This talk is about how to secure your frontend+backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your frontend application is running on a browser and not securely from the server, there are few things you need to consider.
In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend.
Video available at https://skillsmatter.com/skillscasts/6058-stateless-authentication-for-microservices
2. @alvaro_sanchez
About me
● Passionate Software Developer.
● Worked at IBM BCS, BEA Systems and Sun
Microsystems.
● Founded Salenda and Escuela de Groovy.
● Working now at as a Web Architect.
● Living between Madrid and Gibraltar.
3. @alvaro_sanchez
About
● HTML5 games platform.
● We provide game developers a Javascript SDK.
● Server side logic and maths are handled by our
industry certified game engines.
● Seamless integration with several casinos.
● Check out play.odobo.com and play for free!
4. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
5. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
6. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
7. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
8. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
9. Authentication in monolithic apps
● Historically, authentication has always been a
stateful service.
● When moving to Single-Page Applications,
and/or having mobile clients, it becomes an
issue.
● If you are build a REST and stateless API, your
authentication should be that way too.
@alvaro_sanchez
13. Authentication and microservices
● Authentication: to verify the identity of the
user given the credentials received.
● Authorization: to determine if the user should
be granted access to a particular resource.
● In a microservices context:
○ Authentication can be a microservice itself.
○ Authorization is a common functionality in all of them.
@alvaro_sanchez
14. Authentication and microservices
Authentication
Service
@alvaro_sanchez
Javascript front-end
UI
Mobile app
Shopping cart
Service
Catalog
Service
Orders Service
Shipping
Service
User
repository
Catalog DB
Invoicing
DB
Shipping
partners
Web
Backend
Mobile
Backend
15. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
16. Introducing OAuth 2.0
An open protocol to allow secure authorization
in a simple and standard method from web,
mobile and desktop applications.
@alvaro_sanchez
17. OAuth 2.0: roles
Resource Owner: the person or the application
that holds the data to be shared.
Resource Server: the application that holds the
protected resources.
Authorization Server: the application that
verifies the identity of the users.
Client: the application that makes requests to
the RS on behalf of the RO.
@alvaro_sanchez
18. OAuth 2.0: roles
Resource Owner: the person or the application
that holds the data to be shared.
Resource Server: the application that holds the
protected resources.
Authorization Server: the application that
verifies the identity of the users.
Client: the application that makes requests to
the RS on behalf of the RO.
@alvaro_sanchez
19. OAuth 2.0: roles
Resource Owner: the person or the application
that holds the data to be shared.
Resource Server: the application that holds the
protected resources.
Authorization Server: the application that
verifies the identity of the users.
Client: the application that makes requests to
the RS on behalf of the RO.
@alvaro_sanchez
20. OAuth 2.0: roles
Resource Owner: the person or the application
that holds the data to be shared.
Resource Server: the application that holds the
protected resources.
Authorization Server: the application that
verifies the identity of the users.
Client: the application that makes requests to
the RS on behalf of the RO.
@alvaro_sanchez
22. OAuth 2.0: protocol flow
Hey, backend, could you please give me a list of
games?
@alvaro_sanchez
23. OAuth 2.0: protocol flow
Sorry mate, this is a protected resource. You will
need to present me an access token
@alvaro_sanchez
24. OAuth 2.0: protocol flow
Hi Google, can I get an access token please?
Backend is asking
@alvaro_sanchez
25. OAuth 2.0: protocol flow
Sure thing sir. I just need to ask a few details to
@alvaro_sanchez
the user first
26. OAuth 2.0: protocol flow
Hi, could you please provide me your
credentials? I need to verify your identity
@alvaro_sanchez
27. OAuth 2.0: protocol flow
That’s no problem at all. I am bob@gmail.com and
my password is secret.
@alvaro_sanchez
28. OAuth 2.0: protocol flow
The user is who claims to be. Here is your access
token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa
@alvaro_sanchez
29. OAuth 2.0: protocol flow
Hi Backend, this is my token:
qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa
@alvaro_sanchez
30. OAuth 2.0: protocol flow
Hi, I’ve been given qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa.
Could you please tell me who it belongs to?
@alvaro_sanchez
31. OAuth 2.0: protocol flow
Of course. That token is still valid and it belongs to
@alvaro_sanchez
bob@gmail.com.
32. OAuth 2.0: protocol flow
Everything is allright. This is the list of games.
@alvaro_sanchez
Enjoy!
33. OAuth 2.0: protocol flow
Here you are the list of games.Thank you for your
business and have a good day!
@alvaro_sanchez
34. OAuth 2.0: protocol flow
OAuth 2.0 is a delegation protocol, as
this guy has no idea about the
credentials of this guy
@alvaro_sanchez
35. OAuth 2.0: grant types
● Authorization code: for web server
applications.
● Implicit: for JS front-ends and mobile apps.
● Resource Owner Password Credentials: for
trusted clients.
● Client credentials: for service authentication.
@alvaro_sanchez
36. Authorization code grant
● For server-based applications, where the
client ID and secret are securely stored.
● It’s a redirect flow, so it’s for web server apps.
● The client (web server app) redirects the user
to the authorization server to get a code.
● Then, using the code and its client credentials
asks for an access token.
@alvaro_sanchez
41. Authorization code grant
https://myServerApp.com/oauth?code=CODE
Finishing authentication...
