Jacob has a horse named Travis. The document discusses establishing trust in a microservices architecture through the use of claims instead of directly passing user attributes between services. Claims assert attributes about a user from a trusted source, rather than just providing the attributes alone. This allows services to verify the source of identity data and establish an authorization model with scopes. The document advocates using claims and centralized trust models to avoid issues that can arise from directly sharing user data between loosely coupled services without context.

1. Jacob Has a Horse, says Travis
a tale of truths in a microservice architecture

2. Who Am I?

3. Who Am I, attributes?
Name: Jacob
Age: 38
Length: 177cm
Family-role:
Father
Son: Bertil
Weather:
Sunny
Location:
Some Café

4. Me, using a service
Name: Jacob
Age: 38
Length: 177
Shirt size: 48
Location: Home Weather:
Rainy
StoreAccount:
123-XYZ
Clothing Store
/buy

5. Part 1: The API Security
Maturity Model

6. API Security Maturity Model
API Keys and Basic Authentication

7. Example
Name: Jacob
Age: 38
Length: 177
Shirt size: 48
Location: Home Weather:
Rainy
StoreAccount:
123-XYZ
Clothing Store
/buy

8. Example
Clothing Store Web
/buy
/inventory
/purchase

9. Example
Clothing Store Web
/buy
/inventory
/purchase
Authorization: Basic YWRtaW46UGFzc3dvcmQx
Authorization: Basic YWRtaW46UGFzc3dvcmQx

10. Example
Clothing Store Web
/buy
/inventory
/purchase
Authorization: Basic YWRtaW46UGFzc3dvcmQx
{ user: 123-XYZ }
Authorization: Basic YWRtaW46UGFzc3dvcmQx
{ user: 123-XYZ }

11. The problem with API Keys and Basic Auth
• Machine verification(ish)
• User isn’t bound to the requested resource
• Authentication only, no Authorization

12. API Security Maturity Model
API Keys and Basic Authentication
Token based Authentication

13. Example: The publisher

14. Example: The publisher
Inside organization
Web Content
The Internet

15. Example: The publisher
Inside organization
Web Content
The Internet
Authorization: Bearer AT
Authorization: Bearer AT
Authorization: Bearer AT

16. The problem
• Access Tokens only used for authentication
• Authorization is not performed
• Machine access to the same API
• Result: Anyone who could obtain a token can update the content API.

17. API Security Maturity Model
API Keys and Basic Authentication
Token based Authentication
Token based Authorization

18. Scopes
• Named “permissions” in a token
• Strings
• Does not contain any values
• Requested by the client
• Authorized by the user and the OAuth server

19. Scopes Example
• content_read
• content_write
• email
• address
• invoice_list Content
Invoices
Users

20. Example: The Swish app
Image Copyright Getswish AB

21. Example: The Swish app
Image Copyright Getswish AB
BankID (eID)
Swish

22. Example: The Swish app
Image Copyright Getswish AB
BankID (eID)
Swish

23. Example: The Swish app
Image Copyright Getswish AB
BankID (eID)
Swish
/payment-history/<phone-number>/ALL

24. Passing information around

25. Passing information around
PhoneNumber =
123213

26. Passing information around
PhoneNumber =
123213

27. What could go wrong?
• What can happen when an API calls another API?
• Who trust’s who?
• Information gets added along the way

28. Spaghetti
Photo by Immo Wegmann on Unsplash

29. API Security Maturity Model
API Keys and Basic Authentication
Token based Authentication
Token based Authorization
Centralized trust using Claims

30. Part 2: Claims – the missing
piece

31. Who do we trust?
• The caller?
• The API Gateway?
• The issuer of the tokens?
• The user database?

32. Trust
Trust is a subjective assessment of another’s influence in terms of the extent of
one’s perception about the quality and significance of another’s impact over
one’s outcomes in a given situation, such that one’s expectation of, openness
to, and inclination toward such influence provide a sense of control over the
potential outcomes of the situation.
Romano D.M. (2003). "The Nature of Trust: Conceptual and
Operational Clarification". Louisiana State University, PhD
Thesis.

