Stateless Microservice Security via JWT, TomEE and MicroProfile

Transcription

1 Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

2 Why am I here today? Microservices architecture case Security opeons OAuth2 with JWT HTTP Signatures Demo with MP-JWT and TomEE

3 Microservices (SOA with a sexy name)

4 TradiEonal system Component A Component B System (Monolithic) Component D Component C

5 with tradieonal scalability

6 with tradieonal scalability

7 with tradieonal scalability

8 with tradieonal scalability

9 and its tradieonal security

10 What to expect from microservices? The technical perspec/ve The organiza/onal perspec/ve

11 Microservices - the technical perspeceve Cloud Containers Virtualiza/on Large scale

12 The organizaeonal perspeceve Agile methodology Small teams HR / organiza/onal changes free

13 But there are new challenges Scalability Cost reduc/on Resilience Monitoring Security

14 Baseline Architecture 1000 users 4 hops x 3 TPS 3000 TPS frontend TPS backend

15 Microservices security opeons

16 OpEons Basic Auth OAuth2 OpenID Connect JWT - Facebook / Google way HTTP Signatures - Amazon way «In-house» solu/ons And many more

17 The nice thing about standards is you have so many to choose from. - Andrew S. Tanenbaum

18 Basic Auth (and its problems)

19 Basic Auth Message POST /painter/color/object HTTP/1.1 Host: localhost:8443 Authorization: Basic c25vb3b5onbhc3m= User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"b":255,"g":0,"name":"blue","r":0}}

20 Basic Auth username+password Base64 (no auth) Password Sent 3000 TPS (HTTP+SSL) TPS (HTTP) 3000 TPS (LDAP)

21 Basic Auth username+password Base64 username+password Base64 Password Sent 3000 TPS (HTTP+SSL) Password Sent TPS (HTTP) TPS (LDAP)

22 Basic Auth - ATacks Valid Password Sent 3000 TPS (HTTP+SSL) No auth Invalid Password Sent 6000 TPS (HTTP+SSL) TPS (HTTP) 9000 TPS (LDAP)

23 OAuth 2.0 (and its problems)

24 The theory behind it

25 Based on tokens

26 Based on tokens

27 Based on tokens

28 OAuth 2 - Password Grant POST /oauth2/token Host: api.superbiz.io User-Agent: curl/ Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock (LDAP) Verify Password HTTP/ OK Content-Type: application/json;charset=utf-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2yotnfzfejr1zcsicmwpaa", "expires_in":3600, "refresh_token":"tgzv3jokf0xg5qx2tlkwia", } (Token Store) Generate Token

29 OAuth 2.0 Message POST /painter/color/object HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":0,"b":255,"name":"blue"}}

30 OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":255,"b":0,"name":"green"}}

31 OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}

32 OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

33 OAuth 2.0 Message POST /painter/color/stroke HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":255,"g":200,"b":255,"name":"orange"}}

34 401

35 OAuth 2 - Refresh Grant POST /oauth2/token Host: api.superbiz.io User-Agent: curl/ Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tgzv3jokf0xg5qx2tlkwia (LDAP) HTTP/ OK Content-Type: application/json;charset=utf-8 Cache-Control: no-store Pragma: no-cache { "access_token":"6fe4jd7tmde5yw2q0y6w2w", "expires_in":3600, "refresh_token":"hyt5rw1qnh5ttg2hdtr54e", } (Token Store) Verify and Generate Token

36 Old pair Access Token 2YotnFZFEjr1zCsicMWpAA Refresh Token tgzv3jokf0xg5qx2tlkwia New pair Access Token 6Fe4jd7TmdE5yW2q0y6W2w Refresh Token hyt5rw1qnh5ttg2hdtr54e

37 OAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"r":0,"g":255,"b":0,"name":"green"}}

38 OAuth 2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}

39 OAuth 2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/ Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

40 What have we achieved? Avoid high rate username + password transit on wire Replaced by a blind «token» referencing a state on the server side Generate many «short live» passwords stored on devices Create a new. HTTP Session architecture

41 New terms, really? Password Grant? Logging in Token? Slightly less crappy password Equally crappy HTTP Session ID

42 OAuth 2 Password Sent 1000/daily (HTTP+SSL) (LDAP) 4 hops TPS backend OAuth 2 No auth Tokens Sent 3000 TPS (HTTP+SSL) 3000 TPS (token checks)

43 OAuth 2 Password Sent 1000/daily (HTTP+SSL) (LDAP) backend OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) 3000 TPS (token checks) TPS (token checks)

44 OAuth 2 Password Sent 1000/daily (HTTP+SSL) (LDAP) backend OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) 3000 TPS (token checks) TPS (token checks)

45 OAuth 2 Password Sent 1000/daily (HTTP+SSL) (LDAP) 0 hops 0 TPS backend OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) 0 TPS (token checks) 0 TPS (token checks)

46 OAuth JSON Web Tokens (JWT)

47 JSON Web Token Pronounced JOT SAML like but less verbose Fancy JSON map Base64 URL Encoded Digitally Signed (RSA-SHA256, HMAC-SHA512, etc) Possibly encrypted Built-in expira/on

