rest service authetication with tls & jwts

Jon Todd@JonToddDotCom

REST Service Auth with JWTs Wils Dawson

@WilsDawson

About OktaOkta is the foundation for

secure connections betweenpeople and technology

Used in 185 countries

Our stack

Goals

1. Demystify claims based auth with Json Web Tokens (JWT)2. Learn how we solve service auth @Okta3. Real world code example using Dropwizard

1 Background

• Concepts• The service auth

problem

2 Service Auth 3 User Auth

Concepts

Verifying you are who you say you are

(AuthN)

Authentication

What you are allowed to do

(AuthZ)

Authorization

Authentication & authorization

Auth

Identity attributes about a user provided by a trusted issuer

Examples: kerberos ticket, SAML assertion, JWT

Claims

Boarding pass is a signed set of claims made by the airline about you• Issued by airline• Claims

• Name (authentication)• Flight Date/Time, Number and

Seating Priority (authorization)• Bar code/magnetic strip (signature)

• Proves that the pass was issued by the airline and is not a forgery (authenticity).

Claims example

OK, I get claims.

But why use JWTs?

Service protocol shift to REST

JSON

<…/> {…}

JSON Object Signing & Encryption (JOSE)

Working group: https://datatracker.ietf.org/wg/jose/charter/

• JWS – JSON Web Signatures• JWT – JSON Web Token (pronounced “jot”)• JWE – JSON Web Encryption• JWA – JSON Web Algorithms• JWK – JSON Web Key

{ "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "[email protected]", "email_verified": true}

Claims

Single authentication trusted across multiple separate systems

Examples: WS-Federation, SAML, OpenID Connect

Federation

Federation example• At ticket counter trade credentials for ticket (authentication broker)

• Passport• Driver’s license

• Agent at counter verifies credentials• ID issued by trusted source (trust)• Scans barcode and verifies

photo (authentication)• Verifies flight is paid for and seat

assigned (authorization)• Agent issues ticket (claims)

• Ticket is accepted by multiple, independent parties (federation)• Security line entry • TSA check• Gate agent

Microservices

https://www.pinterest.com/pin/205828645447534387/

http://www.bennysbaker.com/poop-emoji-cupcakes/

Federation standards shift

https://www.flickr.com/photos/robbies/693510178

• JWS – JSON Web Signatures• JWT – JSON Web Token• JWE – JSON Web Encryption• JWA – JSON Web Algorithms• JWK – JSON Web Key

JW-

Use cases

Delegated access OAuth 2.0

Identity claims JOSE

OpenID ConnectFederation

OAuth 2 FrameworkRFC 6749

Assertion FrameworkRFC 7521

Token IntrospectionRFC 7662

Token RevocationRFC 7009

Dynamic Client RegistrationRFC 7591

JSONRFC 7159

JSON Web Token Bearer AssertionRFC 7523

Proof Key for Code Exchange (PKCE)RFC 7636

Simple Authentication and Security Layer (SASL)RFC 7628

Token ExchangeDraft

SAML 2.0 Bearer AssertionRFC 7522

Proof of PossessionDraft

JSON Web Token (JWT)RFC 7519

JSON Web Signature (JWS)

RFC 7515

JSON Web Encryption (JWE)

RFC 7516JSON Web Key (JWK)

RFC 7517

Bearer Token RFC 6750

The service auth problem

Monolithic auth model

Security Interceptors

Context

GET https://myapplication.com/home

AuthNModule

Mobile Web API

Monolithic auth model



ContextUser

ModuleEventsModule

AuthNModule

HomepageModule

Log eventsLookup user

Mobile Web API

Services auth model - context

Event ServiceSecurity Interceptors

User ServiceSecurity Interceptors

AuthN Service


Homepage ServiceSecurity Interceptors

Authorization: Bearer <token>


Authorization: Bearer <token>

Authorization: Bearer<token>

ContextLookup user ID with token

Mobile Web API

Services auth model - claims



AuthN Service



Authorization: Bearer <jwt> Authorization: Bearer <jwt>

Authorization: Bearer <jwt>

{ “userId”:”…”, “tenantId”:”...”, “scope”:”PROFILE_READ”}

Issues access jwt after authN

Claims example

Concepts• Claims• Authentication broker• Federation

Mobile Web API

Layers of securityPerimeter

Service



AuthN Service



Authorization: Bearer <claims_token>

User

1 Background 2 Service Auth

• TLS overview• Adding AuthZ• Demo

3 User Auth

TLS overview

What is TLS?

