SlideShare ist ein Scribd-Unternehmen logo

REST Service Authetication with TLS & JWTs

Als PPTX, PDF herunterladen
Jon Todd
Jon Todd

Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.

Software
1 von 60
Jon Todd @JonToddDotCom REST Service Auth with JWTs Wils Dawson @WilsDawson
About Okta Okta is the foundation for secure connections between people and technology
Used in 185 countries
Our stack
Goals 1. Demystify claims based auth with Json Web Tokens (JWT) 2. Learn how we solve service auth @Okta 3. Real world code example using Dropwizard
1 Background • Concepts • The service auth problem 2 Service Auth 3 User Auth
Concepts
Verifying you are who you say you are (AuthN) Authentication
What you are allowed to do (AuthZ) Authorization
Authentication & authorization Auth
Identity attributes about a user provided by a trusted issuer Examples: kerberos ticket, SAML assertion, JWT Claims
Boarding pass is a signed set of claims made by the airline about you • Issued by airline • Claims • Name (authentication) • Flight Date/Time, Number and Seating Priority (authorization) • Bar code/magnetic strip (signature) • Proves that the pass was issued by the airline and is not a forgery (authenticity). Claims example
OK, I get claims. But why use JWTs?
Service protocol shift to REST
JSON <…/> {…}
JSON Object Signing & Encryption (JOSE) Working group: https://datatracker.ietf.org/wg/jose/charter/ • JWS – JSON Web Signatures • JWT – JSON Web Token (pronounced “jot”) • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "karl@example.com", "email_verified": true } Claims
Single authentication trusted across multiple separate systems Examples: WS-Federation, SAML, OpenID Connect Federation
Federation example • At ticket counter trade credentials for ticket (authentication broker) • Passport • Driver’s license • Agent at counter verifies credentials • ID issued by trusted source (trust) • Scans barcode and verifies photo (authentication) • Verifies flight is paid for and seat assigned (authorization) • Agent issues ticket (claims) • Ticket is accepted by multiple, independent parties (federation) • Security line entry • TSA check • Gate agent
Microservices https://www.pinterest.com/pin/205828645447534387/ http://www.bennysbaker.com/poop-emoji-cupcakes/
Federation standards shift https://www.flickr.com/photos/robbies/693510178 • JWS – JSON Web Signatures • JWT – JSON Web Token • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key JW-
Use cases Delegated access OAuth 2.0 Identity claims JOSE OpenID ConnectFederation
OAuth 2 Framework RFC 6749 Assertion Framework RFC 7521 Token Introspection RFC 7662 Token Revocation RFC 7009 Dynamic Client Registration RFC 7591 JSON RFC 7159 JSON Web Token Bearer Assertion RFC 7523 Proof Key for Code Exchange (PKCE) RFC 7636 Simple Authentication and Security Layer (SASL) RFC 7628 Token Exchange Draft SAML 2.0 Bearer Assertion RFC 7522 Proof of Possession Draft JSON Web Token (JWT) RFC 7519 JSON Web Signature (JWS) RFC 7515 JSON Web Encryption (JWE) RFC 7516 JSON Web Key (JWK) RFC 7517 Bearer Token RFC 6750
The service auth problem
Monolithic auth model Security Interceptors C o n t e x t GET https://myapplication.com/home AuthN Module Mobile Web API
Monolithic auth model GET https://myapplication.com/home Security Interceptors C o n t e x tUser Module Events Module AuthN Module Homepage Module Log eventsLookup user Mobile Web API
Services auth model - context Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <token> GET https://myapplication.com/home Authorization: Bearer <token> Authorization: Bearer<token> C o n t e x t Lookup user ID with token  Mobile Web API
Services auth model - claims Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <jwt> Authorization: Bearer <jwt> Authorization: Bearer <jwt> { “userId”:”…”, “tenantId”:”...”, “scope”:”PROFILE_READ” } Issues access jwt after authN Claims example Concepts • Claims • Authentication broker • Federation Mobile Web API
Layers of security Perimeter Service Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <claims_token> User
1 Background 2 Service Auth • TLS overview • Adding AuthZ • Demo 3 User Auth
TLS overview
What is TLS? • Secure Sockets Layer (SSL)  Transport Layer Security (TLS) • Symmetric cryptography for data encryption • Protection against failure via MAC • Identity of communicating parties via asymmetric cryptography
