Authentication in microservice systems
![Page 1: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/1.jpg)
@davib0
Authentication in Microservice Systems
David Borsos
![Page 2: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/2.jpg)
Authentication and Authorisation in Microservice Systems
David Borsos
![Page 4: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/4.jpg)
End-user Authentication and Authorisation in Microservice Systems
David Borsos
![Page 5: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/5.jpg)
Introduction
David Borsos
Joined OpenCredo in 2013
Working on microservices since then
Email: [email protected]
Twitter: @davib0
http://www.opencredo.com
![Page 6: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/6.jpg)
Why?
![Page 7: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/7.jpg)
Traditional “monolithic” architecture
![Page 10: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/10.jpg)
μServices!
![Page 11: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/11.jpg)
μServices!
● Composing functionality
● Self-contained services
● “Bounded context”
● Independent scaling
● Independent deployment
  ○ Containers
  ○ Schedulers
    ■ Kubernetes
    ■ Mesos + Marathon
  ○ PaaS(es)
    ■ CloudFoundry
● Localized failures
● Prefer statelessness
  ○ Don’t rely on HTTP Sessions
![Page 12: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/12.jpg)
μServices
![Page 13: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/13.jpg)
μServices - Let’s try the same pattern
![Page 14: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/14.jpg)
μServices - Let’s try the same pattern
Problem #1 - shared user database
![Page 15: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/15.jpg)
μServices are distributed
![Page 16: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/16.jpg)
μServices
Problem #1 - shared user database
![Page 17: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/17.jpg)
μServices
Problem #1 - shared user database
Solution #1 - distribute!
![Page 18: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/18.jpg)
μServices
Problem #1 - shared user database
Solution #1 - distribute!
Problem #2 - who owns the credentials?
![Page 19: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/19.jpg)
Single Responsibility
![Page 21: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/21.jpg)
μServices
Problem #1 - shared user database
Solution #1 - distribute!
Problem #2 - who owns the credentials?
Solution #2 - Authentication Service
![Page 22: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/22.jpg)
μServices
Problem #1 - shared user database
Solution #1 - distribute!
Problem #2 - who owns the credentials?
Solution #2 - Authentication Service
Problem #3 - switching services
![Page 23: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/23.jpg)
Authenticate every time?
![Page 24: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/24.jpg)
Obviously not
![Page 25: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/25.jpg)
Aiming for transparency
vs.
![Page 26: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/26.jpg)
μServices - what do we want?
● “Secure”
  ○ Security is complex
  ○ Client-side
  ○ Sharing secrets?
● Stateless services
  ○ Multiple instances
● No single point of failure
  ○ On every request
  ○ When switching services
● No inherent bottlenecks
● Transparency
● Logout?
● Integration with μServices
● Simple to implement
![Page 27: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/27.jpg)
μServices
1. Use SSO solutions
2. Distributed session
3. Client-side token
4. Client-side token + API Gateway
![Page 28: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/28.jpg)
1. Using SSO
![Page 29: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/29.jpg)
Detour: how do these work?
![Page 30: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/30.jpg)
A common SSO pattern
1. User requests access
2. Not authenticated
3. User authenticates with SSO Server
4. Authentication successful, grant token
5. User uses token
6. Application uses token to get user details
7. Auth Server returns details
+1 Auth server maintains “global login”
+2 Application maintains “local login”
![Page 31: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/31.jpg)
Using SSO solutions
● SSO “login” state is usually opaque
● SSO Service becomes SPOF
● Chatty traffic
● Every switch potentially requires SSO
  ○ Optimise with local “login” caching
![Page 32: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/32.jpg)
Using SSO solutions

| Criterion | Assessment | Verdict |
|---|---|---|
| Security | As good as the chosen SSO | ✔ |
| Secret sharing | No | ✔ |
| Statelessness | Relies on HTTP sessions | ✘ |
| SPOF @ service switch | Authentication server | ✘ |
| Bottlenecks | Authentication server (switch only) | ! |
| Transparent | Yes | ✔ |
| Logout | Complex | ✘ |
| Technologies | CAS, OAuth2* | ✔ |
| Integration | Good library support | ✔ |
| Implementation | Fairly high complexity | ✘ |
![Page 33: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/33.jpg)
2. Distributed sessions
![Page 34: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/34.jpg)
Distributed sessions
1. User requests access
2. Not authenticated
3. User authenticates with Auth Service
4. Authentication successful
   a. Write state to distributed Session Store
      i. User X is logged in
      ii. Sets TTL
   b. Sets Session ID on client side
5. User uses Session ID
6. μService reads distributed Session Store
   a. Refresh TTL
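An added illustration of this flow, not part of the original deck: an in-memory stand-in for the distributed Session Store with the TTL set at login, refreshed on every service lookup, a rotatable opaque Session ID, and the one-line logout. Class and method names are my own; a real deployment would back this with Redis or similar.

```python
import secrets

class DistributedSessionStore:
    """In-memory stand-in (constructed for this example) for the shared session
    store of the 'distributed session' scheme. Every μService instance talks to
    the same store, so no instance holds login state of its own."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> (user_id, expires_at)

    def login(self, user_id: str, now: float) -> str:
        # Step 4a/4b: record "user X is logged in" with a TTL and hand the
        # client an opaque, random session ID that carries no user data.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user_id, now + self.ttl)
        return session_id

    def resolve(self, session_id: str, now: float):
        # Step 6: a μService looks the ID up; a hit refreshes the TTL
        # (sliding expiry), a miss or an expired entry means "not logged in".
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[session_id]
            return None
        self._sessions[session_id] = (user_id, now + self.ttl)
        return user_id

    def rotate(self, session_id: str, now: float):
        # Rotatable Session ID: issue a fresh ID for the same login (e.g.
        # after a privilege change) so the previous ID stops working.
        user_id = self.resolve(session_id, now)
        if user_id is None:
            return None
        del self._sessions[session_id]
        return self.login(user_id, now)

    def logout(self, session_id: str) -> bool:
        # Logout is trivial: delete the shared entry and every service sees
        # the user as logged out on its next lookup.
        return self._sessions.pop(session_id, None) is not None
```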
![Page 35: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/35.jpg)
Distributed sessions

| Criterion | Assessment | Verdict |
|---|---|---|
| Security | Opaque, rotatable Session ID | ✔ |
| Secret sharing | Access to session store | ✘ |
| Statelessness | Shared state | ✔ |
| SPOF @ service switch | Session store* | ! |
| Bottlenecks | Session store (every request) | ✘ |
| Transparent | Yes | ✔ |
| Logout | Trivial - delete shared session | ✔ |
| Technologies | Redis, Cassandra, Hazelcast, Riak | ✘ |
| Integration | Custom implementation | ✘ |
| Implementation | Medium/High complexity | ! |
![Page 36: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/36.jpg)
3. Client-side tokens
![Page 37: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/37.jpg)
3. “Poor man’s certificates”
![Page 38: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/38.jpg)
Client side tokens
1. User requests access
2. Not authenticated
3. User authenticates with Auth Server
4. Authentication successful
   a. Set ID token on the client side
      i. Self-contained
      ii. Signed
      iii. TTL
5. Services understand ID token
   a. Can parse user ID
   b. Can verify token
      i. Check signature
      ii. Check TTL
![Page 39: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/39.jpg)
Detour: JSON Web Tokens (JWT)
![Page 40: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/40.jpg)
JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJteVVzZXJJZCIsIm5hbWUiOiJKb2huIERvZSJ9.00q6RI76-oOyQIoshomTVIfmebQPGoDV2znTErEJjjo
Header: { "alg": "HS256", "typ": "JWT" }
Body: { "sub": "myUserId", "name": "John Doe" }
Signature
![Page 41: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/41.jpg)
JWT
● Standard
● Simple
● Extensible
● Can use a variety of signatures (SHA or RSA)
● Good library support
● Symmetric or Public/Private key signatures
● http://jwt.io
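An added example (not from the deck) of what the client-side token steps and the JWT detour describe: the Auth Server issues an HS256 JWT, and each service verifies it locally by pinning the algorithm, checking the HMAC signature and checking the TTL (`exp`). The key, claims and function names are constructed for this example; the shared HMAC key is the "secret sharing" cost of the symmetric variant.

```python
import base64
import hashlib
import hmac
import json
import time

# JWT segments are base64url with the '=' padding stripped
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issue_jwt(claims: dict, key: bytes) -> str:
    """Auth Server side: sign the claims with a shared HMAC key (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Service side: pin the algorithm, check signature, check TTL; raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token, decides the algorithm: this rejects
    # "alg": "none" and any attempt to switch the signature scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + body_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature fails uniformly
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if "exp" not in claims:
        raise ValueError("token carries no exp (TTL) claim")
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def token_status(token: str, key: bytes, now=None) -> str:
    """'ok' or the reason the token was rejected."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as err:
        return str(err)
```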
![Page 43: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/43.jpg)
But...
![Page 44: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/44.jpg)
...token is valid until TTL...
![Page 45: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/45.jpg)
...and μServices accept it...
![Page 46: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/46.jpg)
… so, logout?
![Page 47: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/47.jpg)
Client-side tokens: Logout
● Remove token from client-side store
● Periodically check with Auth Service (“renew token”)
● CRL-style revocation
  ○ Maintain list of revoked tokens
  ○ Distribute list across μServices (messaging middleware)
● Use short-lived (15m) tokens
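Added example (not from the deck) of the CRL-style option combined with short-lived tokens: a per-service revocation list fed by logout messages, pruned as soon as a revoked token's TTL has passed, and the admission check a service runs after it has verified the signature. The `jti` claim, the message format and the function names are assumptions for this example.

```python
class RevocationList:
    """CRL-style revocation for self-contained tokens: each μService keeps a
    local copy of revoked token IDs (jti), fed by the Auth Service over the
    messaging middleware. Because tokens are short-lived, an entry only has
    to live until that token's TTL runs out, which keeps the list bounded."""

    def __init__(self):
        self._revoked = {}  # jti -> exp of the revoked token

    def revoke(self, jti: str, exp: float) -> None:
        # Remember the token until it would have expired on its own anyway.
        self._revoked[jti] = max(exp, self._revoked.get(jti, 0))

    def apply_event(self, event: dict) -> None:
        # Consume one revocation message as published on logout
        # (constructed format: {"jti": ..., "exp": ...}).
        self.revoke(event["jti"], event["exp"])

    def is_revoked(self, jti: str, now: float) -> bool:
        exp = self._revoked.get(jti)
        return exp is not None and now < exp

    def prune(self, now: float) -> int:
        # Drop entries whose tokens have expired: the TTL check rejects them
        # regardless, so the list never grows beyond one TTL window.
        stale = [jti for jti, exp in self._revoked.items() if now >= exp]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)

def accept_token(claims: dict, revoked: RevocationList, now: float) -> bool:
    """Service-side admission after signature verification: TTL first, then
    the local revocation list. A token without a jti cannot be revoked
    individually, so it is refused outright."""
    if "exp" not in claims or "jti" not in claims or now >= claims["exp"]:
        return False
    return not revoked.is_revoked(claims["jti"], now)
```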
![Page 48: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/48.jpg)
Client-side tokens

| Criterion | Assessment | Verdict |
|---|---|---|
| Security | Potentially exposing User IDs | ! |
| Secret sharing | Depends on signature algorithm | ! |
| Statelessness | Completely stateless | ✔ |
| SPOF @ service switch | None | ✔ |
| Bottlenecks | None | ✔ |
| Transparent | Yes | ✔ |
| Logout | Complex* (for server-side) | ! |
| Technologies | JWT, OpenID Connect | ✔ |
| Integration | Good library support | ✔ |
| Implementation | Simple | ✔ |
![Page 49: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/49.jpg)
4. Client-side tokens + API Gateway
![Page 50: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/50.jpg)
Client-side tokens + API Gateway
1. User requests access
2. Not authenticated
3. User authenticates with Auth Server
4. Authentication successful
   a. Set ID token on the client side
      i. Self-contained
      ii. Signed
      iii. TTL
5. API Gateway translates to opaque token
6. API Gateway resolves to ID token
7. Services understand ID token
   a. Can parse user ID
   b. Can verify token
      i. Check signature
      ii. Check TTL
![Page 51: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/51.jpg)
API Gateways
● Proxying all user-facing communication
● Fairly simple
● Needs data store (for this use-case)
● Not a distributed session
  ○ μServices don’t interact with token store
  ○ μServices are not API Gateway-aware
● Logout
  ○ Revoke tokens in API Gateway’s token store
![Page 52: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/52.jpg)
Client-side tokens + API Gateway

| Criterion | Assessment | Verdict |
|---|---|---|
| Security | Opaque, rotatable Session ID | ✔ |
| Secret sharing | Depends on signature algorithm | ! |
| Statelessness | Some state held in API GW | ! |
| SPOF @ service switch | None | ✔ |
| Bottlenecks | API Gateway | ! |
| Transparent | Yes | ✔ |
| Logout | Trivial | ✔ |
| Technologies | JWT, nginx, distributed DB, Kong | ! |
| Integration | Good library support | ✔ |
| Implementation | Fairly high complexity | ✘ |
![Page 53: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/53.jpg)
Summary
![Page 54: Authentication in microservice systems](https://reader030.vdocuments.us/reader030/viewer/2022020314/587176ce1a28ab230b8b5215/html5/thumbnails/54.jpg)
| Criterion | SSO | Distributed Session | JWT | API GW |
|---|---|---|---|---|
| Security | ✔ | ✔ | ! | ✔ |
| Secret sharing | ✔ | ✘ | ! | ! |
| Statelessness | ✘ | ✔ | ✔ | ! |
| SPOF @ service switch | ✘ | ! | ✔ | ✔ |
| Bottlenecks | ! | ✘ | ✔ | ! |
| Transparent | ✔ | ✔ | ✔ | ✔ |
| Logout | ✘ | ✔ | ! | ✔ |
| Technologies | ✔ | ✘ | ✔ | ! |
| Integration | ✔ | ✘ | ✔ | ✔ |
| Implementation | ✘ | ! | ✔ | ✘ |