REST Service Authentication with TLS & JWTs
TRANSCRIPT
REST Service Auth with JWTs
Jon Todd @JonToddDotCom
Wils Dawson @WilsDawson
About Okta
Okta is the foundation for secure connections between people and technology
Used in 185 countries
Our stack
Goals
1. Demystify claims based auth with JSON Web Tokens (JWT)
2. Learn how we solve service auth @Okta
3. Real world code example using Dropwizard
1 Background
• Concepts
• The service auth problem
2 Service Auth
3 User Auth
Concepts
Authentication (AuthN): verifying you are who you say you are
Authorization (AuthZ): what you are allowed to do
Auth: authentication & authorization
Claims: identity attributes about a user provided by a trusted issuer
Examples: Kerberos ticket, SAML assertion, JWT
Claims example
A boarding pass is a signed set of claims made by the airline about you
• Issued by the airline
• Claims
  • Name (authentication)
  • Flight date/time, number and seating priority (authorization)
• Bar code/magnetic strip (signature)
  • Proves that the pass was issued by the airline and is not a forgery (authenticity)
OK, I get claims. But why use JWTs?
Service protocol shift to REST
JSON: <…/> → {…}
JSON Object Signing & Encryption (JOSE)
Working group: https://datatracker.ietf.org/wg/jose/charter/
• JWS – JSON Web Signatures
• JWT – JSON Web Token (pronounced “jot”)
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
Claims
{
  "iss": "https://example.okta.com",
  "sub": "00ugrenMeqvYla4HW0g3",
  "aud": "w255HEWiSU4AuNxEjeij",
  "iat": 1446305282,
  "exp": 1446308882,
  "amr": ["pwd"],
  "auth_time": 1446305282,
  "email": "karl@example.com",
  "email_verified": true
}
Federation: single authentication trusted across multiple separate systems
Examples: WS-Federation, SAML, OpenID Connect
Federation example
• At the ticket counter you trade credentials for a ticket (authentication broker)
  • Passport
  • Driver’s license
• Agent at counter verifies credentials
  • ID issued by trusted source (trust)
  • Scans barcode and verifies photo (authentication)
  • Verifies flight is paid for and seat assigned (authorization)
• Agent issues ticket (claims)
• Ticket is accepted by multiple, independent parties (federation)
  • Security line entry
  • TSA check
  • Gate agent
Microservices
Federation standards shift
The JW- family: JWS (JSON Web Signatures), JWT (JSON Web Token), JWE (JSON Web Encryption), JWA (JSON Web Algorithms), JWK (JSON Web Key)
Use cases
• Delegated access: OAuth 2.0
• Identity claims: JOSE
• Federation: OpenID Connect
Related standards:
• OAuth 2 Framework (RFC 6749)
• Assertion Framework (RFC 7521)
• Token Introspection (RFC 7662)
• Token Revocation (RFC 7009)
• Dynamic Client Registration (RFC 7591)
• JSON (RFC 7159)
• JSON Web Token Bearer Assertion (RFC 7523)
• Proof Key for Code Exchange (PKCE) (RFC 7636)
• Simple Authentication and Security Layer (SASL) (RFC 7628)
• Token Exchange (draft)
• SAML 2.0 Bearer Assertion (RFC 7522)
• Proof of Possession (draft)
• JSON Web Token (JWT) (RFC 7519)
• JSON Web Signature (JWS) (RFC 7515)
• JSON Web Encryption (JWE) (RFC 7516)
• JSON Web Key (JWK) (RFC 7517)
• Bearer Token (RFC 6750)
The service auth problem
Monolithic auth model
Mobile / Web / API clients → GET https://myapplication.com/home → Security Interceptors (AuthN Module) → Context
Monolithic auth model
Mobile / Web / API clients → GET https://myapplication.com/home → Security Interceptors (AuthN Module) → Context
Homepage Module → Lookup user (User Module), Log events (Events Module)
Services auth model - context
Mobile / Web / API clients → GET https://myapplication.com/home with Authorization: Bearer <token> → Homepage Service (Security Interceptors)
Homepage Service → Authorization: Bearer <token> → User Service (Security Interceptors) and Event Service (Security Interceptors)
Each service → AuthN Service (Security Interceptors): lookup user ID with token → Context
Services auth model - claims
AuthN Service (Security Interceptors) issues an access JWT after AuthN
Mobile / Web / API clients → Authorization: Bearer <jwt> → Homepage Service (Security Interceptors)
Homepage Service → Authorization: Bearer <jwt> → User Service (Security Interceptors) and Event Service (Security Interceptors)
Claims example
{
  "userId": "…",
  "tenantId": "...",
  "scope": "PROFILE_READ"
}
Concepts
• Claims
• Authentication broker
• Federation
Layers of security
• Perimeter: Mobile / Web / API clients → Authorization: Bearer <claims_token>
• Service: Homepage Service, User Service, Event Service, AuthN Service (each behind Security Interceptors)
• User
1 Background
2 Service Auth
• TLS overview
• Adding AuthZ
• Demo
3 User Auth
TLS overview
What is TLS?
• Secure Sockets Layer (SSL) → Transport Layer Security (TLS)
• Symmetric cryptography for data encryption
• Protection against tampering via MAC (integrity)
• Identity of communicating parties via asymmetric cryptography
TLS handshake
Client → Server: 1 Client Hello
Server → Client: 2 Server Hello (with cert)
Client and Server: 3 Calculate symmetric key
Client → Server: 4 Finished
Server → Client: 5 Finished
Secured channel
Phases:
• Hello
• Key Exchange
• Finished
Diffie-Hellman key exchange: https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
Who’s authenticated?
Event Service, User Service, Homepage Service
User → Service: Hello
Service → User: Hello, here’s my certificate
Secured channel (only the service has presented a certificate, so only the server side is authenticated)
TLS client authentication
Client → Server: 1 Hello
Server → Client: 2 Client Certificate Request
Client → Server: 3 Client Certificate
Client → Server: 4 Certificate Verify
Client and Server: 5 Calculate key and Finish
Secured channel
• Client talking to authentic server
• Server talking to known client
• Requires client to have a certificate
That’s a lot of certificates
Event Service, User Service, Homepage Service
• Enable support for multiple acceptable public keys
• Consider using a key hierarchy
  • Rotating the User CA requires a change only to the User Service
• Enable revocation checking
Root CA (offline) → User CA, Event CA, Homepage CA
Problem solved?
Event Service, User Service, Homepage Service: each service certificate has ISS: Root CA
Adding AuthZ
Hostname verification
• Standard (RFC 2818)
• Match hostname of client to certificate
• Hard when services share hosts like in a cluster manager
Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com
Homepage Service
Service-name verification
• Tie certificates to services rather than hosts
• Better portability
• Simpler deployments
• No standard
• Application level
Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service
Homepage Service
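The two steps the slides above describe, requiring a client certificate in the handshake and then doing application-level service-name verification on the presented subject, as an added Python example that is not part of the talk or the Dropwizard demo repo. The peer certificates are constructed here in the dict shape Python's ssl.SSLSocket.getpeercert() returns, using the two subjects from the slides; the CA bundle path is an assumed parameter and no real handshake takes place.

```python
import ssl

# Constructed peer certificates (only 'subject' is consulted below), mirroring the
# two subjects on the slides: one tied to a host, one tied to a service name.
SERVICE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "San Francisco"),),
        (("organizationName", "Acme Inc"),),
        (("organizationalUnitName", "Engineering"),),
        (("commonName", "dev.homepage-service"),),
    ),
}
HOST_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "San Francisco"),),
        (("organizationName", "Acme Inc"),),
        (("organizationalUnitName", "Engineering"),),
        (("commonName", "homepage03.internal.acme.com"),),
    ),
}


def make_server_context(ca_file=None) -> ssl.SSLContext:
    """Server side of TLS client authentication.

    With verify_mode left at its default (CERT_NONE) the server never sends a
    Client Certificate Request, so the client is never authenticated. CERT_REQUIRED
    adds the Client Certificate / Certificate Verify steps to the handshake.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file is not None:
        # Assumption: the internal Root CA bundle is supplied at this path in production.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject peers that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def common_name(peercert: dict):
    """Pull the CN out of the nested RDN tuples getpeercert() produces."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def verify_service_name(peercert: dict, allowed_services):
    """Application-level authorization: accept only certificates whose CN names a
    service this endpoint is willing to talk to (service-name verification, no
    standard behind it). Returns the service name on success, None otherwise.
    This is the check that replaces RFC 2818 hostname matching once the
    handshake has already established that the chain leads to the Root CA."""
    cn = common_name(peercert)
    return cn if cn in allowed_services else None


if __name__ == "__main__":
    ctx = make_server_context()
    print("client cert required:", requires_client_cert(ctx))
    print("service cert ->", verify_service_name(SERVICE_CERT, {"dev.homepage-service"}))
    print("host cert    ->", verify_service_name(HOST_CERT, {"dev.homepage-service"}))
```

The allow-list of service names is what turns "this peer holds a certificate from our Root CA" (which every internal service can say) into "this peer is the Homepage Service", which is the AuthZ step the slides add on top of TLS.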
More info? TLS client authentication for internal services: http://developer.okta.com/blog/
Demo
So we’re done right?
Mobile / Web / API clients → Homepage Service, User Service, Event Service, AuthN Service (each behind Security Interceptors)
1 Background
2 Service Auth
3 User Auth
• JOSE
• In practice
• Demo
JOSE
JWT format
Header
{
  "alg": "RS256"
}
Claims
{
  "iss": "https://example.okta.com",
  "sub": "00ugrenMeqvYla4HW0g3",
  "aud": "w255HEWiSU4AuNxEjeij",
  "iat": 1446305282,
  "exp": 1446308882,
  "amr": ["pwd"],
  "auth_time": 1446305282,
  "email": "karl@example.com",
  "email_verified": true
}
Signature
JWT encoding
base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature)
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8
Header . Claims . Signature
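The encoding rule above, base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature), carried through in code, as an added Python example that is not part of the talk or the Dropwizard demo repo. It uses HS256 (the HMAC signature type from the JWA slide) with a constructed demo secret so that it runs offline; the slide's own token uses RS256, where the AuthN service would hold an RSA private key instead. The verifier side shows the checks a relying service has to make before trusting the claims: pinned algorithm, signature, issuer, audience and expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in the service model the AuthN service holds this key.
DEMO_KEY = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """base64url(Header) + '.' + base64url(Claims) + '.' + base64url(Signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_segments(token: str):
    """Split and decode the three segments; nothing here is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts


def verify_jwt(token, key, issuer, audience, now=None):
    """Check the signature first, then the claims a relying service must enforce."""
    header, claims, (header_b64, claims_b64, sig_b64) = decode_segments(token)
    # Pin the algorithm the service expects instead of honouring whatever the header says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this service")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def rejection_reason(token, key, issuer, audience, now=None) -> str:
    """Empty string when the token verifies, otherwise why it was rejected."""
    try:
        verify_jwt(token, key, issuer, audience, now)
        return ""
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    claims = {"iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3",
              "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882}
    token = encode_jwt(claims, DEMO_KEY)
    print(token)
    print("valid at iat+18s:", rejection_reason(token, DEMO_KEY, claims["iss"], claims["aud"], now=1446305300) or "ok")
    print("at exp:          ", rejection_reason(token, DEMO_KEY, claims["iss"], claims["aud"], now=1446308882))
```

The audience check is what stops a token minted for the Homepage Service from being replayed against the User Service; the expiry check is what makes the stateless design safe without a revocation lookup on every request.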
JWA - signature types
• HMAC (symmetric)
• Digital signature (asymmetric)
JWS – symmetric keys
AuthN Service, Homepage Service, User Service, Event Service (each behind Security Interceptors) share one symmetric key for signing and verification
JWS – asymmetric keys
AuthN Service (Security Interceptors) signs with the private key; Homepage Service, User Service, Event Service (each behind Security Interceptors) verify with the public key
JOSE onion
claims → signed claims (JWS) → encrypted claims (JWE)
• JWS – JSON Web Signatures
• JWT – JSON Web Token
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
JWT composes JWS and JWE; both reference JWA & JWK
In practice
Iterative rollout (step 1)
Mobile / Web / API clients → Security Interceptors → Context: AuthN Module (generates JWT), Events Module, Homepage Module
Monolith → Authorization: Bearer <JWT> → User Service (Security Interceptors)
Iterative rollout (step 2)
Mobile / Web / API clients → Cookie / Token → AuthN Service (Security Interceptors)
Authorization: Bearer <JWT> → User Service, Event Service, Homepage Service (each behind Security Interceptors)
Key rotation
• Enable support for multiple acceptable public keys
• Consider using a key hierarchy
  • Rotating the AuthN CA requires a change only to the AuthN service
• Enable revocation checking
Root CA (offline) → Auth CA
AuthN Service (Security Interceptors) holds the private key; Homepage Service, User Service, Event Service (each behind Security Interceptors) hold the public key
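What "multiple acceptable public keys" and "revocation checking" look like on the verifying side, as an added Python example that is not part of the talk or the Dropwizard demo repo. The AuthN service tags each token with a kid header; each relying service keeps a key set that can hold the outgoing and incoming key at the same time, so tokens signed before the switch keep verifying until they expire, and a retired kid is refused outright. HS256 with constructed demo secrets stands in for the RS256 public keys on the slide; the key-set logic is the same either way.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets standing in for two generations of signing key.
KEY_2015_10 = b"constructed-key-generation-2015-10"
KEY_2015_11 = b"constructed-key-generation-2015-11"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class VerificationKeySet:
    """Keys a relying service currently accepts, indexed by the JWT 'kid' header.

    During a rotation both the outgoing and the incoming key are present.
    Retiring a kid moves it to a deny list so a token still carrying it is
    rejected explicitly rather than silently treated as an unknown key.
    """

    def __init__(self):
        self._keys = {}
        self._retired = set()

    def add(self, kid: str, key: bytes) -> None:
        self._keys[kid] = key

    def retire(self, kid: str) -> None:
        self._keys.pop(kid, None)
        self._retired.add(kid)

    def lookup(self, kid) -> bytes:
        if kid in self._retired:
            raise ValueError("kid %s has been retired" % kid)
        if kid not in self._keys:
            raise ValueError("unknown kid %r" % (kid,))
        return self._keys[kid]


def sign(claims: dict, kid: str, key: bytes) -> str:
    """HS256-sign the claims; the kid header tells verifiers which key to use."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify(token: str, keyset: VerificationKeySet) -> dict:
    """Return the claims if the token is signed by a currently accepted key."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = keyset.lookup(header.get("kid"))  # a retired or unknown kid raises here
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(unb64url(claims_b64))


def outcome(token: str, keyset: VerificationKeySet) -> str:
    try:
        return "ok:" + verify(token, keyset)["sub"]
    except ValueError as err:
        return "rejected:" + str(err)


def rotation_walkthrough() -> dict:
    """Run one rotation and report what a relying service sees at each step."""
    ks = VerificationKeySet()
    ks.add("2015-10", KEY_2015_10)
    before = sign({"sub": "u1"}, "2015-10", KEY_2015_10)
    # Step 1: publish the incoming key to verifiers first; old tokens keep working.
    ks.add("2015-11", KEY_2015_11)
    # Step 2: the AuthN service switches issuance to the new kid.
    after = sign({"sub": "u2"}, "2015-11", KEY_2015_11)
    overlap = (outcome(before, ks), outcome(after, ks))
    # Step 3: once every token signed with the old key has expired, retire it.
    ks.retire("2015-10")
    return {"overlap": overlap, "after_retire": (outcome(before, ks), outcome(after, ks))}


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The order of the steps matters: verifiers learn the new key before the issuer starts using it, and the old key is retired only after the longest-lived token it signed has expired, which is why the expiry claim has to be short for rotation to be quick.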
JWT Java libraries: https://openid.net/developers/libraries/#jwt
• Jose4j
• Nimbus JOSE + JWT
• Java JWT
• Resteasy
• Apache Oltu - JOSE
Demo
Final thoughts
Recap
• Service auth with TLS
  • Transport level privacy and authentication
  • Service level authorization
• User auth with JWTs
  • JWT
    • Stateless
    • Scalable
  • Authentication broker
    • Converts existing external identity attributes into internal claims
    • Internal claims enable federation across microservices
• Code: https://github.com/wdawson/dropwizard-auth-example
How can Okta help?
Universal Directory
Single Sign-On
Provisioning
Adaptive Multi-factor Authentication
Social Authentication
Inbound Federation
AD and LDAP Integration
Thank You
Jon Todd @JonToddDotCom
Wils Dawson @WilsDawson