Identity  within  MicroservicesErick  Belluci Tedeschi

@ericktedeschi

São  Paulo,  Oct  22  2016

Who?

• PHP  Developer  since  2003• Application  Security  since  2007• Biker• Maker

• Help  devs delivery  Secure  Applications• Help  business  to  keep  clients  data  secure

Agenda

• Microservice architecture  Version  1

• About  Tokens

• OAuth  2.0• OpenID  Connect

• Authorization  Code  Flow  Example

• Microservice architecture  NG!!!

Microservice Architecture  V1

API  G

atew

ayOAu

th  Server*

AccountGET  /my/{user_id}

TransferPOST  /transferto/{src_account}/{dst_account}

ReceiptGET  /receipts/{user_id}

End-­‐User

Bank  API  (Public)GET      /myPOST  /transferto/{dst_account}GET      /receipts

/token/authorize

Basic  auth

Basic  auth

No  auth

Microservice Architecture  V1

API  G

atew

ayOAu

th  Server*

AccountGET  /my/{user_id}

TransferPOST  /transferto/{src_account}/{dst_account}

ReceiptGET  /receipts/{user_id}

End-­‐User

Bank  API  (Public)GET      /myPOST  /transferto/{dst_account}GET      /receipts

/token/authorize

Basic  auth

Basic  auth

No  auth

• Poor  logging  (audit  trail)• Poor  identification  on  microservices (X-­‐User-­‐Logged  L)• Authorization  centralized  on  API  Gateway• Microservices are  more  like  CRUDs  APIs• Microservices have  ”micro  user  repositories”  or  don’t  have  authentication/authorization

• API  Gateway  have  more  responsibility  than  necessary

Now,  let’s  take  a  look  at  the:  Token

• A  piece  of stamped metal used  as  a substitute for money;  a voucher that  can  be  exchanged  for  goods  or  services  (https://en.wiktionary.org/wiki/token)

• Token  By  Reference• An  opaque  string  generated  randomly• Ex.:  2YotnFZFEjr1zCsicMWpAA

• Token  By  Value• A  JWT  that  contains  claims  about  the  context  of  the  token• Ex.:  

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU

JWT  – JSON  Web  Token

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU

{"typ":  "JWT","alg":  "HS256"}

{"iss":  "https://my.service.com","iat":  1435179603,"exp":  1435181421,"aud":  "www.service.com","sub":  "johndoe@gmail.com","Role":  ["approver","viewer"]}

HMACSHA256(base64UrlEncode(header)  +  "."  +base64UrlEncode(payload),sharedsecret)

JWT  Header

JWT  Payload

JWT  Signature

The  OAuth  2.0  Authorization  Framework

The  OAuth  2.0  enables  a  third-­‐party  application  to  obtain  limited  access  to  an  HTTP  service  on  behalf  of  a  resource  owner...

OAuth  2.0  – Protocol  or  Framework?

• RFC  5849:  The  OAuth  1.0  Protocol

• RFC  6749:  The  OAuth  2.0  Authorization  Framework

https://tools.ietf.org/html/rfc5849…  contract,  pact,  deal  

https://tools.ietf.org/html/rfc6749…  structure,  skeleton,  chassis

Warning:  OAuth  is  not  about  authentication

Warning:  OAuth  is  not  about  authentication

How  an  access_token looks  like?  (by  value  -­‐ JWT)

// JWT Payload{"sub": "alice", // user id"cid": "000123", // client id"iss": "https://as.domain.com", // who issued"aud": "https://rs.domain.com","exp": 1460345736, // expiration date"scp": ["openid","email","profile"] // scopes

}

OpenID  Connect

OpenID  Connect  1.0  is  a  simple  identity  layer  on  top  of  the  OAuth  2.

How  an  id_token looks  like?  (by  value  -­‐ JWT){"iss": ”InstIdentRicardoGumbletonDaunt", // who issued"sub": ”4.444.444", // user identification"aud": ["cops","bank"], // where it’s used"nonce": "n-0S6_WzA2Mj","exp": 1311281970, // 10 years"iat": 1311280970,"auth_time": 1311280969,"amr": "sign+fingerprint” //auth-methods-ref}

OpenID  Connect  Discovery  1.0

A  complete  Authorization  Server

• /authorize• /token• /introspection  (check  access_token)• /token_info (get  more  information  about  identity)• /revocation

Let’s  see  how  to  get  both  access_token and  id_token using  Authorization  Code  Flow

ResourceOwner

AuthorizationServer

ResourceServer

Client

access

ResourceOwner

AuthorizationServer

ResourceServer

Client

access

*  GET  /authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1

ResourceOwner

AuthorizationServer

ResourceServer

Client

access

ResourceOwner

AuthorizationServer

ResourceServer

Client

access

ResourceOwner

AuthorizationServer

ResourceServer

Client

*  Location:  https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

ResourceOwner

AuthorizationServer

ResourceServer

Client

POST  /token  HTTP/1.1Host:  server.example.comAuthorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JWContent-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

