Loggin in to a website seems easy. But what seems so simple, is only easy as long as the website is based on a monolith in the background. But what happens, if there are lots of microservices at work? How do the microservices know that the user is who he is and how can this be achieved efficiently? The use of JSON Web Tokens (JWT) can be a solution. Presentation from the 2017 microXchg Conference in Berlin.

1. Authorization
and
Authentication
in
Microservice Environments
Bernd
Schönbach

2. Overview
2Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Introduction
• What’s the problem anyway?
• And how exactly do JSON Web Tokens help here?
• What are JSON Web Tokens?
• Some examples
• Mind the gap
• JWS vs. JWE

3. Introduction

4. LeanIX helps companies to manage and
optimize their IT Architecture
4Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Current IT Architecture Create Transparency Optimize IT Architecture
• Missing information (e.g.
interfaces, technologies)
• Hard to introduce new
products & sales channels
• High costs and risks
• Import existing data into
LeanIX (via Excel or API)
• Invite experts to share
their knowledge
• Use best-practice reports
to identify issues
• Define target architecture
and roadmaps

5. LeanIX is a web-based platform
to capture and share knowledge about IT
5Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Fact Sheets & Tagging
Context-based Search
API, Import & Export
Comments & Threads
IT Inventory Collaboration Platform Interactive Reporting
Activity Stream &
Notifications
Subscriptions
Print & Export (PDF)
Best Practice Reports
Interactive Adaption

6. What’s the problem anyway?

7. What’s the problem anyway?
7Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

8. What’s the problem anyway?
8Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

9. What’s the problem anyway?
9Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

10. What’s the problem anyway?
10Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

11. And how do JWT exactly help
here?

12. Typical Auth Flow
12Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
UI
Auth Service
Microservice 2
Microservice 1
Microservice 3
Login
Return
OAuth
Token
Check
Oauth Validity
Send
Requests
with
Token
AuthService

13. And now with JWT
13Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
UI
Auth Service
Microservice 2
Microservice 1
Microservice 3
Login
Return
JWT
Check
Token
Validity
Send
Requests
with
Token

14. What are JSON Web Tokens?

15. What are JSON Web Tokens (JWT)?
15Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
RFC
7519:
“JSON
Web
Token
(JWT)
is
a
compact,
URL-­‐safe
means
of
representing
claims
to
be
transferred
between
two
parties.”

16. What are JSON Web Tokens (JWT)?
16Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX

17. What are JSON Web TokenS (JWT)?
17Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Two Types
JSON Web Signature JSON Web Encryption

18. JSON Web Signature (RFC 7515)
18Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Three
Parts
1. Header
2. Payload
(Claims)
3. Signature

19. JWS - Header
19Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
{
"alg": "HS256",
"typ": "JWT“
}
{
"alg": "HS256",
"typ": "JWT“
}
Recommended Values:
• HS256
• RS256
• ES256
Special Case:
• none

20. JWS - Payload
20Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
- Main Information Part
- Contains Information like
- Issuer (iss)
- Expiration time (exp)
- Subject (sub)
- Features
- Permissions
- …
{
"iss": "auth-service-1",
"name": "John Doe",
"admin": true,
"exp": 1487325600
}
Use as few information as possible to keep the Token small!

21. JWS - Signature
21Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)
• Verifies origin and content of JWS Token
• Signature contains Header and Payload

22. JWS Example
22Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Header: { "alg": "HS256", "typ": "JWT"}
Payload:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
Signature:
HMACSHA256(
base64UrlEncode(header) +
"." +
base64UrlEncode(payload),
secret
)

23. JSON Web Encryption (RFC 7516)
23Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Five
Parts
(JWE)
1. Protected
Header
2. Encrypted
Key
3. Initialization
Vector
4. Cipher
text
5. Authentication
Tag

24. JWE Protected Header
24Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Basically the same as JWS with some minor tweaks
• Two additional Keys:
• enc -> encryption algorithm
• zip -> compression algorithm
• “alg” now describes the algorithm for encrypting CEK
• ”none” is no longer allowed
{
"alg": "RSA-OAEP",
"enc": "A256GCM“,
"typ": "JWT“
}

25. JWE Protected Header
25Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Algorithm used should be an AEAD algorithm
• Authenticated Encryption with Associated Data
• “AEAD algorithms accept two inputs, the plaintext and the
Additional Authenticated Data (AAD) value, and produce two
outputs, the cipher text and the Authentication Tag value.”
• AAD can be base64encoded JWE Protected Header

