Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS

You know Apigee Edge does OAuth. But what about JWT? These slides will take a deep dive into working demonstrations of our advanced security features, including:

- how Edge can generate or validate JWT
- how to generate or validate JWS signatures
- how to encrypt and decrypt using JWE

Published in: Technology

Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS

1. ©2016 Apigee Corp. All Rights Reserved.
2. Today’s presenters: Dino Chiesa, Apigee, dchiesa@apigee.com; Vinit Mehta, Apigee, vmehta@apigee.com
3. Slideshare: slideshare.com/apigee; Apigee Community: https://community.apigee.com; YouTube: youtube.com/apigee
4. What do these companies have in common?
5. All are supporting OpenID Connect and JWT.
6. Authentication and authorization are hard. Many systems do it poorly. (Do YOU provide 2FA?) JWT and OpenID Connect will help solve that problem. You need to get JWT, now.
7. JWT, JWE, JWS
8. JWS, JWE, JWT are all part of JOSE: “JSON Object Signing and Encryption”
9. JWT Enables Federated Identity ©2015 Apigee. All Rights Reserved.
    [Diagram: an internal client application logs in against the authentication server (aka Identity Provider, IdP), which checks the user store and creates a signed JWT; the client presents the JWT together with its data to the API proxy and to the internal systems behind it, each of which validates the JWT with the IdP’s public key.]
10. JWT Integrates with external Identity Providers
    [Diagram, steps 1–7: a partner application authenticates against the partner’s own authentication server (IdP) and receives a signed JWT; the JWT accompanies the data through the API proxy to internal or partner systems, each of which validates it with the partner IdP’s public key.]
11. JSON Web Token, Signature, Encryption
    • JWS – Signature. IETF RFC 7515, https://tools.ietf.org/html/rfc7515
      • JSON representation of signed or HMAC’ed content
      • The payload that is signed need not be JSON!
      • The resulting JWS can be verified by receivers
    • JWE – Encryption. IETF RFC 7516, https://tools.ietf.org/html/rfc7516
      • JSON representation of encrypted content
      • The payload that is encrypted need not be JSON
      • The resulting JWE can be decrypted by receivers
    • JWT – Token. IETF RFC 7519, https://tools.ietf.org/html/rfc7519
      • Signed, or optionally encrypted, set of claims
      • Issuer, subject, audience, issue time, not-before time, expiration
      • Used as a BEARER token: whoever presents it is trusted, so it must travel only over TLS and carry a short expiration
      • “Self-validating”: a receiver holding the issuer’s public key (or shared secret) can verify it without calling the issuer, provided it checks the alg, the signature and the exp/nbf/iss/aud claims
      • Receiving parties can make decisions based on the claims and on the signing party, or encrypting party
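The three formats on slide 11 can be exercised end to end in a few dozen lines. The block below is an added example written for this page, not code from the talk or from the Apigee repository: it builds a compact JWS (BASE64URL(header).BASE64URL(claims).BASE64URL(signature)) with HS256 or RS256 using only the Go standard library, and a verifier that pins the header alg to the key it was given (so alg=none and the HS256/RS256 key-confusion trick are refused), compares HMACs in constant time, and then checks exp (required, with leeway), nbf, iss and aud. The issuer URL, audience name, subject and the generated RSA key are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding

// Claims holds the registered claims the slide lists (RFC 7519 section 4.1).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf,omitempty"`
	Exp int64  `json:"exp"`
}

// Key binds one key to exactly one algorithm; the header "alg" is checked against it.
type Key struct {
	Alg    string
	Secret []byte          // HS256 shared secret
	Pub    *rsa.PublicKey  // RS256 verification key
	Priv   *rsa.PrivateKey // RS256 signing key (issuer side only)
}

func hs256(secret, input []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(input)
	return m.Sum(nil)
}

// Sign builds the compact JWS: BASE64URL(header).BASE64URL(claims).BASE64URL(sig).
func Sign(k Key, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": k.Alg, "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	sig, err := []byte(nil), error(nil)
	switch k.Alg {
	case "HS256":
		sig = hs256(k.Secret, []byte(input))
	case "RS256":
		h := sha256.Sum256([]byte(input))
		sig, err = rsa.SignPKCS1v15(rand.Reader, k.Priv, crypto.SHA256, h[:])
	default:
		err = fmt.Errorf("unsupported alg %q", k.Alg)
	}
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature with the supplied key, then the time, issuer and
// audience claims; now and leeway are parameters so the checks are testable.
func Verify(token string, k Key, iss, aud string, now time.Time, leeway time.Duration) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	var err error
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err = json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	// Pinning alg to the key rejects "none" and the HS256/RS256 confusion trick
	// (an HMAC computed with the RSA public key bytes as the secret).
	if hdr.Alg != k.Alg {
		return nil, fmt.Errorf("alg %q not allowed for this key", hdr.Alg)
	}
	input := []byte(parts[0] + "." + parts[1])
	switch k.Alg {
	case "HS256":
		if !hmac.Equal(hs256(k.Secret, input), raw[2]) { // constant-time compare
			return nil, errors.New("bad HMAC")
		}
	case "RS256":
		h := sha256.Sum256(input)
		if rsa.VerifyPKCS1v15(k.Pub, crypto.SHA256, h[:], raw[2]) != nil {
			return nil, errors.New("bad RSA signature")
		}
	default:
		return nil, fmt.Errorf("unsupported alg %q", k.Alg)
	}
	var c Claims
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	t, l := now.Unix(), int64(leeway.Seconds())
	if c.Exp == 0 || t > c.Exp+l { // a bearer JWT cannot be revoked, so a lifetime is mandatory
		return nil, errors.New("exp missing or token expired")
	}
	if c.Nbf != 0 && t+l < c.Nbf {
		return nil, errors.New("token not yet valid")
	}
	if c.Iss != iss || c.Aud != aud {
		return nil, errors.New("unexpected issuer or audience")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, not a real IdP key
	idp := Key{Alg: "RS256", Priv: priv, Pub: &priv.PublicKey}
	now := time.Now()
	tok, _ := Sign(idp, Claims{Iss: "https://idp.example", Sub: "alice", Aud: "orders-api", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	fmt.Println(Verify(tok, idp, "https://idp.example", "orders-api", now, 30*time.Second))
}
```

The verifier never reads the algorithm out of the token to decide how to verify; the key decides, and the header only has to agree. That single rule is what makes the federation picture on slides 9 and 10 safe: the API proxy holds the IdP's public key and nothing a client puts in the header can downgrade the check. This parser accepts only the string form of aud; RFC 7519 also allows an array, and an array-valued aud fails JSON decoding here, which fails closed.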
13. Demo: Azure AD JWT and JWT.io
14. Apigee Edge includes standard policies for many security tasks: OAuth 1.0a generation and verification, OAuth 2 generation and verification, SAML generation and verification…
15. Apigee Edge does not yet include standard policies for JWT, JWE, JWS (as of this talk)
16. But … Code + Configure!
17. What are Java Callouts?
    • Embed your Java code as a policy in Apigee Edge
    • One interface, one method, 2 parameters
    • Can read policy configuration
    • Can read and write context variables
    • …anchor anywhere in the Edge policy flow
    • One of the ways to extend Edge with custom code. Also JavaScript, Python, nodejs.
    • RTFM: http://apigee.com/docs/api-services/reference/java-callout-policy
18. Java Callout for JWT Parse/Verification
    • Re-usable now in any of your Proxies
    • Configure it with XML as any other policy
    • Make decisions based on embedded claims
    • Can read JWT generated by third parties, such as Google or Windows Azure
    https://github.com/apigee/iloveapis2015-jwt-jwe-jws
19. Java Callout for JWT Generation
    • Re-usable now in any of your Proxies
    • Configure it with XML as any other policy
    • Generate JWT for use by others
    • Can be used by backends or other systems called by clients
    • Can be consumed by Edge itself
20. JWT Code walkthrough & Demo
21. Some comments
    • This JWT policy handles Signed, not Encrypted JWT
    • RS256 and HS256 are supported
    • We have a different policy that produces Encrypted JWT (JWE) with an RSA key (RS256 itself names a JWS signature algorithm; the RSA key-management algorithms defined for JWE are RSA1_5 and RSA-OAEP, RFC 7518)
    • JWT cannot be “revoked” – so limit your lifetimes
    • Exercise for the reader: ES256, other algorithms
22. When to use JWT vs OAuth 2.0 tokens?
23. When to use JWT vs OAuth 2.0 tokens?
    • Trick question! JWT are OAuth 2.0 tokens
    • Better phrased as: When to use JWT vs opaque OAuth 2.0 tokens?
    • Federation
    • When you want the client to know everything that is being claimed
    • JWT implies minimal impact to client and server apps
    • JWT do not work well with revocation
24. Java Callout for JWE Generation
    • Re-usable now in any of your Proxies
    • Configure it with XML as any other policy
    • Generate JWE for use by others
    • Configurable key strength and key derivation
    • Can be used by backends or other systems called by clients
    • Can be consumed by Edge itself
    https://github.com/apigee/iloveapis2015-jwt-jwe-jws
25. Java Callout for JWE Decryption
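Slides 24 and 25 cover generating and decrypting JWE; the comment on slide 21 that the JWE policy uses “RS256” amounts to saying it uses an RSA key pair. As an added example (not the talk’s Java callout and not code from the Apigee repository), here is the compact JWE serialization of RFC 7516 in Go with the standard library only: RSA-OAEP wraps a fresh AES-256 content-encryption key, A256GCM encrypts the payload with the base64url protected header as additional authenticated data, and the receiver allowlists the alg/enc pair and rejects unknown “crit” extensions before touching any key. The demo key and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// The only algorithm pair this receiver accepts (RFC 7518): RSA-OAEP to wrap a
// fresh 256-bit content key, AES-256-GCM for the payload.
const algRSAOAEP, encA256GCM = "RSA-OAEP", "A256GCM"

// Encrypt produces a compact JWE (RFC 7516 section 7.1) of an arbitrary payload
// under the recipient's RSA public key; the payload need not be JSON.
func Encrypt(pub *rsa.PublicKey, payload []byte) (string, error) {
	hdrJSON, _ := json.Marshal(map[string]string{"alg": algRSAOAEP, "enc": encA256GCM})
	protected := b64.EncodeToString(hdrJSON)
	cek := make([]byte, 32) // content-encryption key, new for every message
	iv := make([]byte, 12)  // GCM nonce, new for every message
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	// RFC 7516 section 5.1 step 14: the AAD is the ASCII form of the base64url
	// protected header, so tampering with alg/enc invalidates the tag.
	sealed := gcm.Seal(nil, iv, payload, []byte(protected))
	split := len(sealed) - gcm.Overhead() // Go appends the 16-byte tag to the ciphertext
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:split]), b64.EncodeToString(sealed[split:])}, "."), nil
}

// Decrypt reverses Encrypt and refuses anything outside the fixed alg/enc pair.
func Decrypt(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a compact JWE")
	}
	raw := make([][]byte, 5) // header, wrapped CEK, IV, ciphertext, tag
	var err error
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct {
		Alg  string   `json:"alg"`
		Enc  string   `json:"enc"`
		Crit []string `json:"crit"`
	}
	if err = json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	// Allowlist before any key operation. RSA1_5 (PKCS#1 v1.5) in particular is
	// refused: its padding errors give a Bleichenbacher-style oracle. A "crit"
	// extension the receiver does not understand must also be rejected (RFC 7516 section 4.1.13).
	if hdr.Alg != algRSAOAEP || hdr.Enc != encA256GCM || len(hdr.Crit) != 0 {
		return nil, fmt.Errorf("refused header alg=%q enc=%q crit=%v", hdr.Alg, hdr.Enc, hdr.Crit)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[1], nil)
	if err != nil || len(cek) != 32 {
		return nil, errors.New("cannot unwrap content key")
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(raw[2]) != gcm.NonceSize() {
		return nil, errors.New("bad IV length")
	}
	// gcm.Open verifies the tag over ciphertext and AAD before releasing plaintext, so one
	// generic error covers wrong key, modified ciphertext and a swapped header alike.
	pt, err := gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key
	jwe, _ := Encrypt(&priv.PublicKey, []byte(`{"sub":"alice","aud":"orders-api"}`)) // constructed payload
	pt, err := Decrypt(priv, jwe)
	fmt.Println(string(pt), err)
}
```

Because the protected header is the GCM AAD, a replacement header that still passes the allowlist fails authentication rather than silently changing how the message is interpreted, and because Decrypt returns the same error for a wrong key, a flipped ciphertext byte and a bad tag, it does not tell a caller which check failed. An encrypted JWT is simply this construction with the claims JSON as the payload; the receiver still has to validate those claims after decrypting.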
26. When to use JWS and JWE?
    • Trick question! Don’t ever use them!
    • No, seriously.
    • JWS and JWE imply some change to client apps
    • More limited scope of usage than JWT
    • There are already ways to sign and encrypt arbitrary data
    • My opinion: JWE and JWS are mostly interesting in support of JWT
27. What did we learn?
    • YOU NEED to handle JWT
    • You can use JWT, JWS, JWE in Apigee Edge today via custom policies
    • No coding needed!
    • These policies complement the existing built-in policies in Apigee Edge
    https://github.com/apigee/iloveapis2015-jwt-jwe-jws
28. Questions?
29. Thank you