33. Trust, in other words
• Trust is subjective
• It does not guarantee absolute truth
• It helps us predict the correctness of a decision

34. Participants in Trust
The issuer / authority
The relying partyThe requesting party

35. Who Am I, attributes?
Name: Jacob
Age: 38
Length: 177cm
Family-role:
Father
Son: Bertil
Weather:
Sunny
Location:
Some Café

36. Who Am I, Context attributes?Weather:
Sunny
Location:
Some Café
CONTEXT ATTRIBUTES

37. Who am I, subject attributes
Name: Jacob
Age: 38
Length: 177cm
Family-role:
Father
Son: Bertil
SUBJECT ATTRIBUTES

38. Asserting parties

39. Attribute:
firstName = Jacob
age = 38
Trust Claims, not attributes

40. Claim:
Skatteverket says:
the firstName of this person is Jacob
Jacob is 38, says Polisen
Jacob has a son, says Skatteverket
Trust Claims, not attributes

41. The anatomy of a claim
Jacob is 177cm tall, says Polisen
Subject Attribute Asserting party

42. How can we trust the data
• Always verify all incoming data against the original source
• Trust an common party to provide the data

43. Using claims
The issuer / authority
The relying partyThe requesting party

44. Using claims
The issuer / authority
The relying partyThe requesting party

45. Verifying claims
The issuer / authority
The relying partyThe requesting party
OK

46. Verifying claims
The issuer / authority
The relying partyThe requesting party
Verify signature

47. Hey, I can use a JWT
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqY
W5lZG9lQGV4YW1wbGUuY29tIiwibmFtZSI6IkphbmUgR
G9lIiwiaWF0IjoxNTQ2MzAwODAwLCJleHAiOjE4OTM0N
TYwMDB9.XcNkubx0GNwbOohJGVAUVxl187oYSR0ecFz
0wvHvksOsOW9m6z3WyW4-
Q_yZUMuJaq_WZCX0y8EIUj9bur7aVfSONKv2uS_m7Cn
h_GlAAXFRkLZk9cBg3Xrv8mF2rcmZMy_0l5RdRDzF48H
35agZoImUR8sfPU-
S7ypgSmNX0j3nlLJLZNqjjF2XkFr54rNsXYFBQZUunzBgV
moeqfWRKcSB-
HJOrSWEiKL8JLMp8qgS0x4h5YRVtNiJ5o7I3KDYVGG4bw
ExFFPwHakseTdjkRJOGcUu1P5-
8DoLnsp1JLYbpfGLC3ebO1rRLQYuDDkqEmqzrMXTyXXT
8Lg8I2IkBw
{
sub: janedoe@example.com
name: Jane Doe
iat: 1546300800
exp: 1893456000
iss: https://login.curity.io
subscriber_id: ABC_123
}

48. A JWT has Claims
{
sub: janedoe@example.com
name: Jane Doe
iat: 1546300800
exp: 1893456000
iss: https://login.curity.io
subscriber_id: ABC_123
}
These are claims!

49. A JWT has Claims
{
sub: janedoe@example.com
name: Jane Doe
iat: 1546300800
exp: 1893456000
iss: https://login.curity.io
subscriber_id: ABC_123
}
There’s a subject

50. A JWT has Claims
{
sub: janedoe@example.com
name: Jane Doe
iat: 1546300800
exp: 1893456000
iss: https://login.curity.io
subscriber_id: ABC_123
}
Issued by

51. Using the JWT
The issuer / authority
The relying partyThe requesting party
Verify signature
JWT

52. A JWT is not a protocol!

53. Traffic
Photo by Denys Nevozhai on Unsplash

55. Using Claims

56. Using Claims

57. Using Claims
{
sub: janedoe@example.com
name: Jane Doe
iat: 1546300800
exp: 1893456000
iss: https://login.curity.io
subscriber_id: ABC_123
phone_number: +46 123 123 123
}

58. Using Claims

59. Attribute sources

60. Claim data
• Organize sensitive data to be reachable only by the OIDC server
• Include identity specific data in the token
• Use Opaque tokens on the internet and JWTs internally
• Only add data when the client needs it!

61. How to identify data to put in the token
• It should be relevant to a large set of your APIs
• It should not be application specific
• It should be attributes of the user
• It should not be contextual for the session

62. Summary: Trust few sources

63. Summary: No spaghetti
Photo by Eiliv-Sonas Aceron on Unsplash

64. Summary: Attributes are not claims
age: 34
firstName: Jane
lastName: Doe
email: jane@example.com
carVIN: 123123123123

65. Summary: Claims are easy
• The car is yellow, Jacob says.
• Travis phone number is 123 123 123, says his wife

66. Jacob has a horse, says
Travis

67. Thank you
https://curity.io
https://developer.curity.io
info@curity.io
@curity.io