TLS handshake Client Server 2 Server Hello (with cert) 4 Finished 5 Finished Secured Channel Client Hello 1 3 Calculate Symmetric Key 3 • Hello • Key Exchange • Finished https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie- Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
Who’s authenticated? Event ServiceUser Service Homepage Service Hello Hello, here’s my certificate Secured Channel User Service
TLS client authentication Client Server 2 Client Certificate Request 4 Certificate Verify 5 Calculate Key and Finish Secured Channel Hello 1 3 Client Certificate 1 5 • Client talking to authentic server • Server talking to known client • Requires client to have certificate
That’s a lot of certificates Event ServiceUser Service Homepage Service • Enable support for multiple acceptable public keys • Consider using a key hierarchy • Rotating User CA requires change only to User Service • Enable revocation checking Root CA (offline) User CA Event CA Homepage CA
Problem solved? Event ServiceUser Service Homepage Service User Service ISS: Root CA Event Service ISS: Root CA Homepage Service ISS: Root CA
Adding AuthZ
Hostname verification • Standard (RFC 2818) • Match hostname of client to certificate • Hard when services share hosts like in a cluster manager Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com Homepage Service
Service-name verification • Tie certificates to services rather than hosts • Better portability • Simpler deployments • No standard • Application level Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service Homepage Service
TLS client authentication for internal services http://developer.okta.com/blog/ More info?
Demo
So we’re done right? Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Mobile Web API
1 Background 2 Service Auth 3 User Auth • JOSE • In practice • Demo
JOSE
JWT format { "alg": "RS256" } { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "joe@example.com", "email_verified": true } Header Claims Signature
JWT encoding base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature) eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW 1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdll sYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEV qZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYz MDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxN DQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb 20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7Dq pR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EA puY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPD LLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8 xEwXJFIdk6SRktTFrVNHAOIhEQsgm8 Header Claims Signature
JWA - signature types HMAC (Symmetric) Digital Signature (Asymmetric)
JWS – symmetric keys Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Symmetric Key
JWS – asymmetric keys Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Public key Private key
JOSE onion claims signed claims encrypted claims • JWS – JSON Web Signatures • JWT – JSON Web • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key JWT – Composes: JWA & JWK JWS JWE Reference
In practice
Iterative rollout Mobile Web API Security Interceptors C o n t e x tEvents Module AuthN Module Homepage Module User Service Security Interceptors Authorization: Bearer <JWT> Generate JWT
Iterative rollout Security Interceptors AuthN Service User Service Security Interceptors Authorization: Bearer <JWT> Event Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <JWT> Authorization: Bearer <JWT> Cookie / Token Mobile Web API
Key Rotation • Enable support for multiple acceptable public keys • Consider using a key hierarchy • Rotating AuthN CA requires change only AuthN service • Enable revocation checking Root CA (offline) Auth CA Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Public key Private key
JWT Java Libraries https://openid.net/developers/libraries/#jwt • Jose4j • Nimbus JOSE + JWT • Java JWT • Resteasy • Apache Oltu - JOSE
Demo
Final thoughts
Recap • Service auth with TLS • Transport level privacy and authentication • Service level authorization • User auth with JWTs • JWT • Stateless • Scalable • Authentication broker • Converts existing external identity attributes into internal claims • Internal claims enable federation across microservices • Code: https://github.com/wdawson/dropwizard-auth- example
How can Okta help? Universal Directory Single Sign-On Provisioning Adaptive Multi-factor Authentication Social Authentication Inbound Federation AD and LDAP Integration
Thank You Jon Todd @JonToddDotCom Wils Dawson @WilsDawson

