single-sign-on for web apis - java forum stuttgart · pdf fileweb-apis, microservices and...
TRANSCRIPT
FOR WEB APISNiko Köbler
So�ware-Architect, Developer & Trainer
| |
SINGLE-SIGN-ON
[email protected] www.n-k.de @dasniko
AUTHENTICATIONI don't know who you are!
AUTHORIZATIONI know who you are, but you're not allowed!
Same centralized approach for Web-APIs, Microservices and Monoliths!?
SECURITY
SIMPLYSECURE
OASIS Standard, 2005
SAML<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
Version="2.0"
IssueInstant="2004-12-05T09:22:05">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"
<saml:SubjectConfirmationData
InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05"/>
</saml:SubjectConfirmation>
</saml:Subject>
...
</saml:Assertion>
OAUTHAuthorization, NOT Authentication!
, RFC 6749,
2
The OAuth 2.0 authorization framework enables a3rd-party application to obtain limited access to
an HTTP service.
IETF 2012
TYPESGrant Type Apps
Authorization Code Web, Apps
Implicit JavaScript, etc.
Resource Owner Password Credentials Apps
Client Credentials Web
Refresh Token Web, Apps
GRANT
TOKENACCESS{
"access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
}
OIDCOpenID Connect - NOT OpenID
Authentication layer on top of OAuth 2.0
verify the identity of an end-userobtain basic profile information about the end-userRESTful HTTP API, using JSON as data formatallows clients of all types (web-based, mobile, JavaScript)
, 2014OpenID Foundation
OIDCOpenID Connect adds the IDENTITY TOKEN
{
"access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
"token_type": "Bearer",
"expires_in": 3600,
"identity_token": "???",
"refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0"
}
JSON WEB TOKEN Standard, 2015
JWT
RFC 7519
JSON WEB TOKENeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Base64 encoded
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV
9
JSON WEB TOKEN
JSON WEB TOKENPAYLOAD DATA
Reserved claims: sub, iss, aud, exp
{
"sub": "1234567890",
"iss": "https://sso.myapi.com",
"aud": "myApi"
"exp": 1479814753,
"name": "John Doe",
"admin": true
}
TOKENACCESS{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"identity_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
TOKENSBase for access on secured resources.
A is and contains all necessary about the user and its roles.
Kinds: , Refresh-, Offline- and
Send in format:
Have a TTL!
Must be revocable!
token signed information
Identity- Accesstokens
BearerAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
TOKEN Stateless sessions
Passing identity to 3rd parties
Token exchange
USAGE
WHAT DOES JAVA OFFER?
JAVA nothing useful so far
JAAS?(proprietary)
Java EE 8 with Security API, JSR-375
EE
WHAT DOES JAVA OFFER?
SPRING good, powerful
Spring Cloud Security / OAuth2
SECURITY
WHAT DOES JAVA OFFER?
APACHE OAuth2? / OIDC?
SHIROhttps://shiro.apache.org
WHAT DOES JAVA OFFER?
APACHE OAuth2 / OIDC / JWT
Who knows this project?
OLTUhttps://oltu.apache.org/
WHAT DOES JAVA OFFER?
Available for most frameworks/tools: J2E • Spring Web MVC (Spring Boot) • Spring Security (Spring Boot) • Shiro
Play 2.x • Vertx • Spark Java • Ratpack • Undertow CAS server • JAX-RS • Dropwizard • Knox • Jooby
PAC4Jhttp://www.pac4j.org
The to protect all your webapplications.
Java security engine
WHAT DOES JAVA OFFER?
JWT LIBRARIESgithub.com/auth0/java-jwt
bitbucket.org/b_c/jose4j
bitbucket.org/connect2id/nimbus-jose-jwt
github.com/jwtk/jjwt
AND THE ?SAAS? AAAS?
Auth0
AWS Cognito
Stormpath
BUT: you have to outsource your users personal data!
ECOSYSTEM
auth0.com
aws.amazon.com/cognito
stormpath.com
So, what to do?
How? Much effort!
Develop on your own?
INTEGRATED AND FORBROWSER APPS AND RESTFUL WEB
SERVICES
SSO IAM
JBosssince ~2013Open Source So�warehosted at GitHubvery active Community (commits, pullrequests, mailinglists)constant and regular feature- and bugfix-releasescurrent version: 3.1.0.Finalgood & comprehensive documentation
KEYCLOAK
#, Single-Sign-Out, Self-Registration, Forgot
Password, Verify User/Email, TOTP, various Verification(Work-)Flows, Customer Attributes,
, , Social Logins, Custom Themes, , ,, Open ID Connect ( ), SAML,
, Account Management, Management Console,CORS handling, Impersonation, etc...
FEATURESSingle-Sign-On
Custom FederationProvider SPIs JWT OAuth2
Bearer Token OIDC LDAP/AD-Integration
#JBoss EAP / , Tomcat, Jetty, JBoss Fuse, ,Spring Security, , Apache Karaf, Servlet Adapter,Apache mod openid connect, Keycloak Proxy Server, own
implementations
ADAPTERSWildfly Spring Boot
JavaScript
DEMOSSpring Boot ("full" web app)
Java EE (JBoss Wildfly, REST-only services)
React.JS SPA (JavaScript client app)
dasniko/keycloak-springboot-demo
dasniko/keycloak-javaee-demo
dasniko/keycloak-reactjs-demo
AMAZON API GATEWAYAWS IAM
Amazon Cognito / STS
Custom Authorizer (AWS Lambda)
CLOUD
AUTHORIZERVerify token send in HTTP Header
Lambda function will be invoked with event:
CUSTOM
{
"type": "TOKEN",
"authorizationToken": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik5pa28gS8O2YmxlciIsImFkbWluIjp0cnVlLCJpc3MiOiJkYXNuaWtvIiwiYXVkIjoiZGVtbyJ9.V7vQT0N6Py-n9mjRgt-QwWMsTSvFkTRRU0D5t1lrS08"
"methodArn": "arn:aws:execute-api:eu-central-1:012345678910:v7towmtj68/prod/GET/"
}
CUSTOM Lambda function will create a Principal and an AWS Policy:
will be cached
AUTHORIZER
{
"principal": "1234567890",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": "arn:aws:execute-api:eu-central-1:012345678910:v7towmtj68/prod/GET/"
}
]
}
}
API GATEWAY AUTHORIZATION
DEMOCustom Authorizr AWS Lambda Function
dasniko/jwtAuthorizr
THANK !ANY ?
Slides:
Niko Köbler So�ware-Architect, Developer & Trainer
| |
YOUQUESTIONS
http://bit.ly/sso-jax-2017
[email protected] www.n-k.de @dasniko