![Page 1: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/1.jpg)
Authorization and Authentication in Microservice Environments
Bernd Schönbach
![Page 2: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/2.jpg)
Overview
Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Introduction
• What’s the problem anyway?
• And how exactly do JSON Web Tokens help here?
• What are JSON Web Tokens?
• Some examples
• Mind the gap
• JWS vs. JWE
![Page 3: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/3.jpg)
Introduction
![Page 4: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/4.jpg)
LeanIX helps companies to manage and optimize their IT Architecture
Current IT Architecture:
• Missing information (e.g. interfaces, technologies)
• Hard to introduce new products & sales channels
• High costs and risks
Create Transparency:
• Import existing data into LeanIX (via Excel or API)
• Invite experts to share their knowledge
Optimize IT Architecture:
• Use best-practice reports to identify issues
• Define target architecture and roadmaps
![Page 5: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/5.jpg)
LeanIX is a web-based platform to capture and share knowledge about IT
IT Inventory:
• Fact Sheets & Tagging
• Context-based Search
• API, Import & Export
Collaboration Platform:
• Comments & Threads
• Activity Stream & Notifications
• Subscriptions
Interactive Reporting:
• Print & Export (PDF)
• Best Practice Reports
• Interactive Adaption
![Page 6: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/6.jpg)
What’s the problem anyway?
![Page 7: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/7.jpg)
![Page 8: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/8.jpg)
![Page 9: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/9.jpg)
![Page 10: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/10.jpg)
![Page 11: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/11.jpg)
And how exactly do JWTs help here?
![Page 12: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/12.jpg)
Typical Auth Flow
Participants: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3
1. UI → Auth Service: Login
2. Auth Service → UI: Return OAuth Token
3. UI → Microservice 1/2/3: Send Requests with Token
4. Each Microservice → Auth Service: Check OAuth Validity (every microservice has to call back to the Auth Service for every request)
![Page 13: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/13.jpg)
And now with JWT
Participants: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3
1. UI → Auth Service: Login
2. Auth Service → UI: Return JWT
3. UI → Microservice 1/2/3: Send Requests with Token
4. Each Microservice: Check Token Validity locally (no call back to the Auth Service)
![Page 14: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/14.jpg)
What are JSON Web Tokens?
![Page 15: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/15.jpg)
What are JSON Web Tokens (JWT)?
RFC 7519: “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”
![Page 16: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/16.jpg)
![Page 17: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/17.jpg)
What are JSON Web Tokens (JWT)?
Two types:
• JSON Web Signature (JWS)
• JSON Web Encryption (JWE)
![Page 18: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/18.jpg)
JSON Web Signature (RFC 7515)
Three parts:
1. Header
2. Payload (Claims)
3. Signature
![Page 19: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/19.jpg)
JWS - Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Recommended values for alg:
• HS256 (HMAC with SHA-256, a shared secret)
• RS256 (RSA signature with SHA-256)
• ES256 (ECDSA with P-256 and SHA-256)
Special case:
• none: an unsecured JWS with an empty signature part. A verifier that expects a signed token must reject it.
![Page 20: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/20.jpg)
JWS - Payload
• Main information part
• Contains claims such as:
  - Issuer (iss)
  - Expiration time (exp)
  - Subject (sub)
  - Features
  - Permissions
  - …
{
  "iss": "auth-service-1",
  "name": "John Doe",
  "admin": true,
  "exp": 1487325600
}
Put as little information as possible into the token to keep it small! Note that the payload is only base64url-encoded, not encrypted: anyone holding the token can read it.
![Page 21: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/21.jpg)
JWS - Signature
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
• Authenticates the origin and the integrity of the JWS: any change to header or payload invalidates the signature
• The signature covers both the header and the payload (the signing input is "header.payload")
![Page 22: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/22.jpg)
JWS Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "admin": true }
Signature: HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
![Page 23: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/23.jpg)
JSON Web Encryption (RFC 7516)
Five parts (JWE):
1. Protected Header
2. Encrypted Key
3. Initialization Vector
4. Ciphertext
5. Authentication Tag
![Page 24: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/24.jpg)
JWE Protected Header
• Basically the same as the JWS header, with some tweaks
• Two additional keys:
  - enc -> content encryption algorithm (encrypts the payload)
  - zip -> compression algorithm (optional, applied to the plaintext before encryption)
• "alg" now describes the algorithm used to encrypt the Content Encryption Key (CEK)
• "none" is no longer allowed
{
  "alg": "RSA-OAEP",
  "enc": "A256GCM",
  "typ": "JWT"
}
![Page 25: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/25.jpg)
JWE Protected Header
• The content encryption algorithm (enc) is an AEAD algorithm
  - Authenticated Encryption with Associated Data
  - “AEAD algorithms accept two inputs, the plaintext and the Additional Authenticated Data (AAD) value, and produce two outputs, the cipher text and the Authentication Tag value.” (RFC 7516)
• In the compact serialization the AAD is the base64url-encoded JWE Protected Header (its ASCII bytes, not the decoded JSON), so the header is integrity-protected even though it is not encrypted
![Page 26: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/26.jpg)
JWE Encrypted Key
• The encrypted Content Encryption Key (CEK)
• CEK = symmetric key used to encrypt the plaintext
• The CEK is used to produce the ciphertext and the Authentication Tag
• The CEK itself is encrypted with the "alg" algorithm (e.g. with the recipient's RSA public key for RSA-OAEP)
![Page 27: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/27.jpg)
JWE Initialization Vector
• A random value (a nonce) that is an input to the content encryption algorithm
• Ensures that the same content encrypts to a different ciphertext each time
• Must never be reused with the same key: for AES-GCM a repeated IV breaks both confidentiality and integrity
• May be left empty if the enc algorithm does not use an IV
![Page 28: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/28.jpg)
JWE Ciphertext
• Plays basically the same role as the payload in JWS
• Encrypted with the enc algorithm
• The encryption uses the CEK and the Initialization Vector
• The plaintext need not be JSON; it can be any content (for a JWT it is the claims set, or a nested JWS)
![Page 29: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/29.jpg)
JWE Authentication Tag
• Also an output of the enc algorithm
• Ensures the integrity of the ciphertext
• Ensures the integrity of the Additional Authenticated Data (the protected header)
![Page 30: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/30.jpg)
JWE
Again all parts are base64url-encoded and concatenated with dots:
BASE64URL(UTF8(JWE Protected Header)) .
BASE64URL(JWE Encrypted Key) .
BASE64URL(JWE Initialization Vector) .
BASE64URL(JWE Ciphertext) .
BASE64URL(JWE Authentication Tag)
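As an added example (not from the slides), a Python parser for the compact serialization just shown. It splits the five parts, rejects a protected header whose alg or enc is not on an allow-list (so "none" never gets through), checks that the IV and Authentication Tag have the lengths the enc algorithm requires, and computes the AAD exactly as a JWE consumer must: the ASCII bytes of the base64url-encoded protected header, not the decoded JSON. It does not decrypt; that needs an AEAD implementation such as the `cryptography` package. The allow-lists are the author's choice for illustration, and the sample token is constructed: random bytes stand in for the encrypted key, IV, ciphertext and tag.

```python
"""Structural checks on a JWE in compact serialization (RFC 7516 section 3.1).

Added example, not code from the slides. Parsing only: nothing is decrypted.
The allow-lists and the sample token below are constructed for illustration.
"""
import base64
import json
import os
from dataclasses import dataclass

# Key-management algorithms this consumer accepts. "none" is not a JWE
# algorithm and must never appear here.
ALLOWED_ALG = {"RSA-OAEP", "RSA-OAEP-256", "A256KW", "dir"}
# Content-encryption algorithms -> (IV length, tag length) in bytes, RFC 7518.
ALLOWED_ENC = {
    "A128GCM": (12, 16),
    "A256GCM": (12, 16),
    "A128CBC-HS256": (16, 16),
    "A256CBC-HS512": (16, 32),
}


class InvalidJWE(Exception):
    pass


@dataclass
class JWEParts:
    protected_header: dict
    encrypted_key: bytes
    iv: bytes
    ciphertext: bytes
    tag: bytes
    aad: bytes  # what the AEAD must authenticate alongside the ciphertext


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwe(token: str) -> JWEParts:
    """Split and validate the five parts; raise InvalidJWE on anything a
    decryptor should refuse to touch."""
    segments = token.split(".")
    if len(segments) != 5:
        raise InvalidJWE(f"JWE compact serialization needs 5 parts, got {len(segments)}")
    hdr_b64, key_b64, iv_b64, ct_b64, tag_b64 = segments
    try:
        header = json.loads(b64url_decode(hdr_b64))
    except ValueError as e:  # covers bad base64 and bad JSON/UTF-8
        raise InvalidJWE(f"protected header is not valid JSON: {e}")
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in ALLOWED_ALG:
        raise InvalidJWE(f"alg {alg!r} not allowed")
    if enc not in ALLOWED_ENC:
        raise InvalidJWE(f"enc {enc!r} not allowed")
    if header.get("zip", "DEF") != "DEF":
        raise InvalidJWE(f"unknown zip {header['zip']!r}")
    iv_len, tag_len = ALLOWED_ENC[enc]
    iv, tag = b64url_decode(iv_b64), b64url_decode(tag_b64)
    if len(iv) != iv_len:
        raise InvalidJWE(f"{enc} needs a {iv_len}-byte IV, got {len(iv)}")
    if len(tag) != tag_len:
        raise InvalidJWE(f"{enc} needs a {tag_len}-byte tag, got {len(tag)}")
    encrypted_key = b64url_decode(key_b64)
    # With direct encryption ("dir") the CEK is shared out of band, so the
    # second part must be empty; with any other alg it carries the wrapped CEK.
    if (alg == "dir") != (len(encrypted_key) == 0):
        raise InvalidJWE("encrypted key presence does not match alg")
    # RFC 7516 section 5.1 step 14: AAD = ASCII(BASE64URL(UTF8(header))),
    # i.e. the encoded text as it appears in the token.
    return JWEParts(header, encrypted_key, iv, b64url_decode(ct_b64), tag,
                    hdr_b64.encode("ascii"))


def build_sample_jwe(alg: str = "RSA-OAEP", enc: str = "A256GCM") -> str:
    """Constructed sample for exercising the parser: random bytes stand in
    for the wrapped CEK, IV, ciphertext and tag. Nothing is encrypted."""
    iv_len, tag_len = ALLOWED_ENC[enc]
    header = json.dumps({"alg": alg, "enc": enc}, separators=(",", ":")).encode("utf-8")
    wrapped_key = b"" if alg == "dir" else os.urandom(256)  # 2048-bit RSA output size
    parts = [header, wrapped_key, os.urandom(iv_len), os.urandom(40), os.urandom(tag_len)]
    return ".".join(b64url_encode(p) for p in parts)


if __name__ == "__main__":
    parts = parse_jwe(build_sample_jwe())
    print(parts.protected_header, parts.aad)
```

The AAD the parser returns for the `{"alg":"RSA-OAEP","enc":"A256GCM"}` header is the same byte string RFC 7516 Appendix A.1 uses, which is why a decryptor that authenticates the decoded JSON instead of the encoded header fails on every valid token.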
![Page 31: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/31.jpg)
Some examples
![Page 32: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/32.jpg)
JWS creation in Java
```java
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

// Issue a JWS with jjwt, signed with the Auth Service's RSA private key (RS256)
public String createJwt(User loggedInUser) {
    JwtBuilder builder = Jwts.builder()
        .setSubject(loggedInUser.getUsername())
        .claim("payload", loggedInUser.getPayload())
        .setId(loggedInUser.getId())
        .setExpiration(calculateExpirationTime());
    return builder.signWith(SignatureAlgorithm.RS256, privateKey).compact();
}
```
![Page 33: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/33.jpg)
JWS checking in Java
```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;

// Verify a JWS with jjwt: parseClaimsJws() checks the signature against the
// configured public key and throws if it does not match or the token is expired
Claims claims = Jwts.parser()
    .setSigningKey(publicKey)
    .parseClaimsJws(accessTokenString)
    .getBody();
```
Important side note:
- Ensure the check always uses the algorithm you expect; never let the token's own alg header choose how it is verified
- An "alg": "none" header must not lead to an unchecked token when a signed token is expected!
- Likewise, a token whose header says HS256 must not be verified with the RSA public key used as the HMAC secret (public keys are public)
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
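The signature computation from the JWS - Signature slide and the verification rules in the side note above, as one added example in Python that is not from the slides or from jjwt. It uses only the standard library and implements HS256; the secret, the claims and the clock values are constructed, and the assumption that the slide's example token is the jwt.io demo token (secret `secret`) is marked as such in the code. The verifier hard-codes the expected algorithm, so a token whose header says "alg": "none" (or anything other than HS256) is rejected before its signature is even looked at, which is the failure mode the linked Auth0 article describes. RS256, as used by the Java code above, keeps the same "header.payload" signing input and replaces the HMAC with an RSA signature.

```python
"""Issue and verify an HS256 JWS with the standard library only.

Added example, not code from the slides or from jjwt. SECRET and the claims are
constructed. Only HS256 is implemented; RS256/ES256 use the same
"header.payload" signing input with an asymmetric signature instead of the HMAC.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret; use at least 256 random bits in a real deployment.
# Assumption: the slide's token is the jwt.io demo token, whose secret was
# b"secret", so this value reproduces it.
SECRET = b"secret"
EXPECTED_ALG = "HS256"  # fixed by the verifier, never read from the token


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj: dict) -> bytes:
    # No whitespace, so the segments match the slide's example exactly.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def create_jws(claims: dict, key: bytes) -> str:
    """header.payload.signature with signature = HMAC-SHA256(header.payload)."""
    header_b64 = b64url_encode(_compact_json({"alg": EXPECTED_ALG, "typ": "JWT"}))
    payload_b64 = b64url_encode(_compact_json(claims))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return f"{header_b64}.{payload_b64}.{b64url_encode(hs256(signing_input, key))}"


def verify_jws(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims only if the token is a well-formed, correctly signed,
    unexpired HS256 JWS. The algorithm check comes first: a header saying
    "alg":"none" never reaches the signature step, let alone the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("JWS compact serialization needs exactly 3 parts")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError as e:  # bad base64 or bad JSON
        raise InvalidToken(f"malformed token: {e}")
    if header.get("alg") != EXPECTED_ALG:
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hs256(f"{header_b64}.{payload_b64}".encode("ascii"), key)
    # Constant-time comparison; a plain == leaks how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


if __name__ == "__main__":
    token = create_jws({"sub": "1234567890", "name": "John Doe", "admin": True}, SECRET)
    print(token)
    print(verify_jws(token, SECRET))
```

Two details matter beyond the structure: the signature comparison uses `hmac.compare_digest`, and the exp check is done by the same function that checks the signature, so a caller cannot accidentally read claims from a token that failed either test.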
![Page 34: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/34.jpg)
JWS Usage in Java with Dropwizard
Adapt the Authenticator class:
```java
// Dropwizard Authenticator: turn the bearer token into a User principal,
// or Optional.absent() (Guava Optional) if no token was sent
@Override
public Optional<User> authenticate(String accessToken) {
    if (accessToken == null) {
        return Optional.absent();
    }
    OAuth2Token token = this.parser.parse(accessToken);
    return Optional.fromNullable((User) token.getPrincipal());
}
```
Use the @Auth annotation on resource methods:
```java
public Response getX(@Auth @ApiParam(access = "internal") User user) {
    // […]
}
```
![Page 35: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/35.jpg)
JWS example
Live Presentation
![Page 36: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/36.jpg)
JWS libraries
Libraries exist for nearly every programming language:
• .NET
• Python
• Node.js
• Java
• JavaScript
• Perl
• Ruby
• Elixir
• Go
• Haskell
• Rust
• Lua
• Scala
• D
• Clojure
• Objective C
• Swift
• C
• Kdb+/Q
• Delphi
• PHP
• Crystal
• …
![Page 37: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/37.jpg)
Mind the gap
![Page 38: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/38.jpg)
Don'ts:
• Never ever send passwords in a JWT
• And no password hashes either: you cannot control where the JWT ends up
• Don't verify token validity by calling the Auth Service; that re-introduces the coupling the JWT was meant to remove
Dos:
• Always verify the token signature (and the exp claim) before trusting any claim in it
• Put as few claims in as possible, but at least enough to avoid calls to other services
• Keep the expiration short: a token that is verified locally cannot be revoked before it expires
![Page 39: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/39.jpg)
Back to JWS vs JWE
![Page 40: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/40.jpg)
JSON Web Encryption (JWE)
Pros:
• Nothing in the token is readable by the user (or by anyone intercepting it)
• You can therefore put classified information into the token
• Only one key is needed, which can be distributed easily
Cons:
• That key has to be distributed to all services
• The attack surface increases: every service holding the key is a place it can be stolen from
![Page 41: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/41.jpg)
JSON Web Encryption (JWE)
In this setup the same Private Key is present at the Auth Service and at Microservice 1, Microservice 2 and Microservice 3.
![Page 42: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/42.jpg)
JSON Web Signature (JWS)
Pros:
• Everything in the token is readable by the user
• Only the public key needs to be distributed
• Only the Auth Service (the holder of the private key) needs high protection
• If the private key is compromised, exchange it there and distribute the new public key
Cons:
• Everything in the token is readable by the user, so nothing confidential can go into it
![Page 43: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/43.jpg)
JSON Web Signature (JWS)
Auth Service: holds the Private Key. Microservice 1, Microservice 2 and Microservice 3: hold only the Public Key.
![Page 44: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/44.jpg)
Conclusion
![Page 45: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/45.jpg)
Conclusion
• JWTs allow microservices to stay loosely coupled: no call back to the Auth Service per request
• Secure transfer of authorization and authentication claims
• Further applications exist in single sign-on contexts
• Easy to implement thanks to library availability
![Page 46: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/46.jpg)
Thanks (and yes, we are hiring)
https://www.leanix.net/en/jobs
![Page 47: Authorization and Authentication in Microservice Environments](https://reader035.vdocuments.us/reader035/viewer/2022081513/58a93e6a1a28ab991c8b4965/html5/thumbnails/47.jpg)
Sources
• RFC 7519 (JWT): https://tools.ietf.org/html/rfc7519
• RFC 7518 (JWA, the algorithms used in JWS and JWE): https://tools.ietf.org/html/rfc7518
• https://jwt.io/
• https://www.leanix.net/
• Devil Smiley, CC BY 4.0: https://www.creativetail.com
• Further articles on JWT:
  - https://blog.codecentric.de/2016/11/json-web-token-jwt-im-detail/
  - https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3