Stateless Microservice Security via JWT, TomEE and MicroProfile. QCON SP. Jean-Louis Monteiro, Tomitribe. #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe
Why am I here today?
• Microservices architecture case
• Security options
• OAuth2 with JWT
• HTTP Signatures
• Demo with MP-JWT and TomEE
Microservices (SOA with a sexy name)
Traditional system (Monolithic): Component A, Component B, Component C, Component D #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe @dblevins @tomitribe
… with traditional scalability
… and its traditional security
What to expect from microservices?
• The technical perspective
• The organizational perspective
Microservices - the technical perspective
• Cloud
• Containers
• Virtualization
• Large scale
The organizational perspective
• Agile methodology
• Small teams
• HR / organizational changes free
But there are new challenges
• Scalability
• Cost reduction
• Resilience
• Monitoring
• Security
Baseline Architecture: 1000 users x 3 TPS = 3000 TPS at the frontend; 4 hops = 12000 TPS at the backend
Microservices security options
Options
• Basic Auth
• OAuth2
• OpenID Connect
• JWT - Facebook / Google way
• HTTP Signatures - Amazon way
• « In-house » solutions
• And many more …
“The nice thing about standards is you have so many to choose from.” - Andrew S. Tanenbaum
Basic Auth (and its problems)
Basic Auth Message
POST /painter/color/object HTTP/1.1
Host: localhost:8443
Authorization: Basic c25vb3B5OnBhc3M=
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45

{"color":{"b":255,"g":0,"name":"blue","r":0}}
Basic Auth (frontend verifies, backend with no auth): username+password, Base64, password sent. 3000 TPS (HTTP+SSL) at the frontend, 12000 TPS (HTTP) at the backend, 3000 TPS at LDAP
Basic Auth (password sent on every hop): username+password, Base64, password sent at both the frontend and the backend. 3000 TPS (HTTP+SSL) at the frontend, 12000 TPS (HTTP) at the backend, 15000 TPS at LDAP
Basic Auth - Attacks: valid password sent at 3000 TPS (HTTP+SSL), invalid password sent at 6000 TPS (HTTP+SSL), no auth at 12000 TPS (HTTP), 9000 TPS at LDAP
OAuth 2.0 (and its problems)
The theory behind it
Based on tokens
OAuth 2 - Password Grant (LDAP)
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

grant_type=password&username=snoopy&password=woodstock

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
}
(Server side: Verify Password, Generate Token, Token Store)
OAuth 2.0 Message
POST /painter/color/object HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45

{"color":{"r":0,"g":0,"b":255,"name":"blue"}}
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45

{"color":{"r":0,"g":255,"b":0,"name":"green"}}
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 44

{"color":{"r":255,"g":0,"b":0,"name":"red"}}
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49

{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
OAuth 2.0 Message
POST /painter/color/stroke HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49

{"color":{"r":255,"g":200,"b":255,"name":"orange"}}
401
OAuth 2 - Refresh Grant (LDAP)
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
  "expires_in":3600,
  "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e",
}
(Server side: Verify and Generate Token, Token Store)
Old pair
• Access Token 2YotnFZFEjr1zCsicMWpAA
• Refresh Token tGzv3JOkF0XG5Qx2TlKWIA
New pair
• Access Token 6Fe4jd7TmdE5yW2q0y6W2w
• Refresh Token hyT5rw1QNh5Ttg2hdtR54e
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 46

{"color":{"r":0,"g":255,"b":0,"name":"green"}}
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 44

{"color":{"r":255,"g":0,"b":0,"name":"red"}}
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49

{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
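The token-store side of the flow shown in these slides (password grant verified once against the directory, Bearer checks that return 401 once the access token expires, and a refresh grant that rotates the pair and invalidates the old one), as an added Python sketch that is not code from the talk, TomEE or MicroProfile; the in-memory directory standing in for LDAP, the store layout and the injectable clock are assumptions, and snoopy/woodstock are the credentials from the password-grant slide.

```python
import hmac
import secrets
import time

# Constructed stand-in for the LDAP directory that the password grant verifies against.
DIRECTORY = {"snoopy": "woodstock"}
EXPIRES_IN = 3600  # matches "expires_in":3600 in the token responses above


class TokenStore:
    """Assumed server-side token store behind /oauth2/token (not TomEE's implementation)."""

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so expiry can be exercised deterministically
        self.access = {}       # access_token -> (username, expiry timestamp)
        self.refresh = {}      # refresh_token -> (username, paired access_token)

    def _issue(self, username):
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[access] = (username, self.clock() + EXPIRES_IN)
        self.refresh[refresh] = (username, access)
        return {"access_token": access, "expires_in": EXPIRES_IN, "refresh_token": refresh}

    def password_grant(self, username, password):
        # grant_type=password: the only step that touches the directory (LDAP).
        expected = DIRECTORY.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None  # the token endpoint would answer 400 invalid_grant
        return self._issue(username)

    def authorize(self, authorization_header):
        # Resource-server check of "Authorization: Bearer <token>": no directory lookup,
        # just the token store; unknown, non-Bearer or expired tokens get 401.
        scheme, _, token = authorization_header.partition(" ")
        entry = self.access.get(token) if scheme == "Bearer" else None
        if entry is None or entry[1] <= self.clock():
            return 401
        return 200

    def refresh_grant(self, refresh_token):
        # grant_type=refresh_token: rotate the pair and drop the old one, so the
        # "old pair" of tokens stops working as soon as the "new pair" is issued.
        entry = self.refresh.pop(refresh_token, None)
        if entry is None:
            return None  # unknown or already-rotated refresh token
        username, old_access = entry
        self.access.pop(old_access, None)
        return self._issue(username)
```

Replaying a consumed refresh token returns None, which is the signal a server would log as a possible token leak before rejecting the request.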