Cloud Native App Security
IAM concepts for the cloud-native world
Let’s start with a short question: what is the best security you can get when working with distributed systems?
Security, like every architectural decision, is always a trade-off.
There is no “perfect” security.
But relying on good practices can help.
Just to double-check: there is no silver bullet.
Who we are
Dominik Guhr
Over 10 years of experience as a software engineer / consultant / agile guy / PO / problem solver.
Current: Senior Software Engineer in the Keycloak team at Red Hat.
@pinguwien
dguhr@redhat.com
linkedin.com/in/dguhr/
github.com/DGuhr
Jonathan Vila
Java Champion, organiser at BarcelonaJUG, co-founder of the JBCNConf conference.
Has worked as a developer since the release of The Secret of Monkey Island, about 30 years ago.
PMP certified by the PMI in project management.
Senior Software Engineer at Red Hat in the Keycloak Cloud Native team.
@vilojona
jvilalop@redhat.com
aytartana.wordpress.com
github.com/jonathanvila
IAM, OAuth2 & OpenID Connect
Identity and Access Management (IAM):
Authentication / AuthN: Are you really you? -> proof of identity
Authorization / AuthZ: Are you allowed to access that? -> proof of permission
OAuth2:
Token-based delegated authorization. The tokens are often JWTs, but the core spec treats the access token as opaque to the client.
Designed to answer the second question only: OAuth2 on its own is not an authentication protocol.
OpenID Connect (OIDC):
AuthN layer on top of OAuth2: adds the ID token (a signed JWT with claims about the user) and the UserInfo endpoint.
Generally two types of clients: public (browser SPA, mobile / native app: cannot keep a secret) / confidential (server-side app: can hold a client secret or key).
OIDC / OAuth2 Flows
Implicit Flow (tokens returned straight to the browser in the redirect URL fragment; the IETF OAuth 2.0 Security BCP advises against it)
Authorization Code Flow
Authorization Code Flow with PKCE
Authorization code flow: why is it not enough?
1⃣ AuthN request (client -> browser)
2⃣ AuthN request (browser -> authorization server)
3⃣ Code (authorization server -> browser, via the redirect URI)
4⃣ Code (delivered to whoever owns that redirect: the code-interception attack of RFC 7636, e.g. another app on the device registered for the same custom URI scheme)
5⃣ Token request (the attacker presents the intercepted code)
6⃣ Access token (issued: a public client has no secret, so the code alone is accepted as proof)
Pixies to the rescue!
PKCE: What is it, and why?
PKCE - “Proof Key for Code Exchange” (RFC 7636)
Initially for mobile / native apps, but now recommended by the IETF for all clients using the authorization code flow, SPAs included
Security extension of the authorization code flow
code_verifier / code_challenge: with method S256 the challenge is base64url(SHA-256(verifier)); the “plain” method sends the verifier itself and only helps against code interception, not against anyone who saw the authorization request
Dynamically generated, high-entropy “one-time” secrets, fresh for every authorization request
Goal: the client which requests tokens is the same client that started the authentication request
Authorization code flow with PKCE: how does it work?
0⃣ Client generates a code_verifier, derives the code_challenge and picks the method (S256)
1⃣ AuthN request + code_challenge & method
2⃣ Authorization server records code_challenge & method alongside the code it is about to issue
3⃣ Returns AuthZ code
4⃣ Token request w/o verifier: an attacker who intercepted the code never saw the verifier, which only travels on the back channel from the legitimate client
5⃣ Check/comparison fails: SHA-256 of the presented verifier (or of nothing) does not match the recorded code_challenge
6⃣ NOPE! invalid_grant. Only the client that holds the verifier can redeem the code.
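The exchange described above, as an added example that is not part of the slides and not Keycloak code: the client side of RFC 7636 (verifier and S256 challenge) and an in-memory stand-in for the authorization server that records the challenge at the authorization endpoint and checks the verifier at the token endpoint. The client id, the three scenarios and the "attacker" are constructed for illustration. Authorization codes are treated as single-use whatever the outcome, so an attacker who intercepts one can at most burn it, never redeem it.

```python
# Added example, not from the slides or from Keycloak: the PKCE exchange of
# RFC 7636 with the authorization server modelled in memory.  Client ids,
# the "attacker" and the demo scenarios are constructed for illustration.
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Step 0: a fresh high-entropy string of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return b64url(secrets.token_bytes(96))[:length]   # 96 random bytes -> 128 chars


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Step 0: what the client sends on the front channel instead of the verifier."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":   # only for clients that cannot hash; anyone who sees the request learns the verifier
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


class AuthorizationServer:
    """In-memory stand-in for the AS; every code is consumed by its first token request."""

    def __init__(self) -> None:
        self._pending = {}   # code -> (client_id, code_challenge, method)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Steps 1-3: record the challenge + method alongside the issued code."""
        if method not in ("S256", "plain"):
            raise ValueError("invalid_request: unknown code_challenge_method")
        code = b64url(secrets.token_bytes(32))
        self._pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str] = None) -> dict:
        """Steps 4-6: recompute the challenge from the presented verifier and compare."""
        entry = self._pending.pop(code, None)   # unknown, replayed and failed codes all die here
        if entry is None or entry[0] != client_id or code_verifier is None:
            return {"error": "invalid_grant"}
        _, stored_challenge, method = entry
        try:
            presented = make_code_challenge(code_verifier, method)
        except ValueError:                      # non-ASCII or otherwise malformed verifier
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(presented.encode(), stored_challenge.encode()):
            return {"error": "invalid_grant"}   # steps 5/6 of the slide: NOPE
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def demo() -> dict:
    """Three flows: stolen code without verifier, stolen code with a guessed verifier, honest client + replay."""
    srv = AuthorizationServer()
    results = {}

    verifier = make_code_verifier()
    code = srv.authorize("spa", make_code_challenge(verifier), "S256")
    results["stolen"] = srv.token("spa", code)                          # attacker holds the code only

    verifier = make_code_verifier()
    code = srv.authorize("spa", make_code_challenge(verifier), "S256")
    results["guessed"] = srv.token("spa", code, make_code_verifier())   # 384 bits of entropy: guessing is hopeless

    verifier = make_code_verifier()
    code = srv.authorize("spa", make_code_challenge(verifier), "S256")
    results["ok"] = srv.token("spa", code, verifier)                    # legitimate client holds the verifier
    results["replay"] = srv.token("spa", code, verifier)                # same code a second time
    return results
```

The `make_code_challenge` function reproduces the test vector from RFC 7636 Appendix B, which is a cheap way to check any PKCE implementation before wiring it to a real authorization server. Note what PKCE does not do: it proves that the token request comes from the party that started the flow, nothing more, so it is a complement to, not a replacement for, the `state` parameter, exact redirect URI matching and short code lifetimes.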
So… are we secure yet?
… let’s say we’re confident that this is good enough.
(But have you heard of refresh tokens?)
Refresh tokens & access tokens → bearer tokens
Bearer = whoever presents the token is trusted; the access check happened when the token was issued, not when it is used
Browser = untrusted = “here be dragons”
Stolen:
● Refresh token → exchange for a new token pair, again and again, for as long as the refresh token stays valid
● Access token → short-time access, until it expires
Problem: no proof of possession. Nothing ties the token to the client it was issued to.
Mitigation:
● Refresh token rotation: every refresh returns a new refresh token and invalidates the old one, so a stolen token works only until the victim or the thief presents an already-rotated one, at which point the whole token family is revoked
Solutions (sender-constrained tokens):
● mTLS (RFC 8705): token bound to the client’s TLS certificate
● DPoP (RFC 9449): the client signs a per-request proof with a private key the token is bound to
Current good practice (IETF OAuth 2.0 Security BCP): refresh token rotation or sender-constraining for public clients
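Refresh token rotation with reuse detection, as an added example that is not part of the slides and not Keycloak code. Each login opens a token "family"; every refresh token is single-use, and presenting one that has already been rotated revokes the whole family, because the server cannot tell whether the thief or the victim is the one replaying it. The token formats, the in-memory store, the user names and the controllable clock are constructed for illustration; a real authorization server persists this state and issues signed tokens.

```python
# Added example, not from the slides or Keycloak: refresh token rotation with
# reuse detection, as the OAuth 2.0 Security BCP describes it for public
# clients.  Token formats, the in-memory store and the fake clock are
# constructed for illustration; a real AS persists this state.
import secrets
import time


class FakeClock:
    """Controllable time source so the demo can expire tokens deterministically."""

    def __init__(self, now: float = 1_700_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class TokenService:
    def __init__(self, access_ttl: int = 300, clock=time.time) -> None:
        self.access_ttl = access_ttl
        self._clock = clock
        self._access = {}      # access_token -> (user, family, expires_at)
        self._refresh = {}     # refresh_token -> {"user", "family", "used"}
        self._revoked = set()  # families (one per login) that have been revoked

    def login(self, user: str) -> dict:
        return self._issue(user, family=secrets.token_hex(8))

    def _issue(self, user: str, family: str) -> dict:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = (user, family, self._clock() + self.access_ttl)
        self._refresh[refresh] = {"user": user, "family": family, "used": False}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def refresh(self, refresh_token: str) -> dict:
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["family"] in self._revoked:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # Already rotated: either the thief or the victim is replaying it and the AS
            # cannot tell which, so the whole family dies and the user logs in again.
            self._revoked.add(rec["family"])
            return {"error": "invalid_grant", "error_description": "refresh token reuse detected"}
        rec["used"] = True                 # single use: the old token is now a tripwire
        return self._issue(rec["user"], rec["family"])

    def introspect(self, access_token: str) -> dict:
        """RFC 7662-style check a resource server makes for an opaque access token."""
        entry = self._access.get(access_token)
        if entry is None:
            return {"active": False}
        user, family, expires_at = entry
        if family in self._revoked or self._clock() >= expires_at:
            return {"active": False}
        return {"active": True, "sub": user}


def demo() -> dict:
    clock = FakeClock()
    svc = TokenService(access_ttl=300, clock=clock)
    out = {}

    # Honest path: rotation is invisible to a well-behaved client.
    first = svc.login("alice")
    second = svc.refresh(first["refresh_token"])
    out["rotated"] = "refresh_token" in second and second["refresh_token"] != first["refresh_token"]

    # Theft path: the refresh token is exfiltrated from the browser (XSS, bad extension, ...).
    victim = svc.login("bob")
    stolen = victim["refresh_token"]
    thief = svc.refresh(stolen)                      # first use wins: the thief gets a fresh pair
    out["thief_first"] = "access_token" in thief
    out["thief_token_active_before"] = svc.introspect(thief["access_token"])["active"]
    out["victim_refresh"] = svc.refresh(stolen)      # the real client presents the rotated token: tripwire
    out["thief_refresh_after"] = svc.refresh(thief["refresh_token"])  # whole family is dead
    out["thief_token_active_after"] = svc.introspect(thief["access_token"])["active"]

    # Short-lived access token: expires on its own even without rotation.
    out["second_active_now"] = svc.introspect(second["access_token"])["active"]
    clock.now += 301
    out["second_active_later"] = svc.introspect(second["access_token"])["active"]
    return out
```

Two limits worth keeping in mind. First, rotation detects theft only once somebody replays a rotated token, so the thief keeps a working pair until the victim's next refresh; the short access token lifetime bounds that window. Second, the family revocation above propagates to access tokens only because the resource server introspects an opaque token; with self-contained JWT access tokens that are validated locally, a revoked family stays usable until the JWT expires, which is one more reason to keep that lifetime short.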
“OK OK WE GOT IT!
BROWSER = HERE BE DRAGONS!
Can we just avoid leaking ALL tokens to the
front channel?”
Well… “yes, we can!” Let’s take a look at the BFF (Backend For Frontend) pattern: a small confidential client on the server runs the code flow, keeps the tokens, and gives the browser nothing but a session cookie.
Conclusion: BFF
Pro: No tokens in the browser anymore! Yay! The BFF is a confidential client, so it can hold a client secret and keeps access and refresh tokens server-side.
Secure, HttpOnly, SameSite cookie: script cannot read it, so an XSS cannot exfiltrate the session, and the browser does not attach it to cross-site requests, which blocks CSRF. Caveat: script injected into the page can still call the BFF with the user’s session, so XSS is contained (no token theft), not eliminated.
Con: Additional component = additional maintenance (but a BFF can be very simple).
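The BFF session layer described above, as an added example that is not part of the slides and not Keycloak code. It assumes the BFF has already completed the authorization code flow on the back channel (as a confidential client) and now holds a token pair; the code shows what the browser receives instead of those tokens, how a browser request is turned into an upstream request carrying the bearer token, and how a forged cookie and a cross-site POST are refused. The cookie name, signing key, sample tokens and the use of the Sec-Fetch-Site header as a second CSRF check are assumptions made for this example.

```python
# Added example, not from the slides or Keycloak: a minimal Backend-For-Frontend
# session layer.  The BFF (a confidential client) has already run the code flow
# on the back channel; this shows what the browser gets instead of the tokens
# and how a request is forwarded.  Cookie name, signing key, tokens and the
# Sec-Fetch-Site check are assumptions made for illustration.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE = "bff_session"


class BFF:
    def __init__(self, cookie_key: bytes) -> None:
        self._key = cookie_key
        self._sessions = {}   # opaque session id -> tokens; never leaves the server

    def _mac(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode("ascii"), hashlib.sha256).hexdigest()

    def complete_login(self, tokens: dict) -> str:
        """Store the token pair server-side; return the Set-Cookie header for the browser."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(tokens)
        jar = SimpleCookie()
        jar[COOKIE] = f"{sid}.{self._mac(sid)}"   # opaque id + MAC, no token material inside
        jar[COOKIE]["httponly"] = True            # script cannot read it -> XSS cannot exfiltrate it
        jar[COOKIE]["secure"] = True              # never sent over plain HTTP
        jar[COOKIE]["samesite"] = "Strict"        # not attached to cross-site requests -> CSRF
        jar[COOKIE]["path"] = "/"
        return jar.output(header="Set-Cookie:")

    def _session(self, cookie_header: str):
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE)
        if morsel is None or "." not in morsel.value:
            return None
        sid, mac = morsel.value.rsplit(".", 1)
        if not hmac.compare_digest(mac, self._mac(sid)):   # forged or tampered cookie
            return None
        return self._sessions.get(sid)

    def proxy(self, cookie_header: str, method: str, fetch_site: str = "same-origin"):
        """Turn a browser call into an upstream call: (status, headers to send upstream)."""
        session = self._session(cookie_header)
        if session is None:
            return 401, {}
        # Defence in depth for CSRF: SameSite=Strict already keeps the cookie off cross-site
        # requests; refusing state-changing calls not marked same-origin also covers browsers
        # without SameSite support and same-site-but-other-origin pages.
        if method not in ("GET", "HEAD") and fetch_site not in ("same-origin", "none"):
            return 403, {}
        return 200, {"Authorization": f"Bearer {session['access_token']}"}


def demo() -> dict:
    bff = BFF(cookie_key=secrets.token_bytes(32))
    tokens = {"access_token": "AT-constructed-123", "refresh_token": "RT-constructed-456"}  # constructed
    set_cookie = bff.complete_login(tokens)
    cookie_value = set_cookie.split(";")[0].split(": ", 1)[1]   # what the browser sends back
    sid = cookie_value.split("=", 1)[1].rsplit(".", 1)[0]
    forged = f"{COOKIE}={sid}.{'0' * 64}"                        # right session id, wrong MAC
    return {
        "set_cookie": set_cookie,
        "ok": bff.proxy(cookie_value, "POST", fetch_site="same-origin"),
        "forged": bff.proxy(forged, "GET"),
        "cross_site_post": bff.proxy(cookie_value, "POST", fetch_site="cross-site"),
        "no_cookie": bff.proxy("", "GET"),
    }
```

The point to verify in any BFF is the one `demo()` checks: the Set-Cookie header that reaches the browser contains neither the access nor the refresh token, only an opaque, MAC-protected session id. Logout is the mirror image and is omitted here: drop the server-side session and revoke the tokens at the authorization server, so that a leaked cookie is worthless afterwards.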
Securing K8s Apps: BFF/Proxies
Gateway
Sidecar
Service mesh
Keycloak.X
Social login
Single Sign-On / Single Sign-Off
2FA
Multiple adapters
Open source
K8s Operator
Productised version
Container
CIAM
Multisource configuration
GitOps friendly
Cloud native
Observability
Zero-downtime upgrade
Scalability and availability
Vault integration
Rewritten Operator
Keycloak.X
● Usability
  ○ Keycloak image configuration:
    ● Wrapper around Quarkus configuration
    ● Environment variables
    ● Configuration properties
  ○ Rich CLI
    ● Specific for Keycloak
    ● Configure everything from the CLI
    ● UX and troubleshooting in mind
  ○ New store capabilities
    ● Zero-downtime upgrade
    ● File-based storage for immutable configuration
    ● Git
Keycloak.X
● Cloud-native-first approach
  ○ Based on supersonic subatomic Quarkus ;)
  ○ Faster startup: 7 s
  ○ Lower memory footprint: 428 MB
  ○ Smaller distribution size
  ○ Stateless & decomposed
* 35% improvement vs Keycloak (the previous, WildFly-based distribution)
… but always remember: security is architecture, and architecture is always a trade-off.
… and there is no silver bullet. Ever.
QUESTIONS?
Thank you!