Building Secure Microservices Design Patterns Adib Saikali – @asaikali Advisory Platform Architect

The Goal Secure Microservices

Microservices talk to each other

Essence of the solution https://www.google.ca/search?q=papers+please&espv=2&biw=1745&bih=940&site=we bhp&source=lnms&tbm=isch&sa=X&sqi=2&ved=0ahUKEwj4yO_q6fHMAhXJ64MKHRpLAi wQ_AUIBygC#q=id+please&tbm=isch&tbas=0&imgrc=hi6SmN0hKPjgbM%3A

Solution Every request to a microservice must include a security token that the microservice can easily authenticate and use for making authorization decisions.

What protocol does your microservice speak? HTTP (REST, SOAP) AMQP (Messaging) Apache Thrift (Remote Procedure Call Framework) gRPC (Remote Procedure Call Framework) A high performance, open source, general RPC framework that puts mobile and HTTP/2 first from Google. Custom TCP protocol

Key Idea: There is no one “best” protocol! There is no one best protocol to use Protocols will evolve over time so it’s best to make sure that any security solution can work with current and future protocols

Problems to solve What format should security token use? How are tokens supposed to be obtained? What libraries should be used for authentication and authorization when implementing microservices? What information should be in the token?

What Format Should Security Tokens Use? Answer is to use a “standard” token format

Decision Point #1 Evaluation Criteria Is the token format standardized? Can the token be used with any protocol? Is the token easy to parse? Can the token be included in a URL parameter? Does the token support HTTP? Can the token be used with non HTTP protocols? Are there lots of libraries in lots of programming languages for working with the token? Is the token format considered “easy” to work with?

Standard Security Tokens Token Standard Format Protocol Specific Year of Standardization Kerberos Ticket Binary Yes, Kerberos 1993 SAML Token XML Yes, SAML 2002 JWT Token JSON NO 2015 To get a SAML token you need a SAML server To get a Kerberos ticket you need a Kerberos server To get a JWT you need something that can give it to you

A Toolbox of Standards RFC Name Title Date Spec 5849 OAuth1 The OAuth 1.0 Protocol Apr 2010 https://tools.ietf.org/html/rfc5849 6749 OAuth2 The OAuth 2.0 Authorization Framework Oct 2012 https://tools.ietf.org/html/rfc6749 6750 Bearer Token The OAuth 2.0 Authorization Framework: Bearer Token Usage https://tools.ietf.org/html/rfc6750 7516 JWE JSON Web Encryption May 2015 https://tools.ietf.org/html/rfc7516 7517 JWK JSON Web Key https://tools.ietf.org/html/rfc7517 7518 JWA JSON Web Algorithms https://tools.ietf.org/html/rfc7518 7519 JWT JSON Web Token https://tools.ietf.org/html/rfc7519 7520 JOSE Examples of Protecting Content Using JSON Object Signing and Encryption https://tools.ietf.org/html/rfc7520 7797 JSON Web Signature (JWS) Unencoded Payload Option Feb 2016 https://tools.ietf.org/html/rfc7797

Standards Layer Cake OpenId Connect OAuth2 JSON Web Token (JWT) JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Algorithms (JWA) & JSON Web Key (JWK)

JSON Web Algorithms (JWA) This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.

What Problem Does JWA Solve? There are numerous cryptographic algorithms that are used as basic building blocks in security Systems exchanging data need to agree on which cryptographic algorithms are used in the exchange There is a need for a standard scheme to precisely identify algorithms In JWA the string HS256 means to use the hashed message authentication code (HMAC) with the secure hashing algorithm (SHA) that outputs a fixed size 256 bit hash JWA is useful to anyone needing to precisely specify which cryptographic algorithm is used in a specific situation

JSON Web Signature (JWS) “JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON- based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.” RFC 7515

What Problem does JWS solve? JWS is a data format for representing content secured with digital signatures or Message Authentication Codes Given a JWS document you can answer two questions about the JSON payload of the document Has this JSON object been changed since it was created? Who created this JSON object?

JWS Format Header { “typ” : “JWT”, “alg” : “HS256” } Payload { “sub”: “1234567890”, “name”: “John Doe”, “admin”: true } Signature TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

JWS Compact Serialization BASE64URL(Header). eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. BASE64URL(Payload) eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. Signature TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Example JWS document eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0 NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRyd WV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7Hg Q

JWS Features A JWS document encoded in the compact serialization format can be safely included in URLs or HTTP authorization headers Anyone can decode and view the payload of the document It is easy to verify that the payload was not tampered with It is easy to determine who created the document via shared secret or a certificate Useful to anyone wanting to transmit or store JSON objects

What Problem does JWE solve? JWE is a data format for representing content that has been encrypted using JSON data structures Given a JSON you can encrypt it and represent the result as a JWE document

