AtlasCamp 2014: Connect Security

Post on 17-May-2015

DESCRIPTION

To make add-ons in Atlassian OnDemand successful with Atlassian Connect, they have to be secure. Learn what security features Connect provides and why. This session will include:
• Fun security brain teasers!
• Tips on avoiding common pitfalls when writing Connect add-ons
• A sneak peek at future security features we will introduce for Connect

TRANSCRIPT

June 3-5, 2014 | Berlin, Germany

Peter Brownlow, Senior Java Developer, Atlassian

Connect Security

Connect add-ons: 3,500 installs from Marketplace
In-process plugins: 1,500,000 installs from Marketplace

Connect add-ons need to grow 500x to overtake in-process plugins.
Tension between security & usability.

Don’t #@!% the customer.

- Atlassian value

Agenda
• Authentication
• Authorization
• Sneak Peeks
• Questions

Authentication

"Who said that?"

• Who sent the letter? The sender's name and signature.
• Was the letter tampered with? Tampering "looks wrong".
• Was the letter re-sent, or sent too long ago? The postmark.

JSON Web Tokens

host product → add-on: params, token
add-on → host product: params, token

e.g. https://mycompany.com/awsome?user.key=peter&jwt=…
also carried in the "Authorization" HTTP header

JSON Web Tokens

• structured: header JSON, claims JSON, signature
• each part base64url-encoded, joined with dots

{"typ":"JWT","alg":"HS256"}
.{"iss":"myId","exp":1300819380}
."signature"

eyJ0eXAiOi12KL98udNfg8z…

JSON Web Tokens: the letter analogy

Letter → JWT
• sender → issuer claim (iss)
• signature → cryptographic signature
• changes "look wrong" → signature plus query string hash claim (qsh)
• postmark date → expiry claim (exp)
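The three letter questions written as code. This is an added example, not code from the talk or from Atlassian's Connect libraries: it issues and verifies an HS256 JWT carrying issuer, expiry and query string hash (qsh) claims with nothing but the Python standard library. The add-on key, shared secret and URL are constructed values, and the canonical request format follows the Connect qsh scheme only in outline (upper-case method, path without trailing slash, parameters sorted by name, the jwt parameter itself excluded).

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values for this example; not real Atlassian credentials.
ADDON_KEY = "com.example.awesome-addon"      # hypothetical add-on key, used as the iss claim
SHARED_SECRET = b"constructed-shared-secret-from-the-installed-event"
# An add-on stores one secret per host, keyed by the issuer it learned at install time.
SECRETS = {ADDON_KEY: SHARED_SECRET}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(value: str) -> str:
    # RFC 3986 percent-encoding; quote() leaves A-Z a-z 0-9 - _ . and ~ alone.
    return quote(value, safe="~")


def _compact_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def canonical_request(method: str, url: str) -> str:
    """METHOD&PATH&QUERY normalised so host and add-on hash the same string:
    upper-case method, no trailing slash, parameters sorted by name, repeated
    values sorted and comma-joined, and the jwt parameter left out."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("jwt", None)
    query = "&".join(
        f"{_enc(name)}={','.join(_enc(v) for v in sorted(values))}"
        for name, values in sorted(params.items())
    )
    return f"{method.upper()}&{path}&{query}"


def qsh(method: str, url: str) -> str:
    """Query string hash claim: hex SHA-256 of the canonical request."""
    return hashlib.sha256(canonical_request(method, url).encode()).hexdigest()


def issue_token(secret: bytes, iss: str, method: str, url: str, now: int, ttl: int = 180) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": iss, "iat": now, "exp": now + ttl, "qsh": qsh(method, url)}
    signing_input = f"{_compact_json(header)}.{_compact_json(claims)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def verify_token(token: str, method: str, url: str, now: int, secrets=SECRETS) -> dict:
    """Answer the three letter questions in order; raise ValueError on any failure."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        raise ValueError("malformed token")
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":                  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    secret = secrets.get(claims.get("iss"))            # who said that? find the sender's key
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")              # not signed by that sender
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")              # postmark too old
    if not hmac.compare_digest(str(claims.get("qsh", "")), qsh(method, url)):
        raise ValueError("query string hash mismatch")  # the letter was tampered with
    return claims


if __name__ == "__main__":
    url = "https://mycompany.com/awesome?user.key=peter"
    token = issue_token(SHARED_SECRET, ADDON_KEY, "GET", url, now=1300819200)
    print(verify_token(token, "GET", url, now=1300819260))
    # Same token replayed against a changed query string, then after its expiry.
    for bad_url, when in [(url.replace("peter", "admin"), 1300819260), (url, 1300819380)]:
        try:
            verify_token(token, "GET", bad_url, now=when)
        except ValueError as err:
            print("rejected:", err)
```

Two details matter in practice: the secret is looked up from the unverified iss claim but nothing is trusted until the HMAC check passes, and the alg header is pinned so a token claiming "none" or another algorithm is rejected before any signature logic runs.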


Authorization
"Can you do that?"

Scopes: compare the request against a white-list.
Who can see the aliens? Generals vs. interns.

"How did that guy get in here?" How do we avoid a "security surprise"? The add-on's scopes are displayed on installation.

Add-on user permissions: a person's access changes arbitrarily, so how do we accurately allow access?
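Static scopes and dynamic user permissions as two separate checks that both have to pass. This is an added example, not Atlassian's code: the scope white-list, the cumulative scope ordering and the user permission store are all constructed for illustration, and a real add-on would ask the host product for the user's current permissions rather than keep its own copy.

```python
import re

# Assumption for this example: scopes are cumulative, so a granted scope also
# implies every scope to its left in this list.
SCOPE_ORDER = ["READ", "WRITE", "DELETE", "ADMIN"]

# Constructed white-list of (required scope, allowed HTTP methods, path pattern).
# Not Atlassian's real scope tables, only their shape.
WHITELIST = [
    ("READ",   {"GET"},                          re.compile(r"^/rest/api/2/issue/[^/]+$")),
    ("WRITE",  {"POST", "PUT"},                  re.compile(r"^/rest/api/2/issue(/[^/]+)?$")),
    ("DELETE", {"DELETE"},                       re.compile(r"^/rest/api/2/issue/[^/]+$")),
    ("ADMIN",  {"GET", "POST", "PUT", "DELETE"}, re.compile(r"^/rest/api/2/.*$")),
]

# Constructed stand-in for the host's live permission scheme: (permission, project) pairs.
USER_PERMISSIONS = {
    "peter":  {("BROWSE", "PROJ"), ("EDIT_ISSUES", "PROJ")},
    "intern": {("BROWSE", "PROJ")},
}


def scope_allows(granted_scopes, method: str, path: str) -> bool:
    """Static check: is this method + path white-listed by any scope the add-on was
    granted at install time? Unknown scope names are ignored rather than trusted."""
    highest = max((SCOPE_ORDER.index(s) for s in granted_scopes if s in SCOPE_ORDER), default=-1)
    for required, methods, pattern in WHITELIST:
        if method in methods and pattern.match(path) and SCOPE_ORDER.index(required) <= highest:
            return True
    return False


def user_permits(user: str, permission: str, project: str) -> bool:
    """Dynamic check: does this person hold the permission right now?"""
    return (permission, project) in USER_PERMISSIONS.get(user, set())


def authorize(granted_scopes, user, method, path, project, permission):
    """Scopes say what the add-on may ever do; user permissions say what this person
    may do today. Fail on the first layer that says no and report which one."""
    if not scope_allows(granted_scopes, method, path):
        return (False, "scope")
    if not user_permits(user, permission, project):
        return (False, "user permission")
    return (True, "ok")


if __name__ == "__main__":
    req = ("PUT", "/rest/api/2/issue/PROJ-1", "PROJ", "EDIT_ISSUES")
    print(authorize({"WRITE"}, "peter", *req))    # both layers pass
    print(authorize({"WRITE"}, "intern", *req))   # scope ok, person lacks EDIT_ISSUES
    print(authorize({"READ"}, "peter", *req))     # person ok, add-on never got WRITE
```

The order of the two checks is deliberate: the scope check is cheap and static, so it runs first and a request outside the white-list never reaches the per-user lookup at all.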


Sneak Peeks
"ideas in motion"

More custom JWT claims?
• Headers hash
• Body hash

JWT expiry improvements
• User loads page
• Goes to lunch
• Comes back, clicks link…
• Expired!
• Secure! But less usable.
• On click: no expiry
• JavaScript API?

Three Legged Auth
• Act as a specified user
• Authorized by users
• Server to server
• 3LA granted?
• Query parameters
• REST resource

Recap
• Authentication
  • Who said that?
  • JWT claims
  • JWT signature
• Authorization
  • Can you do that?
  • Scopes (static)
  • User permissions (dynamic)


Questions?

go.atlassian.com/ac-security