Identity within Microservices
Erick Belluci Tedeschi
@ericktedeschi
São Paulo, Oct 22 2016
Who?
• PHP Developer since 2003
• Application Security since 2007
• Biker
• Maker
• Help devs deliver secure applications
• Help businesses keep client data secure
Agenda
• Microservice architecture Version 1
• About Tokens
• OAuth 2.0
• OpenID Connect
• Authorization Code Flow Example
• Microservice architecture NG!!!
Microservice Architecture V1
[Diagram: the End-User calls the Bank API (Public) through the API Gateway, which exposes GET /my, POST /transferto/{dst_account} and GET /receipts and is paired with an OAuth Server* offering /token and /authorize. Behind the gateway sit three microservices: Account (GET /my/{user_id}), Transfer (POST /transferto/{src_account}/{dst_account}) and Receipt (GET /receipts/{user_id}). The links from the gateway to the services are labelled "Basic auth", "Basic auth" and "No auth".]
• Poor logging (audit trail)
• Poor identification on microservices (X-User-Logged L)
• Authorization centralized on the API Gateway
• Microservices are more like CRUD APIs
• Microservices have "micro user repositories" or don't have authentication/authorization at all
• The API Gateway has more responsibility than necessary
Now, let's take a look at the: Token
• A piece of stamped metal used as a substitute for money; a voucher that can be exchanged for goods or services (https://en.wiktionary.org/wiki/token)
• Token By Reference
  • An opaque string generated randomly
  • Ex.: 2YotnFZFEjr1zCsicMWpAA
• Token By Value
  • A JWT that contains claims about the context of the token
  • Ex.: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEsImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ.91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU
JWT – JSON Web Token
The token from the previous slide is three base64url-encoded parts separated by dots: header, payload and signature.

JWT Header:
{
  "typ": "JWT",
  "alg": "HS256"
}

JWT Payload:
{
  "iss": "https://my.service.com",
  "iat": 1435179603,
  "exp": 1435181421,
  "aud": "www.service.com",
  "sub": "johndoe@gmail.com",
  "Role": ["approver", "viewer"]
}

JWT Signature:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), sharedsecret)
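As an added example (not from the slides), the decode-and-verify logic behind the HS256 formula above, in standard-library Python: it splits the slides' token into its three parts and decodes header and payload, then, with a constructed secret (the slides do not give the real one), shows signing, constant-time signature verification with the algorithm pinned to HS256, and the issuer/audience/expiry checks a service runs before trusting any claim.

```python
import base64
import hashlib
import hmac
import json

# The example JWT from the slides, used for decoding only: its HS256 secret is
# not on the slides, so the signature on this exact token cannot be checked.
SLIDE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL215LnNlcnZpY2UuY29tIiwiaWF0IjoxNDM1MTc5NjAzLCJleHAiOjE0MzUxODE0MjEs"
    "ImF1ZCI6Ind3dy5zZXJ2aWNlLmNvbSIsInN1YiI6ImpvaG5kb2VAZ21haWwuY29tIiwiUm9sZSI6WyJhcHByb3ZlciIsInZpZXdlciJdfQ."
    "91GLvtMhhnICmqlf_RVONGw5IM9i8eeAPx2s_WpMObU"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_segment(obj: dict) -> str:
    # Compact JSON (no spaces), the form issuers emit.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_unverified(token: str):
    """Return (header, payload). Nothing here is trustworthy until verify_hs256 passes."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), sharedsecret)
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the MAC over the exact bytes received and compare in constant time."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    # The verifier fixes the algorithm, not the token: "none" or any other alg is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    try:
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(signature_b64))
    except ValueError:
        return False


def validate_claims(payload: dict, expected_iss: str, expected_aud: str, now: int):
    """Return None when the claims are acceptable, otherwise the reason for rejection."""
    if payload.get("iss") != expected_iss:
        return "issuer mismatch"
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return "audience mismatch"
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return "expired or missing exp"
    return None


def validate_by_value(token: str, secret: bytes, expected_iss: str, expected_aud: str, now: int):
    """Offline validation of a token by value: signature first, then claims; None means accept."""
    if not verify_hs256(token, secret):
        return "bad signature"
    _header, payload = decode_unverified(token)
    return validate_claims(payload, expected_iss, expected_aud, now)
```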
The OAuth 2.0 Authorization Framework
"OAuth 2.0 enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner..." (RFC 6749, Abstract)
OAuth 2.0 – Protocol or Framework?
• RFC 5849: The OAuth 1.0 Protocol, https://tools.ietf.org/html/rfc5849 (protocol … contract, pact, deal)
• RFC 6749: The OAuth 2.0 Authorization Framework, https://tools.ietf.org/html/rfc6749 (framework … structure, skeleton, chassis)
Warning: OAuth is not about authentication
What does an access_token look like? (by value - JWT)
// JWT Payload
{
  "sub": "alice",                        // user id
  "cid": "000123",                       // client id
  "iss": "https://as.domain.com",        // who issued
  "aud": "https://rs.domain.com",        // intended resource server
  "exp": 1460345736,                     // expiration date
  "scp": ["openid", "email", "profile"]  // scopes
}
OpenID Connect
OpenID Connect 1.0 is a simple identity layer on top of OAuth 2.
What does an id_token look like? (by value - JWT)
{
  "iss": "InstIdentRicardoGumbletonDaunt", // who issued
  "sub": "4.444.444",                      // user identification
  "aud": ["cops", "bank"],                 // where it's used
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,                       // 10 years
  "iat": 1311280970,
  "auth_time": 1311280969,
  "amr": "sign+fingerprint"                // auth-methods-ref
}
OpenID Connect Discovery 1.0

A complete Authorization Server
• /authorize
• /token
• /introspection (check access_token)
• /token_info (get more information about identity)
• /revocation
Let's see how to get both access_token and id_token using the Authorization Code Flow
[Sequence diagram with four participants: Resource Owner, Authorization Server, Resource Server and Client. The Client wants access to a resource on behalf of the Resource Owner; the slides step through the messages below.]

Authorization request (the Client sends the Resource Owner's browser to the Authorization Server):
GET /authorize?response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile%20email&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1

Authorization response (the Authorization Server redirects the browser back to the Client with the code):
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

Token request (the Client authenticates to the Authorization Server with its own credentials and exchanges the code):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Token response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzE.xptoxptoxpto"
}

Introspection Request (the Resource Server asks the Authorization Server whether the access_token it received is valid; OAuth 2.0 Token Introspection, RFC 7662, https://tools.ietf.org/search/rfc7662):
POST /introspect HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

token=2YotnFZFEjr1zCsicMWpAA

Introspection Response:
HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "openid profile email",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}

Nice
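The client-side bookkeeping for the flow above, as an added example that is not from the slides: it builds the authorize request with the slides' parameters, refuses the callback unless the state matches the one this session issued, and assembles the token request. The client secret gX1fBat3bV is the RFC 6749 example value decoded from the slides' Basic header; the authorization endpoint URL is assumed from the Host header shown.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters of the flow on the slides (the RFC 6749 example client).
AUTHORIZATION_ENDPOINT = "https://server.example.com/authorize"  # assumed from the Host header
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"  # RFC 6749 example secret, decoded from the slides' Basic header
REDIRECT_URI = "https://client.example.com/cb"
SCOPES = ("openid", "profile", "email")  # "openid" is what makes this an OpenID Connect request


def new_state() -> str:
    # Unguessable per-session value; stored server-side and checked on the callback.
    return secrets.token_urlsafe(16)


def build_authorization_url(state: str) -> str:
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "scope": " ".join(SCOPES),
        "state": state,
        "redirect_uri": REDIRECT_URI,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def query_params(url: str) -> dict:
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to /cb and return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time compare; a missing or foreign state means this session did not start
    # the flow (CSRF or a replayed link), so the code is never exchanged.
    if not state or not secrets.compare_digest(state, expected_state):
        raise PermissionError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code: str):
    """Headers and form body of the POST /token request (client_secret_basic)."""
    headers = {
        "Host": "server.example.com",
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # redirect_uri must repeat the value used in the authorization request.
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    return headers, body


def check_token_response(response: dict) -> dict:
    """Sanity checks on the JSON from /token before the tokens are stored."""
    if str(response.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not response.get("access_token"):
        raise ValueError("no access_token in response")
    if "openid" in SCOPES and "id_token" not in response:
        raise ValueError("openid scope requested but no id_token returned")
    return {
        "access_token": response["access_token"],
        "refresh_token": response.get("refresh_token"),
        "id_token": response.get("id_token"),
        "expires_in": int(response.get("expires_in", 0)),
    }
```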
Microservice Architecture NG!!!
[Diagram: the Resource Owner calls the Bank API (Public) through the API Gateway (GET /my, POST /transferto/{dst_account}, GET /receipts). The Authorization Server exposes /token, /authorize, /introspect, /revoke and /token_info. The API Gateway and each of the three microservices (Account: GET /my and GET /pvt/{account}; Transfer: POST /transferto/{dst_account}; Receipt: GET /receipts) now has its own OAuth Filter, which validates the end-user's token either online ("Introspection/validation" against the Authorization Server) or through "offline introspection/validation" of a token by value.]
• Audit trail improved
• Microservices can make decisions based on the end-user identity
• Fine-grained authorization across the services
• The whole environment has a central user identity repository (OAuth + OpenID Connect Server)
• API Gateway is clean/slim
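As an added example (not from the slides or from any of the products named), the per-request logic of such an OAuth Filter for a token by reference: it builds the RFC 7662 introspection request shown earlier and decides from the introspection response (the slides' sample, embedded here as constructed input) whether the call may proceed, returning the status code and reason the service logs for its audit trail. The `introspect` callable is injected so the example runs offline; a real filter would POST to /introspect and cache the answer briefly. The resource server's credentials are the pair the slides' Basic header decodes to.

```python
import base64
import json
from typing import Callable, Optional
from urllib.parse import urlencode

# Introspection response from the slides (RFC 7662 example), embedded as constructed input.
SAMPLE_INTROSPECTION = json.loads("""
{
  "active": true,
  "client_id": "l238j323ds-23ij4",
  "username": "jdoe",
  "scope": "openid profile email",
  "sub": "Z5O3upPC88QrAjx00dis",
  "aud": "https://protected.example.net/resource",
  "iss": "https://server.example.com/",
  "exp": 1419356238,
  "iat": 1419350238,
  "extension_field": "twenty-seven"
}
""")

# Credentials this microservice presents to the Authorization Server; the slides reuse the
# RFC 6749 example client credentials, which decode to exactly this pair.
RS_CLIENT_ID = "s6BhdRkqt3"
RS_CLIENT_SECRET = "gX1fBat3bV"


def build_introspection_request(token: str, client_id: str, client_secret: str):
    """Headers and body of POST /introspect (RFC 7662 section 2.1), client_secret_basic."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Host": "server.example.com",
        "Authorization": "Basic " + credentials,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode({"token": token})


def evaluate_introspection(resp: dict, required_scopes, expected_aud: str, expected_iss: str, now: int):
    """Map an introspection response to (http_status, reason, subject)."""
    # RFC 7662: anything other than "active": true means the token is not to be accepted,
    # whatever else the response contains.
    if resp.get("active") is not True:
        return 401, "token not active", None
    if "exp" in resp and now >= int(resp["exp"]):
        return 401, "token expired", None
    if expected_iss and resp.get("iss") != expected_iss:
        return 401, "issuer mismatch", None
    aud = resp.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return 401, "audience mismatch", None  # a valid token, but for another resource server
    granted = set(str(resp.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        # Valid identity, not enough authority for this operation: 403 (insufficient_scope), not 401.
        return 403, "insufficient scope, missing " + " ".join(sorted(missing)), resp.get("sub")
    return 200, "ok", resp.get("sub")


def oauth_filter(authorization_header: Optional[str], introspect: Callable[[str], dict],
                 required_scopes, expected_aud: str, expected_iss: str, now: int) -> dict:
    """One request through the filter; the returned dict is what gets written to the audit log."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return {"status": 401, "reason": "missing bearer token", "sub": None}
    token = authorization_header[len("Bearer "):].strip()
    if not token:
        return {"status": 401, "reason": "missing bearer token", "sub": None}
    status, reason, sub = evaluate_introspection(
        introspect(token), required_scopes, expected_aud, expected_iss, now)
    # The token itself is never logged; subject plus decision is enough for the audit trail.
    return {"status": status, "reason": reason, "sub": sub}


def fake_introspect(token: str) -> dict:
    """Stand-in for the HTTP call: only the slides' access_token is known to the server."""
    if token == "2YotnFZFEjr1zCsicMWpAA":
        return SAMPLE_INTROSPECTION
    return {"active": False}
```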
Don't start from scratch
• Open source:
  • Connect2ID http://connect2id.com/
  • Keycloak http://www.keycloak.org/
  • MitreID Connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
  • WSO2 Identity Server http://wso2.com/products/identity-server/
References and Links
• OAuth 2.0: https://tools.ietf.org/html/rfc6749
• OAuth 2.0 Bearer Token Usage: https://tools.ietf.org/html/rfc6750
• OpenID Connect Core: http://openid.net/specs/openid-connect-core-1_0.html
• OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
• JOSE (JSON Object Signing and Encryption):
  • JSON Web Signature (JWS): https://tools.ietf.org/html/rfc7515
  • JSON Web Encryption (JWE): https://tools.ietf.org/html/rfc7516
  • JSON Web Key (JWK): https://tools.ietf.org/html/rfc7517
  • JSON Web Algorithms (JWA): https://tools.ietf.org/html/rfc7518
  • JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519
• Validating JWT access tokens with Nimbus JOSE+JWT: http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens
Thanks
https://www.linkedin.com/in/ericktedeschi
https://twitter.com/ericktedeschi
http://www.slideshare.net/erickt86
erick@oerick.com

InterCon 2016 - Segurança de identidade digital levando em consideração uma arquitetura de microserviço (Digital identity security with a microservice architecture in mind)
