Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile

DublinJUG
#DubJug @JLouisMonteiro @tomitribe
Stateless Microservice Security via
JWT, TomEE and MicroProﬁle
Jean-Louis Monteiro
Tomitribe

DublinJUG
Why am I here today?
Microservices architecture case
Security opDons
OAuth2 with JWT
Demo with MP-JWT and TomEE

DublinJUG
Microservices
(SOA with a sexy name)

@dblevins @tomitribe
DublinJUG
TradiDonal system
Component A
Component B
Component CComponent D
System
(Monolithic)

DublinJUG
… and its tradiDonal security

DublinJUG
Challenges with security
• Who is the caller?
• What can he do?
• How to propagate the security context?
“If you can’t build monolith correctly, why do you think putting network in the
middle will help?” - @simonbrown

DublinJUG
Microservices security opDons

DublinJUG
OpDons
• Basic Auth
• OAuth2
• OpenID Connect
• JWT - Facebook / Google way
• HTTP Signatures - Amazon way
• « In-house » soluFons
• And many more …

DublinJUG
“The nice thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum

DublinJUG
Baseline Architecture
1000 users
x 3 TPS
4 hops
3000 TPS
frontend
12000 TPS
backend

DublinJUG
Basic Auth
(and its problems)

DublinJUG
Basic Auth Message
POST /painter/color/object HTTP/1.1
Host: localhost:8443
Authorization: Basic c25vb3B5OnBhc3M=
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"b":255,"g":0,"name":"blue","r":0}}

DublinJUG
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
(no auth)
3000 TPS
(LDAP)
12000 TPS
(HTTP)

DublinJUG
Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
username+password
Base64
15000 TPS
(LDAP)
Password Sent
12000 TPS
(HTTP)

DublinJUG
Basic Auth - AQacks
Valid
Password Sent
3000 TPS
(HTTP+SSL) No auth
9000 TPS
(LDAP)
12000 TPS
(HTTP)
Invalid
Password Sent
6000 TPS
(HTTP+SSL)

DublinJUG
OAuth 2.0
(and its problems)

DublinJUG
The theory behind it

DublinJUG
Based on tokens

DublinJUG
OAuth 2 - Password Grant
(LDAP)
(Token Store)
POST /oauth2/token
Host: api.superbiz.io
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
}
Verify
Password
Generate
Token

DublinJUG
OAuth 2.0 Message
POST /painter/color/object HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
Accept: */*
Content-Length: 45
{"color":{"r":0,"g":0,"b":255,"name":"blue"}}

DublinJUG
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Accept: */*
Content-Length: 45
{"color":{"r":0,"g":255,"b":0,"name":"green"}}

DublinJUG
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Accept: */*
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}

DublinJUG
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

DublinJUG
OAuth 2.0 Message
POST /painter/color/stroke HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":255,"g":200,"b":255,"name":"orange"}}

DublinJUG
401

DublinJUG
OAuth 2 - Refresh Grant
(LDAP)
(Token Store)
Verify and
Generate
Token
POST /oauth2/token
Accept: */*
Content-Length: 54
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
HTTP/1.1 200 OK
Pragma: no-cache
{
"access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
"expires_in":3600,
"refresh_token":"hyT5rw1QNh5Ttg2hdtR54e",
}

DublinJUG
Old pair
• Access Token 2YotnFZFEjr1zCsicMWpAA
• Refresh Token tGzv3JOkF0XG5Qx2TlKWIA
New pair
• Access Token 6Fe4jd7TmdE5yW2q0y6W2w
• Refresh Token hyT5rw1QNh5Ttg2hdtR54e

DublinJUG
OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
Accept: */*
Content-Length: 46
{"color":{"r":0,"g":255,"b":0,"name":"green"}}

DublinJUG
OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Accept: */*
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}

DublinJUG
OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

DublinJUG
What have we achieved?
• Avoid high rate username + password transit on wire
• Replaced by a blind « token » referencing a state on the server
side
• Generate many « short live » passwords stored on devices
• Create a new …. HTTP Session architecture

DublinJUG
New terms, really?
• Password Grant?
• Logging in
• Token?
• Slightly less crappy password
• Equally crappy HTTP Session ID

DublinJUG
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
No auth
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend

DublinJUG
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
backend

DublinJUG
OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
0 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
0 TPS
(token checks)
0 hops
0 TPS
backend

DublinJUG
OAuth 2.0
+
JSON Web Tokens (JWT)

DublinJUG
JSON Web Token
• Pronounced “JOT” (No idea why :-) )
• SAML like but less verbose
• Fancy JSON map
• Base64 URL Encoded
• Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
• Possibly encrypted
• Built-in expiraFon

