© 2016 ForgeRock. All rights reserved.
An Authentication and
Authorization Architecture
for a Microservices World
David Ferriera, Director – Cloud Technology, Forgerock
david.ferriera@forgerock.com
Presented at SpringOnePlatform 2016
The Identity Layers
Layer (examples): who or what carries an identity at that layer
App/API consumers (browser, REST): users, devices, things, applications, services
Service (API, MySql, Redis, OpenAM): services, external services, applications
Platform (cf push, DevMgr, CI/CD pipeline): developers
System (OpsMgr, BOSH, SSH): operators
Microservices
Pivotal Cloud Foundry
OpenAM: Authorization too
Policies
• Context aware, using environmental attributes
• Rules evaluated in real time by the authorization engine
• Fine grained access control
• Role names might be seen as attributes
PIP (Policy Information Point): where the engine fetches the attributes it evaluates
Attribute Based Access Control (ABAC)
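The slide describes the pieces of attribute based access control without showing one in motion. The following is an added example, not OpenAM's policy engine or policy format: a small policy decision point that pulls subject attributes from a policy information point (PIP), treats role names as ordinary attributes, and evaluates every rule at request time against environmental attributes (source IP, time of day) with deny-overrides combining and default deny. The user store, the corporate network range, the resource names and the policies are constructed for the example.

```python
"""Attribute based access control as sketched on the slide: a policy decision
point pulls subject attributes from a policy information point (PIP), treats
role names as ordinary attributes, and evaluates rules at request time against
environmental attributes (source IP, time of day). Added example, not OpenAM's
policy engine or its policy format; the user store, network range and policies
below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable
import ipaddress

# Constructed PIP backing store; in production this is a directory lookup.
_USER_STORE = {
    "demo":    {"roles": ["payments-reader"], "mfa": True, "status": "active"},
    "alice":   {"roles": ["payments-reader", "payments-admin"], "mfa": True, "status": "active"},
    "mallory": {"roles": ["payments-admin"], "mfa": False, "status": "suspended"},
}

def pip_lookup(subject: str) -> dict:
    """Policy Information Point: attributes for a subject; unknown subjects get an inert profile."""
    return dict(_USER_STORE.get(subject, {"roles": [], "mfa": False, "status": "unknown"}))

@dataclass(frozen=True)
class Request:
    subject: str
    resource: str      # e.g. "payments/ledger"
    action: str        # e.g. "read"
    source_ip: str
    at: datetime

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                   # "permit" or "deny"
    resource_prefixes: tuple                      # which resources the rule covers
    actions: tuple                                # "*" matches any action
    condition: Callable[[dict, dict], bool]       # (subject attrs, environment) -> bool

CORP_NET = ipaddress.ip_network("10.0.0.0/8")     # constructed "inside the building" range

def business_hours(env: dict) -> bool:
    return 8 <= env["at"].hour < 18

# Role names appear only as values of the subject's "roles" attribute.
POLICIES = (
    Rule("inactive-deny", "deny", ("",), ("*",), lambda s, e: s["status"] != "active"),
    Rule("payments-read", "permit", ("payments/",), ("read",),
         lambda s, e: "payments-reader" in s["roles"] and e["ip"] in CORP_NET and business_hours(e)),
    Rule("payments-write", "permit", ("payments/",), ("write",),
         lambda s, e: "payments-admin" in s["roles"] and s["mfa"]),
)

def evaluate(req: Request, policies=POLICIES) -> tuple:
    """Policy decision point with deny-overrides combining and default deny.
    Returns (decision, names of the rules whose target and condition matched)."""
    subject = pip_lookup(req.subject)
    env = {"ip": ipaddress.ip_address(req.source_ip), "at": req.at}
    matched, permitted = [], False
    for rule in policies:
        in_target = req.resource.startswith(rule.resource_prefixes) and \
                    ("*" in rule.actions or req.action in rule.actions)
        if not in_target or not rule.condition(subject, env):
            continue
        matched.append(rule.name)
        if rule.effect == "deny":
            return "deny", matched            # any applicable deny wins
        permitted = True
    return ("permit" if permitted else "deny"), matched

# Constructed timestamps for trying the engine out.
T_DAY = datetime(2016, 8, 2, 10, 0, tzinfo=timezone.utc)
T_NIGHT = datetime(2016, 8, 2, 23, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in (Request("demo", "payments/ledger", "read", "10.1.2.3", T_DAY),
              Request("demo", "payments/ledger", "read", "203.0.113.5", T_DAY),
              Request("alice", "payments/ledger", "write", "10.1.2.3", T_NIGHT),
              Request("mallory", "payments/ledger", "write", "10.1.2.3", T_DAY)):
        print(r.subject, r.action, evaluate(r))
```

The point of the environment dictionary is that the same subject with the same role gets a different answer from outside the corporate range or after hours, which is what "context aware" means in practice; the suspended-user rule shows why deny-overrides matters, since mallory holds the admin role but never reaches the permit rule.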
Protocols
OAuth 2 – RFC 6749:
“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.”
OpenID Connect (OIDC) – OpenID Connect Core 1.0:
“OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.”
OAuth 2 – Bearer Token Usage – RFC 6750:
“This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.”
Tokens: Types/Format
Access Token
• Part of OAuth 2, presented with each request to a protected resource
• Can be opaque or a JWT
• Can be stateful or stateless
• Shorter TTL
Refresh Token
• Part of OAuth 2, received along with the first access token after authentication to the authorization server
• Used to request a new access token from the authorization server without the user's credentials (a confidential client still authenticates to the token endpoint)
• Longer TTL
• Must be stored securely
ID Token
• Part of OIDC
• Contains identity information about the authenticated user
• Received in addition to the two OAuth tokens
• Must be a JWT
• Longer TTL
JSON Web Tokens (JWT)
• Token format specified by OpenID Connect for the ID Token
• Can be signed (JWS) and/or encrypted (JWE); both are part of the JOSE suite
• Usually stateless
Tokens: Performance vs. Security
Stateful
• Sessions stored on the server
• Token is opaque
• Tokens must be validated with the server
• Server handles authorization
• Better logout (revocation takes effect immediately)
Stateless
• Sessions not stored on the server
• Token is self-contained and can be read by whoever holds it
• Tokens validated locally
• Microservice must handle authorization
• Tokens difficult to revoke before TTL

Trade-offs (the left column favours performance, the right column favours security):
                           Performance   Security
State                      Stateless     Stateful
Encrypt JWT body           No            Yes
Validate with auth server  No            Yes
Validate all tokens        No            Yes
TTLs                       Longer        Shorter
Tokens: OpenAM response (stateless tokens)
{
  "access_token": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAic3ViIjogImRlbW8iLCAiYXVkaXRUcmFja2luZ0lkIjogImQ3M2U5MzkwLTUyYWEtNDU5Ni04NzgxLWZkZjFlNTI0YTE0MCIsICJpc3MiOiAiaHR0cDovL2thanZtLmV4YW1wbGUuY29tOjgwODAvb3BlbmFtL29hdXRoMiIsICJ0b2tlbk5hbWUiOiAiYWNjZXNzX3Rva2VuIiwgInRva2VuX3R5cGUiOiAiQmVhcmVyIiwgImF1dGhHcmFudElkIjogIjU4MjhkODczLWU4NmMtNGJhYi05ZTQwLTkwMDFkYjlhYzYyZCIsICJhdWQiOiAiY2xpZW50IiwgIm5iZiI6IDE0Njc3MzU3NjcsICJzY29wZSI6IFsgInNjb3BlIiBdLCAicmVhbG0iOiAiLyIsICJleHAiOiAxNDY3NzM5MzY3LCAiaWF0IjogMTQ2NzczNTc2NywgImV4cGlyZXNfaW4iOiAzNjAwMDAwLCAianRpIjogIjBmMDE2Zjk3LWMwYjItNGIxMi04NjMzLWQwMTQ1Yjk0NDMxYyIgfQ.pq5yJtq1kGi4VaGIMOtusRD2G_f2VJrq2FKx0mhS2rQ",
  "refresh_token": "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAic3ViIjogImRlbW8iLCAiYXVkaXRUcmFja2luZ0lkIjogImQ5ZmYzMGYwLTUxM2ItNDgwMS05ZmNlLTFhYzZlNGFiMTNmMyIsICJpc3MiOiAiaHR0cDovL2thanZtLmV4YW1wbGUuY29tOjgwODAvb3BlbmFtL29hdXRoMiIsICJ0b2tlbk5hbWUiOiAicmVmcmVzaF90b2tlbiIsICJhdXRoTW9kdWxlcyI6ICJEYXRhU3RvcmUiLCAidG9rZW5fdHlwZSI6ICJCZWFyZXIiLCAiYXV0aEdyYW50SWQiOiAiNTgyOGQ4NzMtZTg2Yy00YmFiLTllNDAtOTAwMWRiOWFjNjJkIiwgImF1ZCI6ICJjbGllbnQiLCAibmJmIjogMTQ2NzczNTc2NywgInNjb3BlIjogWyAic2NvcGUiIF0sICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0NjgzNDA1NjcsICJpYXQiOiAxNDY3NzM1NzY3LCAiZXhwaXJlc19pbiI6IDYwNDgwMDAwMCwgImp0aSI6ICI0OWMyMzhkNC1jNmY5LTQzMzMtYTZiMC04YzEzMjNlNGU0MTIiIH0.5TQnJQXqIpW_bG6jbqDX9VdulJByNZmPTvOmI1Ui6c8",
  "scope": "scope",
  "token_type": "Bearer",
  "expires_in": 3599
}
Tokens: Decoded @ jwt.io
(Screenshot of the access token above pasted into jwt.io. Its header is { "typ": "JWT", "alg": "HS256" }; its claims include sub, iss, aud, nbf, iat, exp, scope, realm and jti, plus OpenAM-specific claims such as tokenName and authGrantId.)
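The slide shows the token decoded in a browser tool; the code below, an added example using only the Python standard library and not code from OpenAM or jwt.io, does the same decode and then shows what a stateless microservice must check before trusting such a token. PAGE_ACCESS_TOKEN is the access_token from the OpenAM response above with its line breaks removed; its HS256 secret belongs to OpenAM and is not on the page, so that token is only decoded, never verified. EXAMPLE_KEY, EXAMPLE_ISS, the audience "orders-api" and the minted claims are constructed for the example.

```python
"""Stateless access-token handling for a microservice: decode a JWT locally and,
when the signing key is known, verify it locally with no round trip to OpenAM.
Added example using only the standard library; not OpenAM or jwt.io code.
PAGE_ACCESS_TOKEN is the access_token from the OpenAM response on this page
(line breaks removed). Its HS256 secret is OpenAM's and is not on the page, so
that token is only decoded, not verified. EXAMPLE_KEY, EXAMPLE_ISS and the
claims minted below are constructed for the example."""
import base64, hashlib, hmac, json

PAGE_ACCESS_TOKEN = (
    "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAic3ViIjogImRlbW8iLCAiYXVkaXRUcmFja2luZ0lkIjogImQ3M2U5MzkwLTUyYWEtNDU5"
    "Ni04NzgxLWZkZjFlNTI0YTE0MCIsICJpc3MiOiAiaHR0cDovL2thanZtLmV4YW1wbGUuY29tOjgwODAvb3BlbmFtL29hdXRoMiIsICJ0b2tlbk5hbW"
    "UiOiAiYWNjZXNzX3Rva2VuIiwgInRva2VuX3R5cGUiOiAiQmVhcmVyIiwgImF1dGhHcmFudElkIjogIjU4MjhkODczLWU4NmMtNGJhYi05ZTQwLT"
    "kwMDFkYjlhYzYyZCIsICJhdWQiOiAiY2xpZW50IiwgIm5iZiI6IDE0Njc3MzU3NjcsICJzY29wZSI6IFsgInNjb3BlIiBdLCAicmVhbG0iOiAiLyIsICJleH"
    "AiOiAxNDY3NzM5MzY3LCAiaWF0IjogMTQ2NzczNTc2NywgImV4cGlyZXNfaW4iOiAzNjAwMDAwLCAianRpIjogIjBmMDE2Zjk3LWMwYjItNGIx"
    "Mi04NjMzLWQwMTQ1Yjk0NDMxYyIgfQ.pq5yJtq1kGi4VaGIMOtusRD2G_f2VJrq2FKx0mhS2rQ"
)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """What jwt.io displays: header and claims with the signature NOT checked.
    Fine for inspection and logging; never base an access decision on this."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS the way an HS256 authorization server would."""
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_hs256(token: str, key: bytes, iss: str, aud: str, now: int, leeway: int = 30) -> dict:
    """Local validation a Tier-2 service performs on every request:
    pin the algorithm, check the MAC, then issuer, audience, exp and nbf."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm, not the token: this blocks alg=none
    # and key-confusion attacks where the header names a different algorithm.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != iss:
        raise ValueError("wrong issuer")
    auds = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if aud not in auds:
        raise ValueError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims

EXAMPLE_KEY = b"constructed-shared-secret-not-from-the-page"   # constructed
EXAMPLE_ISS = "https://openam.example.com/openam/oauth2"         # constructed
NOW = 1_467_735_800                                              # constructed clock

def demo() -> dict:
    """Mint a token and exercise the checks; returns the outcome per scenario."""
    good = mint_hs256({"iss": EXAMPLE_ISS, "sub": "demo", "aud": "orders-api", "iat": NOW,
                       "nbf": NOW, "exp": NOW + 3600, "scope": ["orders.read"]}, EXAMPLE_KEY)
    results = {"good": validate_hs256(good, EXAMPLE_KEY, EXAMPLE_ISS, "orders-api", NOW)["sub"]}
    h, p, s = good.split(".")
    # Tampered payload: scope escalated without re-signing.
    p_bad = b64url_encode(json.dumps({**json.loads(b64url_decode(p)), "scope": ["orders.admin"]}).encode())
    # alg=none with the signature stripped.
    none_tok = b64url_encode(b'{"typ":"JWT","alg":"none"}') + "." + p + "."
    for name, tok, key, at in [("tampered", f"{h}.{p_bad}.{s}", EXAMPLE_KEY, NOW),
                               ("alg_none", none_tok, EXAMPLE_KEY, NOW),
                               ("wrong_key", good, b"some-other-key", NOW),
                               ("expired", good, EXAMPLE_KEY, NOW + 3700)]:
        try:
            validate_hs256(tok, key, EXAMPLE_ISS, "orders-api", at)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results

if __name__ == "__main__":
    print(decode_unverified(PAGE_ACCESS_TOKEN))
    print(demo())
```

Two things worth noticing when the page's token is decoded: the header says HS256, so every service that validates it locally must hold the same shared secret as OpenAM, which is why an asymmetric algorithm is the usual choice once more than one service verifies tokens; and the claim set carries expires_in in milliseconds (3600000) while the token response reports 3599 seconds, so a validator should rely on exp, not on expires_in.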
Service to Service: OAuth bearer token - stateful
Participants: mservice-1 (caller), OpenAM (authorization server), mservice-2 (resource)
1. mservice-1 -> OpenAM: Request Token {client credentials}
2. OpenAM -> mservice-1: Response {access token, refresh token, metadata}
3. mservice-1 -> mservice-2: Service Request {access token}
4. mservice-2 -> OpenAM: Token Validation Request {client credentials, access token}
5. OpenAM -> mservice-2: Response {token_expires}
6. mservice-2 -> mservice-1: Response {data payload}
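The exchange on the slide, as an added example rather than OpenAM code: AuthServer stands in for OpenAM, issuing an opaque token for the client credentials grant and answering validation requests in the style of RFC 7662 token introspection (the slide's own OpenAM validation endpoint is not shown on the page); ResourceService is mservice-2. One deliberate departure from the slide is that no refresh token is issued, because RFC 6749 section 4.4.3 says a refresh token should not be included for this grant. Client ids, secrets, the "orders.read" scope and the clock are constructed for the example.

```python
"""The stateful service-to-service exchange from the slide: mservice-1 obtains a
bearer token with the client credentials grant, mservice-2 validates that token
by calling the authorization server on every request and never by reading the
token itself. Added example; AuthServer stands in for OpenAM, with an opaque
token and a validation call modelled on RFC 7662 token introspection. Client
ids, secrets, scopes and the clock are constructed for the example."""
import hashlib, hmac, secrets

class AuthServer:
    """Holds session state: only a hash of each opaque token is stored."""
    def __init__(self, clock):
        self.clock = clock                      # callable returning epoch seconds
        self.clients = {}                       # client_id -> (sha256(secret), allowed scopes)
        self.sessions = {}                      # sha256(token) -> metadata

    def register_client(self, client_id, secret, scopes):
        self.clients[client_id] = (hashlib.sha256(secret.encode()).digest(), set(scopes))

    def _authenticate(self, client_id, secret):
        entry = self.clients.get(client_id)
        return entry is not None and hmac.compare_digest(
            entry[0], hashlib.sha256(secret.encode()).digest())

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def token(self, client_id, secret, scope, ttl=3600):
        """client_credentials grant. RFC 6749 4.4.3: no refresh token for this grant."""
        if not self._authenticate(client_id, secret):
            raise PermissionError("invalid_client")
        if not set(scope.split()) <= self.clients[client_id][1]:
            raise PermissionError("invalid_scope")
        tok = secrets.token_urlsafe(32)         # opaque: no structure, nothing to decode
        self.sessions[self._key(tok)] = {"client_id": client_id, "scope": scope,
                                         "exp": self.clock() + ttl, "active": True}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": ttl}

    def introspect(self, caller_id, caller_secret, token):
        """Token validation request. The resource server authenticates too, so
        arbitrary parties cannot use this endpoint as a token oracle."""
        if not self._authenticate(caller_id, caller_secret):
            raise PermissionError("invalid_client")
        meta = self.sessions.get(self._key(token))
        if meta is None or not meta["active"] or self.clock() >= meta["exp"]:
            return {"active": False}            # unknown, revoked and expired look the same
        return {"active": True, "client_id": meta["client_id"],
                "scope": meta["scope"], "exp": meta["exp"]}

    def revoke(self, client_id, secret, token):
        """The 'better logout' of the stateful model: felt on the very next validation."""
        if not self._authenticate(client_id, secret):
            raise PermissionError("invalid_client")
        meta = self.sessions.get(self._key(token))
        if meta is not None:
            meta["active"] = False

class ResourceService:
    """mservice-2: treats the bearer string as a reference, not as a claim set."""
    def __init__(self, auth, client_id, secret, required_scope):
        self.auth, self.client_id, self.secret = auth, client_id, secret
        self.required_scope = required_scope

    def handle(self, authorization_header):
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.auth.introspect(self.client_id, self.secret, authorization_header[len("Bearer "):])
        if not info["active"]:
            return 401, "invalid_token"
        if self.required_scope not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, {"data": "payload", "caller": info["client_id"]}

def demo():
    """Runs the flow plus the failure cases; returns the outcome per scenario."""
    clock = {"t": 1_467_735_767}                # constructed epoch clock, advanced by hand
    auth = AuthServer(lambda: clock["t"])
    auth.register_client("mservice-1", "s1-secret", ["orders.read"])
    auth.register_client("mservice-2", "s2-secret", [])
    svc2 = ResourceService(auth, "mservice-2", "s2-secret", "orders.read")
    results = {}
    tok = auth.token("mservice-1", "s1-secret", "orders.read")["access_token"]
    results["ok"] = svc2.handle("Bearer " + tok)[0]
    results["forged"] = svc2.handle("Bearer " + tok[:-1] + ("x" if tok[-1] != "x" else "y"))[0]
    auth.revoke("mservice-1", "s1-secret", tok)
    results["revoked"] = svc2.handle("Bearer " + tok)[0]
    short = auth.token("mservice-1", "s1-secret", "orders.read", ttl=60)["access_token"]
    clock["t"] += 61
    results["expired"] = svc2.handle("Bearer " + short)[0]
    try:
        auth.token("mservice-1", "s1-secret", "orders.write")
        results["bad_scope"] = "issued"
    except PermissionError as e:
        results["bad_scope"] = str(e)
    return results

if __name__ == "__main__":
    print(demo())
```

The cost of this model is visible in handle(): every call to mservice-2 costs a call to the authorization server, which is the performance column of the trade-off table above; the benefit is that revoke() is honoured immediately, something the stateless model cannot offer before the token's TTL runs out.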
Microservice Tiers – An Identity View
Tier-1-service: exposed external and internal; consumer and service identities; high level of security
Tier-2-service: internal; consumer and service identities required
Tier-3-service: internal; service identities only
(The diagram shows two services at each tier: Tier-1 calling Tier-2, Tier-2 calling Tier-3.)
Tier 1 and 2 microservices - stateless
Participants: External Consumer, Tier-1 application, OpenAM, Tier-2 service
1. External Consumer -> Tier-1 application: request protected app
2. Tier-1 application -> External Consumer: 302 redirect to the auth server (OpenAM)
3. External Consumer -> OpenAM: {username, password} + consent
4. OpenAM -> External Consumer: 302 redirect back to the application with the auth code
5. External Consumer -> Tier-1 application: {auth code}
6. Tier-1 application -> OpenAM: exchange the auth code; response {access token, refresh token, ID token, metadata}
7. Tier-1 application -> OpenAM: Request Token {client credentials}; response {access token, refresh token, metadata} for the application's own service identity
8. Tier-1 application -> Tier-2 service: Service Request {consumer access token, consumer ID token, service access token}
9. Tier-2 service validates the stateless tokens locally, then responds {data payload}
10. Tier-1 application -> External Consumer: {data payload}
Cloud Foundry Route Service
Components in the diagram: Browser, Router, App 1, Service 1, Service 2, two Service Brokers, Cloud Controller, OpenAM; the numbered flow runs inside Cloud Foundry.
1. A previously logged-in user makes a request to an app with a bound route service (could be a browser flow or an API flow).
2. The router sends the request to the route service.
3. The route service validates the token, grabs additional data from the user's profile, adds it to the body of the JWT, and sets the appropriate header to tell the router the request can continue.
4. The router passes the request through to the appropriate app.
5. The app, using the key it received at bind time, validates the signature of the token, unpacks the data from the body and acts accordingly.
ForgeRock Service Broker Roadmap (Cloud Foundry integration, release estimates)
Alpha Service Broker: Q2 2016
GA Service Broker – OAuth 2: Q3 2016
Pivotal Tile: Q3 2016
GA Service Broker – OIDC: Q4 2016
GA Route Service – SB enabled: Q4 2016
ForgeRock Software Download
https://backstage.forgerock.com/#!/downloads
References
OpenID Connect
http://openid.net/specs/openid-connect-core-1_0.html
OAuth 2
https://tools.ietf.org/html/rfc6749
https://tools.ietf.org/html/rfc6750
JSON Web Tokens
https://tools.ietf.org/html/rfc7519
Javascript Object Signing and Encryption
https://datatracker.ietf.org/wg/jose/documents/