REST Service Authentication with TLS & JWTs
TRANSCRIPT
![Page 1: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/1.jpg)
REST Service Auth with JWTs
Jon Todd (@JonToddDotCom)
Wils Dawson (@WilsDawson)
![Page 2: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/2.jpg)
About Okta
Okta is the foundation for secure connections between people and technology.
![Page 3: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/3.jpg)
Used in 185 countries
![Page 4: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/4.jpg)
Our stack
![Page 5: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/5.jpg)
Goals
1. Demystify claims-based auth with JSON Web Tokens (JWT)
2. Learn how we solve service auth @ Okta
3. Real-world code example using Dropwizard
![Page 6: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/6.jpg)
1. Background
   • Concepts
   • The service auth problem
2. Service Auth
3. User Auth
![Page 7: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/7.jpg)
Concepts
![Page 8: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/8.jpg)
Authentication (AuthN): verifying you are who you say you are
![Page 9: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/9.jpg)
Authorization (AuthZ): what you are allowed to do
![Page 10: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/10.jpg)
Auth: authentication & authorization
![Page 11: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/11.jpg)
Claims: identity attributes about a user provided by a trusted issuer
Examples: Kerberos ticket, SAML assertion, JWT
![Page 12: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/12.jpg)
Claims example
A boarding pass is a signed set of claims made by the airline about you:
• Issued by the airline
• Claims
  • Name (authentication)
  • Flight date/time, number and seating priority (authorization)
• Bar code / magnetic strip (signature)
  • Proves that the pass was issued by the airline and is not a forgery (authenticity)
![Page 13: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/13.jpg)
OK, I get claims.
But why use JWTs?
![Page 14: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/14.jpg)
Service protocol shift to REST
![Page 15: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/15.jpg)
JSON
<…/> {…}
![Page 16: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/16.jpg)
JSON Object Signing & Encryption (JOSE)
Working group: https://datatracker.ietf.org/wg/jose/charter/
• JWS – JSON Web Signatures
• JWT – JSON Web Token (pronounced “jot”)
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
Claims:
{
  "iss": "https://example.okta.com",
  "sub": "00ugrenMeqvYla4HW0g3",
  "aud": "w255HEWiSU4AuNxEjeij",
  "iat": 1446305282,
  "exp": 1446308882,
  "amr": [ "pwd" ],
  "auth_time": 1446305282,
  "email": "karl@example.com",
  "email_verified": true
}
![Page 17: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/17.jpg)
Federation: a single authentication trusted across multiple separate systems
Examples: WS-Federation, SAML, OpenID Connect
![Page 18: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/18.jpg)
Federation example
• At the ticket counter, trade credentials for a ticket (authentication broker)
  • Passport
  • Driver’s license
• Agent at counter verifies credentials
  • ID issued by trusted source (trust)
  • Scans barcode and verifies photo (authentication)
  • Verifies flight is paid for and seat assigned (authorization)
• Agent issues ticket (claims)
• Ticket is accepted by multiple, independent parties (federation)
  • Security line entry
  • TSA check
  • Gate agent
![Page 19: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/19.jpg)
Microservices
https://www.pinterest.com/pin/205828645447534387/
http://www.bennysbaker.com/poop-emoji-cupcakes/
![Page 20: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/20.jpg)
Federation standards shift
https://www.flickr.com/photos/robbies/693510178
JW-
• JWS – JSON Web Signatures
• JWT – JSON Web Token
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
![Page 21: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/21.jpg)
Use cases
• Delegated access: OAuth 2.0
• Identity claims: JOSE
• Federation: OpenID Connect
![Page 22: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/22.jpg)
• OAuth 2 Framework – RFC 6749
• Bearer Token – RFC 6750
• Assertion Framework – RFC 7521
• Token Introspection – RFC 7662
• Token Revocation – RFC 7009
• Dynamic Client Registration – RFC 7591
• JSON – RFC 7159
• JSON Web Token Bearer Assertion – RFC 7523
• Proof Key for Code Exchange (PKCE) – RFC 7636
• Simple Authentication and Security Layer (SASL) – RFC 7628
• Token Exchange – Draft
• SAML 2.0 Bearer Assertion – RFC 7522
• Proof of Possession – Draft
• JSON Web Token (JWT) – RFC 7519
• JSON Web Signature (JWS) – RFC 7515
• JSON Web Encryption (JWE) – RFC 7516
• JSON Web Key (JWK) – RFC 7517
![Page 23: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/23.jpg)
The service auth problem
![Page 24: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/24.jpg)
Monolithic auth model (diagram)
• Clients: Mobile, Web, API
• Request: GET https://myapplication.com/home
• Security Interceptors → AuthN Module → Context
![Page 25: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/25.jpg)
Monolithic auth model (diagram)
• Clients: Mobile, Web, API
• Request: GET https://myapplication.com/home
• Security Interceptors → AuthN Module → Context
• Homepage Module calls User Module (“Lookup user”) and Events Module (“Log events”)
![Page 26: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/26.jpg)
Services auth model – context (diagram)
• Clients: Mobile, Web, API
• Request: GET https://myapplication.com/home with Authorization: Bearer <token>
• Homepage Service (Security Interceptors) calls User Service and Event Service (each with Security Interceptors), forwarding Authorization: Bearer <token>
• AuthN Service (Security Interceptors): each service builds its Context by looking up the user ID with the token
![Page 27: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/27.jpg)
Services auth model – claims (diagram)
• Clients: Mobile, Web, API
• AuthN Service (Security Interceptors) issues an access JWT after authN
• Request: GET https://myapplication.com/home with Authorization: Bearer <jwt>; Homepage Service forwards Authorization: Bearer <jwt> to User Service and Event Service (each with Security Interceptors)
• Claims example: { "userId": "…", "tenantId": "...", "scope": "PROFILE_READ" }
• Concepts: claims, authentication broker, federation
![Page 28: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/28.jpg)
Layers of security (diagram)
• Perimeter
• Service: Event Service, User Service, AuthN Service, Homepage Service, each behind Security Interceptors
• User: Authorization: Bearer <claims_token>
![Page 29: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/29.jpg)
1. Background
2. Service Auth
   • TLS overview
   • Adding AuthZ
   • Demo
3. User Auth
![Page 30: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/30.jpg)
TLS overview
![Page 31: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/31.jpg)
What is TLS?
• Secure Sockets Layer (SSL) → Transport Layer Security (TLS)
• Symmetric cryptography for data encryption
• Protection against failure via MAC
• Identity of communicating parties via asymmetric cryptography
![Page 32: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/32.jpg)
TLS handshake (Client ↔ Server)
1. Client Hello
2. Server Hello (with cert)
3. Calculate symmetric key (both sides)
4. Finished
5. Finished
→ Secured channel
Phases: Hello, Key Exchange, Finished
Diagram: https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie-Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
![Page 33: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/33.jpg)
Who’s authenticated? (diagram: Homepage Service, User Service, Event Service)
• Service → User Service: “Hello”
• User Service → Service: “Hello, here’s my certificate”
• Secured channel
![Page 34: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/34.jpg)
TLS client authentication (Client ↔ Server)
1. Hello
2. Client Certificate Request
3. Client Certificate
4. Certificate Verify
5. Calculate key and Finish
→ Secured channel
• Client talking to authentic server
• Server talking to known client
• Requires client to have certificate
![Page 35: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/35.jpg)
That’s a lot of certificates
• Enable support for multiple acceptable public keys
• Consider using a key hierarchy
  • Rotating User CA requires change only to User Service
• Enable revocation checking
Key hierarchy: Root CA (offline) → User CA, Event CA, Homepage CA → User Service, Event Service, Homepage Service
![Page 36: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/36.jpg)
Problem solved? (diagram)
Every service presents a certificate issued under the same root: User Service (ISS: Root CA), Event Service (ISS: Root CA), Homepage Service (ISS: Root CA)
![Page 37: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/37.jpg)
Adding AuthZ
![Page 38: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/38.jpg)
Hostname verification
• Standard (RFC 2818)
• Match hostname of client to certificate
• Hard when services share hosts, like in a cluster manager
Homepage Service certificate Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com
![Page 39: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/39.jpg)
Service-name verification
• Tie certificates to services rather than hosts
  • Better portability
  • Simpler deployments
• No standard
• Application level
Homepage Service certificate Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service
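As an added example (not code from the talk or from the dropwizard-auth-example project), the Python below applies the two policies from the last two slides to a peer certificate's subject: RFC 2818-style hostname matching against the CN, and the application-level service-name match that ties a certificate to a service instead of a host. The subject strings, the trusted organisation name and the `dev.` environment prefix are constructed for the example; in a real interceptor the subject would come from a peer certificate the TLS layer has already chain-validated.

```python
"""Hostname vs. service-name verification of a TLS peer certificate subject.

Added example, not the talk's code. Parses the one-line subject format shown
on the slides and applies either policy. Inputs below are constructed.
"""

# Constructed sample subjects, laid out exactly like the slides.
HOST_CERT_SUBJECT = ("Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, "
                     "OU=Engineering, CN=homepage03.internal.acme.com")
SERVICE_CERT_SUBJECT = ("Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, "
                        "OU=Engineering, CN=dev.homepage-service")


def parse_subject(subject_line: str) -> dict:
    """'Subject: C=US, ST=..., CN=x' -> {'C': 'US', ..., 'CN': 'x'}.
    Simple split on commas; values containing commas would need a real DN parser."""
    body = subject_line.split(":", 1)[1] if subject_line.startswith("Subject:") else subject_line
    attrs = {}
    for part in body.split(","):
        key, _, value = part.strip().partition("=")
        if key and value:
            attrs[key.strip()] = value.strip()
    return attrs


def hostname_matches(cert_cn: str, peer_host: str) -> bool:
    """RFC 2818-style check: case-insensitive exact match, or a wildcard that
    covers only the left-most label (so *.internal.acme.com matches one label)."""
    cn, host = cert_cn.lower(), peer_host.lower()
    if "*" not in cn:
        return cn == host
    cn_labels, host_labels = cn.split("."), host.split(".")
    if len(cn_labels) != len(host_labels) or cn_labels[0] != "*":
        return False
    return cn_labels[1:] == host_labels[1:]


def service_name_matches(cert_cn: str, expected_service: str, env: str) -> bool:
    """Application-level policy (no standard): CN must be '<env>.<service>'."""
    return cert_cn == f"{env}.{expected_service}"


def authorize_peer(subject_line: str, *, expected_service=None, peer_host=None,
                   env="dev", trusted_org="Acme Inc") -> bool:
    """Authorization step run after TLS has already validated the chain.
    Exactly one of expected_service (service-name policy) or peer_host
    (hostname policy) selects the check; the issuing organisation is pinned
    either way so a chain-valid cert from another O= cannot pass."""
    attrs = parse_subject(subject_line)
    if attrs.get("O") != trusted_org:
        return False
    cn = attrs.get("CN", "")
    if expected_service is not None:
        return service_name_matches(cn, expected_service, env)
    if peer_host is not None:
        return hostname_matches(cn, peer_host)
    return False


if __name__ == "__main__":
    print("host policy  :", authorize_peer(HOST_CERT_SUBJECT, peer_host="homepage03.internal.acme.com"))
    print("service policy:", authorize_peer(SERVICE_CERT_SUBJECT, expected_service="homepage-service"))
    # The host-bound certificate does not satisfy the service-name policy,
    # which is the portability problem the slides describe.
    print("host cert, service policy:", authorize_peer(HOST_CERT_SUBJECT, expected_service="homepage-service"))
```

The host-bound certificate passes only when the caller happens to be on `homepage03`; the service-bound one passes wherever the service is scheduled, which is the portability argument of the slide, at the cost of the check living in application code rather than the TLS library.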
![Page 40: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/40.jpg)
More info? TLS client authentication for internal services: http://developer.okta.com/blog/
![Page 41: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/41.jpg)
Demo
![Page 42: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/42.jpg)
So we’re done, right? (diagram)
• Clients: Mobile, Web, API
• Event Service, User Service, AuthN Service, Homepage Service, each behind Security Interceptors
![Page 43: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/43.jpg)
1. Background
2. Service Auth
3. User Auth
   • JOSE
   • In practice
   • Demo
![Page 44: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/44.jpg)
JOSE
![Page 45: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/45.jpg)
JWT format
Header:
{ "alg": "RS256" }
Claims:
{
  "iss": "https://example.okta.com",
  "sub": "00ugrenMeqvYla4HW0g3",
  "aud": "w255HEWiSU4AuNxEjeij",
  "iat": 1446305282,
  "exp": 1446308882,
  "amr": [ "pwd" ],
  "auth_time": 1446305282,
  "email": "karl@example.com",
  "email_verified": true
}
Signature
![Page 46: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/46.jpg)
JWT encoding
base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8
(Header . Claims . Signature)
![Page 47: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/47.jpg)
JWA – signature types
• HMAC (symmetric)
• Digital Signature (asymmetric)
![Page 48: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/48.jpg)
JWS – symmetric keys (diagram)
AuthN Service, Event Service, User Service and Homepage Service (each behind Security Interceptors) all hold the same Symmetric Key.
![Page 49: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/49.jpg)
JWS – asymmetric keys (diagram)
AuthN Service holds the Private key; Event Service, User Service and Homepage Service (each behind Security Interceptors) hold only the Public key.
![Page 50: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/50.jpg)
JOSE onion
claims → signed claims (JWS) → encrypted claims (JWE)
• JWS – JSON Web Signatures
• JWT – JSON Web Token
• JWE – JSON Web Encryption
• JWA – JSON Web Algorithms
• JWK – JSON Web Key
JWT composes JWA & JWK
Reference
![Page 51: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/51.jpg)
In practice
![Page 52: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/52.jpg)
Iterative rollout, step 1 (diagram)
• Clients: Mobile, Web, API
• Monolith: Security Interceptors → AuthN Module → Context; Homepage Module, Events Module
• The monolith generates a JWT and calls the extracted User Service (Security Interceptors) with Authorization: Bearer <JWT>
![Page 53: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/53.jpg)
Iterative rollout, step 2 (diagram)
• Clients: Mobile, Web, API, presenting a Cookie / Token
• AuthN Service (Security Interceptors)
• Homepage Service, User Service and Event Service (each with Security Interceptors) call each other with Authorization: Bearer <JWT>
![Page 54: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/54.jpg)
Key Rotation
• Enable support for multiple acceptable public keys
• Consider using a key hierarchy
  • Rotating the AuthN CA requires a change only to the AuthN service
• Enable revocation checking
Key hierarchy: Root CA (offline) → Auth CA → AuthN Service (Private key); Event Service, User Service and Homepage Service (each behind Security Interceptors) hold the Public key
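To make the JWT encoding slide and this key-rotation slide concrete, here is an added Python example (not the talk's code and not from the dropwizard-auth-example project; standard library only). It decodes the RS256 token printed on the encoding slide, then issues and verifies HS256 tokens, the symmetric branch of JWA from the JWS slides, against a key set indexed by `kid`. Holding more than one key in that set is what lets every verifier keep accepting the old key while the AuthN service is already signing with the new one. The issuer URL, audience, key ids and secrets are constructed, and `has_scope` stands in for the authorization decision a security interceptor makes from the claims.

```python
"""JWT structure, HS256 sign/verify, claims validation and key rotation.

Added example, not the talk's code. The RS256 slide token is decoded for
inspection only: its signature cannot be checked without the issuer's public
key, which is not on the slides. Keys, kids, issuer and audience are constructed.
"""
import base64
import hashlib
import hmac
import json

# Token exactly as printed on the "JWT encoding" slide.
SLIDE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIs"
    "ImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIs"
    "ImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20i"
    "LCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0."
    "XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO"
    "4HL3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRk"
    "tTFrVNHAOIhEQsgm8"
)

# Constructed key set. AuthN signs with CURRENT_KID; verifiers keep the previous
# key until every token signed with it has expired, then drop it from the set.
KEYS = {
    "authn-2015-10": b"old-signing-secret-constructed-for-example",
    "authn-2015-11": b"new-signing-secret-constructed-for-example",
}
CURRENT_KID = "authn-2015-11"
ISSUER = "https://authn.internal.example"   # constructed
AUDIENCE = "homepage-service"                # constructed


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str):
    """Split header.claims.signature and parse the two JSON parts.
    Inspection only: nothing here proves the token is authentic."""
    header_b64, claims_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(claims_b64)),
            signature_b64)


class InvalidToken(Exception):
    pass


def hs256_sign(claims: dict, key: bytes, kid: str) -> str:
    """Issue a JWS: base64url(header) . base64url(claims) . base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def hs256_verify(token: str, keys: dict, *, issuer: str, audience: str, now: int) -> dict:
    """Verify the signature with the key named by 'kid', then validate claims.
    The algorithm is pinned by the verifier, never taken from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, claims_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise InvalidToken("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):   # constant-time compare
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    if claims.get("aud") != audience:
        raise InvalidToken("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidToken("expired")
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """Authorization decision an interceptor makes from the (verified) claims."""
    return required in claims.get("scope", "").split()


def verification_result(token: str, keys: dict, **kw):
    """Claims on success, otherwise the rejection reason as a string."""
    try:
        return hs256_verify(token, keys, **kw)
    except InvalidToken as err:
        return str(err)


if __name__ == "__main__":
    header, claims, _ = decode_unverified(SLIDE_TOKEN)
    print("slide token header:", header, "sub:", claims["sub"], "exp:", claims["exp"])
    tok = hs256_sign({"iss": ISSUER, "aud": AUDIENCE, "userId": "u-1", "scope": "PROFILE_READ",
                      "iat": 1446305282, "exp": 1446308882}, KEYS[CURRENT_KID], CURRENT_KID)
    print(verification_result(tok, KEYS, issuer=ISSUER, audience=AUDIENCE, now=1446305300))
```

During a rotation the AuthN service switches `CURRENT_KID` first and the verifiers' `KEYS` keep both entries; the old entry is removed only after the last token signed under it has passed its `exp`, at which point `unknown kid` is the correct outcome for any straggler.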
![Page 55: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/55.jpg)
JWT Java Libraries: https://openid.net/developers/libraries/#jwt
• Jose4j
• Nimbus JOSE + JWT
• Java JWT
• Resteasy
• Apache Oltu – JOSE
![Page 56: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/56.jpg)
Demo
![Page 57: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/57.jpg)
Final thoughts
![Page 58: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/58.jpg)
Recap
• Service auth with TLS
  • Transport-level privacy and authentication
  • Service-level authorization
• User auth with JWTs
  • JWT
    • Stateless
    • Scalable
  • Authentication broker
    • Converts existing external identity attributes into internal claims
    • Internal claims enable federation across microservices
• Code: https://github.com/wdawson/dropwizard-auth-example
![Page 59: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/59.jpg)
How can Okta help?
• Universal Directory
• Single Sign-On
• Provisioning
• Adaptive Multi-factor Authentication
• Social Authentication
• Inbound Federation
• AD and LDAP Integration
![Page 60: REST Service Authetication with TLS & JWTs](https://reader034.vdocument.in/reader034/viewer/2022042907/587a2e7b1a28abbd388b6b3d/html5/thumbnails/60.jpg)
Thank You
Jon Todd (@JonToddDotCom)
Wils Dawson (@WilsDawson)