REST Service Auth with JWTs
Jon Todd
@JonToddDotCom
Wils Dawson
@WilsDawson
About Okta
Okta is the foundation for
secure connections between
people and technology
Used in 185 countries
Our stack
Goals
1. Demystify claims based auth with JSON Web Tokens (JWT)
2. Learn how we solve service auth @Okta
3. Real world code example using Dropwizard
1 Background
• Concepts
• The service auth problem
2 Service Auth
3 User Auth
Concepts
Authentication (AuthN): verifying you are who you say you are
Authorization (AuthZ): what you are allowed to do
Auth: authentication & authorization
Claims: identity attributes about a user provided by a trusted issuer
Examples: kerberos ticket, SAML assertion, JWT
Claims example
Boarding pass is a signed set of claims made by the airline about you
• Issued by airline
• Claims
  • Name (authentication)
  • Flight Date/Time, Number and Seating Priority (authorization)
• Bar code/magnetic strip (signature)
  • Proves that the pass was issued by the airline and is not a forgery (authenticity).
OK, I get claims.
But why use JWTs?
Service protocol shift to REST: from XML (<…/>) to JSON ({…})
JSON Object Signing & Encryption
(JOSE)
Working group: https://datatracker.ietf.org/wg/jose/charter/
• JWS – JSON Web Signatures
• JWT – JSON Web Token (pronounced “jot”)
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
Claims
{
"iss": "https://example.okta.com",
"sub": "00ugrenMeqvYla4HW0g3",
"aud": "w255HEWiSU4AuNxEjeij",
"iat": 1446305282,
"exp": 1446308882,
"amr": [
"pwd"
],
"auth_time": 1446305282,
"email": "karl@example.com",
"email_verified": true
}
Federation: single authentication trusted across multiple separate systems
Examples: WS-Federation, SAML, OpenID Connect
Federation example
• At ticket counter trade credentials for ticket (authentication broker)
  • Passport
  • Driver’s license
• Agent at counter verifies credentials
  • ID issued by trusted source (trust)
  • Scans barcode and verifies photo (authentication)
  • Verifies flight is paid for and seat assigned (authorization)
• Agent issues ticket (claims)
• Ticket is accepted by multiple, independent parties (federation)
  • Security line entry
  • TSA check
  • Gate agent
Microservices
Federation standards shift
• JWS – JSON Web Signatures
• JWT – JSON Web Token
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
JW-
Use cases
• Delegated access: OAuth 2.0
• Identity claims: JOSE
• Federation: OpenID Connect
Specifications
• OAuth 2 Framework (RFC 6749)
• Assertion Framework (RFC 7521)
• Token Introspection (RFC 7662)
• Token Revocation (RFC 7009)
• Dynamic Client Registration (RFC 7591)
• JSON (RFC 7159)
• JSON Web Token Bearer Assertion (RFC 7523)
• Proof Key for Code Exchange (PKCE) (RFC 7636)
• Simple Authentication and Security Layer (SASL) (RFC 7628)
• Token Exchange (Draft)
• SAML 2.0 Bearer Assertion (RFC 7522)
• Proof of Possession (Draft)
• JSON Web Token (JWT) (RFC 7519)
• JSON Web Signature (JWS) (RFC 7515)
• JSON Web Encryption (JWE) (RFC 7516)
• JSON Web Key (JWK) (RFC 7517)
• Bearer Token (RFC 6750)
The service auth problem
Monolithic auth model (diagram)
• Clients: Mobile, Web, API
• Request: GET https://myapplication.com/home
• Security Interceptors in front of the AuthN Module establish the request Context
Monolithic auth model (diagram, continued)
• GET https://myapplication.com/home passes through the Security Interceptors, which build the Context
• Modules sharing that Context in-process: User Module, Events Module, AuthN Module, Homepage Module
• The Homepage Module calls "Lookup user" (User Module) and "Log events" (Events Module) directly
Services auth model - context (diagram)
• Clients (Mobile, Web, API) send GET https://myapplication.com/home with Authorization: Bearer <token>
• Each service (Event Service, User Service, AuthN Service, Homepage Service) sits behind its own Security Interceptors
• The token is forwarded on every hop (Authorization: Bearer <token>), and each service builds its Context by calling the AuthN Service: "Lookup user ID with token"
Services auth model - claims (diagram)
• The AuthN Service issues an access JWT after authentication ("Issues access jwt after authN")
• Authorization: Bearer <jwt> is forwarded on every hop to Event Service, User Service and Homepage Service, each behind its own Security Interceptors, and each service builds its Context from the claims carried in the token
Claims example
{
"userId": "…",
"tenantId": "...",
"scope": "PROFILE_READ"
}
Concepts
• Claims
• Authentication broker
• Federation
Layers of security (diagram)
• Perimeter: Mobile, Web and API clients enter here
• Service: Event Service, User Service, AuthN Service, Homepage Service, each behind Security Interceptors
• User: Authorization: Bearer <claims_token> carries the user's identity through the services
1 Background
2 Service Auth
• TLS overview
• Adding AuthZ
• Demo
3 User Auth
TLS overview
What is TLS?
• Secure Sockets Layer (SSL) → Transport Layer Security (TLS)
• Symmetric cryptography for data encryption
• Protection against failure via MAC
• Identity of communicating parties via asymmetric cryptography
TLS handshake (Client ↔ Server)
1. Client Hello
2. Server Hello (with cert)
3. Calculate Symmetric Key (both sides)
4. Finished (client)
5. Finished (server)
Secured Channel
Phases: Hello, Key Exchange, Finished
Diffie-Hellman key exchange diagram: https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
Who’s authenticated? (diagram)
• Event Service, User Service and Homepage Service: "Hello" / "Hello, here’s my certificate" / Secured Channel
• Only the server side ("Service") presents a certificate in this exchange; the client side ("User") presents nothing
TLS client authentication
Client ↔ Server
1. Hello
2. Client Certificate Request
3. Client Certificate
4. Certificate Verify
5. Calculate Key and Finish
Secured Channel
• Client talking to authentic server
• Server talking to known client
• Requires client to have certificate
That’s a lot of certificates (Event Service, User Service and Homepage Service each need one)
• Enable support for multiple acceptable public keys
• Consider using a key hierarchy
• Rotating User CA requires change only to User Service
• Enable revocation checking
Key hierarchy: Root CA (offline) → User CA, Event CA, Homepage CA
Problem solved? (diagram)
User Service, Event Service and Homepage Service each present a certificate with ISS: Root CA
Adding AuthZ
Hostname verification
• Standard (RFC 2818)
• Match hostname of client to certificate
• Hard when services share hosts like in a cluster manager
Homepage Service certificate subject (host-bound):
Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com
Service-name verification
• Tie certificates to services rather than hosts
• Better portability
• Simpler deployments
• No standard
• Application level
Homepage Service certificate subject (service-bound):
Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service
More info? TLS client authentication for internal services: http://developer.okta.com/blog/
Demo
So we’re done right? (diagram)
Mobile, Web and API clients still reach Event Service, User Service, AuthN Service and Homepage Service, each behind its own Security Interceptors
1 Background
2 Service Auth
3 User Auth
• JOSE
• In practice
• Demo
JOSE
JWT format
Header:
{
"alg": "RS256"
}
Claims:
{
"iss": "https://example.okta.com",
"sub": "00ugrenMeqvYla4HW0g3",
"aud": "w255HEWiSU4AuNxEjeij",
"iat": 1446305282,
"exp": 1446308882,
"amr": [
"pwd"
],
"auth_time": 1446305282,
"email": "joe@example.com",
"email_verified": true
}
Signature
JWT encoding
base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8
(the three dot-separated segments are Header, Claims and Signature)
JWA - signature types
• HMAC (Symmetric)
• Digital Signature (Asymmetric)
JWS – symmetric keys (diagram): Event Service, User Service, AuthN Service and Homepage Service, each behind Security Interceptors, all hold the same Symmetric Key
JWS – asymmetric keys (diagram): the AuthN Service holds the Private key; Event Service, User Service and Homepage Service hold only the Public key
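As an added example (not code from the talk or from the dropwizard-auth-example project), the encoding rule above and the symmetric-key JWS flow, written with Python's standard library only: the AuthN service acts as the authentication broker, mapping external identity attributes onto the internal claims from the talk (userId, tenantId, scope) in an HS256-signed JWT, and a receiving service's interceptor verifies signature, issuer, audience and expiry before reading any claim. The key, issuer and audience values and the identity record are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (assumptions, not from the talk or any Okta code):
# the AuthN service's HS256 key, its issuer name, and the service the token is issued for.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://authn.internal.example"
AUDIENCE = "homepage-service"


class InvalidToken(Exception):
    """Raised by verify_jwt when any check fails."""


def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, as JWS specifies
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_jwt(external_identity: dict, key: bytes, now: int, ttl: int = 3600) -> str:
    """Authentication-broker step: map external identity attributes onto the internal
    claims from the talk (userId, tenantId, scope) and sign them as an HS256 JWS."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": external_identity["email"],
        "iat": now,
        "exp": now + ttl,
        "userId": external_identity["user_id"],
        "tenantId": external_identity["tenant_id"],
        "scope": "PROFILE_READ",
    }
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(claims))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    # base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature)
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, key: bytes, now: int, expected_aud: str = AUDIENCE) -> dict:
    """The checks a service's security interceptor runs before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the verifier expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison, done before any claim is read.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise InvalidToken("untrusted issuer")
    if claims.get("aud") != expected_aud:
        raise InvalidToken("token was not issued for this service")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidToken("expired")
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """Service-level authorization decided on the verified claims only."""
    return required in claims.get("scope", "").split()


def _rejected(token: str, now: int) -> bool:
    try:
        verify_jwt(token, DEMO_KEY, now)
    except InvalidToken:
        return True
    return False


def demo(now: int) -> dict:
    """Issue a token for a constructed external identity and exercise the checks."""
    identity = {"email": "karl@example.com", "user_id": "u-constructed-1", "tenant_id": "t-constructed-1"}
    token = issue_jwt(identity, DEMO_KEY, now)
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["scope"] = "PROFILE_WRITE"  # claims changed in transit: the signature no longer matches
    edited = header_b64 + "." + b64url_encode(_json_bytes(claims)) + "." + sig_b64
    verified = verify_jwt(token, DEMO_KEY, now + 10)
    return {
        "valid_user": verified["userId"],
        "profile_read": has_scope(verified, "PROFILE_READ"),
        "profile_write": has_scope(verified, "PROFILE_WRITE"),
        "edited_claims_rejected": _rejected(edited, now + 10),
        "expired_rejected": _rejected(token, now + 3600),
        "wrong_key_rejected": _rejected(issue_jwt(identity, b"some-other-key", now), now + 10),
    }
```

Calling `demo(1446305282)` returns a dict in which the valid token yields its userId and PROFILE_READ, while the edited, expired and wrong-key tokens are all rejected before any claim is used.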
JOSE onion: claims → signed claims → encrypted claims
• JWS – JSON Web Signatures
• JWT – JSON Web Token
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
JWT – Composes: JWS, JWE, JWA & JWK
Reference
In practice
Iterative rollout (diagram, step 1)
• Mobile, Web and API clients hit the monolith's Security Interceptors, which build the Context shared by the Events Module, AuthN Module and Homepage Module
• The first extracted service, User Service, sits behind its own Security Interceptors; the monolith generates a JWT ("Generate JWT") and calls it with Authorization: Bearer <JWT>
Iterative rollout (diagram, step 2)
• AuthN Service is extracted next; Mobile, Web and API clients present a Cookie / Token to it
• Authorization: Bearer <JWT> is used on every hop to User Service, Event Service and Homepage Service, each behind its own Security Interceptors
Key Rotation
• Enable support for multiple acceptable public keys
• Consider using a key hierarchy
• Rotating the AuthN CA requires a change only to the AuthN service
• Enable revocation checking
Key hierarchy: Root CA (offline) → Auth CA
(diagram) The AuthN Service holds the Private key; Event Service, User Service and Homepage Service, each behind Security Interceptors, hold the Public key
JWT Java Libraries (https://openid.net/developers/libraries/#jwt)
• Jose4j
• Nimbus JOSE + JWT
• Java JWT
• Resteasy
• Apache Oltu - JOSE
Demo
Final thoughts
Recap
• Service auth with TLS
  • Transport level privacy and authentication
  • Service level authorization
• User auth with JWTs
  • JWT
    • Stateless
    • Scalable
  • Authentication broker
    • Converts existing external identity attributes into internal claims
    • Internal claims enable federation across microservices
• Code: https://github.com/wdawson/dropwizard-auth-example
How can Okta help?
Universal Directory
Single Sign-On
Provisioning
Adaptive Multi-factor Authentication
Social Authentication
Inbound Federation
AD and LDAP Integration
Thank You
Jon Todd
@JonToddDotCom
Wils Dawson
@WilsDawson
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 

Último (20)

Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 

REST Service Authentication with TLS & JWTs

  • 1. Jon Todd @JonToddDotCom REST Service Auth with JWTs Wils Dawson @WilsDawson
  • 2. About Okta Okta is the foundation for secure connections between people and technology
  • 3. Used in 185 countries
  • 5. Goals 1. Demystify claims based auth with JSON Web Tokens (JWT) 2. Learn how we solve service auth @Okta 3. Real world code example using Dropwizard
  • 6. 1 Background • Concepts • The service auth problem 2 Service Auth 3 User Auth
  • 8. Verifying you are who you say you are (AuthN) Authentication
  • 9. What you are allowed to do (AuthZ) Authorization
  • 11. Identity attributes about a user provided by a trusted issuer Examples: Kerberos ticket, SAML assertion, JWT Claims
  • 12. Boarding pass is a signed set of claims made by the airline about you • Issued by airline • Claims • Name (authentication) • Flight Date/Time, Number and Seating Priority (authorization) • Bar code/magnetic strip (signature) • Proves that the pass was issued by the airline and is not a forgery (authenticity). Claims example
  • 13. OK, I get claims. But why use JWTs?
  • 16. JSON Object Signing & Encryption (JOSE) Working group: https://datatracker.ietf.org/wg/jose/charter/ • JWS – JSON Web Signatures • JWT – JSON Web Token (pronounced “jot”) • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "karl@example.com", "email_verified": true } Claims
  • 17. Single authentication trusted across multiple separate systems Examples: WS-Federation, SAML, OpenID Connect Federation
  • 18. Federation example • At ticket counter trade credentials for ticket (authentication broker) • Passport • Driver’s license • Agent at counter verifies credentials • ID issued by trusted source (trust) • Scans barcode and verifies photo (authentication) • Verifies flight is paid for and seat assigned (authorization) • Agent issues ticket (claims) • Ticket is accepted by multiple, independent parties (federation) • Security line entry • TSA check • Gate agent
  • 20. Federation standards shift https://www.flickr.com/photos/robbies/693510178 • JWS – JSON Web Signatures • JWT – JSON Web Token • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key
  • 21. Use cases • Delegated access: OAuth 2.0 • Identity claims: JOSE • Federation: OpenID Connect
  • 22. OAuth 2 Framework (RFC 6749) • Assertion Framework (RFC 7521) • Token Introspection (RFC 7662) • Token Revocation (RFC 7009) • Dynamic Client Registration (RFC 7591) • JSON (RFC 7159) • JSON Web Token Bearer Assertion (RFC 7523) • Proof Key for Code Exchange, PKCE (RFC 7636) • Simple Authentication and Security Layer, SASL (RFC 7628) • Token Exchange (draft) • SAML 2.0 Bearer Assertion (RFC 7522) • Proof of Possession (draft) • JSON Web Token, JWT (RFC 7519) • JSON Web Signature, JWS (RFC 7515) • JSON Web Encryption, JWE (RFC 7516) • JSON Web Key, JWK (RFC 7517) • Bearer Token (RFC 6750)
  • 23. The service auth problem
  • 24. Monolithic auth model Security Interceptors Context GET https://myapplication.com/home AuthN Module Mobile Web API
  • 25. Monolithic auth model GET https://myapplication.com/home Security Interceptors Context User Module Events Module AuthN Module Homepage Module Log events Lookup user Mobile Web API
  • 26. Services auth model - context Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <token> GET https://myapplication.com/home Authorization: Bearer <token> Authorization: Bearer <token> Context Lookup user ID with token Mobile Web API
  • 27. Services auth model - claims Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <jwt> Authorization: Bearer <jwt> Authorization: Bearer <jwt> { "userId": "…", "tenantId": "...", "scope": "PROFILE_READ" } Issues access jwt after authN Claims example Concepts • Claims • Authentication broker • Federation Mobile Web API
  • 28. Layers of security Perimeter Service Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <claims_token> User
  • 29. 1 Background 2 Service Auth • TLS overview • Adding AuthZ • Demo 3 User Auth
  • 31. What is TLS? • Secure Sockets Layer (SSL) -> Transport Layer Security (TLS) • Symmetric cryptography for data encryption • Protection against tampering (message integrity) via MAC • Identity of communicating parties via asymmetric cryptography
  • 32. TLS handshake Client Server 2 Server Hello (with cert) 4 Finished 5 Finished Secured Channel Client Hello 1 3 Calculate Symmetric Key 3 • Hello • Key Exchange • Finished https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
  • 33. Who's authenticated? Event Service User Service Homepage Service Hello Hello, here's my certificate Secured Channel User Service
  • 34. TLS client authentication Client Server 2 Client Certificate Request 4 Certificate Verify 5 Calculate Key and Finish Secured Channel Hello 1 3 Client Certificate 1 5 • Client talking to authentic server • Server talking to known client • Requires client to have certificate
  • 35. That's a lot of certificates Event Service User Service Homepage Service • Enable support for multiple acceptable public keys • Consider using a key hierarchy • Rotating User CA requires change only to User Service • Enable revocation checking Root CA (offline) User CA Event CA Homepage CA
  • 36. Problem solved? Event Service User Service Homepage Service User Service Issuer: Root CA Event Service Issuer: Root CA Homepage Service Issuer: Root CA
  • 38. Hostname verification • Standard (RFC 2818) • Match hostname of client to certificate • Hard when services share hosts like in a cluster manager Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com Homepage Service
  • 39. Service-name verification • Tie certificates to services rather than hosts • Better portability • Simpler deployments • No standard • Application level Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service Homepage Service
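Added example, not code from the talk or from the dropwizard-auth-example repository: the application-level checks slides 35 to 39 call for once TLS has authenticated a client certificate chained to the root. It parses a subject line in the form the slides print, matches a CN either as a hostname (RFC 2818 rules, wildcard only in the leftmost label) or as an `<env>.<service>` service name, and then applies a caller-to-callee allow-list so that, as on slide 36, a service whose certificate is also signed by the root is still refused calls it has no business making. The subject string format, the service-name regex, the environment check and the allow-list are assumptions for the example; in a real service the subject comes from the TLS layer after chain validation.

```python
"""Peer identity and authorization checks for mutually authenticated TLS.

Added example, not code from the talk or the dropwizard-auth-example repo.
After the handshake has validated the client certificate's chain up to the
root CA, every service under that root is authenticated but not authorized.
This shows the application-level checks the slides describe: matching the
subject CN as a hostname (RFC 2818) or as a service name (no standard), then
applying a caller allow-list. Subject format and policy are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple


def parse_subject(dn: str) -> Dict[str, str]:
    """Parse 'C=US, ST=California, ..., CN=dev.homepage-service' into a dict.
    Only the simple comma-separated form printed on the slides is handled."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key and value:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def hostname_matches(cn: str, hostname: str) -> bool:
    """RFC 2818 style check: exact match, or a wildcard covering only the
    leftmost label ('*.internal.acme.com' matches 'homepage03.internal.acme.com'
    but not 'a.b.internal.acme.com')."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn == hostname:
        return True
    if cn.startswith("*."):
        suffix = cn[1:]  # '.internal.acme.com'
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


# Assumed naming convention for service certificates: CN = '<env>.<service>'.
SERVICE_NAME = re.compile(r"^(?P<env>[a-z]+)\.(?P<service>[a-z][a-z0-9-]*)$")


def service_name(cn: str) -> Optional[Tuple[str, str]]:
    """Service-name verification: tie the certificate to a service, not a
    host, so the same cert works on any host. Returns (env, service) or None."""
    m = SERVICE_NAME.match(cn.lower())
    return (m.group("env"), m.group("service")) if m else None


# Hypothetical allow-list for slide 36: all three services chain to the same
# root CA, so TLS alone cannot stop Event Service calling User Service.
# caller service -> callee service -> permitted (method, route) pairs
POLICY: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "homepage-service": {
        "user-service": [("GET", "/users/{id}")],
        "event-service": [("POST", "/events")],
    },
    "user-service": {"event-service": [("POST", "/events")]},
}


def authorize_peer(peer_dn: str, callee: str, method: str, route: str,
                   env: str = "dev") -> Tuple[bool, str]:
    """Decide whether the TLS-authenticated peer may call `callee`'s route.
    The subject must come from a certificate the TLS layer already chained to
    the root. Returns (allowed, reason) so denials can be logged."""
    cn = parse_subject(peer_dn).get("CN")
    if not cn:
        return False, "subject has no CN"
    ident = service_name(cn)
    if ident is None:
        return False, f"CN {cn!r} is not a service name"
    peer_env, caller = ident
    if peer_env != env:
        return False, f"certificate is for environment {peer_env!r}, expected {env!r}"
    if (method.upper(), route) not in POLICY.get(caller, {}).get(callee, []):
        return False, f"{caller} may not {method.upper()} {route} on {callee}"
    return True, f"{caller} -> {callee} {method.upper()} {route}"


if __name__ == "__main__":
    base = "C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN="
    for cn in ("dev.homepage-service", "dev.event-service", "prod.homepage-service"):
        print(cn, authorize_peer(base + cn, "user-service", "GET", "/users/{id}"))
```

The order matters: chain validation happens in the TLS stack before any of this runs, `authorize_peer` only decides what an already-authenticated peer may do, and the environment check keeps a certificate issued under the same root for another environment from being accepted in this one.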
  • 40. TLS client authentication for internal services http://developer.okta.com/blog/ More info?
  • 41. Demo
  • 42. So we’re done right? Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Mobile Web API
  • 43. 1 Background 2 Service Auth 3 User Auth • JOSE • In practice • Demo
  • 44. JOSE
  • 45. JWT format { "alg": "RS256" } { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "joe@example.com", "email_verified": true } Header Claims Signature
  • 46. JWT encoding base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature) eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8 Header Claims Signature
  • 47. JWA - signature types HMAC (Symmetric) Digital Signature (Asymmetric)
  • 48. JWS – symmetric keys Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Symmetric Key
  • 49. JWS – asymmetric keys Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Public key Private key
  • 50. JOSE onion claims signed claims encrypted claims • JWS – JSON Web Signatures • JWT – JSON Web Token • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key JWT – Composes: JWA & JWK JWS JWE Reference
  • 52. Iterative rollout Mobile Web API Security Interceptors Context Events Module AuthN Module Homepage Module User Service Security Interceptors Authorization: Bearer <JWT> Generate JWT
  • 53. Iterative rollout Security Interceptors AuthN Service User Service Security Interceptors Authorization: Bearer <JWT> Event Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <JWT> Authorization: Bearer <JWT> Cookie / Token Mobile Web API
  • 54. Key Rotation • Enable support for multiple acceptable public keys • Consider using a key hierarchy • Rotating AuthN CA requires a change only to the AuthN service • Enable revocation checking Root CA (offline) Auth CA Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Public key Private key
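Added example, not code from the talk or its GitHub demo, covering slides 45 to 47 (header.claims.signature, base64url, HMAC versus digital signature) and slide 54 (several acceptable keys so one can rotate). It splits the page's sample token into its three base64url segments and parses the header and claims, then mints and verifies HS256 tokens against a verifier that holds several keys by `kid`, which is what lets a signing key be rotated without rejecting tokens still in flight. Only the standard library is used, so signing is HMAC rather than the RS256 the sample token carries; the sample's signature is not verified because the issuer's public key is not on the page. The issuer URL, key ids, secrets, subject and audience values, and the tenantId/scope claims in the minted tokens are made up for the example.

```python
"""JWT compact serialization, HS256 signing and verification with a key set.

Added example, not code from the talk or its GitHub demo. Standard library
only, so signatures are HMAC (JWA 'HS256'); the slide's sample token is RS256
and its signature is not checked here, since the issuer's public key is not on
the page. Issuer URL, kids, secrets and the extra claim values are made up.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# The token printed on the encoding slide, with the line-wrap spaces removed.
SLIDE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdlls"
    "YTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1Mjgy"
    "LCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1Mjgy"
    "LCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0."
    "XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSb"
    "HMkO4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJ"
    "FIdk6SRktTFrVNHAOIhEQsgm8"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding


def decode_unverified(token: str) -> Dict[str, Any]:
    """Split header.claims.signature and parse the JSON parts. Nothing is
    checked here: until the signature verifies, the claims are untrusted input."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "claims": json.loads(b64url_decode(claims_b64)),
            "signature": sig_b64}


def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


class Hs256Issuer:
    """Mints HS256 tokens; 'kid' names the key so verifiers can hold several."""

    def __init__(self, issuer: str, kid: str, secret: bytes):
        self.issuer, self.kid, self.secret = issuer, kid, secret

    def mint(self, subject: str, audience: str, extra: Dict[str, Any],
             ttl: int = 3600, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT", "kid": self.kid}
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl, **extra}
        signing_input = ".".join(
            b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in (header, claims))
        return signing_input + "." + b64url_encode(_sign(self.secret, signing_input))


class Hs256Verifier:
    """Holds every currently acceptable key by kid. Rotation: add the next key
    here first, switch the issuer to it, drop the old key once its tokens
    have expired; in-flight tokens keep verifying throughout."""

    def __init__(self, issuer: str, audience: str, keys: Dict[str, bytes]):
        self.issuer, self.audience, self.keys = issuer, audience, dict(keys)

    def verify(self, token: str, now: Optional[int] = None) -> Dict[str, Any]:
        now = int(time.time()) if now is None else now
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # The header is unauthenticated: pin the algorithm and pick the key
        # ourselves instead of doing whatever 'alg' asks for.
        if header.get("alg") != "HS256":
            raise ValueError("unsupported alg")
        key = self.keys.get(header.get("kid"))
        if key is None:
            raise ValueError("unknown kid")
        expected = _sign(key, f"{header_b64}.{claims_b64}")
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(claims_b64))  # signature checked, now usable
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        if claims.get("aud") != self.audience:
            raise ValueError("wrong audience")
        if now >= int(claims.get("exp", 0)):
            raise ValueError("token expired")
        return claims


def try_verify(verifier: Hs256Verifier, token: str, now: Optional[int] = None) -> str:
    """Return 'ok' or the rejection reason, for logging and for the demo below."""
    try:
        verifier.verify(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(decode_unverified(SLIDE_TOKEN)["claims"])
    authn = Hs256Issuer("https://authn.internal", "2015-11", b"secret-2015-11")
    users = Hs256Verifier("https://authn.internal", "user-service",
                          {"2015-11": b"secret-2015-11", "2015-12": b"secret-2015-12"})
    t = authn.mint("00ugrenMeqvYla4HW0g3", "user-service",
                   {"tenantId": "t0001", "scope": "PROFILE_READ"}, now=1446305282)
    print(try_verify(users, t, now=1446305282 + 60), try_verify(users, t, now=1446305282 + 7200))
```

The verifier pins the algorithm and looks the key up by kid rather than trusting the header, checks the signature before reading any claim, and only then enforces iss, aud and exp; the audience check is what stops a token minted for one service from being replayed against another. With HMAC, the answer to the audience question in the speaker notes about the symmetric key approach is visible in the code: every service holding the shared secret can mint tokens as well as verify them, which is what the public/private key layout on the asymmetric-keys slide avoids.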
  • 55. JWT Java Libraries https://openid.net/developers/libraries/#jwt • Jose4j • Nimbus JOSE + JWT • Java JWT • Resteasy • Apache Oltu - JOSE
  • 56. Demo
  • 58. Recap • Service auth with TLS • Transport level privacy and authentication • Service level authorization • User auth with JWTs • JWT • Stateless • Scalable • Authentication broker • Converts existing external identity attributes into internal claims • Internal claims enable federation across microservices • Code: https://github.com/wdawson/dropwizard-auth-example
  • 59. How can Okta help? Universal Directory Single Sign-On Provisioning Adaptive Multi-factor Authentication Social Authentication Inbound Federation AD and LDAP Integration

Editor's Notes

  1. Use the right tool for the job. Backend server stack is almost entirely Java, with use of Jetty and Dropwizard, to give a flavor of some of the tools.
  2. Transition: OK, I get claims. So if claims have been around for such a long time, why do people care about JWTs?
  3. Clean
  4. The concept of federation is very broad. As it relates to microservices/SOA, the idea is that as you break a system up, federation provides a model for services to
  5. Just as we've traded in angle brackets for curlies, the industry has been moving from WS-* to OIDC. It's starting to look like the Death Star, isn't it? The OpenID space isn't without its own comical abbreviations, but they certainly are more appetizing.
  6. Security interceptors: validate that AuthN is still valid; validate that the user in context has the correct permissions to access the resource (AuthZ). Context supplies the authenticated user and permissions to all the other code in the monolith. AuthN module: code which knows how to authenticate a user. If the interceptor determines the user needs authentication, it invokes the AuthN module. Notice how AuthN is typically centralized but AuthZ decisions are distributed across the codebase.
  7. REST is stateless: we have no more shared context, so how are we going to pass user info along to each service? The naive approach is with the same random token we've been using.
  8. We can solve the context problem by baking important attributes into the claims token to prevent lookups. Now that we have a centralized AuthN service, we can extend the federation with claims.
  9. For the remainder of the talk we're going to focus on applying this federated, claims-based approach to auth. In particular, we're going to focus on backend service auth, and we're going to make the assumption that your services are talking HTTP. Important to note that while we aren't addressing client auth scenarios in this talk, the model we'll be putting in place naturally extends to the client following the OAuth model. Layers: Perimeter – outside the scope of this presentation. Host – host-level authentication and transport-level security with TLS. User –
  10. SSL predecessor. Secure key exchange -> symmetric; data exchange uses symmetric. Message Authentication Code. Public key crypto for authentication.
  11. Hello = what do we support? Key exchange = where the magic happens, cipher dependent. "Master secret" & paint. Finished = encrypted test.
  12. Back to our services… What just happened? Cert offering = authentication. Could be anyone: another service, an attacker. So what can we do?
  13. Client extra step = verify it can access the private key. Trusting a root is better than trusting the client directly; rotation -> opens an attack vector.
  14. Quick word about certificates… How do we manage those certificates? A few things to consider; everyone is different. Multiple acceptable keys means rotation is easier. A key hierarchy means rotation is easier. Multiple ways to do this. For this talk, we'll assume an offline root with services underneath that. Revocation checking = easier rotation, and required for rotation. OK so, we've given our services each their own certificate that has a trust chain up to our root. Let's go back to TLS client authentication.
  15. Not quite. Since they are all signed by the root, and that's what we're trusting, Event Service can still talk. There are ways around this, like not trusting the root, but then we have rotation issues like I just talked about. What are my options if I want to trust the root, but don't want the event service to talk? AuthZ: we've established "Who you are"; now we want to know "What can you do?"
  16. "HTTP over TLS" standard RFC. Client -> Server and Server -> Client. If your services share hosts = harder. Wildcard or subjectAltName extension. Depending on environment, these don't solve the problem.
  17. Portability -> any host works. Deployments -> no special config per host. No standard .. sadface. Application level: regex; authoritative, omnipotent service.
  18. We can solve the context problem by baking important attributes into the claims token to prevent lookups. Now that we have a centralized AuthN service, we can extend the federation with claims.
  19. Audience question: What's a security drawback of the symmetric key approach?
  20. Walk the flow. Clients continue to use the existing auth mechanism. AuthN Module converts external session / token representations into an internal JWT. Potential future updates: consider OpenID Connect at the client level; remove homepage service entirely; generate service-specific access tokens up in the client (OAuth 2.0).
  21. There are a number of great options. We use Nimbus JWT. Add our own policy on certificate revocation checking.
  22. JWT. Stateless: no need for a DB for user info. Scalable: no need to query a DB to check if the token is valid; no need to call other services for data already computed in the token.
  23. At the core we make it easier to adopt cloud. 3000 customers using Okta to connect with cloud apps. Adobe developers built the Creative Cloud auth on top of Okta for federated enterprise authentication. Companies already have their own AD or LDAP; Okta makes getting on to using CC faster and easier. Advent: Universal Directory per customer.