Professional Documents
Culture Documents
Implementing Microservices Security Patterns & Protocols With Spring Security 5
Implementing Microservices Security Patterns & Protocols With Spring Security 5
Dec 13 2018
● Who has tried the OAuth 2.0 Client features in Spring Security 5.1?
● Who has tried the OAuth 2.0 Resource Server features in Spring Security 5.1?
So you want to build
secure cloud native
applications!
The Security Toolbox
It’s easy to get confused
Goal for this talk is to organize the security toolbox
So you can build secure cloud native applications
So you can work better with your infosec team
The plan is to explore
security patterns and
protocols through a series Cover w/ Image
App 1 App 1
Server Database
How to allow users to use the credentials with app 1 and app 2?
Extract user tables into its own database
App 1 App 1
Server Database
User
Database
App 2 App 2
Server Database
Extract user tables into its own database
Challenges
● 2 application collects credentials and thus can App 1 App 1
leak credentials Server DB
Challenges
App 1 App 1
Server
● 3rd party app does not understand the DB
App 1 App 1
Server Database
Demo
How can my new cloud native
application integrate with the existing
corporate standard Active Directory /
LDAP / SAML infrastructure?
Introduce OpenID Connect to LDAP Bridge
● Configure the OpenID Connect Server
to use LDAP when Authenticating App 1 App 1
Server DB
users
OpenID Connect
OAuth 2
● Given a JWS document you can answer two questions about the JSON payload of the
document
○ Has this JSON object been changed since it was created?
○ Who created this JSON object?
“JSON Web Signature (JWS) represents content secured with digital signatures or Message
Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and
identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA)
specification and an IANA registry defined by that specification. Related encryption capabilities are
described in the separate JSON Web Encryption (JWE) specification.” RFC 7515
JWS Format
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwI
iwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2c
Bab30RMHrHDcEfxjoYZgeFONFh7HgQ
base64url(header).base64url(payload).base64url(signature)
JWS Features
● A JWS document encoded in the compact serialization format can be safely included
in URLs or HTTP authorization headers
● It is easy to determine who created the document via shared secret or a certificate
Demo
OAuth 2.0 Authorization Framework
● Is a framework for allowing users to authorize applications to access their data
○ An invoicing application might request permission to allow it to send emails
containing invoices and payment reminders from your gmail account
● Authorized applications get an access token that they can use to call a service
○ invoicing app gets an access token it can use to call gmail to send an email but
can’t use the token to delete emails or read them
● Does not tell the authorized application anything about the identity of the user
○ The invoicing app can’t find out profile or other information about the user that
authorized the invoicing app to send emails via gmail
This framework was designed with the clear expectation that future work will define
prescriptive profiles and extensions necessary to achieve full web-scale interoperability.”
- RFC 6749
4 Key OAuth Concepts / Terms
● Resource Server
○ a network accessible service
○ typically a web application or an api
● Resource Owner
○ An entity that can agree to provide access to a protected resource
○ typically a person
● Client
○ an application making requests to a resource server
○ Typically web application calling an api or an api calling an api
● Authorization Server
○ Ask the resource owner if they will allow a client to access a resource server on
their behalf
○ Issues access tokens allowing client to call the resource server
Getting an Access Token from an OAuth2 Server
yes Authorization
Resource Owner Server
n
ca
fi I
r
w ne ver x
o er
t he ce s
sk ur AT
s e a reso
a
ple cess
ac Resource Server
X
App 1 AT
Server
aka
Client
Resource Owner Password Credentials Grant
Give me an access
token because I
know the users
password
By the way be
warned I can’t be
trusted to keep the
token secure so give
me a temporary
access token
● Defines a userinfo endpoint that clients can call to learn details about the user such as
email address, profile, contact info … etc.
✅ OpenID Connect
✅ OAuth 2
✅ Javascript Object Signing and Encryption (jose)
✅ JSON Web Token (JWT)
✅ JSON Web Signature (JWS) ✅ JSON Web Encryption (JWE)
✅ JSON Web Algorithms (JWA) & JSON Web Key (JWK)
How is a single microservice
secured?
