This slide deck explores the challenges of securing microservices, best practices to overcome them, and how WSO2 Identity Server can be used in microservice architecture.
Watch webinar recording here: https://wso2.com/library/webinars/2018/09/the-role-of-iam-in-microservices/
The Role of IAM in Microservices
1. The Role of IAM in Microservices
Darshana Gunawardana
Technical Lead,
WSO2
Farasath Ahamed
Senior Software Engineer,
WSO2
2. WSO2 At-A-Glance
Colombo, London, Mountain View, New York, São Paulo, Sydney
Founded 2005, backed by Cisco and Toba Capital
500+ Employees (300 Engineers)
Open Source
450+ Customers, 175 New Customers in 2017
$25m Sales in 2017, 53% YoY growth
3. Microservices
● Microservice architecture is
○ A single application as a collection of small and independent services
● Independent services
○ Developed independently
○ Deployed independently
○ Run independently
● Not just about an architectural pattern
○ Driven by the primary goal - speed to production
4. Monolithic Applications
● All the services are deployed in the same application server
● Few entry points, where security can be intercepted and enforced
● The application server itself provides session management features
○ All the services can share a user’s login status
● The interactions between services are local calls
8. Challenges
● Broader attack surface
● Microservices are independent of each other
○ Each service has to enforce authentication and authorization
● Scalability
○ Each service will serve thousands of requests per second
○ There can be hundreds of microservices
● Performance
● Deployment complexities
● Polyglot architecture
9. Will Current IAMs Become Obsolete?
● Business requirements
○ Strong authentication
○ Mergers/acquisitions
○ Social logins
● Capabilities
○ Multi-factor and adaptive authentication
○ Identity federation
○ Authorization policies
● Access delegation becomes more prominent
12. OAuth 2.0 - Self Contained Access Tokens
[Diagram: the Client gets a token from the IAM (Authorization Server) to access the resource on behalf of the Resource Owner; the Resource Owner grants the client access to a microservice under a provided scope; the Client accesses the resource on the Microservices (Resource Server) with a JWT; the Resource Server trusts the Authorization Server.]
13. Microservices Security
● Secure development
○ Static and dynamic code analysis
○ Dependency screening
○ Should be part of the CI/CD process
○ Should have shorter feedback cycles
● Secure deployment
○ Service-per-host
○ Container level security
● Secure endpoints
● Service to service security
21. TLS Mutual Authentication
● Each microservice will have its own certificate to prove its identity
● How do we provision certificates to each microservice?
● How do we deal with certificate revocations?
● How do we deal with trust bootstrap?
● How do we deal with key rotation?
22. SPIFFE
● Secure Production Identity Framework for Everyone
● SPIFFE tries to solve the trust bootstrap problem in a platform agnostic manner
● SPIFFE provides an identity to each workload in a microservices deployment, which is known as the SPIFFE ID
○ E.g. spiffe://acme.com/billing/payments
● Implementations - SPIRE, Istio
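The slides name the SPIFFE ID as the workload identity but do not show what a receiving service does with it. The following added example (not from the slides, SPIRE or Istio) parses an ID such as spiffe://acme.com/billing/payments and then makes the peer-authorization decision a service would make once mutual TLS has proven the peer holds that ID. The validation rules are a simplified subset of the SPIFFE ID standard as I understand it, and the trust domain and allowed caller paths are constructed for the demo.

```python
"""Added example: parse and validate a SPIFFE ID, then authorize a peer
workload by trust domain and path. Rules are a simplified subset of the
SPIFFE ID standard; the policy values below are constructed for the demo."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # starts with "/", or "" when the ID names the trust domain itself


def parse_spiffe_id(text: str) -> SpiffeId:
    """Parse a SPIFFE ID; raise ValueError on anything malformed."""
    parts = urlsplit(text)
    if parts.scheme != "spiffe":
        raise ValueError("scheme must be 'spiffe'")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment are not allowed")
    trust_domain = parts.netloc
    # The trust domain is a bare, lowercase host name: no userinfo, no port.
    if not trust_domain or "@" in trust_domain or ":" in trust_domain:
        raise ValueError("trust domain must be a bare host name")
    if not re.fullmatch(r"[a-z0-9._-]+", trust_domain):
        raise ValueError("trust domain has invalid characters")
    path = parts.path
    if path:
        if path.endswith("/"):
            raise ValueError("path must not end with '/'")
        # Reject empty, '.' and '..' segments so the path cannot be
        # normalised into a different identity by a lenient consumer.
        for seg in path[1:].split("/"):
            if seg in ("", ".", ".."):
                raise ValueError("empty, '.' and '..' path segments are not allowed")
            if not re.fullmatch(r"[A-Za-z0-9._-]+", seg):
                raise ValueError("path segment has invalid characters")
    return SpiffeId(trust_domain, path)


# Constructed policy for a hypothetical payments service: only these
# workloads in our own trust domain may call it.
MY_TRUST_DOMAIN = "acme.com"
ALLOWED_CALLERS = {"/billing/orders", "/billing/invoicing"}


def is_allowed_caller(peer_id_text: str) -> bool:
    """Decision made after mTLS has proven the peer's identity (in practice the
    SPIFFE ID comes from the URI SAN of the peer certificate). Default deny."""
    try:
        peer = parse_spiffe_id(peer_id_text)
    except ValueError:
        return False
    return peer.trust_domain == MY_TRUST_DOMAIN and peer.path in ALLOWED_CALLERS


if __name__ == "__main__":
    print(parse_spiffe_id("spiffe://acme.com/billing/payments"))
    print(is_allowed_caller("spiffe://acme.com/billing/orders"))   # True
    print(is_allowed_caller("spiffe://other.example/billing/orders"))  # False
```

The trust-domain comparison is the important line: a peer whose certificate chains to a foreign trust domain is rejected even if its path happens to match, which is exactly the trust-bootstrap boundary SPIFFE is meant to draw.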
23. JWT (JSON Web Token)
● Defines a container to transport data between interested parties
● There are multiple applications of JWT
○ In OpenID Connect the id_token is represented as a JWT
● Propagates one’s identity and user entitlements between interested parties over an unsecured channel
24. Self Issued Access Tokens
[Diagram: Microservice A accesses the resource on Microservice B, presenting a JWT it issued itself; both microservices trust a common CA.]
26. MicroProfile JWT (MP-JWT)
● Interoperable JWT for authentication and authorization
● Introduces 2 new claims to the MP-JWT
○ "upn": A human readable claim that uniquely identifies the subject or user principal of the token
○ "groups": The token subject's group memberships
● Enables Role Based Access Control (RBAC)
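Slides 12, 23, 24 and 26 describe self-contained access tokens, the JWT container and the MP-JWT "upn"/"groups" claims, but never show the resource-server side. The added example below (mine, not from the slides, WSO2 or MicroProfile) mints an HS256 JWT carrying an OAuth 2.0 scope plus the MP-JWT claims using only the standard library, then performs the checks a microservice must do on every request: pinned algorithm, signature, issuer, audience, expiry, scope and group membership. The shared secret, issuer, audience, scopes and group names are constructed for the demo; a real deployment would use the authorization server's asymmetric keys.

```python
"""Added example: mint and verify a self-contained JWT (HS256) and enforce
OAuth 2.0 scope plus MP-JWT 'groups' RBAC on the resource server.
All secrets, names and claim values are constructed for this demo."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"demo-secret-do-not-use-in-production"  # constructed
ISSUER = "https://iam.example.test"    # assumed authorization server
AUDIENCE = "billing-service"           # assumed resource server name


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scope: str, groups: list, ttl: int = 300,
               now: int = None) -> str:
    """Issue an HS256 JWT with an OAuth scope and the MP-JWT 'upn'/'groups' claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "sub": subject,
        "upn": subject,        # MP-JWT: human readable principal name
        "groups": groups,      # MP-JWT: group memberships used for RBAC
        "scope": scope,        # OAuth 2.0: space separated scopes
        "iat": now, "exp": now + ttl,
    }
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: int = None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; return claims.
    Raises ValueError on any failure so callers cannot accidentally skip a check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (e.g. 'none').
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not intended for this service")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def authorize(token: str, required_scope: str, required_group: str,
              now: int = None) -> bool:
    """Resource-server decision: valid token, scope granted, subject in group."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    scopes = set(claims.get("scope", "").split())
    groups = set(claims.get("groups", []))
    return required_scope in scopes and required_group in groups


if __name__ == "__main__":
    tok = mint_token("alice@example.test", "payments:read", ["billing-admins"],
                     now=1_700_000_000)
    print(authorize(tok, "payments:read", "billing-admins", now=1_700_000_100))  # True
    print(authorize(tok, "payments:write", "billing-admins", now=1_700_000_100))  # False
```

Note that the scope check and the group check answer different questions: scope is what the resource owner delegated to the client (slide 12), while "groups" is who the subject is (slide 26); a request must pass both before any business logic runs.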
27. Policy Evaluation (Central PDP)
[Diagram: several microservices, each in its own single container, receive requests carrying a JWT and send an authorization request (Authz req) to a central PDP, which returns an authorization response (Authz resp).]
28. Policy Evaluation (Embedded PDP)
[Diagram: each microservice runs in its own single container with an embedded PDP; requests carry a JWT; every PDP subscribes to a central PAP, which publishes policies to them.]
29. Open Policy Agent (OPA)
● A lightweight general-purpose policy engine that can be co-located with the service
● Can integrate OPA as a sidecar, host-level daemon, or library
● Integrated with Spring and Service Mesh implementations (Istio, Linkerd)
[Diagram: the Service sends a query to the co-located OPA and receives a decision; OPA evaluates policy and data.]
31. Docker
● Docker is a way to package an application or a service
● Abstracts the technologies needed to run the service into a container
● Runs multiple services (containers) on the same host machine
○ A different environment for each of them
○ Isolated from each other
32. Kubernetes
● Container orchestration system
○ Abstracts away the hardware infrastructure
○ Deployment as code
● Allows containerized applications to be easily deployed and managed on top of it
● Introduces another level of isolation
○ Pod - A logical grouping of containers that is deployed on the same physical host
○ Communication cost is very low for containers within the pod
○ Enables the Sidecar pattern
33. Kubernetes (Pods)
[Diagram: Worker Node 1 hosts Pod 1 (IP: 10.1.0.1), Pod 2 (IP: 10.1.0.2) and Pod 3 (IP: 10.1.0.3); Worker Node 2 hosts Pod 4 (IP: 10.1.0.4), Pod 5 (IP: 10.1.0.2) and Pod 6 (IP: 10.1.0.3); each pod holds one or two containers (Container 1, Container 2).]
39. IAM's Role
● Provide strong access delegation capabilities
● Provide flexible token exchange capabilities
● Support standard APIs to integrate with security sidecars
● Ability to act as a lightweight STS
40. Summary
● The microservices paradigm introduces a new set of challenges for enforcing security
● Lots of new trends for enforcing edge and channel security in microservices
● API driven, strong access delegation capabilities are a MUST for a microservices friendly IAM