Anzeige
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Check these out next

An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
Amazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
OAuth 2
OAuth 2
ChrisWood262
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
1 von 81

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

9. Sep 2015
Downloaden Sie, um offline zu lesen
Software

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro. Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server. In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too. There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation. Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system. In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.

Alvaro Sanchez-Mariscal
Software Engineer um VMWare
Anzeige
Anzeige
Anzeige

Recomendados

Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy11.5K Aufrufe73 Folien
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy2.9K Aufrufe39 Folien
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki14.6K Aufrufe78 Folien
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver28.1K Aufrufe72 Folien
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.5.5K Aufrufe12 Folien
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen4.5K Aufrufe44 Folien

Más contenido relacionado

Presentaciones para ti(20)

An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy685 Aufrufe
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services3K Aufrufe
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd8K Aufrufe
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal7.4K Aufrufe
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki108K Aufrufe
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman1.4K Aufrufe
OAuth 2OAuth 2
OAuth 2
ChrisWood262271 Aufrufe
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia5.4K Aufrufe
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov11K Aufrufe
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
FIDO Alliance2.5K Aufrufe
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura18.1K Aufrufe
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin993 Aufrufe
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena2.6K Aufrufe
IdM and ACIdM and AC
IdM and AC
Fernando Lopez Aguilar2.5K Aufrufe
Building Cloud-Native Applications with HelidonBuilding Cloud-Native Applications with Helidon
Building Cloud-Native Applications with Helidon
Dmitry Kornilov939 Aufrufe
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell40.1K Aufrufe
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom773 Aufrufe
俺が考えた最強のID連携デザインパターン俺が考えた最強のID連携デザインパターン
俺が考えた最強のID連携デザインパターン
Masaru Kurahayashi9.4K Aufrufe
OAuthOAuth
OAuth
Iván Fernández Perea2.3K Aufrufe
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial
FIDO Alliance1.6K Aufrufe

Similar a Stateless authentication with OAuth 2 and JWT - JavaZone 2015(20)

Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal9.5K Aufrufe
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal5K Aufrufe
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal2.9K Aufrufe
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal1.4K Aufrufe
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
Alvaro Sanchez-Mariscal61.2K Aufrufe
Stateless token-based authentication for pure front-end applicationsStateless token-based authentication for pure front-end applications
Stateless token-based authentication for pure front-end applications
Alvaro Sanchez-Mariscal13.8K Aufrufe
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena1.8K Aufrufe
APIdays Paris 2018 - Learning the OAuth Dance (Without Stepping on Anyone's T...APIdays Paris 2018 - Learning the OAuth Dance (Without Stepping on Anyone's T...
APIdays Paris 2018 - Learning the OAuth Dance (Without Stepping on Anyone's T...
apidays259 Aufrufe
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
Calvin Noronha2K Aufrufe
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
Intuit Developer3.1K Aufrufe
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
Profesia Srl a socio unico35 Aufrufe
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Dilip Mohapatra1.9K Aufrufe
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti3.1K Aufrufe
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya962 Aufrufe
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2
Aaron Parecki3.7K Aufrufe
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
Michał Wcisło473 Aufrufe
Id fiware upm-ditId fiware upm-dit
Id fiware upm-dit
Joaquín Salvachúa1.7K Aufrufe
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Aaron Parecki6.5K Aufrufe
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz249 Aufrufe
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar934 Aufrufe
Anzeige

Más de Alvaro Sanchez-Mariscal(20)

