complex architectures for authentication and authorization on aws · 2019-09-15 · authentication...
TRANSCRIPT
Page 1
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov, Director Platform Engineering @ Sixt, @nathariel
September 2019
Page 2
Our Focus Today
[Diagram: Service, ?, Authenticate & Authorize]
• Key patterns for authentication and authorization
  - Client to service
  - Service to service
  - Service to Infra
• Focusing on the application and more complex microservices environments
Page 3
Our Focus Today
[Diagram: Authenticate & Authorize between a client and a Service, between Services, and between Services and the IdP]
Page 4
Before we begin: The Foundations
OIDC (OpenID Connect): a protocol for authentication built on top of OAuth 2.0
OAuth 2.0: a protocol for authorization
Page 5
Before we begin: AWS Cognito
[Diagram: AWS Cognito User Pools federate with identity providers (Social Identity Providers and Other Identity Providers via SAML/OIDC); AWS Cognito Federated Identities federate with the user pool and authorize access to AWS services such as S3 and EC2]
Page 6
Tip #1: If you are starting a new project on AWS involving auth and you need an IdP, use Cognito
Page 7
Client to service auth
Page 8
Auth primer
[Diagram: Mobile Client, Amazon API Gateway with a Custom Authorizer, Amazon Cognito, Auth Service, Service]
1. Authenticate via credentials
2. Receive JWT
3. Invoke API with JWT
4. Validate JWT
5. Return validity
6a. Check token scope
6b. Invoke custom auth function
7. Forward request
Page 9
We live in a complex world…
[Diagram: many services, each with its own auth, behind Amazon API Gateway, an Elastic Load Balancer and On-Prem auth, with Amazon Cognito]
![Page 10: Complex architectures for authentication and authorization on AWS · 2019-09-15 · authentication and authorization on AWS BoyanDimitrov Director Platform Engineering @ Sixt @nathariel](https://reader034.vdocuments.us/reader034/viewer/2022042611/5f3a6f30f76c8a535e54c397/html5/thumbnails/10.jpg)
• I already have a / multiple IdPs, how to integrate all of that ?
• Where do we do authentication & token validation in a heterogeneous environment with various ingress points ?
• How do we do authorization and on what level ?
• What about service to service auth?
• What about infrastructure auth ?
Auth challenges in complex architectures
Page 11
Tip #2: Consider IdP federation to simplify your problem
Page 12
Authentication: Common Identity Format
[Diagram: identity providers (SAML/OIDC) federate into Amazon Cognito at the External Perimeter; services inside the Internal Perimeter authenticate callers with a Standard Access Token]
Page 13
Define your authorization strategy
ACL, MAC, DAC, RBAC, ADAC, PBAC, …
Page 14
Tip #3: If authorization requirements are unclear, start with RBAC and complicate as needed
ACL, MAC, DAC, RBAC, ADAC, PBAC, …
Page 15
RBAC Authorization Primer
[Diagram: as on Page 12, with Amazon API Gateway in front of the services]
Token claims: {"name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], …}
If role == "finance_controller" ...
Page 16
Tip #4: Do not embed volatile business roles into your applications – implement access controls around service capabilities instead
Page 17
Delegate auth to a central auth service
User Service API contract:
POST /users
GET /users/<id>
PUT /users/<id>
DELETE /users/<id>
Associated permissions:
users:create:any
users:read:any
users:read:own
users:update:any
users:update:own
users:delete:own
users:delete:any
Token claims: {"name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], "user_id": 343242, …}
Request: GET /users/343242
Auth Service, role to permission: finance_controller -> users:read:own
Authorised?
Page 18
Centralised Auth Service
[Diagram: User Service calling the Auth Service]
Advantages
• Externalised auth decisions and business roles management
• Easier to manage and change
• Single source of truth
Disadvantages
• Another synchronous dependency
• Additional latency
• Single point of failure?
• Manual effort in keeping permissions up to date
Page 19
Centralised Auth Service Optimisations: automate permission discovery
[Diagram: User Service registering with the Auth Service]
Associated permissions: users:create:any, users:read:any, users:read:own, users:update:any, users:update:own, users:delete:own, users:delete:any
Register permissions on startup. Service:Permissions map:
com.x.service.user users:create:any
com.x.service.user users:read:any
com.x.service.user users:read:own
com.x.service.user users:update:any
com.x.service.user users:update:own
com.x.service.user users:delete:own
com.x.service.user users:delete:any
Page 20
Centralised Auth Service Optimisations: caching associated roles
[Diagram: User Service and Auth Service]
Associated permissions: users:create:any, users:read:any, users:read:own, users:update:any, users:update:own, users:delete:own, users:delete:any
Role to permission: finance_controller -> com.x.service.user users:read:own
Page 21
Centralised Auth Service Optimisations: caching associated roles
[Diagram: User Service and Auth Service]
Associated permissions and roles (cached in the User Service):
users:create:any
users:read:any
finance_controller -> users:read:own
users:update:any
users:update:all
users:delete:own
users:delete:any
Auth Service, role to permission: finance_controller ALLOW com.x.service.user users:read:own
1. On startup, the User Service caches the relevant roles for its permissions
2. Receive live updates during runtime
Page 22
Centralised Auth Service Optimisations: caching auth result
[Diagram: User Service and Auth Service]
Associated permissions: users:create:any, users:read:any, users:read:own, users:update:any, users:update:all, users:delete:own, users:delete:any
Token claims: {"name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], "user_id": 343242, "jti": "21312e1d123", …}
Page 23
Centralised Auth Service Optimisations: caching auth result
[Diagram: User Service and Auth Service]
1. Authorize operation
2. Cache authorization response with TTL
Permissions and cached policy result (in the User Service):
users:create:any
users:read:any
21312e1d123 -> users:read:own
users:update:any
users:update:all
users:delete:own
users:delete:any
Token claims: {"name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], "user_id": 343242, "jti": "21312e1d123", …}
Page 24
Bonus: Local token validation
[Diagram: User Service fetching the key set from Amazon Cognito]
Cache the access token JWK for local validation
Token: {"name": "John Doe", "email": "john.doe@foo.com", "roles": ["finance_controller"], …, "kid": "5689example"}
JWK set: {"keys": [{"kid": "5689example", "alg": "RS256"}, {…}]}
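Step 4 of the auth primer (Page 8) and the local validation slide above both come down to checking the JWT against the IdP's cached key set. The following is an added example, not code from the talk: it selects the key by the token header's kid from a cached JWKS, pins the algorithm to the key's rather than the token's, verifies the signature, and checks exp and iss. The issuer and the key are assumptions; an HS256 ("oct") key is used so it runs with the Python standard library, whereas Cognito signs with RSA keys.

```python
import base64, hashlib, hmac, json, time

# Constructed JWK set standing in for the cached Cognito document; the "kid" mirrors the slide.
# An "oct"/HS256 key keeps this runnable with the standard library alone; Cognito's real keys
# are RSA ("kty": "RSA", "alg": "RS256"), so swap the HMAC check for an RSA verifier there.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
JWKS_CACHE = {"keys": [{"kid": "5689example", "kty": "oct", "alg": "HS256",
                        "k": base64.urlsafe_b64encode(DEMO_KEY).rstrip(b"=").decode()}]}
# Hypothetical issuer; the real one is https://cognito-idp.<region>.amazonaws.com/<userPoolId>
EXPECTED_ISS = "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def find_key(kid):
    """Select the signing key by the header's kid from the cached JWKS (refresh the cache on a miss)."""
    for key in JWKS_CACHE["keys"]:
        if key["kid"] == kid:
            return key
    raise ValueError("unknown kid")

def validate_token(token, now=None):
    """Return the verified claims or raise ValueError. The key's alg is trusted, never the token's."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    key = find_key(header.get("kid", ""))
    if header.get("alg") != key["alg"]:
        raise ValueError("alg mismatch")  # rejects alg=none and key-confusion tokens
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    # Production: also pin the audience ("aud" on ID tokens, "client_id" on Cognito access tokens).
    return claims

def mint_demo_token(claims, kid="5689example", alg=None):
    """Constructed stand-in for the IdP so the example runs offline; alg is overridable for tests."""
    key = find_key(kid)
    h64 = b64url_encode(json.dumps({"alg": alg or key["alg"], "kid": kid, "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"
```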
Page 25
Authorization
[Diagram: as on Page 12, with an Auth Service; the services perform "Decentralised" authorisation]
Page 26
Centralised Auth Service
[Diagram: User Service calling the Auth Service]
Advantages
• Externalised auth decisions and business roles management
• Easier to manage and change
• Single source of truth
• Decentralised token validation and auth
Disadvantages
• Another synchronous dependency
• Additional latency
• Single point of failure?
• Manual effort in keeping permissions up to date
Page 27
DEMO
Page 28
Demo Architecture
[Diagram: Amazon Cognito User Pool, Auth Service, Hello World Service, Demo Webapp, Admin Webapp; arrows labelled "Register a user & Authenticate", "Authorize hello request", "Fetch IdP JWK", "Manage Permissions"]
• Automated permission registration
• Auth rules caching
• Decentralised authorization
• Local token validation
Page 29
So far we covered…
[Diagram: as on Page 3]
Page 30
Service 2 Service Auth
Page 31
Why do we need S2S Auth?
• Authorize service calls without user context (batch jobs, async operations, ...)
• Protect applications that store sensitive information from internal actors too
• Multi-tenant environments
Page 32
Service to service auth
[Diagram: User Service, Amazon Cognito, Auth Service, Email Service]
1. Auth using creds
2. Get an identity: {"service": "com.x.service.user", …}
3. Send identity token with requests
Auth Service, service to permission: com.x.service.user ALLOW com.x.service.email email:send:any
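The role grant of the RBAC slides (Pages 17 to 23) and the service grant on this slide are evaluated by the same rule, so one added example (not the talk's code) covers both: a toy auth service with startup permission registration, grants in the slides' ALLOW form, own/any evaluation against the token's user_id, and a per-jti decision cache with a TTL. Service names and token claims follow the slides; the class and method names are assumptions.

```python
import time

class AuthService:
    def __init__(self, cache_ttl=60):
        self.registered = {}  # service -> {permission}, filled by each service on startup
        self.grants = {}      # principal (business role or calling service) -> {(service, permission)}
        self.cache = {}       # (jti, service, resource, action, owner) -> (decision, expires_at)
        self.cache_ttl = cache_ttl

    def register_permissions(self, service, permissions):
        """Automated permission discovery: the service declares what can be asked of it."""
        self.registered.setdefault(service, set()).update(permissions)

    def allow(self, principal, service, permission):
        """'<principal> ALLOW <service> <permission>'; only registered permissions are grantable."""
        if permission not in self.registered.get(service, ()):
            raise ValueError(f"{service} has not registered {permission}")
        self.grants.setdefault(principal, set()).add((service, permission))

    def decide(self, token, service, resource, action, owner=None):
        """Uncached decision: ':any' always matches, ':own' only if the caller owns the resource."""
        principals = list(token.get("roles", []))
        if "service" in token:  # S2S identity token such as {"service": "com.x.service.user"}
            principals.append(token["service"])
        for principal in principals:
            held = self.grants.get(principal, set())
            if (service, f"{resource}:{action}:any") in held:
                return True
            if owner is not None and (service, f"{resource}:{action}:own") in held and owner == token.get("user_id"):
                return True
        return False

    def authorize(self, token, service, resource, action, owner=None, now=None):
        """Decision cached per token (jti) and request: a revoked grant stays in effect until the TTL
        expires unless the cache is purged, which is what the slides' live updates are for."""
        now = time.time() if now is None else now
        key = (token.get("jti"), service, resource, action, owner)
        hit = self.cache.get(key)
        if key[0] is not None and hit is not None and hit[1] > now:
            return hit[0]
        decision = self.decide(token, service, resource, action, owner)
        if key[0] is not None:
            self.cache[key] = (decision, now + self.cache_ttl)
        return decision

USER_SVC, EMAIL_SVC = "com.x.service.user", "com.x.service.email"

def build_demo():
    """Wires up the slides' data: user-service permissions, the finance_controller role, one S2S grant."""
    auth = AuthService(cache_ttl=60)
    auth.register_permissions(USER_SVC, {"users:create:any", "users:read:any", "users:read:own",
        "users:update:any", "users:update:own", "users:delete:any", "users:delete:own"})
    auth.register_permissions(EMAIL_SVC, {"email:send:any"})
    auth.allow("finance_controller", USER_SVC, "users:read:own")
    auth.allow(USER_SVC, EMAIL_SVC, "email:send:any")
    return auth

# Constructed tokens carrying the claims shown on the slides.
JOHN = {"name": "John Doe", "roles": ["finance_controller"], "user_id": 343242, "jti": "21312e1d123"}
USER_SERVICE_TOKEN = {"service": USER_SVC, "jti": "svc-jti-1"}
```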
Page 33
Tip #5: Give identity to your applications and automate the credential management!
Page 34
Client 2 Service and Service 2 Service Auth
[Diagram: as on Page 25, with S3 and a "?" next to it]
Page 35
(AWS) Infra Auth
Page 36
Cognito Federated Identities to the rescue
[Diagram: User Service, Amazon Cognito User Pool, Amazon Cognito Identity Federation]
1. Get Identity Token
2. Exchange Token for IAM Creds
3. Access AWS Services
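Steps 2 and 3 above as an added example written against boto3 (not the talk's demo code): it derives the Logins map key from the token's issuer, exchanges the user pool token for temporary IAM credentials, and builds an S3 client from them. The identity pool id, region and user pool id are placeholders; only the two pure helpers run offline.

```python
import base64, json

# Hypothetical placeholders; a real identity pool id has the form "<region>:<uuid>".
IDENTITY_POOL_ID = "eu-central-1:00000000-0000-0000-0000-000000000000"
REGION = "eu-central-1"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_token(claims):
    """Unsigned, constructed stand-in for a user pool ID token (only its claims are read below)."""
    return b64url(b'{"alg":"RS256"}') + "." + b64url(json.dumps(claims).encode()) + ".sig"

def issuer_of(jwt):
    """Read iss from the token body without verifying it: it only selects the Logins key here,
    and Cognito Identity verifies the token's signature itself during the exchange."""
    body = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))["iss"]

def logins_key_from_issuer(iss):
    """The Logins map is keyed by the user pool issuer without its scheme:
    https://cognito-idp.<region>.amazonaws.com/<poolId> -> cognito-idp.<region>.amazonaws.com/<poolId>"""
    if not iss.startswith("https://cognito-idp."):
        raise ValueError("not a Cognito user pool issuer")
    return iss[len("https://"):]

def exchange_for_iam_creds(id_token):
    """Step 2 of the slide: user pool token -> temporary IAM credentials (needs boto3 and network)."""
    import boto3  # imported lazily so the pure helpers above stay usable offline
    logins = {logins_key_from_issuer(issuer_of(id_token)): id_token}
    ci = boto3.client("cognito-identity", region_name=REGION)
    identity_id = ci.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    return ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]

def s3_client_from(creds):
    """Step 3: use the short-lived credentials; they expire at creds["Expiration"], so
    re-run the exchange instead of caching them beyond that."""
    import boto3
    return boto3.client("s3", region_name=REGION, aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretKey"], aws_session_token=creds["SessionToken"])
```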
Page 37
That's all
[Diagram: as on Page 3]
Page 38
Thank you!