Empfohlen

Kamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionKamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionOlle E Johansson
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker, Inc.
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
DevOps Roadmap.pptx
DevOps Roadmap.pptxDevOps Roadmap.pptx
DevOps Roadmap.pptxHARSH MANVAR
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices SecurityAditi Anand
 
Azure API Management
Azure API ManagementAzure API Management
Azure API ManagementDaniel Toomey
 

Empfohlen

Kamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionKamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionOlle E Johansson
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker, Inc.
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
DevOps Roadmap.pptx
DevOps Roadmap.pptxDevOps Roadmap.pptx
DevOps Roadmap.pptxHARSH MANVAR
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices SecurityAditi Anand
 
Azure API Management
Azure API ManagementAzure API Management
Azure API ManagementDaniel Toomey
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorKangaroot
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationCleo
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetesrajdeep
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017Docker, Inc.
 
CICD with Jenkins
CICD with JenkinsCICD with Jenkins
CICD with JenkinsVietnam Open Infrastructure User Group
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)Gourav Varma
 
Introduction to Spring Cloud
Introduction to Spring Cloud Introduction to Spring Cloud
Introduction to Spring Cloud VMware Tanzu
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring BootPurbarun Chakrabarti
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
The Complete Guide to Service Mesh
The Complete Guide to Service MeshThe Complete Guide to Service Mesh
The Complete Guide to Service MeshAspen Mesh
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-RegionJi-Woong Choi
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
第3讲 Tcpip协议栈
第3讲 Tcpip协议栈第3讲 Tcpip协议栈
第3讲 Tcpip协议栈F.l. Yu
 

Weitere ähnliche Inhalte

Was ist angesagt?

Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorKangaroot
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationCleo
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetesrajdeep
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017Docker, Inc.
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)Gourav Varma
 
Introduction to Spring Cloud
Introduction to Spring Cloud Introduction to Spring Cloud
Introduction to Spring Cloud VMware Tanzu
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
The Complete Guide to Service Mesh
The Complete Guide to Service MeshThe Complete Guide to Service Mesh
The Complete Guide to Service MeshAspen Mesh
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-RegionJi-Woong Choi
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 

Was ist angesagt? (20)

Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public Sector
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Introduction to Kubernetes
Introduction to KubernetesIntroduction to Kubernetes
Introduction to Kubernetes
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017
 
CICD with Jenkins
CICD with JenkinsCICD with Jenkins
CICD with Jenkins
 
Docker introduction (1)
Docker introduction (1)Docker introduction (1)
Docker introduction (1)
 
Introduction to Spring Cloud
Introduction to Spring Cloud Introduction to Spring Cloud
Introduction to Spring Cloud
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring Boot
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
The Complete Guide to Service Mesh
The Complete Guide to Service MeshThe Complete Guide to Service Mesh
The Complete Guide to Service Mesh
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 

Andere mochten auch

第3讲 Tcpip协议栈
第3讲 Tcpip协议栈第3讲 Tcpip协议栈
第3讲 Tcpip协议栈F.l. Yu
 
Linux Network Monitoring
Linux Network MonitoringLinux Network Monitoring
Linux Network MonitoringKenny (netman)
 
4 dezv-prenat-ii 2013
4 dezv-prenat-ii 20134 dezv-prenat-ii 2013
4 dezv-prenat-ii 2013jennypain
 
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...lisanl
 
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...heiland
 
Carrier grade ethernet presentation
Carrier grade ethernet presentationCarrier grade ethernet presentation
Carrier grade ethernet presentationTasuka Hsu
 
[H3 2012] OAuth2 - API 인증을위한 만능 도구상자
[H3 2012] OAuth2 - API 인증을위한 만능 도구상자[H3 2012] OAuth2 - API 인증을위한 만능 도구상자
[H3 2012] OAuth2 - API 인증을위한 만능 도구상자KTH, 케이티하이텔
 
Two factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google AuthenticatorTwo factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google AuthenticatorAllan Denot
 
High Endurance Last Level Hybrid Cache Design
High Endurance Last Level Hybrid Cache DesignHigh Endurance Last Level Hybrid Cache Design
High Endurance Last Level Hybrid Cache Designkeerthi thallam
 
Portafolio de objetos dibujados a mano alzada y en cad
Portafolio de objetos dibujados a mano alzada y en cadPortafolio de objetos dibujados a mano alzada y en cad
Portafolio de objetos dibujados a mano alzada y en cad3219082707
 
INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?
INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?
INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?PriceBailey
 

Andere mochten auch (20)

Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
第3讲 Tcpip协议栈
第3讲 Tcpip协议栈第3讲 Tcpip协议栈
第3讲 Tcpip协议栈
 
Linux Network Monitoring
Linux Network MonitoringLinux Network Monitoring
Linux Network Monitoring
 
4 dezv-prenat-ii 2013
4 dezv-prenat-ii 20134 dezv-prenat-ii 2013
4 dezv-prenat-ii 2013
 
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
 
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant...
 
Carrier grade ethernet presentation
Carrier grade ethernet presentationCarrier grade ethernet presentation
Carrier grade ethernet presentation
 
[H3 2012] OAuth2 - API 인증을위한 만능 도구상자
[H3 2012] OAuth2 - API 인증을위한 만능 도구상자[H3 2012] OAuth2 - API 인증을위한 만능 도구상자
[H3 2012] OAuth2 - API 인증을위한 만능 도구상자
 
Two factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google AuthenticatorTwo factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google Authenticator
 
7hna7qe
7hna7qe7hna7qe
7hna7qe
 
United National Bank
United National BankUnited National Bank
United National Bank
 
Sekuentzia Didaktikoa
Sekuentzia DidaktikoaSekuentzia Didaktikoa
Sekuentzia Didaktikoa
 
Best cases time
Best cases timeBest cases time
Best cases time
 
SM PDF.com
SM PDF.comSM PDF.com
SM PDF.com
 
High Endurance Last Level Hybrid Cache Design
High Endurance Last Level Hybrid Cache DesignHigh Endurance Last Level Hybrid Cache Design
High Endurance Last Level Hybrid Cache Design
 
Portafolio de objetos dibujados a mano alzada y en cad
Portafolio de objetos dibujados a mano alzada y en cadPortafolio de objetos dibujados a mano alzada y en cad
Portafolio de objetos dibujados a mano alzada y en cad
 
Sanchaita Pal
Sanchaita PalSanchaita Pal
Sanchaita Pal
 
GERRY MC AUTOBODY
GERRY MC AUTOBODYGERRY MC AUTOBODY
GERRY MC AUTOBODY
 
INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?
INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?
INFOGRAPHIC: EU Referendum – What do UK business leaders feel about the EU?
 
Inglesiii
InglesiiiInglesiii
Inglesiii
 

Ähnlich wie REST Service Authetication with TLS & JWTs

What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
 
DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101Dasith Wijesiriwardena
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign OnHelp! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign OnSaloni Shah
 
Military-Grade Security for APIs
Military-Grade Security for APIsMilitary-Grade Security for APIs
Military-Grade Security for APIsNordic APIs
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use itSergey Podgornyy
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffDucAnhLe56
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...petarvucetin
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...petarvucetin2
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPSJackio Kwok
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8Ashish Agrawal
 

Ähnlich wie REST Service Authetication with TLS & JWTs (20)

What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
 
DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign OnHelp! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Military-Grade Security for APIs
Military-Grade Security for APIsMilitary-Grade Security for APIs
Military-Grade Security for APIs
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8
 

Kürzlich hochgeladen

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 

Kürzlich hochgeladen (20)

