Nordic APIs Platform Summit 2014. Presenter: Jacob Ideskog
OAuth and OpenID Connect for Microservices
A homogeneous solution for a heterogeneous problem!
Jacob Ideskog – Identity Specialist at Twobo Technologies
Copyright © 2014 Twobo Technologies AB. All rights reserved
A Traditional Service
With traditional subsystems (diagram: Components A, B, C and D inside the service)
… and traditional scalability
But this is not always how we build systems
A microservice
Many microservices
Scaling microservices
So what’s the problem?
Securing a traditional service (diagram: one service backed by one User repository)
So for microservices that would mean … (diagram: the User repository behind every microservice)
Not fantastic!
Let's talk about OAuth
It's not for Authentication … and not for Authorization
OAuth is a scalable delegation protocol
OAuth has 4 actors: Resource Owner (RO), Authorization Server (AS), Resource Server (RS) and Client.
The flow (one slide per step, the same four actors in each diagram):
1. The client requests access
2. The AS requires the RO to authenticate
3. The AS issues the tokens
4. The Client presents the token to the RS
5. The RS validates the Token
6. Access!
One very important thing
- The Client knows nothing about the user
OpenID Connect (Simplified)
The OpenID Connect flow (diagram on each slide: Resource Owner (RO), Authorization Server (AS) with its Sessions store, Resource Server (RS), and the Client, MyMail.com):
1. Request Access
2. Get Redirected to AS
3. Challenged
4. Now an ID Token is also given
5. Sessions can be created (SSO)
6. Tada!
What was interesting there?
TRUST
The ID Token is a JWT (JSON Web Token)
A signed JSON document
Header (the x5t value is the thumbprint of the signing Certificate):
{
  "iss": "https://fs.oidc.net",
  "x5t": "5F0A1359B4BB9FBB104155908DEC1FDCB5AC8865",
  "typ": "JWT",
  "alg": "RS256"
}
Payload:
{
  "sub": "janedoe",
  "name": "Jane Doe",
  "email": "[email protected]",
  "phone_number": "+46 (0) 12345678",
  "aud": "https://mymail.com",
  "iss": "https://fs.oidc.net",
  "nbf": 1409213888783,
  "jti": "622a9973-fc4d-4797-be31-7c2116f549df",
  "exp": 1409213890583,
  "iat": 1409213888783
}
Signature:
orQOOKvXN3jbEpBSl0RHAyaQNxcx9DFgtMsJJgMxm9Az6QJMKKy6m0WvP1UzXZA_nsK16g9etg2yEW9IXbQU0RbSQktUtObRB9SxHtW_AcCk693XDAz15Y4aP9DeD62nROzd1MS4FZTmY3Cgzo1-3-sqW6_4Rgzs94aLO3aLP_zoVtJycCUKtJQhGhPTyjXXYWMsp0E4uTtL8Rif7cWu4olme_XNFlAs73pOrfzsQYc1GD2dB70l1M8SDaJZFURr9jAAaavX7Xqs_FPXY1PZLXLbc3ARXFmRf_-Z4B6uLCGI2shzl12ni54Yun6dflL9rQwaxXYuNZZodUWchID2cA
OAuth Access Tokens can also be JWTs
2 types of tokens
- By Reference (e.g. 123XYZ): contains NO information outside the network
- By Value (e.g. a token carrying "Jane Doe"): contains ALL necessary information
External vs. Internal (diagram: the By Reference token 123XYZ outside the network, a By Value token inside the network, and an API Firewall / Reverse Proxy in front of the API)
Token Translation (diagram: the API Firewall / Reverse Proxy exchanges the By Reference token 123XYZ arriving from outside the network for a By Value token used inside the network before calling the API)
Back to Microservices
2 Problems
- Identifying the user
- Creating sessions
Leave authentication to the OAuth/OIDC server (diagram: Resource Owner (RO) and Authorization Server (AS))
Let all Microservices accept JWTs (diagram: the Resource Owner (RO) calling the microservices)
BUT…
Translate!
Let all Microservices accept JWTs (diagram: the Resource Owner (RO) presents the By Reference token 123XYZ; the Reverse Proxy translates it into a JWT for the microservices)
- everything is self-contained
- standards based
- non-repudiable
- scalable
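Added example (not code from the talk or from Twobo) in Go showing both halves of the "Translate!" step and the "Let all Microservices accept JWTs" rule: Mint is the reverse proxy issuing a By Value RS256 JWT once it has resolved the By Reference token, and Verify is what every microservice runs before trusting any claim. The issuer https://fs.oidc.net and audience https://mymail.com are taken from the deck's sample token; the function names, the Claims struct and the RSA key pair supplied by the caller are assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims carried by the By Value token the proxy mints (assumed subset of the deck's sample token).
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"` // seconds since the epoch
}
var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
// Mint (proxy side) signs claims as a compact RS256 JWT: header.payload.signature.
func Mint(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// Verify (microservice side) requires alg RS256 and always verifies with the AS public key,
// never letting the header pick the algorithm; then it checks issuer, audience and expiry.
func Verify(pub *rsa.PublicKey, token, iss, aud string, now int64) (*Claims, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string }
	if raw, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg is not RS256")
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("claims rejected")
	}
	return &c, nil
}
```

Call Mint with the proxy's private key and Verify with the matching public key from your own main or a test; the microservice needs only the public key, which is what makes the JWT self-contained and the validation scalable.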
Conclusion
Thank you!