Understanding gRPC Authentication Methods
Developer Week SF 2018
Anthony Chow
Cephas Security Solutions
Auth0 Ambassador | VMware vExpert
Feb 7, 2018
Twitter: @vCloudernBeer
Image source: https://github.com/cncf/landscape
Image source: https://katacontainers.io/img/kata-explained1-thumb@2x.png
What is gRPC?
• gRPC can be summarized as protocol buffers running over HTTP/2 with multiple programming language support.
Image source: grpc.io
Protocol Buffer
• Protocol buffers are one form of Interface Definition Language for structured data serialization and de-serialization between two parties; the encoded messages are transmitted over the network in binary form.
Image source: Google gRPC meetup kit
Install Protobuf 3 on Ubuntu 16.04
• curl -OL https://github.com/google/protobuf/releases/download/v3.5.0/protoc-3.5.0-linux-x86_64.zip
• unzip protoc-3.5.0-linux-x86_64.zip -d protoc3
• sudo mv protoc3/bin/* /usr/local/bin/
• sudo mv protoc3/include/* /usr/local/include/
Service Definition
source: Google gRPC meetup kit
HTTP/2
• Hypertext Transfer Protocol Version 2 (HTTP/2) is defined by RFC 7540 and aims at providing better performance for HTTP traffic, with bi-directional streaming and flow control on a single TCP connection.
Source: Google gRPC meetup kit
Multi-language Support
Image source: Google gRPC meetup kit
gRPC Concepts (source: https://grpc.io/docs/guides/concepts.html)
• Service Definition
• Using the API surface
• Synchronous vs asynchronous
• RPC life cycle
  o Unary
  o Client Streaming
  o Server Streaming
  o Bi-directional Streaming
• Deadlines/Timeouts
• RPC termination
• Cancelling RPCs
• Metadata
• Channels
[Diagram: Ruby, Go, Java and Python services, each running a gRPC server and/or a gRPC stub and calling one another]
Multi-language support (source: Google gRPC meetup kit)
gRPC Request and Response
source: grpc.io
Who uses gRPC (source: Google gRPC meetup kit)
Resources for gRPC (source: Google gRPC meetup kit)
Documentation and Code
● http://www.grpc.io/
● https://github.com/grpc
● https://github.com/grpc-ecosystem
Help and Support
● https://gitter.im/grpc/grpc
● https://groups.google.com/forum/#!forum/grpc-io
Getting started with gRPC
• https://grpc.io/docs/quickstart/
• https://grpc.io/docs/tutorials/basic/python.html
1. Define the gRPC service and the method request and response types using protocol buffers.
2. Generate the gRPC client and server interfaces from your .proto service definition.
3. Create the server.
4. Create the client.
gRPC frame format
• Wireshark demo
Authentication vs Authorization
• Authentication – verifying that you are who you claim to be, based on the credential you provide.
  o Something you have – smart token device
  o Something you know – password
  o Something you are – fingerprint
• Authorization – based on the authenticated user's credential, granting access to a resource.
  o Read-Write
  o Read only
  o Delete
gRPC built-in Authentication Methods
• SSL/TLS
• Token-based authentication with Google
  o JWT
  o OAuth Access Token
• Credentials plugin API – allows developers to plug in their own type of credentials
Credential Types
• Channel credential – attached to a Channel (for example SSL/TLS credentials)
• Call credential – attached to an individual call (for example a token sent as metadata)
Base case – No encryption or authentication
import grpc
import helloworld_pb2
# Plaintext channel: no TLS, so neither side is authenticated and traffic is not encrypted.
channel = grpc.insecure_channel('localhost:50051')
stub = helloworld_pb2.GreeterStub(channel)
With server authentication SSL/TLS
import grpc
import helloworld_pb2
# Read the trusted CA root certificates as bytes; the client uses them to verify the server's certificate.
creds = grpc.ssl_channel_credentials(open('roots.pem', 'rb').read())
channel = grpc.secure_channel('myservice.example.com:443', creds)
stub = helloworld_pb2.GreeterStub(channel)
Authenticate with Google using a JWT
import grpc
import helloworld_pb2
from google import auth as google_auth
from google.auth import jwt as google_auth_jwt
from google.auth.transport import grpc as google_auth_transport_grpc
# Application Default Credentials (service account) used to sign the JWT on demand.
credentials, _ = google_auth.default()
jwt_creds = google_auth_jwt.OnDemandCredentials.from_signing_credentials(
    credentials)
# TLS channel with the JWT attached to every call as a call credential.
channel = google_auth_transport_grpc.secure_authorized_channel(
    jwt_creds, None, 'greeter.googleapis.com:443')
stub = helloworld_pb2.GreeterStub(channel)
Authenticate with Google using an OAuth2 token
import grpc
import helloworld_pb2
from google import auth as google_auth
from google.auth.transport import grpc as google_auth_transport_grpc
from google.auth.transport import requests as google_auth_transport_requests
# scope: the OAuth2 scope required by the target service (placeholder; the slide leaves it undefined)
scope = 'OAUTH2-SCOPE-PLACEHOLDER'
credentials, _ = google_auth.default(scopes=(scope,))
# The Request object is used to refresh the access token when it expires.
request = google_auth_transport_requests.Request()
channel = google_auth_transport_grpc.secure_authorized_channel(
    credentials, request, 'greeter.googleapis.com:443')
stub = helloworld_pb2.GreeterStub(channel)
Authenticate with 3rd Party
• AuthMetadataPlugin
• …/src/python/grpcio_tests/unit/_auth_test.py
SSL/TLS
• SSL – Secure Socket Layer (older standard)
  o Version 2 and version 3
• TLS – Transport Layer Security (newer standard)
  o Version 1.1, 1.2 and 1.3
• Asymmetric encryption
  o Private key and public key
• Symmetric encryption
  o Symmetric key
• Hashing
• Digital Certificate – e.g. X.509
SSL - Handshake
Image source: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif
SSL – X.509 Digital Certificate
Image source: https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.14/gtps7/ssldig17.gif
gRPC with TLS
• Python “helloworld” demo with TLS.
gRPC code base
• https://github.com/grpc/
• https://github.com/GoogleCloudPlatform/google-auth-library-python
JWT – JSON Web Token
Image source: youtube.com
Resources for JSON Web Token
• https://auth0.com/learn/json-web-tokens/
• https://jwt.io/introduction/
• https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
• https://auth0.com/e-books/jwt-handbook
OAuth-2
• “Open Authentication” (?)
• Authorization delegation
• An authorization framework
• Defined by RFC 6749 and 6750
• OAuth 1 is defined by RFC 5849
• OAuth 1 and OAuth 2 are not compatible
OAuth2 Actors
Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/
OAuth2 Flows (grants)
image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2
OAuth2 Authorization Grants
• Different ways of getting a token:
  o Authorization code
  o Implicit grant
  o Resource owner password credentials
  o Client credentials
• Which OAuth 2.0 flow should I use?
OAuth2 Tokens
• Access Token
• Refresh Token
OAuth2 simplified view
Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png
Resource for OAuth2
• RFC 6749 - https://tools.ietf.org/html/rfc6749
• RFC 6750 - https://tools.ietf.org/html/rfc6750
• https://auth0.com/docs/protocols/oauth2
• https://developers.google.com/oauthplayground/
Google Cloud Endpoints for gRPC
• Choosing an Authentication Method
  o API Keys
  o Firebase authentication
  o Auth0 authentication
  o Google authentication
  o Google authentication and Service Account
Examples show how to set up ESP (the Extensible Service Proxy) in a gRPC service
authentication:
  providers:
  - id: auth0_jwk
    # Replace YOUR-ACCOUNT-NAME with your service account's email address.
    issuer: https://DevWeekSF2018.auth0.com/
    jwks_uri: "https://DevWeekSF2018.auth0.com/.well-known/jwks.json"
  rules:
  - selector: "*"
    requirements:
      - provider_id: auth0_jwk
Calling an authenticated method from gRPC
import grpc
import bookstore_pb2
from google.protobuf import empty_pb2

def run(host, port, api_key, auth_token, timeout):
    """Makes a basic ListShelves call against a gRPC Bookstore server."""
    channel = grpc.insecure_channel('{}:{}'.format(host, port))
    stub = bookstore_pb2.BookstoreStub(channel)
    # Credentials travel as request metadata; ESP in front of the service checks them.
    metadata = []
    if api_key:
        metadata.append(('x-api-key', api_key))
    if auth_token:
        metadata.append(('authorization', 'Bearer ' + auth_token))
    shelves = stub.ListShelves(empty_pb2.Empty(), timeout, metadata=metadata)
    print('ListShelves: {}'.format(shelves))
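As an added example (not code from the slides, the Bookstore sample or ESP), this is the server side of the metadata above: a stdlib-only check that pulls the bearer token out of the ('authorization', 'Bearer …') metadata pair and validates it against the issuer configured in the ESP rule. It goes beyond the slide by also refusing alg=none, wrongly signed, tampered and expired tokens. DEMO_KEY and the HS256 signing are constructed so it runs offline; a real Auth0 issuer signs with RS256 keys fetched from its jwks_uri, so the signature step would differ in production.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: the issuer matches the ESP provider config above; the key
# is a made-up shared secret so the example runs offline with no JWKS fetch.
DEMO_ISSUER = "https://DevWeekSF2018.auth0.com/"
DEMO_KEY = b"demo-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict, key: bytes, header: Optional[dict] = None) -> str:
    """Build a demo token. The optional header lets a test craft bad tokens (e.g. alg=none)."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    if header.get("alg") == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    else:
        sig = b""  # unsigned token; verify_jwt must refuse it
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid for this issuer, else raise ValueError.
    Checks: three-part shape, algorithm pinned to HS256 (so alg=none or any other alg is
    refused before the signature is even looked at), signature, issuer, expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token: %s" % exc)
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token: header and payload must be JSON objects")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("issuer %r not trusted" % claims.get("iss"))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    return claims


def authenticate_metadata(metadata, key: bytes, issuer: str, now=None) -> dict:
    """Server-side counterpart of the client's metadata list: take the single
    ('authorization', 'Bearer <jwt>') pair and validate the token."""
    auth_values = [v for k, v in metadata if k.lower() == "authorization"]
    if len(auth_values) != 1:
        raise ValueError("expected exactly one authorization metadata entry")
    scheme, _, token = auth_values[0].partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("authorization metadata is not a bearer token")
    return verify_jwt(token, key, issuer, now)


def reject_reason(metadata, key, issuer, now=None) -> Optional[str]:
    """None when the call is authenticated, otherwise the reason it was refused."""
    try:
        authenticate_metadata(metadata, key, issuer, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    claims = {"iss": DEMO_ISSUER, "sub": "user@example.com", "exp": int(time.time()) + 300}
    good = [("authorization", "Bearer " + mint_hs256_jwt(claims, DEMO_KEY))]
    print("signed token:", reject_reason(good, DEMO_KEY, DEMO_ISSUER))
    unsigned = [("authorization", "Bearer " + mint_hs256_jwt(claims, DEMO_KEY, {"alg": "none"}))]
    print("alg=none token:", reject_reason(unsigned, DEMO_KEY, DEMO_ISSUER))
```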
Setting up your Auth0
Thanks for coming!

 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

Understanding gRPC Authentication Methods

  • 1. Understanding gRPC Authentication Methods
    Developer Week SF 2018
    Anthony Chow
    Cephas Security Solutions
    Auth0 Ambassador | VMware vExpert
    Feb 7, 2018
    Twitter: @vCloudernBeer

  • 5. What is gRPC?
     gRPC can be summarized as protocol buffers running over HTTP/2 with support for multiple programming languages.
    Image source: grpc.io

  • 6. Protocol Buffer
     Protocol buffers are one form of Interface Definition Language for serializing and deserializing structured data between two parties; the data is transmitted over the network in binary form.
    Image source: Google gRPC meetup kit

  • 7. Install Protobuf 3 on Ubuntu 16.04
    • curl -OL https://github.com/google/protobuf/releases/download/v3.5.0/protoc-3.5.0-linux-x86_64.zip
    • unzip protoc-3.5.0-linux-x86_64.zip -d protoc3
    • sudo mv protoc3/bin/* /usr/local/bin/
    • sudo mv protoc3/include/* /usr/local/include/

  • 9. HTTP/2
     Hypertext Transfer Protocol Version 2 (HTTP/2) is defined by RFC 7540 and aims at better performance for HTTP traffic, with bi-directional streaming and flow control over a single TCP connection.
    Source: Google gRPC meetup kit

  • 10. Multi-language Support
    Image source: Google gRPC meetup kit

  • 11. gRPC Concepts (source: https://grpc.io/docs/guides/concepts.html)
     Service Definition
     Using the API surface
     Synchronous vs asynchronous
     RPC life cycle
      o Unary
      o Client Streaming
      o Server Streaming
      o Bi-directional Streaming
     Deadlines/Timeouts
     RPC termination
     Cancelling RPCs
     Metadata
     Channels

  • 12. Multi-language support (source: Google gRPC meetup kit)
    Diagram: Ruby, Go, Java and Python services, each running a gRPC server and/or a gRPC stub, calling one another.

  • 13. gRPC Request and Response
    Source: grpc.io

  • 14. Who uses gRPC (source: Google gRPC meetup kit)

  • 15. Resources for gRPC (source: Google gRPC meetup kit)
    Documentation and Code
    ● http://www.grpc.io/
    ● https://github.com/grpc
    ● https://github.com/grpc-ecosystem
    Help and Support
    ● https://gitter.im/grpc/grpc
    ● https://groups.google.com/forum/#!forum/grpc-io

  • 16. Getting started with gRPC
     https://grpc.io/docs/quickstart/
     https://grpc.io/docs/tutorials/basic/python.html
    1. Define the gRPC service and the request and response types of its methods using protocol buffers.
    2. Generate the gRPC client and server interfaces from your .proto service definition.
    3. Create the server.
    4. Create the client.

  • 17. gRPC frame format
    • Wireshark demo

  • 18. Authentication vs Authorization
     Authentication – verifying that you are who you claim to be, using the credential you provide.
      o Something you have – smart token device
      o Something you know – password
      o Something you are – fingerprint
     Authorization – granting access to a resource based on the authenticated identity.
      o Read-Write
      o Read only
      o Delete

  • 19. gRPC built-in Authentication Methods
     SSL/TLS
     Token-based authentication with Google
      o JWT
      o OAuth Access Token
     Credentials plugin API – allows developers to plug in their own type of credentials

  • 20. Credential Types
     Channel credential
     Call credential

  • 21. Base case – No encryption or authentication
      import grpc
      import helloworld_pb2

      channel = grpc.insecure_channel('localhost:50051')
      stub = helloworld_pb2.GreeterStub(channel)

  • 22. With server authentication SSL/TLS
      import grpc
      import helloworld_pb2

      # Root CA certificates the client trusts for verifying the server (read as bytes).
      creds = grpc.ssl_channel_credentials(open('roots.pem', 'rb').read())
      channel = grpc.secure_channel('myservice.example.com:443', creds)
      stub = helloworld_pb2.GreeterStub(channel)

  • 23. Authenticate with Google using a JWT
      import grpc
      import helloworld_pb2

      from google import auth as google_auth
      from google.auth import jwt as google_auth_jwt
      from google.auth.transport import grpc as google_auth_transport_grpc

      # Application Default Credentials; the JWT is self-signed with their key per call.
      credentials, _ = google_auth.default()
      jwt_creds = google_auth_jwt.OnDemandCredentials.from_signing_credentials(
          credentials)
      channel = google_auth_transport_grpc.secure_authorized_channel(
          jwt_creds, None, 'greeter.googleapis.com:443')

      stub = helloworld_pb2.GreeterStub(channel)

  • 24. Authenticate with Google using an OAuth2 token
      import grpc
      import helloworld_pb2

      from google import auth as google_auth
      from google.auth.transport import grpc as google_auth_transport_grpc
      from google.auth.transport import requests as google_auth_transport_requests

      # Placeholder: the OAuth2 scope the target API requires (not defined on the slide).
      scope = 'REQUIRED_OAUTH2_SCOPE'
      credentials, _ = google_auth.default(scopes=(scope,))
      # Used to refresh the access token when it expires.
      request = google_auth_transport_requests.Request()
      channel = google_auth_transport_grpc.secure_authorized_channel(
          credentials, request, 'greeter.googleapis.com:443')

      stub = helloworld_pb2.GreeterStub(channel)

  • 25. Authenticate with a 3rd Party
    • AuthMetadataPlugin
    • …/src/python/grpcio_tests/unit/_auth_test.py
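As an added example (not from the slides or the gRPC project), here is a minimal third-party credentials plugin for the two credential types on slide 20: a grpc.AuthMetadataPlugin that supplies a short-lived bearer token as call credentials, refreshing it when it nears expiry, composed with TLS channel credentials so the token only travels inside the encrypted channel. The token source, clock and leeway are assumptions supplied by the caller; the grpc import is guarded so the plugin logic can be read and exercised without grpcio installed.

```python
import time

try:
    import grpc
    _PluginBase = grpc.AuthMetadataPlugin
except ImportError:  # assumption: grpcio may be absent; the plugin logic still works
    grpc = None
    _PluginBase = object


class BearerTokenPlugin(_PluginBase):
    """Call-credentials plugin: adds 'authorization: Bearer <token>' to every RPC.

    token_source() is a caller-supplied function (assumption), e.g. one that
    talks to a third-party identity provider; it returns (token, expires_at).
    """

    def __init__(self, token_source, clock=time.time, leeway=30):
        self._token_source = token_source
        self._clock = clock
        self._leeway = leeway        # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0

    def _current_token(self):
        if self._token is None or self._clock() >= self._expires_at - self._leeway:
            self._token, self._expires_at = self._token_source()
        return self._token

    def __call__(self, context, callback):
        # gRPC calls this for each RPC (call credentials), which is what lets
        # short-lived tokens be rotated without rebuilding the channel.
        try:
            metadata = (('authorization', 'Bearer ' + self._current_token()),)
        except Exception as exc:     # fail the RPC rather than send a half-built header
            callback((), exc)
            return
        callback(metadata, None)


def secure_channel_with_token(target, root_certs_pem, token_source):
    """TLS channel credentials plus the per-call bearer token (requires grpcio)."""
    channel_creds = grpc.ssl_channel_credentials(root_certificates=root_certs_pem)
    call_creds = grpc.metadata_call_credentials(BearerTokenPlugin(token_source))
    # Channel credentials come first; the call credentials ride on top of TLS.
    composite = grpc.composite_channel_credentials(channel_creds, call_creds)
    return grpc.secure_channel(target, composite)
```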
  • 26. SSL/TLS
     SSL – Secure Sockets Layer (older standard)
      o Version 2 and version 3
     TLS – Transport Layer Security (newer standard)
      o Version 1.1, 1.2 and 1.3
     Asymmetric encryption
      o Private key and public key
     Symmetric encryption
      o Symmetric key
     Hashing
     Digital Certificate – e.g. X.509

  • 27. SSL – Handshake
    Image source: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660a.gif

  • 28. SSL – X.509 Digital Certificate
    Image source: https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.14/gtps7/ssldig17.gif

  • 29. gRPC with TLS
    • Python “helloworld” demo with TLS.

  • 30. gRPC code base
    • https://github.com/grpc/
    • https://github.com/GoogleCloudPlatform/google-auth-library-python

  • 31. JWT – JSON Web Token
    Image source: youtube.com

  • 32. Resources for JSON Web Token
    • https://auth0.com/learn/json-web-tokens/
    • https://jwt.io/introduction/
    • https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
    • https://auth0.com/e-books/jwt-handbook

  • 33. OAuth 2
     “Open Authentication” (a common misnomer: OAuth is about authorization, not authentication)
     Authorization delegation
     An authorization framework
     Defined by RFC 6749 and RFC 6750
     OAuth 1 is defined by RFC 5849
     OAuth 1 and OAuth 2 are not compatible

  • 34. OAuth2 Actors
    Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/

  • 35. OAuth2 Flows (grants)
    Image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2

  • 36. OAuth2 Authorization Grants
     Different ways of getting a token
      o Authorization code
      o Implicit grant
      o Resource owner password credentials
      o Client credentials
     Which OAuth 2.0 flow should I use?

  • 37. OAuth2 Tokens
    • Access Token
    • Refresh Token

  • 38. OAuth2 simplified view
    Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png

  • 39. Resources for OAuth2
    • RFC 6749 – https://tools.ietf.org/html/rfc6749
    • RFC 6750 – https://tools.ietf.org/html/rfc6750
    • https://auth0.com/docs/protocols/oauth2
    • https://developers.google.com/oauthplayground/

  • 40. Google Cloud Endpoints for gRPC
     Choosing an Authentication Method
      o API Keys
      o Firebase authentication
      o Auth0 authentication
      o Google authentication
      o Google authentication and Service Account

  • 41. Example showing how to set up ESP for a gRPC service (the Endpoints service configuration)
      authentication:
        providers:
        - id: auth0_jwk
          # Replace YOUR-ACCOUNT-NAME with your service account's email address.
          issuer: https://DevWeekSF2018.auth0.com/
          jwks_uri: "https://DevWeekSF2018.auth0.com/.well-known/jwks.json"
        rules:
        - selector: "*"
          requirements:
            - provider_id: auth0_jwk

  • 42. Calling an authenticated method from gRPC
      import grpc
      from google.protobuf import empty_pb2

      import bookstore_pb2  # generated from the Bookstore sample's bookstore.proto

      def run(host, port, api_key, auth_token, timeout):
          """Makes a basic ListShelves call against a gRPC Bookstore server."""
          # Note: an insecure channel sends the API key and bearer token in cleartext;
          # in production put TLS (or ESP's TLS front end) on the path.
          channel = grpc.insecure_channel('{}:{}'.format(host, port))
          stub = bookstore_pb2.BookstoreStub(channel)
          metadata = []
          if api_key:
              metadata.append(('x-api-key', api_key))
          if auth_token:
              metadata.append(('authorization', 'Bearer ' + auth_token))
          shelves = stub.ListShelves(empty_pb2.Empty(), timeout, metadata=metadata)
          print('ListShelves: {}'.format(shelves))
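In the Endpoints setup above, ESP validates the bearer token against the provider's issuer and JWKS before the RPC reaches the service. The following is an added example, not from the slides or Google's Bookstore sample, of those same checks done by a service that is not fronted by ESP: it reads the authorization entry from a metadata list of the shape run() builds, pins the algorithm, verifies the signature, and checks iss and exp. To run offline it uses an HS256 shared secret in place of the RS256 public keys ESP fetches from the JWKS; the secret, issuer and clock are assumptions, and mint_hs256_token is a constructed helper for producing test tokens.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def mint_hs256_token(claims, secret):
    """Constructed helper for tests: a compact JWT signed with HS256."""
    header = _b64url_encode(json.dumps({'alg': 'HS256', 'typ': 'JWT'}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, (header + '.' + payload).encode('ascii'), hashlib.sha256).digest()
    return header + '.' + payload + '.' + _b64url_encode(sig)


def verify_bearer_metadata(metadata, secret, expected_issuer, now=None):
    """Return the claims of a valid bearer JWT carried in the gRPC metadata list,
    or raise PermissionError (a real interceptor maps that to UNAUTHENTICATED)."""
    now = time.time() if now is None else now
    values = [v for k, v in metadata if k.lower() == 'authorization']
    if len(values) != 1 or not values[0].startswith('Bearer '):
        raise PermissionError('missing or malformed authorization metadata')
    try:
        header_b64, payload_b64, sig_b64 = values[0][len('Bearer '):].split('.')
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        raise PermissionError('token is not a compact JWT')
    # Pin the algorithm server-side; the token must never choose it ('none', key confusion).
    if not isinstance(header, dict) or header.get('alg') != 'HS256':
        raise PermissionError('unexpected alg')
    expected = hmac.new(secret, (header_b64 + '.' + payload_b64).encode('ascii'),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError('bad signature')
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get('iss') != expected_issuer:   # the 'issuer:' check from the ESP config
        raise PermissionError('wrong issuer')
    if not isinstance(claims.get('exp'), (int, float)) or now >= claims['exp']:
        raise PermissionError('token expired or has no exp')
    return claims
```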