ResourceOwner

AuthorizationServer

ResourceServer

Client

HTTP/1.1  200  OKContent-­‐Type:  application/json;charset=UTF-­‐8Cache-­‐Control:  no-­‐storePragma:  no-­‐cache

{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer","expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA","id_token":  "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBM

k1qIiwKICJleHAiOiAxMzE.xptoxptoxpto"}

ResourceOwner

AuthorizationServer

ResourceServer

Client

ResourceOwner

AuthorizationServer

ResourceServer

Client

POST  /introspect  HTTP/1.1Host:  server.example.comAuthorization:  Basic  czZCaGRSa3F0MzpnWDFmQmF0M2JWContent-­‐Type:  application/x-­‐www-­‐form-­‐urlencoded

token=2YotnFZFEjr1zCsicMWpAA

https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection

Introspection  Request

ResourceOwner

AuthorizationServer

ResourceServer

Client

HTTP/1.1  200  OKContent-­‐Type:  application/json

{"active":  true,"client_id":  "l238j323ds-­‐23ij4","username":  "jdoe","scope":  ”openid profile  email","sub":  "Z5O3upPC88QrAjx00dis","aud":  "https://protected.example.net/resource","iss":  "https://server.example.com/","exp":  1419356238,"iat":  1419350238,"extension_field":  "twenty-­‐seven”}

https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection

Introspection  Request

ResourceOwner

AuthorizationServer

ResourceServer

Client

https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection

Introspection  Request

ResourceOwner

AuthorizationServer

ResourceServer

Client

https://tools.ietf.org/search/rfc7662 OAuth  2.0  Token  Introspection

Introspection  Request

Nice

Microservice Architecture  NG!!!

API  G

atew

ayAu

thoriza

tion

Server

AccountGET  /myGET  /pvt/{account}

TransferPOST  /transferto/{dst_account}

ReceiptGET  /receipts

OAu

thFilte

rOAu

thFilte

rOAu

thFilte

r

OAu

th  Filter

ResourceOwner

Introspection/validation

Bank  API  (Public)GET      /myPOST  /transferto/{dst_account}GET      /receipts

/token/authorize/introspect/revoke/token_info

”offline  introspection/validation”

”offline  introspection/validation”

Microservice Architecture  NG!!!

API  G

atew

ayAu

thoriza

tion

Server

AccountGET  /myGET  /pvt/{account}

TransferPOST  /transferto/{dst_account}

ReceiptGET  /receipts

OAu

thFilte

rOAu

thFilte

rOAu

thFilte

r

OAu

th  Filter

ResourceOwner

Introspection/validation

Bank  API  (Public)GET      /myPOST  /transferto/{dst_account}GET      /receipts

/token/authorize/introspect/revoke/token_info

”offline  introspection/validation”

”offline  introspection/validation”

• Audit  Trail  Improved• Microservices can  make  decision  based  on  the  end-­‐user  identity

• Fine  grained  authorization  across  the  services• The  whole  environment  have  a  central  user  identity  repository  (OAuth+OpenID Connect  Server)

• API  Gateway  is  clean/slim

Don’t  start  from  scratch

• OpenSource• Connect2ID  http://connect2id.com/• Keycloak http://www.keycloak.org/• MitreID Connect  https://github.com/mitreid-­‐connect/OpenID-­‐Connect-­‐Java-­‐Spring-­‐Server• WSO2  Identity  Server  http://wso2.com/products/identity-­‐server/

References  and  Links

• OAuth  2.0:  https://tools.ietf.org/html/rfc6749

• OAuth  2.0  Bearer  Token  Usage:  https://tools.ietf.org/html/rfc6750

• OpenID  Connect  Core:  http://openid.net/specs/openid-­‐connect-­‐core-­‐1_0.html

• OpenID  Connect  Discovery:  https://openid.net/specs/openid-­‐connect-­‐discovery-­‐1_0.html

• JOSÉ  (JSON  Object  Signing  and  Encryption)• JSON  Web  Signature  (JWS)  https://tools.ietf.org/html/rfc7515• JSON  Web  Encryption  (JWE)  https://tools.ietf.org/html/rfc7516• JSON  Web  Key  (JWK)  https://tools.ietf.org/html/rfc7517• JSON  Web  Algorithms  (JWA)  https://tools.ietf.org/html/rfc7518• JSON  Web  Token  (JWT)  https://tools.ietf.org/html/rfc7519

• http://connect2id.com/products/nimbus-­‐jose-­‐jwt/examples/validating-­‐jwt-­‐access-­‐tokens

Thanks

https://www.linkedin.com/in/ericktedeschihttps://twitter.com/ericktedeschihttp://www.slideshare.net/erickt86erick@oerick.com