complex architectures for authentication and
play

Complex architectures for authentication and authorization on AWS - PowerPoint PPT Presentation

Sep 29, 2022 •116 likes •510 views

Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019 Our Focus Today ? Authenticate Key patterns for authentication & Authorize and

  1. Complex architectures for authentication and authorization on AWS Boyan Dimitrov Director Platform Engineering @ Sixt @nathariel September 2019

  2. Our Focus Today ? Authenticate • Key patterns for authentication & Authorize and authorization - Client to service - Service to service - Service to Infra • Focusing on the application and Service more complex microservices environments

  3. ? Our Focus Today Authenticate & Authorize Autenticate & Authorize Service Service Service IdP Autenticate Service & Authorize Service Service

  4. Before we begin: The Foundations OIDC ( OpenID Connect ) - a protocol OAUTH 2.0 – for Authentication built on top of a protocol for Authorization OAuth 2.0

  5. Before we begin: AWS Cognito Identity providers Social Identity Providers Federate Federate Authorize S3 Other Identity Providers AWS Cognito AWS Cognito User Pools Federated Identities SAML OIDC EC2

  6. Tip #1 If you are starting a new project on AWS involving auth and you need IdP, Use Cognito

  7. Client to service auth

  8. Auth primer Auth Service Custom Authorizer 6b. Invoke custom auth function 6a. Check token scope 3. Invoke API with JWT Service 7. Forward request Amazon API Gateway 1. Authenticate via Mobile credentials 5. Return validity Client 4. Validate JWT 2. Receive JWT Amazon Cognito

  9. We live in a complex world… Service Service Service auth auth Elastic Load Balancer On-Prem Service auth auth Service auth Service Amazon API Gateway auth Service Service auth Service Amazon Cognito

  10. Auth challenges in complex architectures I already have a / multiple IdPs, how to integrate all of that ? • • Where do we do authentication & token validation in a heterogeneous environment with various ingress points ? How do we do authorization and on what level ? • What about service to service auth? • What about infrastructure auth ? •

  11. Tip #2 Consider IdP Federation to simplify your problem

  12. Authentication: Common Identity Format SAML OIDC Standard Access Token Authenticate federate External Perimeter Amazon Cognito Internal Perimeter Service Service Service Service

  13. Define your authorization strategy ACL MAC DAC RBAC ADAC PBAC …

  14. Tip #3 If Authorization requirements are unclear, start with RBAC and complicate as needed ACL MAC DAC RBAC ADAC PBAC …

  15. { RBAC Authorization "name": "John Doe", "email": "john.doe@foo.com", Primer "roles": ["finance_controller"] … } SAML OIDC External Perimeter Amazon Cognito X Internal Perimeter Amazon API Gateway If role ==„finance_controller“... Service Service Service Service

  16. Tip #4 Do not embed volatile business roles into your applications – implement access controls around service capabilities instead

  17. Delegate auth to a central auth service API Contract { "name": "John Doe", POST /users "email": "john.doe @foo.com", GET /users/<id> "roles": ["finance_controller"], PUT /users/<id> “user_id": 343242, DELETE /users/<id> … } User Service Associated Permissions GET /users/343242 users:create:any users:read:any Authorised? users:read:own users:update:any users:update:own users:delete:own Role users:delete:any Permission Auth finance_controller -> users:read:own Service

  18. Centralised Auth Service Advantages • Externalised auth decisions and business roles management • Easier to manage and change User Service • Single source of truth Disadvantages Another synchronous dependency • Auth • Additional latency Service • Single point of failure? • Manual effort in keeping permissions up to date

  19. Centralised Auth Service Optimisations: automate permission discovery Service:Permissions Map Associated Permissions Register permissions on startup com.x.service.user users:create:any users:create:any com.x.service.user users:read:any users:read:any com.x.service.user users:read:own Auth users:read:own User Service com.x.service.user users:update:any Service users:update:any com.x.service.user users:update:own users:update:own com.x.service.user users:delete:own users:delete:own com.x.service.user users:delete:any users:delete:any

  20. Centralised Auth Service Optimisations: caching associated roles Role Permission finance_controller -> com.x.service.user users:read:own Associated Permissions users:create:any users:read:any users:read:own Auth User Service users:update:any Service users:update:own users:delete:own users:delete:any

  21. Centralised Auth Service Optimisations: caching associated roles Role Permission finance_controller ALLOW com.x.service.user users:read:own Associated Permissions and Roles users:create:any users:read:any finance_controller -> users:read:own Auth User Service users:update:any Service users:update:all users:delete:own 1. On Startup user service caches relevant users:delete:any roles for its permissions 2. Receive live updates during runtime

  22. Centralised Auth Service Optimisations: caching auth result { "name": "John Doe", "email": "john.doe @foo.com", "roles": ["finance_controller"], Associated Permissions “user_id": 343242, “jti“: 21312e1d123 users:create:any … users:read:any } users:read:own users:update:any users:update:all User Service users:delete:own users:delete:any Auth Service

  23. Centralised Auth Service Optimisations: caching auth result { "name": "John Doe", "email": "john.doe @foo.com", "roles": ["finance_controller"], Permissions and Cached Policy Result “user_id": 343242, “jti“: 21312e1d123 users:create:any … users:read:any } 21312e1d123 -> users:read:own users:update:any users:update:all User Service users:delete:own users:delete:any 1. Authorize operation 2. Cache authorization response with TTL Auth Service

  24. Bonus: Local token validation { { "name": "John Doe", “keys": [{ "email": "john.doe @foo.com", “kid": "5689example", "roles": ["finance_controller"], “alg": "RS256" … }, { “kid": "5689example" … } }]} User Service Amazon Cognito Cache the access token JWK for local validation