• Secure Sockets Layer (SSL) Transport Layer Security (TLS)

• Symmetric cryptography for data encryption

• Protection against failure via MAC

• Identity of communicating parties via asymmetric

cryptography

TLS handshake

Client Server

2Server Hello (with cert)

4Finished

5Finished

Secured Channel

Client Hello1

3 Calculate Symmetric Key 3

• Hello

• Key Exchange

• Finished

https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-

Hellman_Key_Exchange.svg.png

Who’s authenticated?

Event ServiceUser Service

Homepage Service

HelloHello, here’s my certificate

Secured ChannelUser

Service

TLSclient authentication

Client Server

2Client Certificate Request

4Certificate Verify

5Calculate Key and Finish

Secured Channel

Hello1

3Client Certificate

1

5

• Client talking to authentic server

• Server talking to known client

• Requires client to have certificate

That’s a lot of certificates


Homepage Service

• Enable support for multiple acceptable public keys• Consider using a key hierarchy

• Rotating User CA requires change only to User Service• Enable revocation checking

Root CA(offline)

User CA Event CAHomepage CA

Problem solved?


Homepage Service

User Service

ISS: Root CA

Event Service

ISS: Root CA

HomepageService

ISS: Root CA

Adding AuthZ

Hostname verification

• Standard (RFC 2818)

• Match hostname of client to certificate

• Hard when services share hosts like in a cluster

manager

Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com

HomepageService

Service-name verification

• Tie certificates to services rather than hosts• Better portability• Simpler deployments

• No standard• Application level

Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service

HomepageService

TLS client authentication for internal services

http://developer.okta.com/blog/

More info?

So we’re done right?



AuthN Service



Mobile Web API

1 Background 2 Service Auth 3 User Auth

• JOSE• In practice• Demo

JWT format{ "alg": "RS256"}

{ "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "[email protected]", "email_verified": true}

Header

Claims

Signature

JWT encodingbase64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8

Header Claims

Signature

JWA - signature types

HMAC(Symmetric)

Digital Signature(Asymmetric)

JWS – symmetric keys



AuthN Service



Symmetric Key

JWS – asymmetric keys



AuthN Service



Public key

Private key

JOSE onion

claims

signed claims

encrypted claims

• JWS – JSON Web Signatures• JWT – JSON Web • JWE – JSON Web Encryption• JWA – JSON Web Algorithms• JWK – JSON Web Key

JWT – Composes: JWA & JWK

JWS

JWE

Reference

In practice

Iterative rollout

Mobile Web API


ContextEventsModule

AuthNModule

HomepageModule


Authorization: Bearer <JWT> Generate JWT

Iterative rollout


AuthN Service


Authorization: Bearer <JWT>





Cookie / TokenMobile Web API

Key Rotation• Enable support for multiple acceptable public keys• Consider using a key hierarchy

• Rotating AuthN CA requires change only AuthN service• Enable revocation checking

Root CA(offline)

Auth CA



AuthN Service



Public keyPrivate key

JWT Java Librarieshttps://openid.net/developers/libraries/#jwt

• Jose4j• Nimbus JOSE + JWT• Java JWT• Resteasy• Apache Oltu - JOSE

Final thoughts

Recap• Service auth with TLS

• Transport level privacy and authentication• Service level authorization

• User auth with JWTs• JWT

• Stateless• Scalable

• Authentication broker• Converts existing external identity

attributes into internal claims• Internal claims enable federation across

microservices• Code: https://github.com/wdawson/dropwizard-

auth-example

How can Okta help?Universal Directory

Single Sign-On

Provisioning

Adaptive Multi-factor Authentication

Social Authentication

Inbound Federation

AD and LDAP Integration

Thank YouJon Todd@JonToddDotCom

Wils Dawson@WilsDawson

rest service authetication with tls & jwts

Software