26. JWE Encrypted Key
26Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Encrypted Content Encryption Key (CEK)
• CEK = Symmetric Key used to encrypt plaintext
• CEK is used to produce cipher text and Authentication Tag

27. JWE Initialization Vector
27Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• A random numeric value used to “salt” encrypted value
• Ensures for same content, encrypted value differs
• May be left empy if enc Algorithm does not use IV

28. JWE Ciphertext
28Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Basically the same as Payload in JWS
• Is encrypted with enc algorithm
• Is encrypted using initialization vector
• But must not be JSON can be plaintext

29. JWE Authentication Tag
29Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Is also a result of enc algorithm
• Ensures integrity of cipher text
• Ensures integrity Additional Authenticated Data

30. JWE
30Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Again all parts are base64 Encoded and concatenated with dots:
BASE64URL(UTF8(JWE Protected Header)) .
BASE64URL(JWE Encrypted Key) .
BASE64URL(JWE Initialization Vector) .
BASE64URL(JWE Ciphertext) .
BASE64URL(JWE Authentication Tag)

31. Some examples
31

32. JWS creation in Java
32Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
public String createJwt(User loggedInUser) {
JwtBuilder builder = Jwts.builder()
.setSubject(loggedInUser.getUsername())
.claim(„payload“, loggedInUser.getPayload())
.setId(loggedInUser.getId())
.setExpiration(calculateExpirationTime());
return builder.signWith(
SignatureAlgorithm.RS256, privateKey
)
.compact();
}

33. JWS checking in Java
33Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Claims claims = Jwts.parser()
.setSigningKey(publicKey)
.parseClaimsJws(accesTokenString)
.getBody();
Important Side Note:
- Ensure checking always uses the correct algorithm
- “none” alg header must not lead to unchecked token if signed is
expected!
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

34. JWS Usage in Java with Dropwizard
34Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
@Override
public Optional<User> authenticate(String accessToken) {
if (accessToken == null)
return Optional.absent();
OAuth2Token token = this.parser.parse(accessToken);
return Optional.fromNullable((User) token.getPrincipal());
}
Adapt Authenticator Class:
Use @Auth Annotation:
public Response getX(
@Auth @ApiParam(access="internal") User user
){
[…]
}

35. JWS example
35Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Live Presentation

36. JWS libraries
36Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Libraries exist for nearly every programming language:
• .NET
• Pyhton
• Node.js
• Java
• JavaScript
• Perl
• Ruby
• Elixir
• Go
• Haskell
• Rust
• Lua
• Scala
• D
• Clojure
• Objective C
• Swift
• C
• Kdb+/Q
• Delphi
• PHP
• Crystal
• …

37. Mind the gap

38. Mind the gap
38Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Don’ts:
• Never ever send passwords in JWT
• And also no hashes..
• You cannot control where the JWT goes
• Don’t verify token validity with Auth-Service
Dos:
• Always verify token (checksum)
• Add as few as possible but at least enough to avoid calls
to other services

39. Back to JWS vs JWE
vs

40. JSON Web Encryption (JWE)
40Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Everything is unreadable to the user
• You potentially can use classified information
• Only one key needed which can be distributed easily
Pros
Cons
• Need to distribute secret to all services
• Attack vector increases

41. JSON Web Encryption (JWE)
41Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Auth Service
Microservice 2
Microservice 1
Microservice 3
Private Key

42. JSON Web Signature (JWS)
42Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Everything is readable to the user
• Only the public key needs to be distributed
• Only the Auth-Service needs high protection
• If private key is compromised exchange here and distribute pub key
Pros
Cons
• Everything is readable to the user

43. Auth Service
JSON Web Signature (JWS)
43Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
Auth Service
Microservice 2
Microservice 1
Microservice 3
Private Key
Public Key

44. Conclusion

45. Conclusion
Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Allows to keep loose coupling of Microservices
• Secure transfer of Authorization and Authentication claims
• Further domains can be found in Single Sign On Contexts
• Easy to implement due to library availability

46. Thanks
(and yes we are hiring)
https://www.leanix.net/en/jobs

47. Sources
47Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• https://tools.ietf.org/html/rfc7519 RFC for JWT
• https://tools.ietf.org/html/rfc7518 RFC for JWA (used in JWS and JWE)
• https://jwt.io/
• https://www.leanix.net/
• Devil Smiley CC BY 4.0 https://www.creativetail.com
• Further Articles on JWT:
• https://blog.codecentric.de/2016/11/json-web-token-jwt-im-detail/
• https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3