@alvaro_sanchez
42. Authorization code grant
Server-side POST request to: https://graph.
facebook.com/oauth/access_token
With this body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=http://myServerApp.com
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
@alvaro_sanchez
43. Authorization code grant
Example response:
{
"access_token": "RsT5OjbzRn430zqMLgV3Ia",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "e1qoXg7Ik2RRua48lXIV"
@alvaro_sanchez
}
44. @alvaro_sanchez
Implicit grant
● For web applications running on the browser
(eg: AngularJS, etc) or mobile apps.
● Client credentials confidentiality cannot be
guaranteed.
● Similar to the code grant, but in this case, the
client gets an access token directly.
49. Password credentials grant
● In this case, client collects username and
password to get an access token directly.
● Viable solution only for trusted clients:
○ The official website consumer of your API.
○ The official mobile app consuming your API.
○ Etc.
@alvaro_sanchez
51. Password credentials grant
POST request to: https://api.example.
org/oauth/access_token
With this body:
grant_type=password
&username=USERNAME&password=PASSWORD
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
@alvaro_sanchez
52. Password credentials grant
Example response:
{
"access_token": "RsT5OjbzRn430zqMLgV3Ia",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "e1qoXg7Ik2RRua48lXIV"
@alvaro_sanchez
}
53. Client credentials grant
● Service-to-service authentication, without a
particular user being involved.
○ Eg: the Orders microservice making a request to the
Invoicing microservice.
● The application authenticates itself using its
client ID and client secret.
@alvaro_sanchez
54. Client credentials grant
POST request to: https://api.example.
org/oauth/access_token
With this body:
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
@alvaro_sanchez
55. Client credentials grant
Example response:
{
"access_token": "RsT5OjbzRn430zqMLgV3Ia",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "e1qoXg7Ik2RRua48lXIV"
@alvaro_sanchez
}
56. Accessing the protected resource
Once the client has an access token, it can
request a protected resource:
GET /games HTTP/1.1
Host: api.example.org
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
@alvaro_sanchez
57. Token expiration and refresh
● If the Authorization Server issues expiring
tokens, they can be paired with refresh
tokens.
● When the access token has expired, the
refresh token can be used to get a new access
token.
@alvaro_sanchez
58. Tips for a front-end application
● Use the implicit grant.
○ Already supported for 3rd party providers like Google,
@alvaro_sanchez
Facebook.
○ If you hold your own users, have your backend to
implement the OAuth 2.0 Authorization Server role.
● Use HTML5’s localStorage for access and
refresh tokens.
59. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
60. Stateful vs. Stateless
● Authorization Servers are often stateful
services.
○ They store issued access tokens in databases for future
@alvaro_sanchez
checking.
● How can we achieve statelessness?
○ Issuing JWT tokens as access tokens.
61. Introducing JWT
JSON Web Token is a compact URL-safe means of
representing claims to be transferred between
two parties. The claims are encoded as a JSON
object that is digitally signed by hashing it using
a shared secret between the parties.
@alvaro_sanchez
62. Introducing JWT... in Plain English
A secure way to encapsulate arbitrary data that
can be sent over unsecure URL’s.
@alvaro_sanchez
63. When can JWT be useful?
● When generating “one click” action emails.
○ Eg: “delete this comment”, “add this to favorites”.
● To achieve Single Sign-On.
○ Sharing the JWT between different applications.
● Whenever you need to securely send a payload.
○ Eg: to “obscure” URL parameters or POST bodies.
@alvaro_sanchez
64. How does a JWT look like?
Header Claims
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJleHAiOjE0MTY0NzE5MzQsInVzZXJfbmFtZSI6InV
zZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYX
V0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfV
VNFUiJdLCJqdGkiOiI5YmM5MmE0NC0wYjFhLTRjNWUt
YmU3MC1kYTUyMDc1YjlhODQiLCJjbGllbnRfaWQiOiJ
teS1jbGllbnQtd2l0aC1zZWNyZXQifQ.
AZCTD_fiCcnrQR5X7rJBQ5rO-2Qedc5_3qJJf-ZCvVY
@alvaro_sanchez
Signature
69. Achieving statelessness
● Instead of storing the access token / principal
relationship in a stateful way, do it on a JWT.
● Access tokens with the JWT-encoded
principal can be securely stored on the client’s
browser.
● That way you are achieving one of the basic
principles of REST: State Transfer.
@alvaro_sanchez
70. Tips for using JWT
● JWT claims are just signed by default (JWS -
JSON Web Signature).
○ It prevents the content to be tampered.
● Use encryption to make it bomb proof.
○ Use any algorithm supported by JWE - JSON Web
@alvaro_sanchez
Encryption.
71. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. The Grails plugin.
5. Q&A.
75. Current status
● Latest release: 1.4.0.
● Compatibility layer over Spring Security Core.
○ Login and logout REST endpoints.
○ Token validation filter.
○ Memcached, GORM and Grails Cache token storages.
○ Partial implicit grant support through 3rd party
@alvaro_sanchez
providers.
○ Partial RFC 6750 Bearer Token support.
76. @alvaro_sanchez
Roadmap
● Upcoming release: 1.4.1.
○ Complete RFC 6750 Bearer Token support.
○ Due in few days.
● Next release: 2.0.
○ Complete RFC 6749 OAuth 2.0 support.
○ ETA: Q1 2015.
77. @alvaro_sanchez
Agenda
1. Authentication in monolithic applications vs
microservices.
2. Introduction to OAuth 2.0.
3. Achieving statelessness with JWT.
4. Demo.
5. Q&A.