
Stateless Microservice Security via JWT, TomEE and MicroProfile



  1. EclipseCon France. Stateless Microservice Security via JWT, TomEE and MicroProfile. Jean-Louis Monteiro, Tomitribe. #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe

  2. Why am I here today? • Microservices architecture case • Security options • OAuth2 with JWT • Demo with MP-JWT and Apache TomEE

  3. Microservices (SOA with a sexy name)

  4. Traditional system (diagram): a monolithic system made of Component A, Component B, Component C and Component D. (Slide footer from here on also credits @dblevins @tomitribe.)

  5.–8. … with traditional scalability (diagram, built up over four slides)

  9. … and its traditional security (diagram)

  10. What to expect from microservices? • 2 possible perspectives • Technical • Organizational

  11. Microservices - the technical perspective • Cloud • Containers • Virtualization • Large scale

  12. The organizational perspective • Agile methodology • Small teams • HR / organizational changes free (Conway's Law)

  13. But there are new challenges • Scalability • Cost reduction • Resilience • Monitoring • Security

  14. Microservices Security Options • Basic Auth • OAuth2 • OpenID Connect • JWT - Facebook / Google way • HTTP Signatures - Amazon way • « In-house » solutions • More …

  15. Baseline Architecture (diagram): 1000 users at 3 TPS each give 3000 TPS at the frontend; each request fans out over 4 backend hops, so 12000 TPS across the backend.

  16. Basic Auth (and its problems)

  17. Basic Auth Message

      POST /painter/color/object HTTP/1.1
      Host: localhost:8443
      Authorization: Basic c25vb3B5OnBhc3M=
      User-Agent: curl/7.43.0
      Accept: */*
      Content-Type: application/json
      Content-Length: 45

      {"color":{"b":255,"g":0,"name":"blue","r":0}}

     (Base64 is an encoding, not encryption: c25vb3B5OnBhc3M= decodes to snoopy:pass, so the password is readable by every hop that sees the header.)

  18. Basic Auth (diagram): the Base64-encoded username+password is sent with every request. Frontend: password sent, 3000 TPS (HTTP+SSL). Backend: no auth, 12000 TPS (HTTP). LDAP: 3000 TPS of password verification.

  19. Basic Auth (diagram): now the backend hops authenticate as well. Frontend: password sent, 3000 TPS (HTTP+SSL). Backend: password sent, 12000 TPS (HTTP). LDAP: 15000 TPS, because every hop re-verifies the same password.

  20. Basic Auth - Attacks (diagram): an attacker sends invalid passwords at 6000 TPS (HTTP+SSL) on top of the 3000 TPS of valid ones; the backend is still unauthenticated at 12000 TPS (HTTP); LDAP load rises to 9000 TPS, since a failed login costs the directory as much as a successful one.

  21. OAuth 2.0 (and its problems)

  22. The theory behind it (diagram)

  23.–25. Based on tokens (diagram, built up over three slides)

  26. OAuth 2 - Password Grant. The client posts the user's credentials once; the authorization server verifies the password (against LDAP), generates a token pair and records it in its token store:

      POST /oauth2/token HTTP/1.1
      Host: api.superbiz.io
      User-Agent: curl/7.43.0
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 54

      grant_type=password&username=snoopy&password=woodstock

      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "access_token":"2YotnFZFEjr1zCsicMWpAA",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
      }

  27. OAuth 2.0 Message

      POST /painter/color/object HTTP/1.1
      Host: api.superbiz.io
      Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
      User-Agent: curl/7.43.0
      Accept: */*
      Content-Type: application/json
      Content-Length: 45

      {"color":{"r":0,"g":0,"b":255,"name":"blue"}}

  28.–31. OAuth 2.0 Messages: the same bearer token 2YotnFZFEjr1zCsicMWpAA is sent unchanged on each following call to api.superbiz.io:

      POST /painter/color/palette   {"color":{"r":0,"g":255,"b":0,"name":"green"}}
      POST /painter/color/select    {"color":{"r":255,"g":0,"b":0,"name":"red"}}
      POST /painter/color/fill      {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
      POST /painter/color/stroke    {"color":{"r":255,"g":200,"b":255,"name":"orange"}}

  32. 401: the access token is no longer accepted (expired), so the client has to obtain a new one.

  33. OAuth 2 - Refresh Grant. The client presents the refresh token instead of the password; the authorization server verifies it against the token store and generates a new pair:

      POST /oauth2/token HTTP/1.1
      Host: api.superbiz.io
      User-Agent: curl/7.43.0
      Accept: */*
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 61

      grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store
      Pragma: no-cache

      {
        "access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
        "expires_in":3600,
        "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e"
      }

  34. Old pair • Access Token 2YotnFZFEjr1zCsicMWpAA • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA. New pair • Access Token 6Fe4jd7TmdE5yW2q0y6W2w • Refresh Token hyT5rw1QNh5Ttg2hdtR54e

  35. What have we achieved? • Avoid high-rate username + password transit on the wire • Replaced by a blind « token » referencing a state on the server side • Generate many « short-lived » passwords stored on devices • Create a « new » … HTTP Session architecture
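The password grant (slide 26), the repeated bearer calls (27 to 31), the 401 and refresh grant (32 to 34) and the summary on slide 35 describe one protocol. The Go program below is an added example of that exchange, not code from the talk and not TomEE or MicroProfile code. The token endpoint and the resource servers' Verify call share one TokenStore, which is exactly the server-side state a blind token references. The user directory (snoopy/woodstock standing in for LDAP), the injectable clock and the in-memory maps are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const accessTokenTTL = time.Hour // expires_in=3600 on the slides

// TokenPair is the JSON body the token endpoint returns.
type TokenPair struct {
	AccessToken  string `json:"access_token"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
}

// grant is the server-side state a blind (opaque) token points at.
type grant struct {
	subject         string
	expiresAt       time.Time
	access, refresh string
}

// TokenStore is the "(Token Store)" box from the slides: the authorization server
// writes to it and every resource server that validates an opaque token reads it.
type TokenStore struct {
	now     func() time.Time  // injectable clock so expiry can be exercised
	access  map[string]*grant // access token  -> grant
	refresh map[string]*grant // refresh token -> grant
	users   map[string]string // constructed stand-in for the LDAP directory
}

func NewTokenStore(now func() time.Time) *TokenStore {
	return &TokenStore{now: now, access: map[string]*grant{}, refresh: map[string]*grant{},
		users: map[string]string{"snoopy": "woodstock"}} // constructed test user
}

// randomToken returns 128 bits of CSPRNG output as unpadded URL-safe base64.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// issue creates a fresh pair and registers it in the store.
func (s *TokenStore) issue(subject string) TokenPair {
	g := &grant{subject: subject, expiresAt: s.now().Add(accessTokenTTL), access: randomToken(), refresh: randomToken()}
	s.access[g.access], s.refresh[g.refresh] = g, g
	return TokenPair{AccessToken: g.access, ExpiresIn: int(accessTokenTTL.Seconds()), RefreshToken: g.refresh}
}

// Token handles POST /oauth2/token; body is the x-www-form-urlencoded request body.
func (s *TokenStore) Token(body string) (TokenPair, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return TokenPair{}, err
	}
	switch form.Get("grant_type") {
	case "password": // the only place the password is checked: one LDAP hit per login, not per request
		if pw, ok := s.users[form.Get("username")]; !ok || pw != form.Get("password") {
			return TokenPair{}, errors.New("invalid_grant")
		}
		return s.issue(form.Get("username")), nil
	case "refresh_token": // rotate: the old pair dies, so a leaked refresh token cannot be replayed
		g, ok := s.refresh[form.Get("refresh_token")]
		if !ok {
			return TokenPair{}, errors.New("invalid_grant")
		}
		delete(s.refresh, g.refresh)
		delete(s.access, g.access)
		return s.issue(g.subject), nil
	default:
		return TokenPair{}, errors.New("unsupported_grant_type")
	}
}

// Verify is what every resource server (every hop) must do with a bearer token:
// look the blind token up in the store. Returns the subject and 200, or "" and 401.
func (s *TokenStore) Verify(authorization string) (string, int) {
	if !strings.HasPrefix(authorization, "Bearer ") {
		return "", 401
	}
	g, ok := s.access[strings.TrimPrefix(authorization, "Bearer ")]
	if !ok || !s.now().Before(g.expiresAt) {
		return "", 401 // unknown, rotated-out or expired: the client falls back to the refresh grant
	}
	return g.subject, 200
}

func main() {
	clock := time.Now()
	s := NewTokenStore(func() time.Time { return clock })
	pair, _ := s.Token("grant_type=password&username=snoopy&password=woodstock")
	fmt.Println(s.Verify("Bearer " + pair.AccessToken)) // accepted by the store lookup
	clock = clock.Add(accessTokenTTL + time.Second)     // the access token expires
	fmt.Println(s.Verify("Bearer " + pair.AccessToken)) // 401: time for the refresh grant
	pair2, _ := s.Token("grant_type=refresh_token&refresh_token=" + pair.RefreshToken)
	_, err := s.Token("grant_type=refresh_token&refresh_token=" + pair.RefreshToken)
	fmt.Println(pair2.AccessToken != pair.AccessToken, err) // new pair issued, old refresh token dead
}
```

Every Verify call is a round-trip to the store, which is the "token checks" column of the OAuth 2 diagrams: once the backend hops validate the token too, that is 3000 + 12000 lookups per second against shared state. The refresh branch rotates both tokens and invalidates the old pair, so a stolen refresh token works at most once before the legitimate client's next refresh fails and reveals the theft. The store is single-threaded here; a real one is a database or cache with locking.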

  36. OAuth 2, 4 hops (diagram): the password now goes to the OAuth 2 server only 1000 times per day (verified against LDAP); tokens are sent at 3000 TPS (HTTP+SSL) at the frontend, costing 3000 TPS of token checks; the backend runs 12000 TPS with no auth.

  37.–38. OAuth 2 (diagram, two slides): password sent 1000/daily (LDAP); tokens sent 3000 TPS (HTTP+SSL) at the frontend; token checks 3000 TPS at the frontend and 12000 TPS across the backend once every hop validates the token against the token store.

  39. OAuth 2, 0 hops (diagram): password sent 1000/daily (LDAP); tokens sent 3000 TPS (HTTP+SSL); backend 0 TPS; token checks 0 TPS and 0 TPS.
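The agenda on slide 2 promises OAuth2 with JWT and a demo with MP-JWT on Apache TomEE; the slides in this transcript stop before that part. The property a signed, self-contained token buys over the opaque tokens in the diagrams above is that the "token checks" column can go to zero: each hop verifies the token with the issuer's public key and never consults a token store. The following is an added example in Go of that mechanism, not the talk's Java/MicroProfile demo and not TomEE code. The issuer https://auth.superbiz.io, the user and group values and the Claims field set are assumed; upn and groups follow the MicroProfile JWT claim names, the rest RFC 7519.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded URL-safe base64

// Claims is the state the token itself carries, in place of a token-store row.
// Names follow RFC 7519 plus the MicroProfile JWT upn/groups claims (values are assumed).
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Upn    string   `json:"upn"`
	Groups []string `json:"groups"`
	Iat    int64    `json:"iat"`
	Exp    int64    `json:"exp"`
}

// Sign runs on the authorization server, the only party holding the private key.
func Sign(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// A JWS ES256 signature is r||s, each left-padded to 32 bytes (RFC 7518 section 3.4), not ASN.1 DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify runs on every backend hop with nothing but the issuer's public key:
// no token store and no network call, so the per-hop "token checks" load is zero.
func Verify(pub *ecdsa.PublicKey, token, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: the verifier decides, never the token (blocks alg=none and key confusion).
	var hdr struct{ Alg string `json:"alg"` }
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("bad header or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	// Only a payload whose signature checked out is parsed and trusted.
	var c Claims
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != issuer {
		return nil, errors.New("wrong issuer")
	}
	if now.Unix() >= c.Exp { // a missing exp is 0 and therefore expired: fail closed
		return nil, errors.New("token expired") // same 401 as before, but decided locally
	}
	return &c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // issuer key pair; hops get only priv.PublicKey
	now := time.Now()
	tok, _ := Sign(priv, Claims{Iss: "https://auth.superbiz.io", Sub: "snoopy", Upn: "snoopy",
		Groups: []string{"painter"}, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	fmt.Println(tok)
	c, err := Verify(&priv.PublicKey, tok, "https://auth.superbiz.io", now) // what each hop does, offline
	fmt.Println(c.Upn, c.Groups, err)
	_, err = Verify(&priv.PublicKey, tok, "https://auth.superbiz.io", now.Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The trade-off is the one slide 35 hints at: the state has moved from the server into the token, so nothing can revoke a JWT before its exp without reintroducing server-side state. Keep exp short and let the refresh grant rotate tokens, and pin the algorithm and issuer on the verifying side as above rather than trusting the header. In MP-JWT the verifying public key and expected issuer are container configuration rather than application code, but the checks are the same.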