Serverless functions with MicronautServerless functions with Micronaut
Serverless functions with Micronaut
Alvaro Sanchez-Mariscal1.8K Aufrufe
Asynchronous and event-driven Grails applicationsAsynchronous and event-driven Grails applications
Asynchronous and event-driven Grails applications
Alvaro Sanchez-Mariscal2.1K Aufrufe
6 things you need to know about GORM 66 things you need to know about GORM 6
6 things you need to know about GORM 6
Alvaro Sanchez-Mariscal2.5K Aufrufe
Reactive microservices with Micronaut - GR8Conf EU 2018Reactive microservices with Micronaut - GR8Conf EU 2018
Reactive microservices with Micronaut - GR8Conf EU 2018
Alvaro Sanchez-Mariscal2.4K Aufrufe
Reactive microservices with Micronaut - Greach 2018Reactive microservices with Micronaut - Greach 2018
Reactive microservices with Micronaut - Greach 2018
Alvaro Sanchez-Mariscal14.5K Aufrufe
Practical Spring CloudPractical Spring Cloud
Practical Spring Cloud
Alvaro Sanchez-Mariscal866 Aufrufe
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
Alvaro Sanchez-Mariscal1.8K Aufrufe
Mastering Grails 3 Plugins - G3 Summit 2016Mastering Grails 3 Plugins - G3 Summit 2016
Mastering Grails 3 Plugins - G3 Summit 2016
Alvaro Sanchez-Mariscal531 Aufrufe
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring SecurityDesarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
Alvaro Sanchez-Mariscal812 Aufrufe
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
Alvaro Sanchez-Mariscal1.8K Aufrufe
Mastering Grails 3 Plugins - GR8Conf US 2016Mastering Grails 3 Plugins - GR8Conf US 2016
Mastering Grails 3 Plugins - GR8Conf US 2016
Alvaro Sanchez-Mariscal896 Aufrufe
Mastering Grails 3 Plugins - GR8Conf EU 2016Mastering Grails 3 Plugins - GR8Conf EU 2016
Mastering Grails 3 Plugins - GR8Conf EU 2016
Alvaro Sanchez-Mariscal968 Aufrufe
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
Alvaro Sanchez-Mariscal1.1K Aufrufe
Mastering Grails 3 Plugins - Greach 2016Mastering Grails 3 Plugins - Greach 2016
Mastering Grails 3 Plugins - Greach 2016
Alvaro Sanchez-Mariscal2.4K Aufrufe
Creating applications with Grails, Angular JS and Spring SecurityCreating applications with Grails, Angular JS and Spring Security
Creating applications with Grails, Angular JS and Spring Security
Alvaro Sanchez-Mariscal6.4K Aufrufe
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
Alvaro Sanchez-Mariscal1K Aufrufe
Efficient HTTP applications on the JVM with Ratpack - JDD 2015Efficient HTTP applications on the JVM with Ratpack - JDD 2015
Efficient HTTP applications on the JVM with Ratpack - JDD 2015
Alvaro Sanchez-Mariscal1.6K Aufrufe
Ratpack 101 - GR8Conf 2015Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015
Alvaro Sanchez-Mariscal2.2K Aufrufe
Ratpack 101 - GeeCON 2015Ratpack 101 - GeeCON 2015
Ratpack 101 - GeeCON 2015
Alvaro Sanchez-Mariscal1.7K Aufrufe
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
Alvaro Sanchez-Mariscal2.8K Aufrufe

Último(20)

DETECTION OF QR CODE.pptx DETECTION OF QR CODE.pptx
DETECTION OF QR CODE.pptx
ELECTRONICSCOMMUNICA63 Aufrufe
Are you ready for AI? Is AI ready for you?Are you ready for AI? Is AI ready for you?
Are you ready for AI? Is AI ready for you?
KonfHubTechConferenc47 Aufrufe
Fansportiz - Fantasy Sports app development companyFansportiz - Fantasy Sports app development company
Fansportiz - Fantasy Sports app development company
Fansportiz - Fantasy Sports app development company2 Aufrufe
Formal Specification through ModelingFormal Specification through Modeling
Formal Specification through Modeling
Mohammed Assiri0 Aufrufe
Hotel APIHotel API
Hotel API
ChetnaPatil340 Aufrufe
MANUAL 1.pdfMANUAL 1.pdf
MANUAL 1.pdf
RAMIREZHERNANDEZNOEM3 Aufrufe
reverse engineering.pptxreverse engineering.pptx
reverse engineering.pptx
alishahid2449861 Aufruf
rkp_bio_June_2023.docxrkp_bio_June_2023.docx
rkp_bio_June_2023.docx
DR. Ram Kumar Pathak2 Aufrufe
PPT-UEU-Basis-Data-Pertemuan-1.pptxPPT-UEU-Basis-Data-Pertemuan-1.pptx
PPT-UEU-Basis-Data-Pertemuan-1.pptx
UbaidURRahman781 Aufruf
Software Architecture.pptSoftware Architecture.ppt
Software Architecture.ppt
MuhammadTalha4162212 Aufrufe
Production-ready GraphQL with CalibanProduction-ready GraphQL with Caliban
Production-ready GraphQL with Caliban
Pierre Ricadat4 Aufrufe
seminarppt (2).pptxseminarppt (2).pptx
seminarppt (2).pptx
VrushankChops10 Aufrufe
Exploring Generating AI with Diffusion ModelsExploring Generating AI with Diffusion Models
Exploring Generating AI with Diffusion Models
KonfHubTechConferenc142 Aufrufe
codex (1).pptcodex (1).ppt
codex (1).ppt
ssuserdf52ca0 Aufrufe
How to export EML files into Outlook PST formats?How to export EML files into Outlook PST formats?
How to export EML files into Outlook PST formats?
MailsDaddy0 Aufrufe
wordpress pluginswordpress plugins
wordpress plugins
sanjanaavivintern0 Aufrufe
operator ppt.pptoperator ppt.ppt
operator ppt.ppt
MrSharadtechnical0 Aufrufe
06_08_emea_how_to_evaluate_rollout_and_operationalize_your_sdwan_projects_web...06_08_emea_how_to_evaluate_rollout_and_operationalize_your_sdwan_projects_web...
06_08_emea_how_to_evaluate_rollout_and_operationalize_your_sdwan_projects_web...
ThousandEyes2 Aufrufe
Data Conversion.pptData Conversion.ppt
Data Conversion.ppt
Amit Sharma2 Aufrufe
Zethic’s Basics of App Development - Step-by-Step Guide.pdfZethic’s Basics of App Development - Step-by-Step Guide.pdf
Zethic’s Basics of App Development - Step-by-Step Guide.pdf
Zethic 5 Aufrufe
Anzeige

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

  1. @alvaro_sanchez Stateless authentication with OAuth 2 and JWT Álvaro Sánchez-Mariscal Application Architect - 4finance IT
  2. @alvaro_sanchez About me ● Passionate Software Developer. ○ Living in Madrid, Spain. ● Working in Java since 2001. ○ Groovy fanboy since 2007. ● Speaker at GeeCON, JavaLand, Codemotion...
  3. @alvaro_sanchez About ● We build: ○ Consumer loan systems. ○ Lending platform. ○ Payment systems. ○ Personal budgeting. ○ Anti-fraud and risk system. ● We use: ○ Spring Boot. ○ Gradle. ○ Java 8. ○ Groovy. ○ Jenkins, Ansible, ... ● We hire the best talent: ○ In Warsaw, Prague, Riga, Vilnius and London. ○ At http://www.4financeit.com.
  4. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Q&A.
  5. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Q&A.
  6. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Q&A.
  7. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Q&A.
  8. @alvaro_sanchez Authentication in monolithic apps ● Historically, authentication has always been a stateful service. ● When moving to Single-Page Applications, and/or having mobile clients, it becomes an issue. ● If you are build a REST and stateless API, your authentication should be that way too.
  9. @alvaro_sanchez Microservices by http://martinfowler.com/articles/microservices. html
  10. @alvaro_sanchez Microservices by http://martinfowler.com/articles/microservices. html
  11. @alvaro_sanchez Monolithic vs Microservices Monolithic Microservices
  12. @alvaro_sanchez The world-famous infographic
  13. @alvaro_sanchez Authentication and microservices ● Authentication: to verify the identity of the user given the credentials received. ● Authorization: to determine if the user should be granted access to a particular resource. ● In a microservices context: ○ Authentication can be a microservice itself. ○ Authorization is a common functionality in all of them.
  14. @alvaro_sanchez Authentication and microservices Javascript front- end UI Mobile app Shopping cart Service Catalog Service Authentication Service Orders Service Shipping Service User repository Shipping partners Catalog DB Invoicing DB Web Backend Mobile Backend
  15. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Q&A.
  16. @alvaro_sanchez Introducing OAuth 2.0 An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
  17. @alvaro_sanchez OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO.
  18. @alvaro_sanchez OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO.
  19. @alvaro_sanchez OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO.
  20. @alvaro_sanchez OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO.
  21. @alvaro_sanchez OAuth 2.0: protocol flow I want to see a list of games
  22. @alvaro_sanchez OAuth 2.0: protocol flow Hey, backend, could you please give me a list of games?
  23. @alvaro_sanchez OAuth 2.0: protocol flow Sorry mate, this is a protected resource. You will need to present me an access token
  24. @alvaro_sanchez OAuth 2.0: protocol flow Hi Google, can I get an access token please? Backend is asking
  25. @alvaro_sanchez OAuth 2.0: protocol flow Sure thing sir. I just need to ask a few details to the user first
  26. @alvaro_sanchez OAuth 2.0: protocol flow Hi, could you please provide me your credentials? I need to verify your identity
  27. @alvaro_sanchez OAuth 2.0: protocol flow That’s no problem at all. I am bob@gmail.com and my password is secret.
  28. @alvaro_sanchez OAuth 2.0: protocol flow The user is who claims to be. Here is your access token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa
  29. @alvaro_sanchez OAuth 2.0: protocol flow Hi Backend, this is my token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa
  30. @alvaro_sanchez OAuth 2.0: protocol flow Hi, I’ve been given qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa. Could you please tell me who it belongs to?
  31. @alvaro_sanchez OAuth 2.0: protocol flow Of course. That token is still valid and it belongs to bob@gmail.com.
  32. @alvaro_sanchez OAuth 2.0: protocol flow Everything is allright. This is the list of games. Enjoy!
  33. @alvaro_sanchez OAuth 2.0: protocol flow Here you are the list of games.Thank you for your business and have a good day!
  34. @alvaro_sanchez OAuth 2.0: protocol flow OAuth 2.0 is a delegation protocol, as this guy has no idea about the credentials of this guy
  35. @alvaro_sanchez OAuth 2.0: grant types ● Authorization code: for web server applications. ● Implicit: for JS front-ends and mobile apps. ● Resource Owner Password Credentials: for trusted clients. ● Client credentials: for service authentication.
  36. @alvaro_sanchez Authorization code grant ● For server-based applications, where the client ID and secret are securely stored. ● It’s a redirect flow, so it’s for web server apps. ● The client (web server app) redirects the user to the authorization server to get a code. ● Then, using the code and its client credentials asks for an access token.
  37. @alvaro_sanchez Authorization code grant http://myServerApp.com
  38. @alvaro_sanchez Authorization code grant https://facebook.com/dialog/oauth ?response_type=code &client_id=YOUR_CLIENT_ID &redirect_uri= http://myServerApp.com/oauth &scope=email,public_profile
  39. @alvaro_sanchez Authorization code grant http://myServerApp.comhttp://facebook.com
  40. @alvaro_sanchez Authorization code grant http://myServerApp.comhttps://facebook.com
  41. @alvaro_sanchez Authorization code grant https://myServerApp.com/oauth?code=CODE Finishing authentication...
  42. @alvaro_sanchez Authorization code grant Server-side POST request to: https://graph. facebook.com/oauth/access_token With this body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=http://myServerApp.com &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET
  43. @alvaro_sanchez Authorization code grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" }
  44. @alvaro_sanchez Implicit grant ● For web applications running on the browser (eg: AngularJS, etc) or mobile apps. ● Client credentials confidentiality cannot be guaranteed. ● Similar to the code grant, but in this case, the client gets an access token directly.
  45. @alvaro_sanchez Implicit grant http://myFrontendApp.com/#/home
  46. @alvaro_sanchez Implicit grant https://facebook.com/dialog/oauth ?response_type=token &client_id=YOUR_CLIENT_ID &redirect_uri= http://myFrontendApp.com/#/cb &scope=email,public_profile
  47. @alvaro_sanchez Implicit grant http://myServerApp.comhttps://facebook.com
  48. @alvaro_sanchez Implicit grant https://myFrontendApp.com/#/cb?token=TOKEN Finishing authentication...
  49. @alvaro_sanchez Password credentials grant ● In this case, client collects username and password to get an access token directly. ● Viable solution only for trusted clients: ○ The official website consumer of your API. ○ The official mobile app consuming your API. ○ Etc.
  50. @alvaro_sanchez Password credentials grant
  51. @alvaro_sanchez Password credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=password &username=USERNAME&password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET
  52. @alvaro_sanchez Password credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" }
  53. @alvaro_sanchez Client credentials grant ● Service-to-service authentication, without a particular user being involved. ○ Eg: the Orders microservice making a request to the Invoicing microservice. ● The application authenticates itself using its client ID and client secret.
  54. @alvaro_sanchez Client credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET
  55. @alvaro_sanchez Client credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" }
  56. @alvaro_sanchez Accessing the protected resource Once the client has an access token, it can request a protected resource: GET /games HTTP/1.1 Host: api.example.org Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
  57. @alvaro_sanchez Token expiration and refresh ● If the Authorization Server issues expiring tokens, they can be paired with refresh tokens. ● When the access token has expired, the refresh token can be used to get a new access token.
  58. @alvaro_sanchez Tips for a front-end application ● Use the implicit grant. ○ Already supported for 3rd party providers like Google, Facebook. ○ If you hold your own users, have your backend to implement the OAuth 2.0 Authorization Server role. ● Use HTML5’s localStorage for access and refresh tokens.
  59. @alvaro_sanchez Authentication - Classic approach https://myServerApp.com/
  60. @alvaro_sanchez Authentication - Classic approach https://myServerApp.com/login/auth