DublinJUG
Access Token Previously
• 6Fe4jd7TmdE5yW2q0y6W2w

DublinJUG
Access Token Now
• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi
10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb
m9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRw
czovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiI
sInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaW
VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O
TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz
IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8
DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta
Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0
98ocefuv08TdzRxqYoEqYNo

DublinJUG
Access Token Now
• { "alg": “RS256", "typ": “JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": [
“twitter”, "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3
KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098oc
efuv08TdzRxqYoEqYNo

DublinJUG
Access Token Now
• Header (JSON > Base64 URL Encoded)
• Describes how the token signature can be checked
• Payload (JSON > Base64 URL Encoded)
• Basically a map of whatever you want to put in it
• Some standard entries (called claims) such as expiraFon
• Signature (Binary > Base64 URL Encoded
• The actual digital signature
• Made exclusively by the /oauth2/token endpoint
• If RSA, can be checked by anyone

DublinJUG
Subtle But High Impact
Architectural Change

DublinJUG
What we had
(quick recap)

DublinJUG
Results
Client Holds Pointer Server Holds State

DublinJUG
What we can do now
(Hello JWT!)

DublinJUG
(LDAP)
Pull User Info
From IDP

DublinJUG
(LDAP)
Format the data
as JSON

DublinJUG
(LDAP)
RSA-SHA 256
sign JSON private

DublinJUG
(LDAP)
Insert only
pointer
into DB
(for revoca@on)

DublinJUG
(LDAP)
Send Access Token (state)
to client

DublinJUG
Client Holds State Server Holds Pointer
Desired
Results

DublinJUG

DublinJUG
OAuth 2 - Password Grant
(LDAP)
(Token ID Store)
POST /oauth2/token
Accept: */*
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
Verify
Password
Generate
Signed
Token
HTTP/1.1 200 OK
Pragma: no-cache
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM
i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0
LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M
TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ
9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8
OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO
EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh
VDaiqmhct098ocefuv08TdzRxqYoEqYNo",
"expires_in":3600,
"refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL",
}

DublinJUG
OAuth 2.0 Message with JWT
POST /painter/color/palene HTTP/1.1 
Host: api.superbiz.io 
AuthorizaDon: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR
va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ
iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl
6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ
vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
User-Agent: curl/7.43.0 
Accept: */* 
Content-Type: applicaFon/json 
Content-Length: 46 
 
{"color":{"b":0,"g":255,"r":0,"name":"green"}}

DublinJUG
OAuth 2 + JWT
Tokens Sent
3000 TPS
(HTTP+SSL)
0.27 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
(signature veriﬁcaFon)
12000 TPS
(signature veriﬁcaFon)(private key)
(public key)

DublinJUG
OAuth 2 + JWT
Valid
Tokens Sent
3000 TPS
(HTTP+SSL)
0.27 TPS
(refresh token checks)
Password Sent
1000/daily
(HTTP+SSL)
(LDAP)
4 hops
12000 TPS
backend
9000 TPS
12000 TPS
Invalid
Tokens Sent
6000 TPS
(HTTP+SSL)
(private key)
(public key)

DublinJUG
#RESTSecurity @dblevins @tomitribe#DubJug @JLouisMonteiro @tomitribe
Microproﬁle

DublinJUG
What is it?
• hnps://microproﬁle.io/
• Enterprise Java for Microservices
• Open Source
• Hosted at Eclipse FoundaFon
• IniFal version 1.0 focused on CDI, JAX-RS and JSON-P

DublinJUG
Where are we at?
• Currently at version 2.2
• ConﬁguraFon, Fault Tolerance, JWT, Health Checks, Metrics,
Open Tracing, Open API and REST Client
• 3 to 4 releases per year

DublinJUG
Who is involved?

DublinJUG
Why?
• Increasing number of speciﬁcaFons in Java EE
• Need for a smaller subset to build micro services
• Need for quick changes (Fme to market)

DublinJUG
What implementaDons?

DublinJUG
Microprofile JWT
• Most current version 1.1
• Role Based Access Control
• Very lightweight and interoperable way to propagate idenFFes
• Keys (JWKS)
• Standard configuraFon (Microprofile Config)

DublinJUG
Goals
• Extract and verify the token
• IdenFfy the caller
• Enforce authorizaFon policies

DublinJUG
#RESTSecurity @dblevins @tomitribe#DubJug @JLouisMonteiro @tomitribe
Demo

DublinJUG
Thank You!
https://tribestream.io/
http://tribestream.io
http://tomitribe.io
http://microproﬁle.io

Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile

More Related Content

What's hot (10)

Similar to Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile (20)

Recently uploaded (20)

Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile