Что нам стоит ААА построить?
Oleksii Petrov
Skelia Ukraine / ETWater
Who am I?
System Architect
Team Lead
PHP Developer
Find me on
@alexhelkar
alexhelkar
https://github.com/alexhelkar
Identification
Authentication
Authorization
Accounting
Domain
I-A-A-A
Identification
Identification
Coffee Shops
Coffee Shop: Workflow
Killer Feature
As a
Coffee shop owner
In order to
Give a discounts to returning customers
I want to
Earn more money
Coffee Shop:
Discounts Solution
Coffee Shop:
Discounts Solution
Stateless
Coffeeshop
HTTP Cookies (1996)
Cookies: Subsequent Request
Cookies: Embedding data
Where the data lives?
Adding Security
Adding Security
Subsequent Requests
Is that still secure?
How to protect yourself?
What if?
What if?
Hooray!
We invented Sessions...
Now, state is our problem
Now, state is our problem
Scale: Step 1
Scale: Step 1
Scale: Step 2
Shared Cache
Scale: Step 2
Scaling the system
Scale: Step 3
Distributed Cache
Scale: Step 3
Eventual Consistency
Scale: Step 4
Sticky Session
The Web has changed
(2008)
REST
RIA
SPA
AJAX
MVC
Stateless REST
State Awareness
Plugable storages
We are not asked to save server's state anymore
Easy to scale
What about Identification?
Let's design a Token
ID Token Requirements
Self-contained
Expiration Date
URL-safe
Secure
ID Token Design: Self-contained
{ "exp": "1497052800", "name": "John Doe", "admin": true }
Data
Base64(Data)
ew0KICAiZXhwIjogIjE0OTcwNTI4MDAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJhZG1pbiI6IHRydWUNCn0=
{ "alg": "HS256" }
Meta
Passphrase
my-secret-passphrase
ID Token Design: Security
Base64(Data)
ew0KICAiZXhwIjogIjE0OTcwNTI4MDAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJhZG1pbiI6IHRydWUNCn0=
ew0KICAiYWxnIjogIkhTMjU2Ig0KfQ==
Base64(Meta)
ID Token Design: Security
HMACSHA256( Base64(Meta).Base64(Data), "my-secret-passphrase" )
d0Ao0wmaXL_X3uxLPL8K58DJvyq7vjbrFJFg85mrMe4
SIGNATURE
Base64(Meta).
Base64(Data).
SIGNATURE
eyJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNDk3MDUyODAwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.d0Ao0wmaXL_X3uxLPL8K58DJvyq7vjbrFJFg85mrMe4
Hooray!
We invented a
JWT Tokens...
Workflow
HMAC
RSA
A Unicorn?
Real Life Example
Token
Authentication Server
Resourse Server
The Platform
Issues?
Invalidate a single
Token
Change a JWT Secret Key
Create a Blacklist
Shared Cache
Create a Blacklist
Distributed Cache
Short TTL
Really?
JWT Benefits?
Store on a client?
Session/Local storage could be a security issue
Easier to use?
NO! It's not! Session management is you problem
More secure?
Same as signed cookie. You can sign anything you want
JWT Benefits?
Built-in expiration?
Expiration could be used in ANY server-side implementation
Easier to use?
NO! It's not! Session management is you problem
More secure?
Same as signed cookie. You can sign anything you want
JWT Benefits?
Data goes stale
Any data you put in token will live until expiration date
Tokens invalidation
Impossible to resolve this issue and remain stateless
JUST A TOKEN FORMAT!
JWT just a format for a token as many others out there
How Metro solves their problem?
+ Blacklist
+ Local cache
on station
+ Eventual
Consistency
+ Central server
https://habrahabr.ru/post/141213/
What to use?
OAuth2
Authentication framework
Bearer Tokens
State stored on a servers
JWT
Could be premature. Hard to keep stateless. (Remember Metro?). Useful in scoped env.
Could migrate later, because clients do not matter
Let's talk microservices
Real Life Microservices
API Gateway
Microservices
Otolaryngologist
Service
Neurologist
Service
Surgeon
Service
Doctor's Appointment
Do you really think that programmers invented microservices?
API Gateway
(pattern)
Common things...
Rate Limit
Parameters validation
Authorization
Load balancing
Circuit breaker
CORS Headers
IP Restrictions
Usage Limits
Caching
Request Transformer
Response Transformer
How it looks?
The "Pattern"
Not a SPOF
Enhance 3rd parties
Resell 3rd parties
Solutions
Kong
API Gateway
AWS
API Gateway
Amazon
Mashape
2015
AWS Gateway
Our case
Our case
Authorization (V1)
Authenticated Users
Can access only own data
Anonymous Users
Can access only anonymous data by ID
Authorization V2
Domain
Hierarchy
Sharing Access
Shares Read Access
Family Access
Company Access
Service Accounts
Limited Access to one/multiple companies
Others
Limited Access to one/multiple users
Admin Accounts
Full Access to all accounts
Hierarchical Data
Observations
Users
User Groups
Sharing Concept
Resousrce
{
"name": "User",
"actions": ["User::READ"]
}
Resousrce
{ "name": "User", "actions": ["User::READ"] "actionsToIds":[ "MODIFY": [ "454f99ea0ed23", "ae0381edcb6f6" ] ] }
Resousrce
{ "name": "User", "actions": ["User::READ"] "actionsToIds":[ "MODIFY": [ "454f99ea0ed23", "ae0381edcb6f6" ] ], "children": [ { "name": "Project", "actions": ["Project::REPORTS"] } ] }
User
{
"id": "0e78bce089b43"
}
User
{ "id": "0e78bce089b4" "shared": [ "56a0a8e364ed": [ // Resources list ] ] }
User
{
"id": "0e78bce089b4"
"shared": [
"56a0a8e364ed": [
{
"name": "Project",
"actions": ["Project::REPORTS"] } ] ] }
User
{ "id": "0e78bce089b4" "shared": [ "56a0a8e364ed": [ { "name": "Project",
"actionsToIds": { "Project::REPORTS": [ "80dfd6e7c112" ] } } ] ] }
User
{ "id": "0e78bce089b4" "shared": [ "56a0a8e364ed": [ // Resources list ] ] "usersSharedToMe": [ "8ddc2a735157" ] }
Group
{
"id": "e6443763fa73"
"shared": [
"56a0a8e364ed": [
// Resources list
]
]
"usersSharedToMe": [
"8ddc2a735157"
]
}
Rule of Thumb
Most concrete Authorization Rules should WIN
Collapsing Rules
Collapsing Rules
{ "id": "0e78bce089b4" // USER 1 "shared": [ "56a0a8e364ed": [ // USER 2 { "name": "Project",
"actionsToIds": { "Project::REPORTS": [ // ACTION "80dfd6e7c112" // PROJECT ] } } ] ] }
Collapsing Rules
[
{
"filter": [
"userId": "56a0a8e364ed", // USER 2
"actions": [User::FULL_ACCESS]
]
},
{
"filter": [ "userId": "56a0a8e364ed", // USER 1 "projectId": "80dfd6e7c112", // Resource "actions": [Project::REPORTS] // Action ] } ]
Out of a demo
API Endpoint + Method
Defines scope of ACL rule to be sent
User Groups
ACL Service managing who consist in what group
Resource ID field
Defined in configs
AWS S3 Example
{
"Id": "Policy1487428541537",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1485128492714",
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket/*",
"Principal": "*"
}
]
}
And remember ...
There is no Unicorns
out there
Thanks!
Questions?
Find me on
@alexhelkar
alexhelkar
https://github.com/alexhelkar
Что нам стоит ААА построить?
By Oleksii Petrov
Что нам стоит ААА построить?
- 2,477