SlideShare a Scribd company logo

Authentication in microservice systems - fsto 2017

Dejan Glozic, profile picture
Dejan Glozic

This document discusses authentication in microservice systems. It begins by setting the stage and introducing relevant topics. It then builds vocabulary around OAuth2, bearer tokens, JWT, and JWK. It describes authenticating micro frontends using an identity provider, leader/follower pattern, and endpoint middleware. It covers authenticating REST API microservices using bearer token validation. Finally, it addresses authenticating asynchronous messages using client credentials grants and session IDs across message brokers and web sockets. The conclusion summarizes that securing a microservice system involves securing each micro frontend, REST API, and asynchronous flow while maintaining performance and architecture abstraction.

Software
1 of 33
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
2015 Programming Layer Authentication in Microservice Systems Dejan Glozic, Senior Technical StaïŹ€ Member IBM Watson Data Platform
About Me IBM Canada Toronto Lab Senior Technical Staff Member IBM Watson Data Platform @dglozic http://dejanglozic.com
Part 1 Setting the stage
Broccoli of topics You know it is good for you, but you would rather eat (React) ice cream.
Securing a single-page app 1. Secure UI endpoints 2. That’s it
Securing a microservice system 1. Secure each micro frontend 2. Secure each REST API micro service 3. Secure async messaging ïŹ‚ows 4. Don’t affect performance 5. Don’t leak micro service architecture to the user
Microservice grid UI domain API domain Legacy systems Proxy Events UIAPI Message‹ Broker Backend Frontend
Disclaimer I do not intend to teach you OAuth2 or JWT or JWK. You can Google without my help.
Part 2 Building up the vocabulary
OAuth2 (RFC 6749) ‱ Industry-standard protocol for authorization ‱ Supersedes the work done on the original OAuth protocol created in 2006 ‱ Multiple ïŹ‚ows (‘grants’) ‱ Clients are issued ID and Secret
Bearer Tokens (RFC 6750) ‱ Sent to downstream REST APIs via Authorization header ‱ Can be opaque or JWT ‱ Provides for session-less APIs
JWT (RFC 7519) ‱ JSON Web Token ‱ Encoded, digitally signed, self-describing ‱ Can be validated programmatically
JWK (RF 7517) ‱ JSON Web Keys ‱ Provides for asymmetric signing of JWT ‱ Thou shalt never useth symmetric signing (promise!)
Part 3 Authentication in micro frontends
Identity provider ‱ Assists with OAuth2 authorization_code grant ‱ Challenges with user and password ‱ Optionally provides 2-factor auth ‱ Optionally federates with other systems using SAML ‱ Mints bearer tokens from authorization codes
#1 article at dejanglozic.com
UI authentication ïŹ‚ow Load balancer OAuth2‹ (Passport) Session Cache (Redis) Identity Provider Session cookie Bearer token UI API
Leader/follower patternTM OAuth2‹ (Passport) Session Cache (Redis) Identity Provider Load balancer Load balancer Load balancer Load balancer Leader Follower Follower Follower login
Synchronizing leaders OAuth2‹ (Passport) Session Cache (Redis) Identity Provider Load balancer Leader Load balancer Leader Session Cache (Redis) Login Sync Cookie
UI endpoint middleware router.use(“/mypath", authHandler.checkAuth, mypathController); ‱ Redirects to login if not authenticated ‱ Synchronizes with other leaders ‱ Refreshes bearer token if expired
XHR endpoint middleware router.use(“/api/myXHRpath”,‹ authHandler.checkXHR, myXHRpathController); ‱ Refreshes bearer token if expired ‱ If not logged in, returns 511 ‱ Client code needs to catch 511 and reload
Part 4 Authentication in REST API micro services
Bearer token validation Load balancer DB Bearer token JWKS
Worth repeating Thou shalt never useth symmetric JWT signage
Part 5 Authentication with asynchronous messages
Message broker path Message‹ Broker Queue Load balancer DB Bearer token No token!!
Help Jared calm down ‱ client_credentials grant ‱ Personal access tokens ‱ Service API keys + whitelists
Web Socket path Message Broker Queue Load balancer NoSQL DB UI Web Sockets No token!!
Help Heath
 well, something ‱ All the same stuff as with Message Brokers, plus
 ‱ Use the same session ID as Express ‱ express-socket.io-session
Conclusion Do you have any ice cream?
Securing a microservice system 1. Secure each micro frontend 2. Secure each REST API micro service 3. Secure async messaging ïŹ‚ows (MQ and web sockets) 4. Don’t affect performance 5. Don’t leak micro service architecture to the user
Q/A
Thank you! Follow me on Twitter: @dglozic Read my blog: dejanglozic.com IBM Watson Data Platform

More Related Content

PPTX
JWT SSO Inbound Authenticator
MifrazMurthaja
 
PPTX
ASP.NET Web Security
SharePointRadi
 
PDF
Microservices and Self-contained System to Scale Agile
Eberhard Wolff
 
PPTX
Secure your app with keycloak
Guy Marom
 
PDF
Microservices - not just with Java
Eberhard Wolff
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo CĂąndido da Silva
 
PPTX
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
PPTX
Building secure applications with keycloak
Abhishek Koserwal
 