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 

REST Service Authetication with TLS & JWTs

  • 1. Jon Todd @JonToddDotCom REST Service Auth with JWTs Wils Dawson @WilsDawson
  • 2. About Okta Okta is the foundation for secure connections between people and technology
  • 3. Used in 185 countries
  • 5. Goals 1. Demystify claims based auth with Json Web Tokens (JWT) 2. Learn how we solve service auth @Okta 3. Real world code example using Dropwizard
  • 6. 1 Background • Concepts • The service auth problem 2 Service Auth 3 User Auth
  • 8. Verifying you are who you say you are (AuthN) Authentication
  • 9. What you are allowed to do (AuthZ) Authorization
  • 11. Identity attributes about a user provided by a trusted issuer Examples: kerberos ticket, SAML assertion, JWT Claims
  • 12. Boarding pass is a signed set of claims made by the airline about you • Issued by airline • Claims • Name (authentication) • Flight Date/Time, Number and Seating Priority (authorization) • Bar code/magnetic strip (signature) • Proves that the pass was issued by the airline and is not a forgery (authenticity). Claims example
  • 13. OK, I get claims. But why use JWTs?
  • 16. JSON Object Signing & Encryption (JOSE) Working group: https://datatracker.ietf.org/wg/jose/charter/ • JWS – JSON Web Signatures • JWT – JSON Web Token (pronounced “jot”) • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "karl@example.com", "email_verified": true } Claims
  • 17. Single authentication trusted across multiple separate systems Examples: WS-Federation, SAML, OpenID Connect Federation
  • 18. Federation example • At ticket counter trade credentials for ticket (authentication broker) • Passport • Driver’s license • Agent at counter verifies credentials • ID issued by trusted source (trust) • Scans barcode and verifies photo (authentication) • Verifies flight is paid for and seat assigned (authorization) • Agent issues ticket (claims) • Ticket is accepted by multiple, independent parties (federation) • Security line entry • TSA check • Gate agent
  • 20. Federation standards shift https://www.flickr.com/photos/robbies/693510178 • JWS – JSON Web Signatures • JWT – JSON Web Token • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key JW-
  • 21. Use cases Delegated access OAuth 2.0 Identity claims JOSE OpenID ConnectFederation
  • 22. OAuth 2 Framework RFC 6749 Assertion Framework RFC 7521 Token Introspection RFC 7662 Token Revocation RFC 7009 Dynamic Client Registration RFC 7591 JSON RFC 7159 JSON Web Token Bearer Assertion RFC 7523 Proof Key for Code Exchange (PKCE) RFC 7636 Simple Authentication and Security Layer (SASL) RFC 7628 Token Exchange Draft SAML 2.0 Bearer Assertion RFC 7522 Proof of Possession Draft JSON Web Token (JWT) RFC 7519 JSON Web Signature (JWS) RFC 7515 JSON Web Encryption (JWE) RFC 7516 JSON Web Key (JWK) RFC 7517 Bearer Token RFC 6750
  • 23. The service auth problem
  • 24. Monolithic auth model Security Interceptors C o n t e x t GET https://myapplication.com/home AuthN Module Mobile Web API
  • 25. Monolithic auth model GET https://myapplication.com/home Security Interceptors C o n t e x tUser Module Events Module AuthN Module Homepage Module Log eventsLookup user Mobile Web API
  • 26. Services auth model - context Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <token> GET https://myapplication.com/home Authorization: Bearer <token> Authorization: Bearer<token> C o n t e x t Lookup user ID with token  Mobile Web API
  • 27. Services auth model - claims Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <jwt> Authorization: Bearer <jwt> Authorization: Bearer <jwt> { “userId”:”…”, “tenantId”:”...”, “scope”:”PROFILE_READ” } Issues access jwt after authN Claims example Concepts • Claims • Authentication broker • Federation Mobile Web API
  • 28. Layers of security Perimeter Service Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <claims_token> User
  • 29. 1 Background 2 Service Auth • TLS overview • Adding AuthZ • Demo 3 User Auth
  • 31. What is TLS? • Secure Sockets Layer (SSL)  Transport Layer Security (TLS) • Symmetric cryptography for data encryption • Protection against failure via MAC • Identity of communicating parties via asymmetric cryptography
  • 32. TLS handshake Client Server 2 Server Hello (with cert) 4 Finished 5 Finished Secured Channel Client Hello 1 3 Calculate Symmetric Key 3 • Hello • Key Exchange • Finished https://upload.wikimedia.org/wikipedia/commons/thumb/4/46/Diffie- Hellman_Key_Exchange.svg/2000px-Diffie-Hellman_Key_Exchange.svg.png
