Authorization and Authentication in Microservice Environments
Bernd Schönbach
Overview
Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Introduction
• What’s the problem anyway?
• And how exactly do JSON Web Tokens help here?
• What are JSON Web Tokens?
• Some examples
• Mind the gap
• JWS vs. JWE
Introduction
LeanIX helps companies to manage and optimize their IT Architecture
Current IT Architecture
• Missing information (e.g. interfaces, technologies)
• Hard to introduce new products & sales channels
• High costs and risks
Create Transparency
• Import existing data into LeanIX (via Excel or API)
• Invite experts to share their knowledge
Optimize IT Architecture
• Use best-practice reports to identify issues
• Define target architecture and roadmaps
LeanIX is a web-based platform to capture and share knowledge about IT
IT Inventory
• Fact Sheets & Tagging
• Context-based Search
• API, Import & Export
Collaboration Platform
• Comments & Threads
• Activity Stream & Notifications
• Subscriptions
Interactive Reporting
• Print & Export (PDF)
• Best Practice Reports
• Interactive Adaption
What’s the problem anyway?
And how exactly do JWTs help here?
Typical Auth Flow
Participants: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3
1. UI → Auth Service: Login
2. Auth Service → UI: Return OAuth token
3. UI → Microservices: Send requests with token
4. Each Microservice → Auth Service: Check OAuth validity
And now with JWT
Participants: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3
1. UI → Auth Service: Login
2. Auth Service → UI: Return JWT
3. UI → Microservices: Send requests with token
4. Each Microservice: Check token validity locally (no call back to the Auth Service)
What are JSON Web Tokens?
What are JSON Web Tokens (JWT)?
RFC 7519: "JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties."
Two Types
• JSON Web Signature
• JSON Web Encryption
JSON Web Signature (RFC 7515)
Three Parts
1. Header
2. Payload (Claims)
3. Signature
JWS - Header
{
    "alg": "HS256",
    "typ": "JWT"
}
Recommended Values:
• HS256
• RS256
• ES256
Special Case:
• none
JWS - Payload
• Main information part
• Contains information like
  • Issuer (iss)
  • Expiration time (exp)
  • Subject (sub)
  • Features
  • Permissions
  • …
{
    "iss": "auth-service-1",
    "name": "John Doe",
    "admin": true,
    "exp": 1487325600
}
Use as little information as possible to keep the token small!
JWS - Signature
HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload),
    secret
)
• Verifies origin and content of the JWS token
• The signature covers both header and payload
JWS Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Header:
{
    "alg": "HS256",
    "typ": "JWT"
}
Payload:
{
    "sub": "1234567890",
    "name": "John Doe",
    "admin": true
}
Signature:
HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload),
    secret
)
JSON Web Encryption (RFC 7516)
Five Parts (JWE)
1. Protected Header
2. Encrypted Key
3. Initialization Vector
4. Ciphertext
5. Authentication Tag
JWE Protected Header
• Basically the same as JWS with some minor tweaks
• Two additional keys:
  • enc -> content encryption algorithm
  • zip -> compression algorithm
• "alg" now describes the algorithm used to encrypt the CEK
• "none" is no longer allowed
{
    "alg": "RSA-OAEP",
    "enc": "A256GCM",
    "typ": "JWT"
}
JWE Protected Header
• The enc algorithm used should be an AEAD algorithm
• Authenticated Encryption with Associated Data
• "AEAD algorithms accept two inputs, the plaintext and the Additional Authenticated Data (AAD) value, and produce two outputs, the cipher text and the Authentication Tag value."
• The AAD can be the base64url-encoded JWE Protected Header
JWE Encrypted Key
• Encrypted Content Encryption Key (CEK)
• CEK = Symmetric Key used to encrypt plaintext
• CEK is used to produce cipher text and Authentication Tag
JWE Initialization Vector
• A random value used to "salt" the encrypted value
• Ensures that the encrypted value differs even for the same content
• May be left empty if the enc algorithm does not use an IV
JWE Ciphertext
• Basically the same as the Payload in JWS
• Is encrypted with the enc algorithm
• Is encrypted using the initialization vector
• But need not be JSON; it can be any plaintext
JWE Authentication Tag
• Is also an output of the enc algorithm
• Ensures integrity of the ciphertext
• Ensures integrity of the Additional Authenticated Data
JWE
Again, all parts are base64url-encoded and concatenated with dots:
BASE64URL(UTF8(JWE Protected Header)) .
BASE64URL(JWE Encrypted Key) .
BASE64URL(JWE Initialization Vector) .
BASE64URL(JWE Ciphertext) .
BASE64URL(JWE Authentication Tag)
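An added example (Python, standard library only; not code from the talk or from LeanIX) of the five-part compact serialization above: it splits a JWE, decodes the protected header, refuses "alg": "none" and a missing "enc" (the two header rules from the previous slides), checks the IV and tag lengths that RFC 7518 fixes for the AES-GCM enc algorithms, and returns the ASCII form of the encoded protected header as the AAD that the tag must cover. The RSA-OAEP key wrap and AES-GCM encryption themselves are not performed; sample_jwe() assembles placeholder bytes (constructed for this example, not real ciphertext) so the parser can be exercised offline.

```python
import base64
import json

JWE_SEGMENTS = ("protected", "encrypted_key", "iv", "ciphertext", "tag")

# IV and authentication tag sizes of the AES-GCM content encryption
# algorithms (RFC 7518 section 5.3): 96-bit IV, 128-bit tag
GCM_SIZES = {"A128GCM": (12, 16), "A192GCM": (12, 16), "A256GCM": (12, 16)}


def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, as used for every JWE segment
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # re-add the padding the encoder stripped
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def serialize_jwe(header: dict, encrypted_key: bytes, iv: bytes,
                  ciphertext: bytes, tag: bytes) -> str:
    """Join five already-produced parts into the compact serialization.
    Key wrapping and content encryption are outside this example."""
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([protected, b64url_encode(encrypted_key), b64url_encode(iv),
                     b64url_encode(ciphertext), b64url_encode(tag)])


def parse_jwe(token: str) -> dict:
    """Split a compact JWE and sanity-check the protected header before any
    key material is touched; raises ValueError on anything unexpected."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"JWE compact serialization has five parts, got {len(parts)}")
    segments = dict(zip(JWE_SEGMENTS, parts))
    header = json.loads(b64url_decode(segments["protected"]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    alg, enc = header.get("alg"), header.get("enc")
    if not alg or alg == "none":
        raise ValueError("JWE needs a key-management 'alg'; 'none' is not allowed")
    if not enc:
        raise ValueError("JWE protected header must carry 'enc'")
    decoded = {name: b64url_decode(segments[name]) for name in JWE_SEGMENTS[1:]}
    if enc in GCM_SIZES:
        iv_len, tag_len = GCM_SIZES[enc]
        if len(decoded["iv"]) != iv_len or len(decoded["tag"]) != tag_len:
            raise ValueError(f"{enc} expects a {iv_len}-byte IV and {tag_len}-byte tag")
    # The AAD handed to the AEAD step is the ASCII form of the *encoded*
    # protected header (RFC 7516 section 5.1), so any change to the header
    # invalidates the authentication tag.
    decoded["aad"] = segments["protected"].encode("ascii")
    decoded["header"] = header
    return decoded


def parse_reason(token: str) -> str:
    """'' when the token parses cleanly, otherwise the rejection reason."""
    try:
        parse_jwe(token)
    except ValueError as err:  # covers JSON and base64 decoding errors too
        return str(err)
    return ""


def sample_jwe() -> str:
    # Constructed placeholder parts (sizes of an RSA-2048-wrapped CEK and of
    # A256GCM output); the bytes are NOT real cryptographic output.
    header = {"alg": "RSA-OAEP", "enc": "A256GCM", "typ": "JWT"}
    return serialize_jwe(header, b"\x11" * 256, b"\x22" * 12, b"\x33" * 20, b"\x44" * 16)


if __name__ == "__main__":
    token = sample_jwe()
    print(token)
    print(parse_jwe(token)["header"])
```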
Some examples
JWS creation in Java
public String createJwt(User loggedInUser) {
    JwtBuilder builder = Jwts.builder()
        .setSubject(loggedInUser.getUsername())
        .claim("payload", loggedInUser.getPayload())
        .setId(loggedInUser.getId())
        .setExpiration(calculateExpirationTime());
    return builder.signWith(SignatureAlgorithm.RS256, privateKey).compact();
}
JWS checking in Java
Claims claims = Jwts.parser()
    .setSigningKey(publicKey)
    .parseClaimsJws(accessTokenString)
    .getBody();
Important Side Note:
- Ensure checking always uses the correct algorithm
- A "none" alg header must not lead to an unchecked token if a signed one is expected!
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
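An added example (Python, standard library only; not code from the talk, from LeanIX or from the jjwt library used on the Java slides) that ties the JWS example slide to the side note above: create_jws() assembles header, payload and HMAC-SHA256 signature exactly as the signature slide describes, so the encoded segments of the slide's example token fall out of it, and verify_jws() checks a token the way the side note demands: the accepted algorithm is fixed by the verifier rather than read from the header, so a token claiming "alg": "none" is rejected rather than waved through, the signature is compared in constant time, and exp is enforced. The secret b"secret", the helper names and the claims of the test tokens are constructed for this example; "none" is only issued here so that the verifier can be shown rejecting it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, as required for all JWS segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # re-add the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def create_jws(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS. alg="none" exists here only to produce a token
    for the negative test below; a real issuer never emits unsigned tokens."""
    header = {"alg": alg, "typ": "JWT"}
    # compact JSON (no whitespace) reproduces the encoded segments of the slide's example
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    if alg == "HS256":
        signature = hs256(signing_input, secret)
    elif alg == "none":
        signature = b""
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def verify_jws(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims of a valid HS256 token, otherwise raise ValueError.

    The accepted algorithm is pinned by the verifier, not taken from the token
    header: a header saying "alg": "none" fails the comparison below instead
    of switching signature checking off."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization has exactly three parts")
    encoded_header, encoded_payload, encoded_signature = parts
    header = json.loads(b64url_decode(encoded_header))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        found = header.get("alg") if isinstance(header, dict) else None
        raise ValueError(f"unexpected alg {found!r}, expected 'HS256'")
    expected = hs256(f"{encoded_header}.{encoded_payload}".encode("ascii"), secret)
    # constant-time comparison so a wrong signature does not leak how many bytes matched
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(encoded_payload))
    current = int(time.time()) if now is None else now
    if "exp" in claims and current >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def reject_reason(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """'' when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jws(token, secret, now)
    except ValueError as err:  # JSON and base64 decoding errors are ValueErrors too
        return str(err)
    return ""


if __name__ == "__main__":
    # constructed demo secret; the claims are those of the slide's JWS example
    token = create_jws({"sub": "1234567890", "name": "John Doe", "admin": True}, b"secret")
    print(token)
    print(verify_jws(token, b"secret"))
```

The first two segments printed are the header and payload segments of the token on the JWS Example slide; only the signature depends on the secret. A production service would hand this job to a library such as the jjwt calls shown on the Java slides, but the same three checks (pinned algorithm, constant-time signature comparison, expiry) are what it has to get right.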
JWS Usage in Java with Dropwizard
Adapt Authenticator Class:
@Override
public Optional<User> authenticate(String accessToken) {
    if (accessToken == null) {
        return Optional.absent();
    }
    OAuth2Token token = this.parser.parse(accessToken);
    return Optional.fromNullable((User) token.getPrincipal());
}
Use @Auth Annotation:
public Response getX(@Auth @ApiParam(access = "internal") User user) {
    […]
}
JWS example
Live Presentation
JWS libraries
Libraries exist for nearly every programming language:
• .NET
• Python
• Node.js
• Java
• JavaScript
• Perl
• Ruby
• Elixir
• Go
• Haskell
• Rust
• Lua
• Scala
• D
• Clojure
• Objective C
• Swift
• C
• Kdb+/Q
• Delphi
• PHP
• Crystal
• …
Mind the gap
Mind the gap
Don'ts:
• Never ever send passwords in a JWT
• And also no password hashes
• You cannot control where the JWT goes
• Don't verify token validity by calling the Auth Service
Dos:
• Always verify the token (the checksum, i.e. its signature)
• Add as few claims as possible, but at least enough to avoid calls to other services
Back to JWS vs. JWE
JSON Web Encryption (JWE)
Pros
• Everything is unreadable to the user
• You potentially can use classified information
• Only one key needed, which can be distributed easily
Cons
• Need to distribute the secret to all services
• The attack surface increases
JSON Web Encryption (JWE)
Key distribution: the Auth Service and Microservice 1, 2 and 3 all hold the private key
JSON Web Signature (JWS)
Pros
• Everything is readable to the user
• Only the public key needs to be distributed
• Only the Auth Service needs high protection
• If the private key is compromised, exchange it in the Auth Service and distribute the new public key
Cons
• Everything is readable to the user
JSON Web Signature (JWS)
Key distribution: the Auth Service holds the private key; Microservice 1, 2 and 3 hold only the public key
Conclusion
• Lets microservices stay loosely coupled
• Secure transfer of authorization and authentication claims
• Further application domains can be found in Single Sign-On contexts
• Easy to implement thanks to library availability
Thanks (and yes, we are hiring)
https://www.leanix.net/en/jobs
Sources
• https://tools.ietf.org/html/rfc7519 RFC for JWT
• https://tools.ietf.org/html/rfc7518 RFC for JWA (used in JWS and JWE)
• https://jwt.io/
• https://www.leanix.net/
• Devil Smiley CC BY 4.0 https://www.creativetail.com
• Further articles on JWT:
  • https://blog.codecentric.de/2016/11/json-web-token-jwt-im-detail/
  • https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3