JWT SSO Inbound Authenticator
MifrazMurthaja
 
ASP.NET Web Security
SharePointRadi
 
Microservices and Self-contained System to Scale Agile
Eberhard Wolff
 
Secure your app with keycloak
Guy Marom
 
Microservices - not just with Java
Eberhard Wolff
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo CĂąndido da Silva
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
Building secure applications with keycloak
Abhishek Koserwal
 

What's hot (20)

PDF
Iam f42 a
SelectedPresentations
 
PPTX
K8s idm-devfest
Marc Boorshtein
 
PDF
SAML and Liferay
Mika Koivisto
 
PDF
How Small Can Java Microservices Be?
Eberhard Wolff
 
PDF
Microservices: Architecture to Support Agile
Eberhard Wolff
 
PPTX
K8s rbac-sso
Marc Boorshtein
 
PPTX
Android app security
Positive Hack Days
 
PPTX
presentation_finals
Shivashish Kumar
 
PDF
Foreman Single Sign-On Made Easy with Keycloak
Nikhil Kathole
 
PPTX
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
PPTX
IdP, SAML, OAuth
Dan Brinkmann
 
PDF
Keycloak Single Sign-On
Ravi Yasas
 
PDF
Building an API Security Ecosystem
Prabath Siriwardena
 
PPT
Web 20 Security - Vordel
guest2a1135
 
PPTX
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson
 
PPT
SynapseIndia dotnet website security development
Synapseindiappsdevelopment
 
PDF
Spring Security
Sumit Gole
 
PDF
Securing java web applications
Jonas Elias Flesch
 
PDF
Access Management for Cloud and Mobile
ForgeRock
 
Iam f42 a
SelectedPresentations
 
K8s idm-devfest
Marc Boorshtein
 
SAML and Liferay
Mika Koivisto
 
How Small Can Java Microservices Be?
Eberhard Wolff
 
Microservices: Architecture to Support Agile
Eberhard Wolff
 
K8s rbac-sso
Marc Boorshtein
 
Android app security
Positive Hack Days
 
presentation_finals
Shivashish Kumar
 
Foreman Single Sign-On Made Easy with Keycloak
Nikhil Kathole
 
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
CA API Management
 
IdP, SAML, OAuth
Dan Brinkmann
 
Keycloak Single Sign-On
Ravi Yasas
 
Building an API Security Ecosystem
Prabath Siriwardena
 
Web 20 Security - Vordel
guest2a1135
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson
 
SynapseIndia dotnet website security development
Synapseindiappsdevelopment
 
Spring Security
Sumit Gole
 
Securing java web applications
Jonas Elias Flesch
 
Access Management for Cloud and Mobile
ForgeRock
 
Ad

Similar to Authentication in microservice systems - fsto 2017 (20)

PPTX
Microservices security - jpmc tech fest 2018
MOnCloud
 
PDF
Secured REST Microservices with Spring Cloud
Orkhan Gasimov
 
PPTX
Microservices Manchester: Authentication in Microservice Systems by David Borsos
OpenCredo
 
PDF
muCon 2016: Authentication in Microservice Systems By David Borsos
OpenCredo
 
PDF
Authentication in microservice systems
David Borsos
 
PDF
API Security In Cloud Native Era
WSO2
 
PDF
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
apidays
 
PDF
Securing Web Applications with Token Authentication
Stormpath
 
PPTX
Micro Web Service - Slim and JWT
Tuyen Vuong
 
PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PPTX
Securing Microservices with Spring Cloud Security
Will Tran
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
PPTX
Token Authentication for Java Applications
Stormpath
 
PDF
Beyond API Authorization
Jared Hanson
 
PDF
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
VMware Tanzu
 
PPT
Securing RESTful API
Muhammad Zbeedat
 
PDF
Implementing Microservices Security Patterns & Protocols with Spring
VMware Tanzu
 
PDF
The Role of IAM in Microservices
WSO2
 
PPTX
Building Secure User Interfaces With JWTs
robertjd
 
PPTX
Complete Guide to Setup Secure Scheme for Restful APIs
Xing (Xingheng) Wang
 
Microservices security - jpmc tech fest 2018
MOnCloud
 
Secured REST Microservices with Spring Cloud
Orkhan Gasimov
 
Microservices Manchester: Authentication in Microservice Systems by David Borsos
OpenCredo
 
muCon 2016: Authentication in Microservice Systems By David Borsos
OpenCredo
 
Authentication in microservice systems
David Borsos
 
API Security In Cloud Native Era
WSO2
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
apidays
 
Securing Web Applications with Token Authentication
Stormpath
 
Micro Web Service - Slim and JWT
Tuyen Vuong
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Securing Microservices with Spring Cloud Security
Will Tran
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
Token Authentication for Java Applications
Stormpath
 
Beyond API Authorization
Jared Hanson
 
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
VMware Tanzu
 
Securing RESTful API
Muhammad Zbeedat
 
Implementing Microservices Security Patterns & Protocols with Spring
VMware Tanzu
 
The Role of IAM in Microservices
WSO2
 
Building Secure User Interfaces With JWTs
robertjd
 
Complete Guide to Setup Secure Scheme for Restful APIs
Xing (Xingheng) Wang
 
Ad

Recently uploaded (20)

PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPTX
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 

Authentication in microservice systems - fsto 2017