Secure Architecture:
APIs Authorization
Erick Belluci Tedeschi
@ericktedeschi
The biggest hacker festival in Latin America
Secure Arch: APIs Authorization
$ whoami
● Web Developer since 2003
● Application Security since 2007
● Biker
● Maker
Agenda
● Basic auth (recap)
● Hypothetical case
● OAuth 2.0, OpenID Connect, JWT (what are they?)
● Keycloak to rule them all
● Demo
Basic auth (recap)
● RFC 7617 (obsoletes RFC 2617)
● Easy to implement and understand
● It is an "authentication" standard: it identifies the caller, it says nothing about what the caller may do
● Stateless: the credentials are sent on every request in the same context, so they must only ever travel over TLS
Basic auth (recap) [request flow diagram; image not extracted]
Hypothetical case [architecture diagram]
Resource Owner (Mobile, Browser) -> Fintech API (the API Gateway):
  GET /my
  POST /transfer/{dst_account}
  GET /receipts
Your cloud or data center environment, behind the gateway:
  Account Service   GET /my/{user_id}                           Basic auth
  Transfer Service  POST /transfer/{src_account}/{dst_account}  Basic auth
  Receipt Service   GET /receipts/{user_id}                     No auth
Minimum needed (authorization server endpoints): /token, /authorize
Hypothetical case: what is wrong with it
(same architecture as the previous slide; the Resource Owner is the end-user)
● Poor logging (no usable audit trail)
● Poor identification/accountability on the microservices (an X-User-Logged header set by the gateway is unauthenticated input that any internal caller could forge)
● Authorization centralized on the API Gateway
● Microservices keep "micro user repositories" or have no authentication/authorization at all
● The API Gateway has more responsibility than necessary
● Only basic knowledge of the relevant patterns
Let’s improve it…
JOSE
JSON Object Signing and Encryption
● JWT: JSON Web Token (the claims set)
● JWS: JSON Web Signature (integrity)
● JWE: JSON Web Encryption (confidentiality)
● JWK: JSON Web Key (how keys are represented and published)
● JWA: JSON Web Algorithms (the algorithm registry shared by JWS, JWE and JWK)
✔ URL-safe
✔ Intended for space-constrained environments
  ✔ HTTP headers (like Authorization)
  ✔ URI query parameters (RFC 6750 discourages this for bearer tokens: they end up in server logs, proxies and Referer headers)
✔ Flexible
✔ Interoperable
Anatomy of a JWT: a Keycloak access token in JWS compact serialization (header.payload.signature, each part base64url; line-wrapped as on the slide):
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2
lkIiA6ICJ5WmNnMzF3YzMtRGwwcGttNk5adF
Q0NmdjU3ZWeGVJdWN4UkNhWVBYaDVvIn
0.eyJqdGkiOiJlMDQwNjJjOC1jY2MwLTQzN2It
YTIyMC1iMzRkOWExOGQ0MTUiLCJleHAiOj
E1MDQzMjc0NDcsIm5iZiI6MCwiaWF0IjoxNTA
0MzI3MTQ3LCJpc3MiOiJodHRwOi8vMTkyLjE
2OC4xMjIuMTo4MDgwL2F1dGgvcmVhbG1zL
3BocC1zdW1taXQiLCJhdWQiOiJmcm9udGVu
ZGFwcCIsInN1YiI6IjFlYzUwNDg3LTg5Y2QtN
GYyNS1iODRmLTVkYTU0M2U3NmYxOSIsIn
R5cCI6IkJlYXJlciIsImF6cCI6ImZyb250ZW5kY
XBwIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX
3N0YXRlIjoiN2EyNDkyOWUtZTUwYy00Yzk1L
Tk1YmItNWQ3MDE2ZDQ5MWU1IiwiYWNyIjoi
MSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRw
Oi8vbG9jYWxob3N0Il0sInJlYWxtX2FjY2VzcyI
6eyJyb2xlcyI6WyJST0xFX0dPRCIsInVtYV9hd
XRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY
2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJt
YW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2N
vdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fS
wibmFtZSI6IkVyaWNrIEJlbGx1Y2kgVGVkZXN
jaGkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOi
JlcmljayIsImdpdmVuX25hbWUiOiJFcmljayIsIm
ZhbWlseV9uYW1lIjoiQmVsbHVjaSBUZWRlc2
NoaSIsImVtYWlsIjoiZXJpY2tAb2VyaWNrLmNv
bSJ9.KCPOmXVvkGMZxMztDbj662IK61Sma
Wx9lfOYktTcVM9oWzLfl5y4IW6tGpWZTxcTDl
3AViyuV8MN0PSNy2hIpjpOR404-9pQCOfE-
MRF_nIOErNbq_FUOz7d6Jfh-
QceCPaBzhxsKWYBNuIOS22grdwooo1vwDj_
KKLB1d92P7MAy0hRK0...
Decoded header:
{
"alg":"RS256",
"typ" : "JWT",
"kid" : "yZcg31wc3-Dl0pkm6NZtT46gcSvVxeIucxRCaYPXh5o"
}
Decoded payload (claims):
{
"jti":"e04062c8-ccc0-437b-a220-b34d9a18d415",
"exp":1504327447,
"nbf":0,
"iat":1504327147,
"iss":"http://192.168.122.1:8080/auth/realms/roadsex",
"aud":"frontendapp",
"sub":"1ec50487-89cd-4f25-b84f-5da543e76f19",
"typ":"Bearer",
"azp":"frontendapp",
"auth_time":0,
"session_state":"7a24929e-e50c-4c95-95bb-5d7016d491e5",
"acr":"1",
"allowed-origins":["http://localhost"],
"realm_access":{"roles":["ROLE_GOD","uma_authorization"]},
"resource_access":{"account":{"roles":["view-profile"]}},
"name":"Erick Belluci Tedeschi",
"preferred_username":"erick",
"given_name":"Erick",
"family_name":"Belluci Tedeschi",
"email":"erick@oerick.com"
}
JWS signature: created with the issuer's private key. A resource server verifies it with the matching public key, selected by kid from the key set the realm publishes (OpenID Connect Discovery points to it); it never needs the private key.
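The token above can be pulled apart and checked with nothing but the Python standard library. What follows is an added example, not code from the talk or from Keycloak: it decodes the header segment of the slide's own token (a JWS is signed, not encrypted, so anyone holding it can read header and payload), then implements the checks a resource server must run before trusting the payload. It signs with HS256 and a shared secret because that needs no extra dependency; the slide's token is RS256, where the resource server holds only the issuer's public key fetched by kid. The issuer, audience, kid and key below are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Header segment of the Keycloak token shown on the slide (copied from the page).
SLIDE_HEADER_SEGMENT = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2"
    "lkIiA6ICJ5WmNnMzF3YzMtRGwwcGttNk5adF"
    "Q0NmdjU3ZWeGVJdWN4UkNhWVBYaDVvIn0"
)

# Assumed values for the example (not from the slides).
ISSUER = "https://as.example.test/auth/realms/demo"
RS_AUDIENCE = "https://rs.example.test"          # this resource server's identifier
KEYS = {"kid-demo-1": b"constructed-demo-secret-do-not-use-in-production"}  # kid -> key
ALLOWED_ALGS = {"HS256"}   # allow-list: 'none' and any unexpected alg are rejected


def b64url_decode(segment: str) -> bytes:
    """base64url without padding (RFC 7515 section 2); restore the '=' first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek_header(token_or_segment: str) -> dict:
    """Read a header WITHOUT trusting it; only alg/kid may be used, and only to pick a key."""
    return json.loads(b64url_decode(token_or_segment.split(".")[0]))


def mint_hs256(claims: dict, kid: str) -> str:
    """Issue a token the way an authorization server would (HS256, shared secret).
    Keycloak uses RS256 instead: the private key stays with the issuer and the
    resource servers only ever hold the public key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, issuer: str = ISSUER, audience: str = RS_AUDIENCE,
               now: Optional[int] = None) -> dict:
    """Offline validation as a resource server's OAuth filter performs it:
    signature first, then iss, aud, exp and nbf. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") not in ALLOWED_ALGS:          # blocks alg=none and alg confusion
        raise ValueError("alg not allowed: %r" % header.get("alg"))
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, (header_seg + "." + payload_seg).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_seg))       # only now may the payload be trusted
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this resource server")  # e.g. an id_token meant for the client
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("not yet valid")
    return claims


def is_valid(token: str, issuer: str = ISSUER, audience: str = RS_AUDIENCE,
             now: Optional[int] = None) -> bool:
    try:
        verify_jwt(token, issuer, audience, now)
        return True
    except ValueError:
        return False


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the payload but keep the old signature: all an attacker who can
    only read the token can do. Must fail verification."""
    header_seg, payload_seg, sig_seg = token.split(".")
    claims = json.loads(b64url_decode(payload_seg))
    claims["sub"] = new_sub
    return header_seg + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_seg
```

The order of checks matters: the alg allow-list and kid lookup come before any signature work, the signature is verified before a single claim is read, and the audience check is what stops an id_token issued for "frontendapp" from being accepted by an API whose identifier is different.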
The OAuth 2.0 Authorization Framework
OAuth 2.0 enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner... (from the RFC 6749 abstract)
Warning! OAuth 2.0 is not about authentication
An access token is a credential for calling the API on the resource owner's behalf; it was not designed to tell the client who the user is. That is what OpenID Connect adds on top.
What does an access_token (authorization) look like?
// JWT Payload
{
  "sub": "alice",                        // user id
  "cid": "000123",                       // client id (non-standard claim name; Keycloak uses azp)
  "iss": "https://as.domain.com",        // who issued it (the authorization server)
  "aud": "https://rs.domain.com",        // the resource server it is meant for
  "exp": 1460345736,                     // expiration
  "scp": ["openid","email","profile"]    // scopes (non-standard claim name)
}
OpenID Connect
OpenID Connect 1.0 is a "simple" identity layer on top of OAuth 2.0.
What does an id_token look like?
// JWT Payload
{
  "iss": "InstIdentRicardoGumbletonDaunt",  // who issued it (the ID-card office, in this analogy)
  "sub": "4.444.444",                       // user identification
  "aud": ["cops","bank"],                   // who it is meant for
  "nonce": "n-0S6_WzA2Mj",                  // ties the token to the client's request (replay protection)
  "exp": 1311281970,                        // expiration (the analogy is a card valid for years; these sample values are 1000 s apart)
  "iat": 1311280970,
  "auth_time": 1311280969,
  "amr": ["sign","fingerprint"]             // authentication methods references (a JSON array in OIDC Core)
}
Hypothetical case, improved [architecture diagram]
Resource Owner (Mobile, Browser) -> Fintech API (API Gateway) -> OAuth Filter ("introspection/validation"):
  GET /my
  POST /transfer/{dst_account}
  GET /receipts
Each microservice behind the gateway sits behind its own OAuth Filter ("offline introspection/validation" of the JWT):
  Account Service   GET /my/
  Transfer Service  POST /transfer/{dst_account}
  Receipt Service   GET /receipts/
The {user_id} and {src_account} path parameters are gone: the caller's identity now comes from the verified token's sub, not from the URL.
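One way the per-service OAuth Filter in the improved design can take its decision, and how it addresses the X-User-Logged and audit-trail problems listed for the original design. This is an added example, not code from the talk or from Keycloak. It receives the claims of an access token whose signature, iss, aud, exp and nbf were already verified (that step is deliberately outside this function). The role name "customer", the sub-to-account table and the claims dictionaries are constructed for the example; the realm_access.roles layout is the one visible in the slide's token.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Route table for the three services from the slides. The realm role "customer"
# is an assumption; Keycloak exposes realm roles under realm_access.roles.
ROUTES = [
    ("GET",  re.compile(r"^/my/?$"),                              "customer"),
    ("POST", re.compile(r"^/transfer/(?P<dst_account>[\w-]+)$"),  "customer"),
    ("GET",  re.compile(r"^/receipts/?$"),                        "customer"),
]

# Constructed lookup: which account belongs to which subject (token 'sub').
# The source account is resolved server-side from the caller's identity; it is no
# longer a URL parameter the client picks, which is why the improved API is
# POST /transfer/{dst_account} instead of /transfer/{src_account}/{dst_account}.
ACCOUNTS_BY_SUB = {
    "1ec50487-89cd-4f25-b84f-5da543e76f19": "acc-1001",   # sub from the slide's token
    "7b6f2d0e-0000-4000-8000-000000000002": "acc-1002",
}

ALICE_CLAIMS = {   # constructed, modelled on the slide's token
    "sub": "1ec50487-89cd-4f25-b84f-5da543e76f19",
    "azp": "frontendapp",
    "jti": "e04062c8-ccc0-437b-a220-b34d9a18d415",
    "realm_access": {"roles": ["customer", "uma_authorization"]},
}


@dataclass
class Decision:
    status: int                          # HTTP status the filter would answer with
    reason: str
    src_account: Optional[str] = None    # resolved from the token, never from the request
    audit: dict = field(default_factory=dict)

    @property
    def allowed(self) -> bool:
        return self.status == 200


def audit_record(claims, method, path, outcome) -> dict:
    """Per-service audit line with the fields the slides say were missing: who (sub),
    through which client (azp), which token (jti), what was attempted, and the result."""
    claims = claims or {}
    return {"sub": claims.get("sub"), "azp": claims.get("azp"), "jti": claims.get("jti"),
            "method": method, "path": path, "outcome": outcome}


def oauth_filter(verified_claims, method, path, headers=None) -> Decision:
    """Authorization decision for one request inside a microservice.

    A legacy X-User-Logged header, if present, is ignored on purpose: it is
    unauthenticated input that any caller on the internal network could set.
    The identity used for every decision is the token's sub."""
    headers = headers or {}
    if verified_claims is None:
        return Decision(401, "no valid bearer token", audit=audit_record(None, method, path, "deny"))

    sub = verified_claims.get("sub")
    roles = set(verified_claims.get("realm_access", {}).get("roles", []))

    for route_method, pattern, required_role in ROUTES:
        match = pattern.match(path)
        if route_method != method or not match:
            continue
        if required_role not in roles:
            return Decision(403, "role %r required" % required_role,
                            audit=audit_record(verified_claims, method, path, "deny"))
        src = ACCOUNTS_BY_SUB.get(sub)
        if src is None:
            return Decision(403, "subject has no account",
                            audit=audit_record(verified_claims, method, path, "deny"))
        if match.groupdict().get("dst_account") == src:
            return Decision(400, "cannot transfer to the source account",
                            audit=audit_record(verified_claims, method, path, "deny"))
        outcome = "allow"
        if headers.get("X-User-Logged") not in (None, sub):
            outcome = "allow (ignored X-User-Logged=%s)" % headers["X-User-Logged"]
        return Decision(200, "ok", src_account=src,
                        audit=audit_record(verified_claims, method, path, outcome))

    return Decision(404, "no such route", audit=audit_record(verified_claims, method, path, "deny"))


if __name__ == "__main__":
    d = oauth_filter(ALICE_CLAIMS, "POST", "/transfer/acc-1002", {"X-User-Logged": "bob"})
    print(d.status, d.reason, d.src_account, d.audit)
```

Because every service writes its own audit record keyed by sub, azp and jti, a transfer can be traced to the user, the client application and the exact token that performed it, whether or not it passed through the gateway.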
Keycloak
Open Source Identity and Access Management
For Modern Applications and Services
Installing Keycloak
● Downloads: http://www.keycloak.org/downloads.html
$ curl -O https://downloads.jboss.org/keycloak/3.2.1.Final/keycloak-3.2.1.Final.tar.gz
$ tar xzvf keycloak-3.2.1.Final.tar.gz
$ cd keycloak-3.2.1.Final
$ ./bin/add-user-keycloak.sh -u admin
$ ./bin/standalone.sh -b 192.168.122.1
  (the demo binds plain HTTP on a lab address; anything beyond a lab needs TLS in front of it)
● Via Docker (KEYCLOAK_PASSWORD=123456 is a throwaway demo value; use a real one, and keep secrets off the command line outside a lab):
$ sudo docker run -e KEYCLOAK_USER=admin \
    -e KEYCLOAK_PASSWORD=123456 \
    -d -p 8080:8080 --name keycloak-php \
    jboss/keycloak
● Tip to enable MySQL as the RDBMS: https://github.com/Codingpedia/codingmarks-api/wiki/Keycloak-MySQL-Setup
Keycloak Realm overview [screenshot slides; images not extracted]
References:
HTTP authentication
https://tools.ietf.org/html/rfc7617 - The 'Basic' HTTP Authentication Scheme
OAuth 2.0
https://tools.ietf.org/html/rfc6749 - The OAuth 2.0 Authorization Framework
https://tools.ietf.org/html/rfc6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6819 - OAuth 2.0 Threat Model and Security Considerations
https://tools.ietf.org/html/rfc7009 - OAuth 2.0 Token Revocation
https://tools.ietf.org/html/rfc7662 - OAuth 2.0 Token Introspection
https://tools.ietf.org/html/rfc8252 - OAuth 2.0 for Native Apps (updates RFC 6749) - Oct 2017
JOSE - JSON Object Signing and Encryption
https://tools.ietf.org/html/rfc7515 - JSON Web Signature (JWS)
https://tools.ietf.org/html/rfc7516 - JSON Web Encryption (JWE)
https://tools.ietf.org/html/rfc7517 - JSON Web Key (JWK)
https://tools.ietf.org/html/rfc7518 - JSON Web Algorithms (JWA)
https://tools.ietf.org/html/rfc7519 - JSON Web Token (JWT)
OpenID Connect
http://openid.net/specs/openid-connect-core-1_0.html - OpenID Connect Core 1.0
http://openid.net/specs/openid-connect-discovery-1_0.html - OpenID Connect Discovery 1.0
Thank you!
#dontstophacking
● Erick Belluci Tedeschi
● erick@oerick.com
● https://twitter.com/ericktedeschi
● https://linkedin.com/in/ericktedeschi

RoadSec 2017 - AppSec track - APIs Authorization