  25. Authorization SAML OIDC External Perimeter Amazon Cognito Internal Perimeter Auth Service “Decentralised“ authorisation Service Service Service Service

  26. Centralised Auth Service Advantages • Externalised auth decisions and business roles management • Easier to manage and change • Single source of truth User Service • Decentralised token validation and auth Disadvantages Another synchronous dependency • Auth • Additional latency Service • Single point of failure? • Manual effort in keeping permissions up to date

  27. DEMO

  28. Demo Architecture Register a user & Authenticate Admin Webapp Demo Webapp Amazon Cognito User Pool Manage Permissions Authorize hello request Fetch IdP JWK Auth Service Hello World Service • Automated permission registration • Auth rules caching • Decentralised authorization • Local token validation

  29. ? So far we covered… Authenticate & Authorize Autenticate & Authorize Service Service Service IdP Autenticate Service & Authorize Service Service

  30. Service 2 Service Auth

  31. Why do we need S2S Auth? • Authorize service calls without user context ( batch jobs, async operations..) • Protect applications storing senstive information for internal actors too • Multi-tenant environments

  32. Service to service auth Service Permission com.x.service.user ALLOW com.x.service.email email:send:any { “service":“com.x.service.user, Amazon Cognito … Auth Service } 1. Auth using creds 2. Get an identitiy User Service Email Service 3. Send identity token with requests

  33. Tip #5 Give identity to your applications and automate the credential management!

  34. Client 2 Service and Service 2 Service Auth SAML OIDC External Perimeter Amazon Cognito Internal Perimeter S3 ? Auth Service Service Service Service Service

  35. (AWS) Infra Auth

  36. Cognito Federated Identities to the rescue User Service Amazon Cognito 1. Get Identity 2. Exchange Amazon Cognito User Pool Token Token for Identity Federation IAM Creds 3. Access AWS Services

  37. That’s all ? Authenticate & Authorize Autenticate Service & Authorize Service Service IdP Autenticate Service & Authorize Service Service

  38. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Authentication: A User-Centered Security R emy Degenne Chair for Network Architectures

Web Authentication: A User-Centered Security R emy Degenne Chair for Network Architectures

Web Authentication: A User-Centered Security R emy Degenne Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen October 10, 2013 R emy Degenne: Web Authentication: A

1.03k views • 15 slides
Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Version 1.0 Cornelius Klbel (corny@cornelinux.de) May 2014 (CC BY-NC-SA 4.0) Everybody knows that a password - be it simple or even complex - is a potential vulnerability. Two factor authentication is the way to authenticate a user not only

400 views • 5 slides
The F-MPJ Challenge: Solving Complex Problems on Hierachical Architectures with Java Sabela

The F-MPJ Challenge: Solving Complex Problems on Hierachical Architectures with Java Sabela

Introduction Message Passing in Java with F-MPJ Complex Application in Bioinformatic: ProtTest Performance Evaluation Conclusions The F-MPJ Challenge: Solving Complex Problems on Hierachical Architectures with Java Sabela Ramos Garea

431 views • 41 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Composition and Deployment of Complex Container-Based Application Architectures on Multi-Clouds

Composition and Deployment of Complex Container-Based Application Architectures on Multi-Clouds

Composition and Deployment of Complex Container-Based Application Architectures on Multi-Clouds DI4R Lisbon, Portugal Andy S. Alic 1 , Marica Antonacci 2 , Ignacio Blanquer 1 , Miguel October 2018 Caballer 1 , Giacinto Donvito 2 , lvaro

297 views • 12 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
A Multi-Level Meta-Object Protocol for Fault- Tolerance in Complex Architectures Franois Taani

A Multi-Level Meta-Object Protocol for Fault- Tolerance in Complex Architectures Franois Taani

A Multi-Level Meta-Object Protocol for Fault- Tolerance in Complex Architectures Franois Taani ( * ) , Jean-Charles Fabre, Marc-Olivier Killijian LAAS-CNRS ( ( * ): Now at Lancaster University) DSN'2005, The International Conference on

741 views • 34 slides
CTIT Introduction Motivation Two trends in robotics Conflicting! More complex

CTIT Introduction Motivation Two trends in robotics Conflicting! More complex

Connecting Two Robot-Software Communication Architectures: ROS and LUNA Communicating Process Architectures 2016, Copenhagen, DK W. Mathijs van der Wer ff , Jan F . Broenink University of Twente CTIT institute, Robotics &amp; Mechatronics

544 views • 26 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
A UML Profile for Modeling Complex A UML Profile for Modeling Complex Real-Time Architectures

A UML Profile for Modeling Complex A UML Profile for Modeling Complex Real-Time Architectures

A UML Profile for Modeling Complex A UML Profile for Modeling Complex Real-Time Architectures Real-Time Architectures Bran Selic Bran Selic Rational Software Inc. Rational Software Inc. bselic@rational.com bselic@rational.com Overview

490 views • 32 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor

Windows Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Windows Security

265 views • 23 slides
Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend Introduction to Apache CXF Production quality framework for creating Java JAX-RS 2.0 and JAX-WS services Widely used and integrated into

1.01k views • 27 slides
OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with

Network Tokens A DPI-alternative to deploy network services ONF Spotlight: 5G Transformation with Open Source Yiannis Yiakoumis, Co-Founder &amp; CEO, Selfie Networks Work with Nick McKeown (Stanford), Frode Sorensen (NKOM)

506 views • 29 slides
OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth

OAuth 2.0 Weina Ma Weina.Ma@uoit.ca Agenda OAuth overview Simple example OAuth protocol workflow Server-side web application flow Client-side web application flow Whats the problem As the web grows, more and more sites

786 views • 45 slides
2nd Meeting of ICAC Federated Identity Status &amp; Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status &amp; Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status &amp; Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides

More recommend