Initialization Vector JWE Format Header { “alg” : “RSA-OAEP”, “enc” : “A256GCM” } Encrypted Key OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9dStnImGyFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv2322ivDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je81860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi6UklfCpIMfIjf7iGdXKHzg Initialization Vector 48V1_ALb6US04U3b Cipher Text 5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji SdiwkIr3ajwQzaBtQD_A Authentication Tag XFBoMYUZodetZdvTiFvSkQ

Example JWE document eyJhbGciOiJSU0ExXzUiLCJraWQiOiJmcm9kby5iYWdnaW5zQGhvYmJpdG9uLmV4YW1wb GUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.laLxI0j-nLH- _BgLOXMozKxmy9gffy2gTdvqzfTihJBuuzxg0V7yk1WClnQePFvG2K- pvSlWc9BRIazDrn50RcRai__3TDON395H3c62tIouJJ4XaRvYHFjZTZ2GXfz8YAImcc91Tfk0 WXC2F5Xbb71ClQ1DDH151tlpH77f2ff7xiSxh9oSewYrcGTSLUeeCt36r1Kt3OSj7EyBQXoZlN 7IxbyhMAfgIe7Mv1rOTOI5I8NQqeXXW8VlzNmoxaGMny3YnGir5Wf6Qt2nBq4qDaPdnaAuu GUGEecelIO1wx1BpyIfgvfjOhMBs9M8XL223Fg47xlGsMXdfuY- 4jaqVw.bbd5sTkYwhAIqfHsx8DayA.0fys_TY_na7f8dwSfXLiYdHaA2DxUjD67ieF7fcVbIR62Jh JvGZ4_FNVSiGc_raa0HnLQ6s1P2sv3Xzl1p1l_o5wR_RsSzrS8Z- wnI3Jvo0mkpEEnlDmZvDu_k8OWzJv7eZVEqiWKdyVzFhPpiyQU28GLOpRc2VbVbK4dQKP dNTjPPEmRqcaGeTWZVyeSUvf5k59yJZxRuSvWFf6KrNtmRdZ8R4mDOjHSrM_s8uwIFcqt4r 5GX8TKaI0zT5CbL5Qlw3sRc7u_hg0yKVOiRytEAEs3vZkcfLkP6nbXdC_PkMdNS- ohP78T2O6_7uInMGhFeX4ctHG7VelHGiT93JfWDEQi5_V9UN1rhXNrYu- 0fVMkZAKX3VWi7lzA6BP430m.kvKuFBXHe5mQr4lqgobAUg

JWE Features A JWE document encoded in the compact serialization format can be safely included in URLs or HTTP authorization headers Payload of of the document is secured Useful to anyone wanting to transmit or store JSON objects

Standards Layer Cake OpenId Connect OAuth2 JSON Web Token (JWT) JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Algorithms (JWA) & JSON Web Key (JWK)

JSON Web Token (JWT) “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.” RFC 7519

JWT Token A JSON object that contains information that is useful for making security decisions There are standard fields / claims that are part of JWT tokens The JSON object has been signed and formatted as a JWS document or encrypted and formatted as a JWE document The JWT token can be put into a URL parameter or an HTTP header jwt.io is a good resource to learn about JWT

Standard Optional Fields of a JWT Token Description jti Unique id of the token iss Who issues the token iat Time when the token was issued nbf Time when the token is valid from exp Time when the token expires sub Unique id of the user that the token represents aud List of systems that can use the token

Using JWT with HTTP Add tokens to standard headers such as Authorization header as defined by Oauth2 with info about the end user Add app specific headers with JWT token values such as JWT token representing the service making a call on behalf of the user GET /resource HTTP/1.1 Host: server.example.com X-caller: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzO DAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW 1gFWFOEjXk Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik pvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Using with JMS / RabbitMQ Add the JWT token to a custom header in the outgoing JMS message

Key Ideas Every request to a microservice must include a security token that the microservice can easily authenticate and use for making authorization decisions. Your HTTP only microservices will likely evolve to support support other protocols such as AMQP, Thrift, or gRPC JWT is a simple and useful security token format with libraries available in most programming languages JWT is protocol agnostic

JWT vs. OAuth2 JWT tokens can be used with OAuth2 JWT != OAuth2 or even part of OAuth2 spec. OAuth2 spec published in 2012 and JWT spec published in 2015 JWT is generic and has many uses outside of OAuth2 Decision to use JWT != Decision to use OAuth2

Problems to solve What format should security token use? How are tokens supposed to be obtained? What libraries should be used for authentication and authorization when implementing microservices? What information should be in the token?

