be transferred between two parties.”

What are JSON Web Tokens (JWT)?


What are JSON Web TokenS (JWT)?


Two Types

JSON Web Signature JSON Web Encryption

JSON Web Signature (RFC 7515)


Three Parts

1. Header

2. Payload (Claims)

3. Signature

JWS - Header


{

"alg": "HS256",

"typ": "JWT“

}

{

"alg": "HS256",

"typ": "JWT“

}

Recommended Values:

• HS256• RS256• ES256

Special Case:

• none

JWS - Payload


- Main Information Part- Contains Information like

- Issuer (iss)- Expiration time (exp)- Subject (sub)- Features- Permissions- …

{ "iss": "auth-service-1","name": "John Doe","admin": true,"exp": 1487325600

}

Use as few information as possible to keep the Token small!

JWS - Signature


HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret

)

• Verifies origin and content of JWS Token

• Signature contains Header and Payload

JWS Example


eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Header: { "alg": "HS256", "typ": "JWT"}

Payload: {

"sub": "1234567890","name": "John Doe","admin": true

}

Signature: HMACSHA256(

base64UrlEncode(header) + "." + base64UrlEncode(payload),

secret)

JSON Web Encryption (RFC 7516)


Five Parts (JWE)

1. Protected Header2. Encrypted Key3. Initialization Vector4. Cipher text5. Authentication Tag

JWE Protected Header


• Basically the same as JWS with some minor tweaks• Two additional Keys:• enc -> encryption algorithm• zip -> compression algorithm

• “alg” now describes the algorithm for encrypting CEK• ”none” is no longer allowed

{ "alg": "RSA-OAEP","enc": "A256GCM“,"typ": "JWT“

}

JWE Protected Header


• Algorithm used should be an AEAD algorithm

• Authenticated Encryption with Associated Data

• “AEAD algorithms accept two inputs, the plaintext and the Additional Authenticated Data (AAD) value, and produce two outputs, the cipher text and the Authentication Tag value.”

• AAD can be base64encoded JWE Protected Header

JWE Encrypted Key


• Encrypted Content Encryption Key (CEK)

• CEK = Symmetric Key used to encrypt plaintext

• CEK is used to produce cipher text and Authentication Tag

JWE Initialization Vector


• A random numeric value used to “salt” encrypted value

• Ensures for same content, encrypted value differs

• May be left empy if enc Algorithm does not use IV

JWE Ciphertext


• Basically the same as Payload in JWS

• Is encrypted with enc algorithm

• Is encrypted using initialization vector

• But must not be JSON can be plaintext

JWE Authentication Tag


• Is also a result of enc algorithm

• Ensures integrity of cipher text

• Ensures integrity Additional Authenticated Data

JWE


Again all parts are base64 Encoded and concatenated with dots:

BASE64URL(UTF8(JWE Protected Header)) .

BASE64URL(JWE Encrypted Key) .

BASE64URL(JWE Initialization Vector) .

BASE64URL(JWE Ciphertext) .

BASE64URL(JWE Authentication Tag)

Some examples

31

JWS creation in Java


public String createJwt(User loggedInUser) {JwtBuilder builder = Jwts.builder().setSubject(loggedInUser.getUsername()).claim(„payload“, loggedInUser.getPayload()).setId(loggedInUser.getId()).setExpiration(calculateExpirationTime());

return builder.signWith(SignatureAlgorithm.RS256, privateKey

).compact();

}

JWS checking in Java


Claims claims = Jwts.parser().setSigningKey(publicKey).parseClaimsJws(accesTokenString).getBody();

Important Side Note:- Ensure checking always uses the correct algorithm- “none” alg header must not lead to unchecked token if signed is

expected!

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

JWS Usage in Java with Dropwizard


@Overridepublic Optional<User> authenticate(String accessToken) {if (accessToken == null)return Optional.absent();

OAuth2Token token = this.parser.parse(accessToken);return Optional.fromNullable((User) token.getPrincipal());

}

Adapt Authenticator Class:

Use @Auth Annotation:

public Response getX(@Auth @ApiParam(access="internal") User user

){[…]

}

JWS example


Live Presentation

JWS libraries


Libraries exist for nearly every programming language:

• .NET• Pyhton• Node.js• Java• JavaScript• Perl• Ruby• Elixir• Go

• Haskell• Rust• Lua• Scala• D• Clojure• Objective C• Swift• C

• Kdb+/Q• Delphi• PHP• Crystal• …

Mind the gap

Mind the gap


Don’ts:• Never ever send passwords in JWT

• And also no hashes..• You cannot control where the JWT goes• Don’t verify token validity with Auth-Service

Dos:• Always verify token (checksum)• Add as few as possible but at least enough to avoid calls

to other services

Back to JWS vs JWE

vs

JSON Web Encryption (JWE)


• Everything is unreadable to the user

• You potentially can use classified information

• Only one key needed which can be distributed easily

Pros

Cons

• Need to distribute secret to all services

• Attack vector increases

JSON Web Encryption (JWE)


Auth Service

Microservice 2

Microservice 1

Microservice 3

Private Key

JSON Web Signature (JWS)


• Everything is readable to the user

• Only the public key needs to be distributed

• Only the Auth-Service needs high protection

• If private key is compromised exchange here and distribute pub key

Pros

Cons

• Everything is readable to the user

Auth Service

JSON Web Signature (JWS)


Auth Service

Microservice 2

Microservice 1

Microservice 3

Private Key

Public Key

Conclusion

Conclusion

Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

• Allows to keep loose coupling of Microservices

• Secure transfer of Authorization and Authentication claims

• Further domains can be found in Single Sign On Contexts

• Easy to implement due to library availability

Thanks(and yes we are hiring)

https://www.leanix.net/en/jobs

Sources


• https://tools.ietf.org/html/rfc7519 RFC for JWT

• https://tools.ietf.org/html/rfc7518 RFC for JWA (used in JWS and JWE)• https://jwt.io/• https://www.leanix.net/

• Devil Smiley CC BY 4.0 https://www.creativetail.com

• Further Articles on JWT:• https://blog.codecentric.de/2016/11/json-web-token-jwt-im-detail/• https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3

authorization and authentication in microservice environments

Technology