Macklin Hartley
I help top-notch organisations by bringing together crystal-clear objectives, a culture of support, streamlined operations, and adaptable technology.
| Role | Entity |
|---|---|
| Client | Spotify |
| Resource Server | |
| Authorization Server | |
| Resource Owner | A Person |
[Diagram: Service A calls Service B with `GET /users/123` carrying a shared key, `Authorization API-KEY-123`. ☠️ marks the key being compromised. The key is rotated, so requests become `GET /users/123` with `Authorization NEW-KEY-234`, yet requests with the old `Authorization API-KEY-123` keep arriving.]
```java
import java.util.ArrayList;
import java.util.Collection;

// Role lookup keyed on shared API keys: every caller needs its own
// hard-coded key/role pair (the constants are defined elsewhere in the service).
public Collection<String> getRoles(String auth) {
    Collection<String> roles = new ArrayList<>();
    if (auth.equals(SERVICE_A_KEY)) {
        roles.add(SERVICE_A_ROLE);
    }
    if (auth.equals(SERVICE_B_KEY)) {
        roles.add(SERVICE_B_ROLE);
    }
    // ... one more branch for every additional service
    return roles;
}
```

| AuthN | AuthZ |
|---|---|
| Authentication | Authorization |
| Your identity | Your access |
| Who are you? | What are your privileges? |
[Diagram: Service A and Service B now sit alongside an AuthZ Service. The calling service sends `POST /token` with `Client ID: 1234` and `Client Secret: 1234-1234`; the AuthZ Service answers with `Access Token: eyJ0eXA...` and `Expires: 86400`.]
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJEUXhPVVZET1RjeVJVRXhOa1E0TkRsQlEwWXpRVGc0TUVWR01qRTNNekV5T0RaRE5qa3lOdyJ9.eyJpc3MiOiJodHRwczovL3Zndy1wYXltZW50cy1zcGlrZS5hdXRoMC5jb20vIiwic3ViIjoiZVBrZzIxTTNkWE9yZmxKR3E1MXVFcFRGTlFvTnp2SUdAY2xpZW50cyIsImF1ZCI6Im.TudIn5Q35axZ56k6iL6ahi8hkV0SjHnqgmfzywBLNNCkOz6iHHBm6TOY3BEY0oFQ3tIRxbr4I8Tu1gTbIlUiTMVH9chA5AR_NbhbYnNXXhVm2OzJABiwJFZrEFR8XL3Dx7MCqWeeInHpKFC5nz0LLlPvuZmncGW2S_kBeGkGAfeuMxjXQADLgBafr61FNx9XjQ8JT5BfDC0FEIq7pn3MIYgvDpWmtFlKe5pfPaHszPjdjNcmSzeiSnqXhSqknPvnc5pkWLpt0LzEdpJDcRwdNpKfalgOejkJSH07EYLoQH1Mp7AH5a0w10mr5qO82jU14SL_Dkd6JIrtKM2krA
```
{ "typ": "JWT", "alg": "RS256" }
.
{ "iss": "https://auth0.com", "sub": "1234@clients", "exp": 1540272674, "scope": "read:users write:users" }
.
RSASHA256(base64url(header) + "." + base64url(payload), privateKey)
```

With `alg: RS256` the third part is an RSA signature over the first two parts made with the issuer's private key; it is not an HMAC over a shared secret, which is why the resource server can check it with the public keys published at the JWKS endpoint.
[Diagram: Service A calls Service B with `POST /users/123` and `Authorization: Bearer eyJ0eXA...`. Service B fetches the issuer's public keys from the AuthZ Service with `GET /verify/jwks.json`, then: verify token, verify signature, check scopes.]
https://github.com/macklin-hartley-vgw/auth0-s2s-spike
By Macklin Hartley
A crash course in setting up secure authenticated communication between micro-services using OAuth 2.0