  • 33. Who’s authenticated? Event ServiceUser Service Homepage Service Hello Hello, here’s my certificate Secured Channel User Service
  • 34. TLS client authentication Client Server 2 Client Certificate Request 4 Certificate Verify 5 Calculate Key and Finish Secured Channel Hello 1 3 Client Certificate 1 5 • Client talking to authentic server • Server talking to known client • Requires client to have certificate
  • 35. That’s a lot of certificates Event ServiceUser Service Homepage Service • Enable support for multiple acceptable public keys • Consider using a key hierarchy • Rotating User CA requires change only to User Service • Enable revocation checking Root CA (offline) User CA Event CA Homepage CA
  • 36. Problem solved? Event ServiceUser Service Homepage Service User Service ISS: Root CA Event Service ISS: Root CA Homepage Service ISS: Root CA
  • 38. Hostname verification • Standard (RFC 2818) • Match hostname of client to certificate • Hard when services share hosts like in a cluster manager Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=homepage03.internal.acme.com Homepage Service
  • 39. Service-name verification • Tie certificates to services rather than hosts • Better portability • Simpler deployments • No standard • Application level Subject: C=US, ST=California, L=San Francisco, O=Acme Inc, OU=Engineering, CN=dev.homepage-service Homepage Service
  • 40. TLS client authentication for internal services http://developer.okta.com/blog/ More info?
  • 41. Demo
  • 42. So we’re done right? Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Mobile Web API
  • 43. 1 Background 2 Service Auth 3 User Auth • JOSE • In practice • Demo
  • 44. JOSE
  • 45. JWT format { "alg": "RS256" } { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "joe@example.com", "email_verified": true } Header Claims Signature
  • 46. JWT encoding base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature) eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW 1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdll sYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEV qZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYz MDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxN DQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb 20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7Dq pR22LLti777AMMVCxM7FjEPKZQndAS_Cc6R54wuQ5EA puY6GVFCkIlnfbNmYSbHMkO4HL3uoeXVOPQmcqhNPD LLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8 xEwXJFIdk6SRktTFrVNHAOIhEQsgm8 Header Claims Signature
  • 47. JWA - signature types HMAC (Symmetric) Digital Signature (Asymmetric)
  • 48. JWS – symmetric keys Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Symmetric Key
  • 49. JWS – asymmetric keys Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Public key Private key
  • 50. JOSE onion claims signed claims encrypted claims • JWS – JSON Web Signatures • JWT – JSON Web • JWE – JSON Web Encryption • JWA – JSON Web Algorithms • JWK – JSON Web Key JWT – Composes: JWA & JWK JWS JWE Reference
  • 52. Iterative rollout Mobile Web API Security Interceptors C o n t e x tEvents Module AuthN Module Homepage Module User Service Security Interceptors Authorization: Bearer <JWT> Generate JWT
  • 53. Iterative rollout Security Interceptors AuthN Service User Service Security Interceptors Authorization: Bearer <JWT> Event Service Security Interceptors Homepage Service Security Interceptors Authorization: Bearer <JWT> Authorization: Bearer <JWT> Cookie / Token Mobile Web API
  • 54. Key Rotation • Enable support for multiple acceptable public keys • Consider using a key hierarchy • Rotating AuthN CA requires change only AuthN service • Enable revocation checking Root CA (offline) Auth CA Event Service Security Interceptors User Service Security Interceptors AuthN Service Security Interceptors Homepage Service Security Interceptors Public key Private key
  • 55. JWT Java Libraries https://openid.net/developers/libraries/#jwt • Jose4j • Nimbus JOSE + JWT • Java JWT • Resteasy • Apache Oltu - JOSE
  • 56. Demo
  • 58. Recap • Service auth with TLS • Transport level privacy and authentication • Service level authorization • User auth with JWTs • JWT • Stateless • Scalable • Authentication broker • Converts existing external identity attributes into internal claims • Internal claims enable federation across microservices • Code: https://github.com/wdawson/dropwizard-auth- example
  • 59. How can Okta help? Universal Directory Single Sign-On Provisioning Adaptive Multi-factor Authentication Social Authentication Inbound Federation AD and LDAP Integration