  61. @alvaro_sanchez Authentication - Classic approach https://myServerApp.com/home Logged in.
  62. @alvaro_sanchez Your own OAuth 2.0 Auth Server https://myServerApp.com/
  63. @alvaro_sanchez Your own OAuth 2.0 Auth Server https://id.myCorp.com/?client_id=X&redirect_uri=Y
  64. @alvaro_sanchez Your own OAuth 2.0 Auth Server https://myServerApp.com/oauth?code=CODE Finishing authentication...
  65. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Q&A.
  66. @alvaro_sanchez Stateful vs. Stateless ● Authorization Servers are often stateful services. ○ They store issued access tokens in databases for future checking. ● How can we achieve statelessness? ○ Issuing JWT tokens as access tokens.
  67. @alvaro_sanchez Introducing JWT JSON Web Token is a compact URL-safe means of representing claims to be transferred between two parties. The claims are encoded as a JSON object that is digitally signed by hashing it using a shared secret between the parties.
  68. @alvaro_sanchez Introducing JWT... in Plain English A secure way to encapsulate arbitrary data that can be sent over unsecure URL’s.
  69. @alvaro_sanchez When can JWT be useful? ● When generating “one click” action emails. ○ Eg: “delete this comment”, “add this to favorites”. ● To achieve Single Sign-On. ○ Sharing the JWT between different applications. ● Whenever you need to securely send a payload. ○ Eg: to “obscure” URL parameters or POST bodies.
  70. @alvaro_sanchez When can JWT be useful? http://myApp.com/comment/delete/123 VS http://myApp.com/RsT5OjbzRn430zqMLg { "user": "homer.simpson", "controller": "comment", "action": "delete", "id": 123 }
  71. @alvaro_sanchez When can JWT be useful? POST /transfer HTTP/1.1 from=acc1&to=acc2&amount=1000 VS POST /transfer HTTP/1.1 RsT5OjbzRn430zqMLg { "from": "acc1", "to": "acc2", "amount": "1000" }
  72. @alvaro_sanchez How does a JWT look like? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJleHAiOjE0MTY0NzE5MzQsInVzZXJfbmFtZSI6InV zZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYX V0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfV VNFUiJdLCJqdGkiOiI5YmM5MmE0NC0wYjFhLTRjNWUt YmU3MC1kYTUyMDc1YjlhODQiLCJjbGllbnRfaWQiOiJ teS1jbGllbnQtd2l0aC1zZWNyZXQifQ. AZCTD_fiCcnrQR5X7rJBQ5rO-2Qedc5_3qJJf-ZCvVY Header Claims Signature
  73. @alvaro_sanchez JWT Header { "alg": "HS256", "typ": "JWT" }
  74. @alvaro_sanchez JWT Claims { "exp": 1416471934, "user_name": "user", "scope": [ "read", "write" ], "authorities": [ "ROLE_ADMIN", "ROLE_USER" ], "jti": "9bc92a44-0b1a-4c5e-be70-da52075b9a84", "client_id": "my-client-with-secret" }
  75. @alvaro_sanchez Signature HMACSHA256( base64(header) + "." + base64(payload), "secret" )
  76. @alvaro_sanchez Sample access token response { "access_token": "eyJhbGciOiJIUzI1NiJ9. eyJleHAiOjE0MTY0NzEwNTUsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZS I6WyJyZWFkIiwid3JpdGUiXSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1J TiIsIlJPTEVfVVNFUiJdLCJqdGkiOiIzZGJjODE4Yi0wMjAyLTRiYzItYT djZi1mMmZlNjY4MjAyMmEiLCJjbGllbnRfaWQiOiJteS1jbGllbnQtd2l0 aC1zZWNyZXQifQ. Wao_6hLnOeMHS4HEel1UGWt1g86ad9N0qCexr1IL7IM", "token_type": "bearer", "expires_in": 43199, "scope": "read write", "jti": "3dbc818b-0202-4bc2-a7cf-f2fe6682022a" }
  77. @alvaro_sanchez Achieving statelessness ● Instead of storing the access token / principal relationship in a stateful way, do it on a JWT. ● Access tokens with the JWT-encoded principal can be securely stored on the client’s browser. ● That way you are achieving one of the basic principles of REST: State Transfer.
  78. @alvaro_sanchez Tips for using JWT ● JWT claims are normally just signed (JWS - JSON Web Signature). ○ It prevents the content to be tampered. ● Use encryption to make it bomb proof. ○ Use any algorithm supported by JWE - JSON Web Encryption. ○ But be aware of performance!
  79. @alvaro_sanchez About logout functionality ● When going stateless, it’s impossible to invalidate JWT’s before they expire. ● Alternatives: ○ Introduce a stateful logout service. ○ Logout in the client and throw away the token. ○ Use short-lived JWT’s paired with refresh tokens. IMHO the best choice
  80. @alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Q&A.
  81. @alvaro_sanchez Álvaro Sánchez-Mariscal Application Architect - 4finance IT @alvaro_sanchez Images courtesy of Takk!
Anzeige