Logging in to a website seems easy. But what looks so simple stays easy only as long as the website is backed by a monolith. What happens if there are lots of microservices at work? How do the microservices know that the user is who he claims to be, and how can this be verified efficiently? JSON Web Tokens (JWT) can be a solution.
Presentation from the 2017 microXchg Conference in Berlin.
2. Overview
Authorization and Authentication in Microservice Environments – Bernd Schönbach – LeanIX
• Introduction
• What’s the problem anyway?
• And how exactly do JSON Web Tokens help here?
• What are JSON Web Tokens?
• Some examples
• Mind the gap
• JWS vs. JWE
4. LeanIX helps companies to manage and optimize their IT Architecture
Current IT Architecture:
• Missing information (e.g. interfaces, technologies)
• Hard to introduce new products & sales channels
• High costs and risks
Create Transparency:
• Import existing data into LeanIX (via Excel or API)
• Invite experts to share their knowledge
Optimize IT Architecture:
• Use best-practice reports to identify issues
• Define target architecture and roadmaps
5. LeanIX is a web-based platform to capture and share knowledge about IT
• IT Inventory: Fact Sheets & Tagging, Context-based Search, API, Import & Export
• Collaboration Platform: Comments & Threads, Activity Stream & Notifications, Subscriptions
• Interactive Reporting: Print & Export (PDF), Best Practice Reports, Interactive Adaption
12. Typical Auth Flow
(Diagram: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3)
• The UI logs in at the Auth Service, which returns an OAuth token
• The UI sends its requests, with the token, to the microservices
• Each microservice checks the OAuth token's validity with the Auth Service
13. And now with JWT
(Diagram: UI, Auth Service, Microservice 1, Microservice 2, Microservice 3)
• The UI logs in at the Auth Service, which returns a JWT
• The UI sends its requests, with the token, to the microservices
• Each microservice checks the token's validity itself
15. What are JSON Web Tokens (JWT)?
RFC 7519: “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”
17. What are JSON Web Tokens (JWT)?
Two Types:
• JSON Web Signature
• JSON Web Encryption
18. JSON Web Signature (RFC 7515)
Three Parts:
1. Header
2. Payload (Claims)
3. Signature
20. JWS - Payload
- Main information part
- Contains information like
  - Issuer (iss)
  - Expiration time (exp)
  - Subject (sub)
  - Features
  - Permissions
  - …
Example payload:
    {
      "iss": "auth-service-1",
      "name": "John Doe",
      "admin": true,
      "exp": 1487325600
    }
Use as little information as possible to keep the token small!
21. JWS - Signature
    HMACSHA256(
      base64UrlEncode(header) + "." + base64UrlEncode(payload),
      secret
    )
• Verifies origin and content of the JWS token
• The signature is computed over both header and payload
23. JSON Web Encryption (RFC 7516)
Five Parts (JWE):
1. Protected Header
2. Encrypted Key
3. Initialization Vector
4. Ciphertext
5. Authentication Tag
24. JWE Protected Header
• Basically the same as JWS with some minor tweaks
• Two additional keys:
  • enc -> encryption algorithm
  • zip -> compression algorithm
• “alg” now describes the algorithm for encrypting the CEK
• “none” is no longer allowed
Example header:
    {
      "alg": "RSA-OAEP",
      "enc": "A256GCM",
      "typ": "JWT"
    }
25. JWE Protected Header
• The enc algorithm used should be an AEAD algorithm (Authenticated Encryption with Associated Data)
• “AEAD algorithms accept two inputs, the plaintext and the Additional Authenticated Data (AAD) value, and produce two outputs, the cipher text and the Authentication Tag value.”
• The AAD can be the base64url-encoded JWE Protected Header
26. JWE Encrypted Key
• The encrypted Content Encryption Key (CEK)
• CEK = symmetric key used to encrypt the plaintext
• The CEK is used to produce the ciphertext and the Authentication Tag
27. JWE Initialization Vector
• A random numeric value used to “salt” the encrypted value
• Ensures that the encrypted value differs even for the same content
• May be left empty if the enc algorithm does not use an IV
28. JWE Ciphertext
• Basically the same as the payload in JWS
• Encrypted with the enc algorithm
• Encrypted using the initialization vector
• But it need not be JSON; it can be any plaintext
29. JWE Authentication Tag
• Also a result of the enc algorithm
• Ensures integrity of the ciphertext
• Ensures integrity of the Additional Authenticated Data
30. JWE
Again all parts are base64url encoded and concatenated with dots:
    BASE64URL(UTF8(JWE Protected Header)) .
    BASE64URL(JWE Encrypted Key) .
    BASE64URL(JWE Initialization Vector) .
    BASE64URL(JWE Ciphertext) .
    BASE64URL(JWE Authentication Tag)
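To make the five-part layout and the protected-header rules from slides 23 to 30 concrete, here is an added example (not code from the talk or from LeanIX) that splits a JWE Compact Serialization into its named parts, enforces that "alg" is not "none" and that "enc" is an AEAD algorithm, and derives the AAD from the first segment. The sample token is constructed with dummy key, IV, ciphertext and tag bytes, so it demonstrates the format and the checks, not decryption.

```python
import base64
import json

# Added example, not from the talk: parse a JWE Compact Serialization into
# the five parts from the "JWE" slide and apply the "JWE Protected Header"
# rules. build_sample_jwe produces a constructed token with dummy bytes.

# Content encryption algorithms defined in RFC 7518; all of them are AEAD.
AEAD_ENC = {"A128GCM", "A192GCM", "A256GCM",
            "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Encrypted Key and IV segments may be empty (slide 27), so allow "".
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)) if text else b""

def parse_jwe(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("a JWE has 5 dot-separated parts, got %d" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    alg, enc = header.get("alg"), header.get("enc")
    if not alg or alg == "none":           # "none" is not allowed in JWE
        raise ValueError("alg must name a key-management algorithm")
    if enc not in AEAD_ENC:                # enc must be an AEAD algorithm
        raise ValueError("enc %r is not an AEAD algorithm" % (enc,))
    return {
        "header": header,
        "encrypted_key": b64url_decode(parts[1]),
        "iv": b64url_decode(parts[2]),
        "ciphertext": b64url_decode(parts[3]),
        "tag": b64url_decode(parts[4]),
        # AAD for the AEAD algorithm: the first segment exactly as transmitted
        "aad": parts[0].encode("ascii"),
    }

def is_well_formed_jwe(token: str) -> bool:
    try:
        parse_jwe(token)
        return True
    except (ValueError, AttributeError):
        return False

def build_sample_jwe(header: dict, key=b"", iv=b"", ct=b"", tag=b"") -> str:
    # Constructed helper: serialises dummy parts in JWE compact form.
    hdr = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return ".".join(b64url(p) for p in (hdr, key, iv, ct, tag))
```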
32. JWS creation in Java
    // jjwt (io.jsonwebtoken) is the library used on this slide
    import io.jsonwebtoken.JwtBuilder;
    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;

    public String createJwt(User loggedInUser) {
        JwtBuilder builder = Jwts.builder()
            .setSubject(loggedInUser.getUsername())
            .claim("payload", loggedInUser.getPayload())
            .setId(loggedInUser.getId())
            .setExpiration(calculateExpirationTime());
        // Sign with the Auth Service's RSA private key (RS256)
        return builder.signWith(SignatureAlgorithm.RS256, privateKey)
            .compact();
    }
33. JWS checking in Java
    import io.jsonwebtoken.Claims;
    import io.jsonwebtoken.Jwts;

    // Verify the signature with the Auth Service's public key, then read the claims.
    // parseClaimsJws expects a signed token (a JWS); an unsigned JWT is rejected.
    Claims claims = Jwts.parser()
        .setSigningKey(publicKey)
        .parseClaimsJws(accessTokenString)
        .getBody();
Important side note:
- Ensure checking always uses the correct algorithm
- A “none” alg header must not lead to an unchecked token if a signed token is expected!
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
34. JWS Usage in Java with Dropwizard
Adapt the Authenticator class:
    @Override
    public Optional<User> authenticate(String accessToken) {
        if (accessToken == null)
            return Optional.absent();
        // the parser verifies the JWS and returns the principal it carries
        OAuth2Token token = this.parser.parse(accessToken);
        return Optional.fromNullable((User) token.getPrincipal());
    }
Use the @Auth annotation:
    public Response getX(
        @Auth @ApiParam(access="internal") User user
    ) {
        […]
    }
38. Mind the gap
Don’ts:
• Never ever send passwords in a JWT
• And also no hashes.
• You cannot control where the JWT goes
• Don’t verify token validity with the Auth Service
Dos:
• Always verify the token (signature)
• Add as few claims as possible, but at least enough to avoid calls to other services
40. JSON Web Encryption (JWE)
Pros:
• Everything is unreadable to the user
• You can potentially use classified information
• Only one key is needed, which can be distributed easily
Cons:
• The secret needs to be distributed to all services
• The attack surface increases
41. JSON Web Encryption (JWE)
(Diagram: the Auth Service and Microservices 1, 2 and 3 all hold the same private key)
42. JSON Web Signature (JWS)
Pros:
• Everything is readable to the user
• Only the public key needs to be distributed
• Only the Auth Service needs high protection
• If the private key is compromised, replace it in the Auth Service and distribute the new public key
Cons:
• Everything is readable to the user
43. JSON Web Signature (JWS)
(Diagram: the Auth Service holds the private key; Microservices 1, 2 and 3 hold only the public key)
45. Conclusion
• Keeps microservices loosely coupled
• Secure transfer of authorization and authentication claims
• Further application areas can be found in single sign-on contexts
• Easy to implement thanks to library availability
47. Sources
• https://tools.ietf.org/html/rfc7519 – RFC for JWT
• https://tools.ietf.org/html/rfc7518 – RFC for JWA (used in JWS and JWE)
• https://jwt.io/
• https://www.leanix.net/
• Devil Smiley CC BY 4.0 https://www.creativetail.com
• Further articles on JWT:
  • https://blog.codecentric.de/2016/11/json-web-token-jwt-im-detail/
  • https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3