Plan B: Service to Service Authentication with OAuth
4 likes3,461 views
The document discusses service-to-service authentication using OAuth within Zalando, highlighting its architecture, roles, and flow of communication between services. It outlines how access tokens are managed and validated, emphasizing the use of JWTs for efficient authorization. The presentation culminates in the effectiveness of this system in production with various performance metrics and support for different OAuth grant types.
![GET /oauth2/tokeninfo?access_token=eyJraWQiOiJ0ZXN0a2VLWVzMjU2..
{
"expires_in": 28292,
"grant_type": "password",
"realm": "/services",
"scope": ["cn", "pets.read"],
"token_type": "Bearer",
"uid": "alice-service"
}
PLAN B TOKEN INFO](https://image.slidesharecdn.com/2016-05-12planb-servicetoserviceauthenticationwithoauth-160512191346/85/Plan-B-Service-to-Service-Authentication-with-OAuth-29-320.jpg)
Plan B: Service to Service Authentication with OAuth
- 1. Service to Service Authentication with OAuth Zalando Tech Meetup Dortmund, 2016-05-12 Background: Mike Mozart / CC BY 2.0
- 2. 15 countries 3 fulfillment centers 18 million active customers 3 billion € revenue 2015 135+ million visits per month 10.000+ employees in Europe ZALANDO
- 4. AUTONOMY
- 5. ONE DATA CENTER PER TEAM
- 6. Internet *.abc.example.org *.xyz.example.org Team ABC Team XYZ ISOLATED AWS ACCOUNTS EC2EC2 ELBELB EC2
- 7. ● 1000+ in Zalando Tech ● 100+ AWS Accounts ● 300+ Applications SOME NUMBERS..
- 8. Internet bob.xyz.example.org Team ABC Team XYZ SERVICE TO SERVICE bobEC2 ELB alice
- 9. ● HTTP Basic Auth ● SAML ● Kerberos ● OAuth 2.0 ● “Notariat” AUTHENTICATION CANDIDATES
- 10. ● HTTP Basic Auth ● SAML ● Kerberos ● OAuth 2.0 ● “Notariat” AUTHENTICATION CANDIDATES
- 11. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service. - oauth.net OAUTH?
- 12. ● Resource Owner ● Client ● Resource Server ● Authorization Server OAUTH ROLES
- 13. ● Resource Owner ⟺ User ● Client ⟺ Application ● Resource Server ⟺ REST API ● Authorization Server ⟺ OAuth Provider OAUTH ROLES
- 14. OAUTH REDIRECT FLOW Authz Server / OAuth Provider access protected resource Resource Owner / User Resource Server / REST API Client / Application validate token
- 16. ● One Service User per Application ● Resource Owner Password Credentials Grant Type ● Automatic credential distribution and rotation OAUTH FOR SERVICE TO SERVICE
- 17. Authorization: Bearer 123f Team ABC Team XYZ SERVICE TO SERVICE bobEC2 ELB alice S3 Authz Server / OAuth Provider validate token
- 18. OAUTH CREDENTIAL DISTRIBUTION VIA S3 BUCKETS AWS WEB UI get access token store passwords get password S3 rotate passwords Authz Server / OAuth Provider alice create app
- 19. ● Alice reads OAuth credentials from S3 ● Alice gets access token from Auth. Server ● Alice calls Bob with Bearer token ● Bob validates token against Auth. Server OAUTH SERVICE TO SERVICE FLOW
- 20. ● Install some OAuth Provider ● Set up credential distribution ● PROFIT!!! EASY ENOUGH
- 22. ● Network Latency? ● Token Storage? ● Availability? WHAT ABOUT bobalice Authz Server / OAuth Provider Token Storage create token validate
- 23. ● Robustness & resilience ● Low latency for token validation ● Horizontal scalability PLAN B: GOALS
- 24. ● JWT access token ● No write operation ● Cassandra PLAN B: APPROACH bobalice create token Token Info validateProvider credential storage
- 25. JSON WEB TOKENS (JWT)
- 26. $ curl -u alice-service:mypw -d 'grant_type=password&username=alice-service&password=123' https://planb-provider.example.org/oauth2/access_token?realm=/services { "access_token": "eyJraWQiOXN0a2V5LWVzMjU2..", "token_type": "Bearer", "expires_in": 28800, "scope": "cn", "realm": "/services" } PLAN B TOKEN ENDPOINT
- 27. Authorization: Bearer ↲ a8dfcf02-2d21-fe12-8791-822f48749018 Authorization: Bearer ↲ eyJraWQiOiJ0ZXN0a2V5LWVzMjU2IiwiYWxnIjoiRVMyNTYifQ. eyJzdWIiOiJ0ZXN0MiIsInNjb3BlIjpbImNuIl0sImlzcyI6IkIiLCJyZ WFsbSI6Ii9zZXJ2aWNlcyIsImV4cCI6MTQ1NzMxOTgxNCwiaWF0IjoxND U3MjkxMDE0fQ. KmDsVB09RAOYwT0Y6E9tdQpg0rAPd8SExYhcZ9tXEO6y9AWX4wBylnmNH VoetWu7MwoexWkaKdpKk09IodMVug 36 chars vs ~300 chars JWT AS OAUTH ACCESS TOKEN
- 28. ● JWT libs exist for every major language ● De-facto standard: HTTP call to Token Info ● New OAuth RFC defines Token Introspection Endpoint JWT: HOW TO VALIDATE?
- 29. GET /oauth2/tokeninfo?access_token=eyJraWQiOiJ0ZXN0a2VLWVzMjU2.. { "expires_in": 28292, "grant_type": "password", "realm": "/services", "scope": ["cn", "pets.read"], "token_type": "Bearer", "uid": "alice-service" } PLAN B TOKEN INFO
- 30. ● Self-contained JWT tokens ● No revocation standard REVOKING TOKENS
- 31. ● Revoke single tokens ● Revoke tokens by claims “Revoke all tokens issued before 1st of May for user John Doe” REVOCATION LISTS
- 32. REVOCATION SERVICE Token Info Revocation Service POST /revocations GET /revocations?from=...
- 33. PLAN B: COMPLETE PICTURE bobalice create token Token Info validate Provider credential storage Revocation poll public keys poll revocation listsS3 call with Bearer token
- 34. ● OAuth credentials in CREDENTIALS_DIR ● Token endpoint available at OAUTH2_ACCESS_TOKEN_URL ALICE’ PERSPECTIVE
- 35. ● Validation endpoint (Token Info) available at TOKENINFO_URL BOB’S PERSPECTIVE
- 36. ● Robustness & resilience ⇒ Cassandra, no SPOF ● Low latency for token validation ⇒ Token Info next to application ● Horizontal scalability ⇒ Cassandra, “stateless” Token Info PLAN B: GOALS?
- 37. ● >1300 active service users (last 5 days) ● 8 h JWT lifetime ● 40 rps on Token Endpoint (Provider) ● 1500 rps on Token Info (caching!) ● 0.5 ms JWT validation (99%) ● 11 ms Token Info latency (99%) PLAN B IN PRODUCTION
- 39. Created for Service2Service, but also supports: ● Authorization Code Grant Type ● Implicit Grant Type ● User Consent PLAN B PROVIDER
- 40. ● 3rd party Mobile App ● OAuth Implicit Flow PLAN B FOR CUSTOMERS
- 41. ● Consent Screen ● Consent stored in Cassandra PLAN B FOR CUSTOMERS
- 42. Questions? Plan B Docs planb.readthedocs.org STUPS Homepage stups.io tech.zalando.com @try_except_