How are JWT tokens obtained? Get your JWT Tokens from an OAuth2/OpenId Connect Server

OAuth History Year What happened? 2006 OAuth development starts 2008 IETF takes over OAuth development 2010 OAuth 1.0 RFC released but never becomes an official IETF standard 2012 OAuth 2.0 RFC released as a standard it talks about tokens but token format is not specified in the spec 2015 JSON Web Token released as a standard great fit for use as a token format with OAuth2

OAuth2 Specifications RFC Title Purpose 6749 The OAuth 2.0 Authorization Framework Answer the question of how a token can be obtained 6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage Answer the question of how to make HTTP requests with the token once it is obtained

The OAuth 2.0 Authorization Framework: Bearer Token Usage Add the token to the Authorization header of HTTP requests tokens don’t have to be JWT tokens any token allowed by the server and the HTTP protocol is okay GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik pvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ Authorization: Bearer mF_9.B5f-4.1JqM

Four ways to get a token with OAuth2 Authorization code Implicit Resource owner password credentials Client credentials Why do we need 4 ways to get a token?

Client Credentials

Standards Layer Cake OpenId Connect OAuth2 JSON Web Token (JWT) JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Algorithms (JWA) & JSON Web Key (JWK)

OpenId Connect Authentication protocol built on top of OAuth2, JWT and TLS Defines a standardized user identity token and rules for obtaining such tokes (Profile of OAuth2 & JWT) Version 3.0 of the OpenId protocol which is incompatible with previous versions Most OAuth2 servers also implement OpenId Connect OpenId Connect 1.0 final spec released in April 2014 Large scale implementations exist on the internet

Some OpenId Connect Required Fields Description jti Unique id of the token iss Who issues the token iat Time when the token was issued nbf Time when the token is valid from exp Time when the token expires sub Unique id of the user that the token represents aud List of systems that can use the token scope List of permissions to carry in the tokens

Problems to solve What format should security token use? How are tokens supposed to be obtained? What libraries should be used for authentication and authorization when implementing microservices? What information should be in the token?

Freddy BBQ

Problems to solve What format should security token use? How are tokens supposed to be obtained? What libraries should be used for authentication and authorization when implementing microservices? What information should be in the token?

Microservice Security Patterns

Microservices Design Issue: The User Interface Where should the UI code live? How is it composed into a single UI each microservice? Browser What about CORS? What about a Native Mobile Clients? What about Server Side Rendering for a Web UI?

Monolithic Edge UI Gateway Make a UI Microservice that is exposed to end users and have it serve up the UI? Browser Native Mobile UI A B C

Backend For Frontend (BFF) Extend each UI experience with a dedicated backend component for UI http://samnewman.io/patterns/architectural/bff/ Browser Android Mobile WEB BFF Android BFF A B C

Internal Microservices Big Picture Native Mobile Client Web Client Desktop / Other client Clients Layer Microservice Microservice Microservice Edge Microservices Internal Microservices

How to protect access to a microservice? Microservice A Microservice B

Security Visualized Microservice A Microservice B JWT

Microservice Security Programming Model A microservice gets a request that includes a JWT token Microservices checks that the JWT token is valid Token contains the scopes that the user is authorized to do Microservice uses info in the token to make an access control decision Keep the model simple it needs to scale! No exceptions! Easy to implement with spring based frameworks

Utility vs. non Utility uServices Money Transfer Microservice Currency Exchange Rates JWT Currency exchange rates Microservice has lots of clients, it does not care about user identity Money transfer Microservice cares about the identity of the user executing the service

Utility vs. non-Utility Microservices Template Editing Single-Page Application Money Transfer Currency Exchange Email Templates

Money Transfer makes utility calls Money Transfer calls Currency Exchange service Provide client credentials to the OAuth2 server and get an access token with the scope to lookup exchange rates Make call with the access token that is returned OAuth2 client credentials flow Money Transfer calls Email Templates service Provide client credentials to the OAuth2 server and get an access token with the scope to merge email templates Make a call with the access token that is returned

Employee edits an email template Employee is using the editor in the Email Templates microservice to create a new email template for “we have transferred your money” Template Editing Single-Page Application obtains an OpenID token from the OAuth2 Server using the authorization code flow requesting the scope for template.edit Sends requests to Email Templates microservice using obtained token

Email Template Microservice Point of View From the point of view of the Email Templates microservice it can not tell if it is being invoked as a utility microservice or not It just gets a JWT token which can have one of two scopes template.edit template.execute Makes decisions based on the scopes in the JWT token

Scopes are Microservice Specific BFF UI microservice define its own scopes for the operations it supports Clients of BFF get JWT OpenId tokens and send them with requests BFF makes utility calls to backing microservices BFF exchanges OpenID token for microservice-specific tokens

Problems to solve What format should security token use? How are tokens supposed to be obtained? What libraries should be used for authentication and authorization when implementing microservices? What information should be in the token?