Hinweis der Redaktion

  1. Use the right tool for the job Backend server stack is almost entirely Java with use of Jetty and Dropwizard to get a flavor of some of the tools
  2. Transition: OK, I get claims. So if claims have been around in for such a long time why do people care about JWTs?
  3. Clean
  4. The concept of federation is very broad As it relates to microservices/SOA, the idea is that as you break a system up, federation provides a model for services to
  5. Just as we’ve traded in angle brackets for curlies the industry has moving from WS-* to OIDC It’s starting to look like the Deathstar isn’t it? The OpenID space isn’t without it’s own comical abbreviations: But they certainly are more appetizing
  6. Security interceptors Validates AuthN is still valid Validates user in context has correct permissions to access resource (AuthZ) Context supplies authenticated user in context and permissions to all the other code in the monolith AuthN module – code which knows how to authenticate a user. If interceptor determines user’s needs authentication AuthN module Notice how AuthN is typically centralize but AuthZ decisions are distributed across the codebase
  7. REST is stateless, we have no more shared context so how are we going to pass User info along to each service? Naive approach is with the same random token we’ve been using
  8. We can solve the context problem with baking important attributes into the claims token to prevent lookups Now that we have a centralized AuthN service, we can extend the federation with claims
  9. For the remainder of the talk we’re going focus on applying this federated claims based approach to auth. In particular, we’re going to focus on backend service auth and we’re going to make the assumption that your services are talking HTTP Important to note that while we are addressing client auth scenarios in this talk, the model we’ll be putting place naturally extends to the client following the OAuth model Layers: Perimeter – outside the scope of this presentation Host – host level authentication and transport level security with TLS User -
  10. SSL predecessor Secure key exchange = symmetric  data exchange use symmetric Message Authentication Code Public key crypto for authentication
  11. Hello = what do we support? Key exchange = Where the magic happens, cipher dependent. “Master secret” & paint Finished = encrypted test
  12. Back to our services… What just happened? Cert offering = authentication Could be anyone: Another service An attacker So what can we do?
  13. Client extra step = verify can access private key Trust root is better than client, rotation  opens attack vector
  14. Quick word about certificates… How do we manage those certificates? A few things to consider, eveyone is different. Multiple acceptable keys means rotation is easier Key hierarchy means rotation is easier Multiple ways to do this For this talk, we’ll assume offline root, services underneath that Revocation checking = easier rotation & required for rotation Ok so, we’ve given our services each their own certificate that has a trust chain up to our root. Let’s go back to the TLS client authentication
  15. Not quite. Since they are all signed by the root, and that’s what we’re trusting, Event Service can still talk. Ways around this, like not trusting root, but then we have rotation issues like I just talked about. What are my options if I want to trust the root, but don’t want the event service to talk? AuthZ: We’ve estabilished “Who you are” now we want to know “What can you do?”
  16. ”HTTP over TLS” standard RFC Client  Server && Server  Client If your services share hosts = harder Wildcard or subjectAltName extension Depending on environment, don’t solve the problem
  17. Portability  any host works Deployments  no special config per host No standard .. sadface Application level Regex Authoritative, omnipotent service
  18. We can solve the context problem with baking important attributes into the claims token to prevent lookups Now that we have a centralized AuthN service, we can extend the federation with claims
  19. Audience question: What’s a security drawback of the symmetric key approach?
  20. Walk the flow Clients continue to use existing auth mechanism AuthN Module converts external session / token representations into internal JWT Potential future updates Consider OpenID Connect at the client level Remove homepage service entirely Generate service specific access tokens up in the client (Oauth 2.0)
  21. There are a number of great options We use Nimbus JWT Add our own policy on certificate revocation checking
  22. JWT Stateless no need for a DB user info Scalable No need to query a DB to check if the token is valid No need to call other services for data already computed in the token
  23. At the core we make it easier to adopt cloud 3000 customers using Okta to connect with cloud apps Adobe developer built the creative cloud auth on top of Okta for federated enterprise authentication Companies already have their own AD or LDAP. Okta makes getting on to using CC faster and easier Advent Universal directory per customer