48 Access Token Previously 6Fe4jd7TmdE5yW2q0y6W2w

49 Access Token Now eyjhbgcioijsuzi1niisinr5cci6ikpxvcj9.eyj0b2tlbi 10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb m9vchkilcjhbmltywwioijizwfnbguilcjpc3mioijodhrw czovl2rlbw8uc3vwzxjiaxouy29tl29hdxromi90b2tlbii sinnjb3blcyi6wyj0d2l0dgvyiiwibwfucy1izxn0lwzyaw VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8 DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0 98ocefuv08TdzRxqYoEqYNo

50 Access Token Now { "alg": RS256", "typ": JWT" } { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": " "scopes": [ twitter, "mans-best-friend" ], "exp": , "iat": , "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3 KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098oc efuv08tdzrxqyoeqyno

51 Access Token Now Header (JSON > Base64 URL Encoded) Describes how the token signature can be checked Payload (JSON > Base64 URL Encoded) Basically a map of whatever you want to put in it Some standard entries (called claims) such as expira/on Signature (Binary > Base64 URL Encoded The actual digital signature Made exclusively by the /oauth2/token endpoint If RSA, can be checked by anyone

52 Subtle But High Impact Architectural Change

53 What we had (quick recap)

54 (LDAP) Pull User Info From IDP

55 (LDAP) Generate an Access Token (pointer)

56 (LDAP) Insert both into DB

57 (LDAP) Send Access Token (pointer) to client

58 Results Client Holds Pointer Server Holds State

59 What we can do now (Hello JWT!)

60 (LDAP) Pull User Info From IDP

61 (LDAP) Format the data as JSON

62 (LDAP) RSA-SHA 256 sign JSON private

63 (LDAP) Insert only pointer into DB (for revoca9on)

64 (LDAP) Send Access Token (state) to client

65 Desired Results Client Holds State Server Holds Pointer

66

67 OAuth 2 - Password Grant POST /oauth2/token Host: api.superbiz.io User-Agent: curl/ Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock (LDAP) Verify Password HTTP/ OK Content-Type: application/json;charset=utf-8 Cache-Control: no-store Pragma: no-cache { "access_token":"eyjhbgcioijsuzi1niisinr5cci6ikpxvcj9. eyj0b2tlbi10exblijoiywnjzxnzlxrva2vuiiwidxnlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M ioijodhrwczovl2rlbw8uc3vwzxjiaxouy29tl29hdxrom i90b2tlbiisinnjb3blcyi6wyj0d2l0dgvyiiwibwfucy1izxn0 LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ 9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8 OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh VDaiqmhct098ocefuv08TdzRxqYoEqYNo", "expires_in":3600, "refresh_token":"eyjhbgctgzv3jokf0xg5qx2tlkwiakf0x. eyj0b2tlbi10exblijoiywnjzxnzlxrva2vuiiwidxnlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M ioijodhrwczovl", } (Token ID Store) Generate Signed Token

68 OAuth 2.0 Message with JWT POST /painter/color/palene HTTP/1.1 Host: api.superbiz.io AuthorizaEon: Bearer eyjhbgcioijsuzi1niisinr5cci6ikpxvcj9.eyj0b2tlbi10exblijoiywnjzxnzlxr va2vuiiwidxnlcm5hbwuioijzbm9vchkilcjhbmltywwioijizwfnbguilcjpc3mioijodhrwczovl2rlbw8uc3vwzxj iaxouy29tl29hdxromi90b2tlbiisinnjb3blcyi6wyj0d2l0dgvyiiwibwfucy1izxn0lwzyawvuzcjdlcjlehaioje0nzqy ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl 6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ vzllj_ksfxgdl_cuadhvdaiqmhct098ocefuv08tdzrxqyoeqyno User-Agent: curl/ Accept: */* Content-Type: applica/on/json Content-Length: 46 {"color":{"b":0,"g":255,"r":0,"name":"green"}}

69 OAuth 2 + JWT 4 hops Password Sent 1000/daily (HTTP+SSL) (LDAP) TPS backend OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) 3000 TPS (signature verifica/on) (public key) 0.27 TPS (refresh token checks) (private key) TPS (signature verifica/on)

70 OAuth 2 + JWT 4 hops Password Sent 1000/daily (HTTP+SSL) Valid Tokens Sent 3000 TPS (HTTP+SSL) Invalid Tokens Sent (LDAP) 9000 TPS (signature verifica/on) TPS backend 6000 TPS (HTTP+SSL) (public key) 0.27 TPS (refresh token checks) (private key) TPS (signature verifica/on)

71 Microprofile #RESTSecurity

72 What is it? hnps://microprofile.io/ Enterprise Java for Microservices Open Source Hosted at Eclipse Founda/on Ini/al version 1.0 focused on CDI, JAX-RS and JSON-P

73 Where are we at? Currently at version 1.3 Configura/on, Fault Tolerance, JWT, Health Checks, Metrics, Open Tracing, Open API and REST Client A version 2.0 is planed soon

74 Who is involved?

75 Why? Increasing number of specifica/ons in Java EE Need for a smaller subset to build micro services Need for quick changes (/me to market)

76 What implementaeons?

77 Microprofile JWT Most current version 1.0 Role Based Access Control Very lightweight and interoperable way to propagate iden//es 1.1 in progress Keys (JWKS) Standard configura/on (Microprofile Config)

78 Goals Extract and verify the token Iden/fy the caller Enforce authoriza/on policies

79 Demo #RESTSecurity

80 Thank You!