1
Building Secure Microservices
Design Patterns. Adib Saikali, Advisory Platform Architect
2
The Goal Secure Microservices
3
Microservices talk to each other
4
Essence of the solution
5
Solution Every request to a microservice must include a security token that the microservice can easily authenticate and use for making authorization decisions.
6
What protocol does your microservice speak?
- HTTP (REST, SOAP)
- AMQP (Messaging)
- Apache Thrift (Remote Procedure Call Framework)
- gRPC (Remote Procedure Call Framework): a high performance, open source, general RPC framework from Google that puts mobile and HTTP/2 first
- Custom TCP protocol
7
Key Idea: There is no one “best” protocol!
There is no one best protocol to use. Protocols will evolve over time, so it is best to make sure that any security solution can work with current and future protocols.
8
Problems to solve
- What format should the security token use?
- How are tokens supposed to be obtained?
- What libraries should be used for authentication and authorization when implementing microservices?
- What information should be in the token?
9
What Format Should Security Tokens Use?
Answer is to use a “standard” token format
10
Decision Point #1 Evaluation Criteria
- Is the token format standardized?
- Can the token be used with any protocol?
- Is the token easy to parse?
- Can the token be included in a URL parameter?
- Does the token support HTTP?
- Can the token be used with non-HTTP protocols?
- Are there lots of libraries in lots of programming languages for working with the token?
- Is the token format considered “easy” to work with?
11
Standard Security Tokens
Token | Standard Format | Protocol Specific | Year of Standardization
Kerberos Ticket | Binary | Yes, Kerberos | 1993
SAML Token | XML | Yes, SAML | 2002
JWT Token | JSON | No | 2015

- To get a SAML token you need a SAML server.
- To get a Kerberos ticket you need a Kerberos server.
- To get a JWT you need something that can give it to you.
12
A Toolbox of Standards
RFC | Name | Title | Date
5849 | OAuth1 | The OAuth 1.0 Protocol | Apr 2010
6749 | OAuth2 | The OAuth 2.0 Authorization Framework | Oct 2012
6750 | Bearer Token | The OAuth 2.0 Authorization Framework: Bearer Token Usage |
7516 | JWE | JSON Web Encryption | May 2015
7517 | JWK | JSON Web Key |
7518 | JWA | JSON Web Algorithms |
7519 | JWT | JSON Web Token |
7520 | JOSE | Examples of Protecting Content Using JSON Object Signing and Encryption |
7797 | | JSON Web Signature (JWS) Unencoded Payload Option | Feb 2016
13
Standards Layer Cake (top to bottom)
- OpenID Connect
- OAuth2
- JSON Web Token (JWT)
- JSON Web Signature (JWS), JSON Web Encryption (JWE)
- JSON Web Algorithms (JWA) & JSON Web Key (JWK)
14
JSON Web Algorithms (JWA)
This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.
15
What Problem Does JWA Solve?
- There are numerous cryptographic algorithms that are used as basic building blocks in security.
- Systems exchanging data need to agree on which cryptographic algorithms are used in the exchange.
- There is a need for a standard scheme to precisely identify algorithms.
- In JWA the string HS256 means: use the hashed message authentication code (HMAC) with the secure hashing algorithm (SHA) that outputs a fixed size 256 bit hash.
- JWA is useful to anyone needing to precisely specify which cryptographic algorithm is used in a specific situation.
16
JSON Web Signature (JWS)
“JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.” (RFC 7515)
17
What Problem does JWS solve?
- JWS is a data format for representing content secured with digital signatures or Message Authentication Codes.
- Given a JWS document you can answer two questions about the JSON payload of the document:
  - Has this JSON object been changed since it was created?
  - Who created this JSON object?
18
JWS Format
Header:
  { "typ": "JWT", "alg": "HS256" }
Payload:
  { "sub": " ", "name": "John Doe", "admin": true }
Signature:
  TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
19
JWS Compact Serialization
BASE64URL(Header) . BASE64URL(Payload) . BASE64URL(Signature)
- BASE64URL(Header): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
- BASE64URL(Payload): eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9
- Signature: TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
20
Example JWS document
  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
21
JWS Features
- A JWS document encoded in the compact serialization format can be safely included in URLs or HTTP Authorization headers.
- Anyone can decode and view the payload of the document.
- It is easy to verify that the payload was not tampered with.
- It is easy to determine who created the document, via a shared secret or a certificate.
- Useful to anyone wanting to transmit or store JSON objects.
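The compact serialization and the two questions a verifier answers (was the payload changed, and was it made by the holder of the secret) can be reproduced with nothing but the Python standard library. The block below is an added example, not code from the presentation: it signs the slide's header and payload with HS256 and then verifies the result. The shared secret is a constructed value for this example; the header and payload are the slide's. Note that the verifier compares the header's alg against what it expects instead of trusting it, and uses a constant-time comparison for the MAC.

```python
"""Added example (not from the presentation): HS256 JWS compact serialization
built and checked with only the Python standard library."""
import base64
import hashlib
import hmac
import json

HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True}
SECRET = b"secret"  # constructed shared secret for this example


def b64url(data: bytes) -> str:
    """BASE64URL as JWS defines it: URL-safe alphabet with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj) -> str:
    # Compact JSON (no spaces) so the bytes, and therefore the encoding, are
    # exactly what the slide shows.  The MAC is computed over these bytes.
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def jws_hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    """Produce BASE64URL(header).BASE64URL(payload).BASE64URL(signature)."""
    signing_input = f"{json_segment(header)}.{json_segment(payload)}"
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def jws_hs256_verify(token: str, secret: bytes) -> dict:
    """Return the payload only if the HS256 MAC over header.payload checks out.

    The alg in the header is compared with what this service expects rather
    than trusted, so a token claiming "none" or a different algorithm is
    refused before any cryptography runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        raise ValueError("malformed JWS segments")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("signature does not match payload")
    return json.loads(b64url_decode(p))


def demo() -> str:
    """Sign the slide's payload, check the round trip, return the token."""
    token = jws_hs256_sign(HEADER, PAYLOAD, SECRET)
    assert jws_hs256_verify(token, SECRET) == PAYLOAD
    return token


if __name__ == "__main__":
    print(demo())
```

The first two segments of the token this produces are byte-for-byte the header and payload encodings shown on the slides, because the JSON is serialized compactly and with the same key order; any whitespace or reordering would change the encoding and the MAC with it. Changing a single payload byte, supplying the wrong secret, or presenting a header with another alg all make the verifier raise instead of returning claims.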
22
What Problem does JWE solve?
- JWE is a data format for representing content that has been encrypted, using JSON data structures.
- Given a JSON object you can encrypt it and represent the result as a JWE document.
23
JWE Format
Header:
  { "alg": "RSA-OAEP", "enc": "A256GCM" }
Encrypted Key:
  OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9dStnImGyFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv2322ivDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je81860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi6UklfCpIMfIjf7iGdXKHzg
Initialization Vector:
  48V1_ALb6US04U3b
Cipher Text:
  5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6jiSdiwkIr3ajwQzaBtQD_A
Authentication Tag:
  XFBoMYUZodetZdvTiFvSkQ
24
Example JWE document
  eyJhbGciOiJSU0ExXzUiLCJraWQiOiJmcm9kby5iYWdnaW5zQGhvYmJpdG9uLmV4YW1wbGUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.laLxI0j-nLH-_BgLOXMozKxmy9gffy2gTdvqzfTihJBuuzxg0V7yk1WClnQePFvG2K-pvSlWc9BRIazDrn50RcRai__3TDON395H3c62tIouJJ4XaRvYHFjZTZ2GXfz8YAImcc91Tfk0WXC2F5Xbb71ClQ1DDH151tlpH77f2ff7xiSxh9oSewYrcGTSLUeeCt36r1Kt3OSj7EyBQXoZlN7IxbyhMAfgIe7Mv1rOTOI5I8NQqeXXW8VlzNmoxaGMny3YnGir5Wf6Qt2nBq4qDaPdnaAuuGUGEecelIO1wx1BpyIfgvfjOhMBs9M8XL223Fg47xlGsMXdfuY-4jaqVw.bbd5sTkYwhAIqfHsx8DayA.0fys_TY_na7f8dwSfXLiYdHaA2DxUjD67ieF7fcVbIR62JhJvGZ4_FNVSiGc_raa0HnLQ6s1P2sv3Xzl1p1l_o5wR_RsSzrS8Z-wnI3Jvo0mkpEEnlDmZvDu_k8OWzJv7eZVEqiWKdyVzFhPpiyQU28GLOpRc2VbVbK4dQKPdNTjPPEmRqcaGeTWZVyeSUvf5k59yJZxRuSvWFf6KrNtmRdZ8R4mDOjHSrM_s8uwIFcqt4r5GX8TKaI0zT5CbL5Qlw3sRc7u_hg0yKVOiRytEAEs3vZkcfLkP6nbXdC_PkMdNS-ohP78T2O6_7uInMGhFeX4ctHG7VelHGiT93JfWDEQi5_V9UN1rhXNrYu-0fVMkZAKX3VWi7lzA6BP430m.kvKuFBXHe5mQr4lqgobAUg
25
JWE Features
- A JWE document encoded in the compact serialization format can be safely included in URLs or HTTP Authorization headers.
- The payload of the document is secured.
- Useful to anyone wanting to transmit or store JSON objects.
26
Standards Layer Cake (top to bottom)
- OpenID Connect
- OAuth2
- JSON Web Token (JWT)
- JSON Web Signature (JWS), JSON Web Encryption (JWE)
- JSON Web Algorithms (JWA) & JSON Web Key (JWK)
27
JSON Web Token (JWT)
“JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.” (RFC 7519)
28
JWT Token
- A JSON object that contains information that is useful for making security decisions.
- There are standard fields / claims that are part of JWT tokens.
- The JSON object has been signed and formatted as a JWS document, or encrypted and formatted as a JWE document.
- The JWT token can be put into a URL parameter or an HTTP header.
- jwt.io is a good resource to learn about JWT.
29
Standard Optional Fields of a JWT Token
Field | Description
jti | Unique id of the token
iss | Who issued the token
iat | Time when the token was issued
nbf | Time when the token is valid from
exp | Time when the token expires
sub | Unique id of the user that the token represents
aud | List of systems that can use the token
30
Using JWT with HTTP
- Add tokens to standard headers, such as the Authorization header as defined by OAuth2, carrying information about the end user.
- Add app-specific headers with JWT token values, such as a JWT token representing the service making a call on behalf of the user.

  GET /resource HTTP/1.1
  Host: server.example.com
  X-caller: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
  Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
31
Using with JMS / RabbitMQ
Add the JWT token to a custom header in the outgoing JMS message
32
Key Ideas
- Every request to a microservice must include a security token that the microservice can easily authenticate and use for making authorization decisions.
- Your HTTP-only microservices will likely evolve to support other protocols such as AMQP, Thrift, or gRPC.
- JWT is a simple and useful security token format with libraries available in most programming languages.
- JWT is protocol agnostic.
33
JWT vs. OAuth2
- JWT tokens can be used with OAuth2.
- JWT != OAuth2; JWT is not even part of the OAuth2 spec. The OAuth2 spec was published in 2012 and the JWT spec in 2015.
- JWT is generic and has many uses outside of OAuth2.
- Decision to use JWT != decision to use OAuth2.
34
Problems to solve
- What format should the security token use?
- How are tokens supposed to be obtained?
- What libraries should be used for authentication and authorization when implementing microservices?
- What information should be in the token?
35
How are JWT tokens obtained?
Get your JWT Tokens from an OAuth2/OpenId Connect Server
36
OAuth History
Year | What happened?
2006 | OAuth development starts
2008 | IETF takes over OAuth development
2010 | OAuth 1.0 RFC released, but never becomes an official IETF standard
2012 | OAuth 2.0 RFC released as a standard; it talks about tokens, but the token format is not specified in the spec
2015 | JSON Web Token released as a standard; a great fit for use as a token format with OAuth2
37
OAuth2 Specifications
RFC | Title | Purpose
6749 | The OAuth 2.0 Authorization Framework | Answers the question of how a token can be obtained
6750 | The OAuth 2.0 Authorization Framework: Bearer Token Usage | Answers the question of how to make HTTP requests with the token once it is obtained
38
The OAuth 2.0 Authorization Framework: Bearer Token Usage
- Add the token to the Authorization header of HTTP requests.
- Tokens don't have to be JWT tokens; any token allowed by the server and the HTTP protocol is okay.

  GET /resource HTTP/1.1
  Host: server.example.com
  Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

  Authorization: Bearer mF_9.B5f-4.1JqM
39
Four ways to get a token with OAuth2
- Authorization code
- Implicit
- Resource owner password credentials
- Client credentials
Why do we need 4 ways to get a token?
40
Client Credentials
41
Standards Layer Cake (top to bottom)
- OpenID Connect
- OAuth2
- JSON Web Token (JWT)
- JSON Web Signature (JWS), JSON Web Encryption (JWE)
- JSON Web Algorithms (JWA) & JSON Web Key (JWK)
42
OpenID Connect
- Authentication protocol built on top of OAuth2, JWT and TLS.
- Defines a standardized user identity token and rules for obtaining such tokens (a profile of OAuth2 & JWT).
- Version 3.0 of the OpenID protocol, which is incompatible with previous versions.
- Most OAuth2 servers also implement OpenID Connect.
- OpenID Connect 1.0 final spec released in April 2014.
- Large-scale implementations exist on the internet.
43
Some OpenID Connect Required Fields
Field | Description
jti | Unique id of the token
iss | Who issued the token
iat | Time when the token was issued
nbf | Time when the token is valid from
exp | Time when the token expires
sub | Unique id of the user that the token represents
aud | List of systems that can use the token
scope | List of permissions to carry in the token
44
Problems to solve
- What format should the security token use?
- How are tokens supposed to be obtained?
- What libraries should be used for authentication and authorization when implementing microservices?
- What information should be in the token?
45
Freddy BBQ
47
Problems to solve
- What format should the security token use?
- How are tokens supposed to be obtained?
- What libraries should be used for authentication and authorization when implementing microservices?
- What information should be in the token?
48
Microservice Security Patterns
49
Microservices Design Issue: The User Interface
- Where should the UI code live?
- How is it composed into a single UI from each microservice?
- What about CORS in the browser?
- What about native mobile clients?
- What about server side rendering for a web UI?
50
Monolithic Edge UI Gateway
Make a UI microservice that is exposed to end users and have it serve up the UI? (Diagram: browser and native mobile UI clients in front of the gateway, which fronts microservices A, B and C.)
51
Backend For Frontend (BFF)
Extend each UI experience with a dedicated backend component for that UI. (Diagram: browser and Android mobile clients, each with its own BFF, the Web BFF and the Android BFF, in front of microservices A, B and C.)
52
Big Picture
(Diagram: a clients layer of native mobile client, web client and desktop / other client in front of edge microservices, which in turn call internal microservices.)
53
How to protect access to a microservice?
(Diagram: Microservice A calls Microservice B.)
54
Security Visualized
(Diagram: Microservice A calls Microservice B, passing a JWT with the request.)
55
Microservice Security Programming Model
- A microservice gets a request that includes a JWT token.
- The microservice checks that the JWT token is valid.
- The token contains the scopes that the user is authorized to do.
- The microservice uses info in the token to make an access control decision.
- Keep the model simple, it needs to scale! No exceptions!
- Easy to implement with Spring based frameworks.
56
Utility vs. non-Utility Microservices
(Diagram: the Money Transfer microservice calls the Currency Exchange Rates microservice, passing a JWT.)
- The Currency Exchange Rates microservice has lots of clients; it does not care about user identity.
- The Money Transfer microservice cares about the identity of the user executing the service.
57
Utility vs. non-Utility Microservices
(Diagram: Template Editing Single-Page Application, Money Transfer, Currency Exchange and Templates microservices.)
58
Money Transfer makes utility calls
Money Transfer calls the Currency Exchange service (OAuth2 client credentials flow):
- Provide client credentials to the OAuth2 server and get an access token with the scope to look up exchange rates.
- Make the call with the access token that is returned.
Money Transfer calls the Templates service:
- Provide client credentials to the OAuth2 server and get an access token with the scope to merge templates.
- Make the call with the access token that is returned.
59
Employee edits an email template
- An employee is using the editor in the Templates microservice to create a new template for “we have transferred your money”.
- The Template Editing Single-Page Application obtains an OpenID token from the OAuth2 server using the authorization code flow, requesting the scope template.edit.
- It sends requests to the Templates microservice using the obtained token.
60
Email Template Microservice Point of View
- From the point of view of the Templates microservice, it cannot tell whether it is being invoked as a utility microservice or not.
- It just gets a JWT token, which can have one of two scopes: template.edit or template.execute.
- It makes decisions based on the scopes in the JWT token.
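The programming model above, the standard claims from the earlier slides and the Templates microservice's two scopes can be put together as one decision function. The block below is an added example, not code from the presentation: it takes the JSON payload of a JWT that the JWS layer has already signature-verified (verification is assumed to have happened before these functions run), checks the registered claims iss, aud, exp and nbf, and then decides each operation on scope alone, exactly as the Templates service does whether the caller is an employee's single-page application or the Money Transfer service. The issuer URL, the audience value "templates", the operation names and the sample claims are constructed for this example; the scope names template.edit and template.execute are the slide's. A small helper for pulling the token out of an RFC 6750 Bearer header is included because that is where the token arrives over HTTP.

```python
"""Added example (not from the presentation): scope-based access control in a
microservice, applied to an already signature-verified JWT payload."""
import time

# Constructed values for this example; not from the slides.
TRUSTED_ISSUER = "https://auth.example.test"
THIS_SERVICE = "templates"  # value this service expects in the token's "aud"

# Operations of the Templates microservice and the scope each one needs.
# The scope names come from the slides; the operation names are constructed.
REQUIRED_SCOPE = {
    "edit_template": "template.edit",
    "merge_template": "template.execute",
}


class TokenRejected(Exception):
    """Raised with a short reason whenever a token must not be honoured."""


def extract_bearer_token(headers: dict) -> str:
    """Pull the token out of an RFC 6750 'Authorization: Bearer <token>' header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenRejected("missing or malformed bearer token")
    return token.strip()


def validate_registered_claims(claims: dict, now=None, leeway: int = 30) -> dict:
    """Check iss, aud, exp and nbf; leeway absorbs small clock skew between hosts."""
    now = time.time() if now is None else now
    if claims.get("iss") != TRUSTED_ISSUER:
        raise TokenRejected("untrusted issuer")
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list
        aud = [aud]
    if THIS_SERVICE not in aud:
        raise TokenRejected("token not intended for this service")
    if "exp" not in claims:
        raise TokenRejected("token has no expiry")
    if now > claims["exp"] + leeway:
        raise TokenRejected("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise TokenRejected("token not yet valid")
    return claims


def scopes_of(claims: dict) -> set:
    """Scopes arrive as a space-separated string (OAuth2 style) or as a list."""
    scope = claims.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def decide(claims: dict, operation: str, now=None) -> tuple:
    """Return (allowed, reason) for one operation against one token's claims."""
    try:
        validate_registered_claims(claims, now)
        needed = REQUIRED_SCOPE[operation]
        if needed not in scopes_of(claims):
            raise TokenRejected(f"scope {needed} required")
        return True, "ok"
    except TokenRejected as err:
        return False, str(err)


# Constructed sample claims shaped like the two callers on the slides.
NOW = 1_600_000_000
EMPLOYEE_CLAIMS = {  # OpenID token obtained by the SPA via authorization code
    "iss": TRUSTED_ISSUER, "sub": "employee-42", "aud": ["templates"],
    "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
    "scope": "openid template.edit",
}
MONEY_TRANSFER_CLAIMS = {  # utility call token obtained via client credentials
    "iss": TRUSTED_ISSUER, "sub": "money-transfer-service", "aud": "templates",
    "iat": NOW - 60, "exp": NOW + 300,
    "scope": "template.execute",
}

if __name__ == "__main__":
    for who, claims in (("employee", EMPLOYEE_CLAIMS), ("money-transfer", MONEY_TRANSFER_CLAIMS)):
        for op in REQUIRED_SCOPE:
            print(who, op, decide(claims, op, NOW))
```

The service never branches on who the caller is; the employee token is allowed to edit and refused for merging, the Money Transfer token is the reverse, and an expired token or one issued for a different audience is refused before scopes are even looked at. Keeping the decision to "valid token plus required scope" is what lets the same code serve both the utility and the user-facing call paths.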
61
Scopes are Microservice Specific
- The BFF UI microservice defines its own scopes for the operations it supports.
- Clients of the BFF get JWT OpenID tokens and send them with requests.
- The BFF makes utility calls to backing microservices.
- The BFF exchanges the OpenID token for microservice-specific tokens.
62
Problems to solve
- What format should the security token use?
- How are tokens supposed to be obtained?
- What libraries should be used for authentication and authorization when implementing microservices?
- What information should be in the token?