Microservices talk to each other
Essence of the solution
Every request to a microservice must include a security token that the microservice can
easily validate and use for making authentication / authorization decisions.
What protocol does your microservice speak?
● HTTP (REST, SOAP)
● AMQP (Messaging)
● Protocols will evolve over time so it’s best to make sure that any security solution can
work with current and future protocols
What format should the security token use?
● Is the token format standardized?
● Are there lots of libraries in lots of programming languages for working with the
token?
● Your HTTP only microservices will likely evolve to support support other protocols
such as AMQP, Thrift, or gRPC
● JWT is a simple and useful security token format with libraries available in most
programming languages
Microservice Microservice
JWT
A B
Implementing a ● Implementing a Resource Server
Resource Server
with Spring
Security 5.1
Demo
Multiple Microservices
How should the UI code interact with microservices?
Browser
What about CORS?
What about a Native
Mobile Clients?
A B C
Monolithic Edge Gateway
Make a UI Microservice that is exposed to end users and have it serve up the UI?
Browser
Native Mobile
UI
A B C
Backend For Frontend (BFF)
Extend each UI experience with a dedicated backend component for UI
http://samnewman.io/patterns/architectural/bff/
Browser
WEB iPhone
iPhone Mobile
BFF BFF
A B C
The Big Picture
Edge
Microservice Microservice Microservice
Microservices
Internal
Microservices
Problem: How can we secure the call chain between different microservices?
Bearer Token Relay
Oauth2
Server
Get token
BFF A B
● The access and id tokens are passed from the edge microservice to the downstream
microservices.
● Bearer tokens have many well known attacks against them. Collaborate with your
infosec team on a solution that takes your specific context into account before
Bearer Token Cautionary Tale Facebook hack of 50 million
accounts
“The perpetrator’s ultimate aim was to steal what are known as “OAuth bearer tokens.”
Essentially, these tokens prove the Facebook user is the rightful owner of an account
and denote what they have access to. As Shadwell describes them: “OAuth tokens are
like car keys, if you're holding them you can use them, there's no discrimination of the
holder.” And in the context of this attack, those keys unlocked not just Facebook accounts,
but any site that affected users accessed with a Facebook login. That might include
Instagram or news websites.” -- Forbes Arcticle @
https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-
why-its-a-disaster-for-internet-security/#5a1b65a20336
● How to implement Token Relay with Spring
Security 5
Token Relay
Bearer Token Exchange
Oauth2
Server Get token
Get token
BFF A B
● At every hop of the microservice call chain we exchange the token we got for a new
token to use with downstream services
● Bearer tokens have many well known attacks against them. Collaborate with your
infosec team on a solution that takes your specific context into account before
● How to implement Token Exchange with Spring
Security 5
Token Exchange
Service Username / Password
Oauth2
Server
Get token
BFF A B
● At every hop of the microservice call chain we exchange the token we got for a new
token to use with downstream services
● Bearer tokens have many well known attacks against them. Collaborate with your
infosec team on a solution that takes your specific context into account before
using token exchange.
● How to use Client Credentials with Spring
Security 5
Client Credentials
PCF and Microservice Security
PCF and Microservice Security
● PCF provides three features that are useful when implementing microservices security
○ Route Services
○ Container to Container networking
○ Container Instance Identity
● https://docs.cloudfoundry.org/servic
es/route-services.html
Container-to-Container Networking
● Enables direct communication between
application containers on Cloud Foundry
● https://docs.cloudfoundry.org/concepts/u
nderstand-cf-networking.html
Container Instance Identity
● Every container instance created on a Cloud Foundry is assigned a unique
○ X.509 certificate
○ PKCS#1 RSA private key
● The certificate and key pair are rotated every 24 hours or shorter duration set by the
administrator
● Enables mutual TLS between microservices calling each other OAuth spec assumes
TLS is used
○ https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-vi
a-automatic-cert-rotation