MicroSvcs_Security

• Security

  • Auth architecture revolution

    • Single server cookie based auth

    • Multi server sticky session based auth

    • Auth Service and token

    • Gateway and token

    • Gateway and JWT

  • Microservices security architecture

    • External access token internal JWT token

    • Encrypted JWT token

    • External access token internal JWT token with token cache

    • Identity proxy with backend services

  • Real world examples

    • Auth at Netflix

    • Tianpan.co

    • An excellent blogger

Security

Auth architecture revolution

Single server cookie based auth

Auth version 1

Multi server sticky session based auth

• Cons:

  • Sticky session binds a session to a server. If the server goes down or needs to be maintained.

  • Sticky session needs to store session data in load balancer.

• Possible solutions:

  1. Session synchronization by replicating across web servers

  2. Store session data completely inside users' browser

     • Cons: Limited size of cookie

  3. Store session data in a shared storage

Sticky session

Auth Service and token

• Pros:

  • Encapsulate everything related with token issuing

  • Introduce the concept of token, which could be passed around between services

• Cons:

  • Services need to implement the logic to validate the token.

  • All services need to talk to authSvc, which might become a performance bottleneck.

  • All requests need to be verified via auth service.

Auth service and token

Gateway and token

• Pros:

  • Gateway centralizes the logic of parsing userInfo. Only gateway need to validate the token with auth service.

• Cons:

  • All requests need to be verified via auth service. Auth service needs to be maintained and scaled in a manageable way.

Gateway and token

Gateway and JWT

• Pros:

  • Compact and lightweight

  • Low pressure on Auth server

  • Simplify the implementation of auth server

• Cons:

  • Could not invalidate a JWT token if it has been leaked

  • JWT might become big

Gateway and token

Microservices security architecture

External access token internal JWT token

• Cons: Still rely on gateway to switch access token with JWT token.

first arch

Encrypted JWT token

• Pros: Stateless token

second arch

External access token internal JWT token with token cache

• Most widely used in practice

third arch

Identity proxy with backend services

• Identity-aware proxy is a reverse proxy that allows either public endpoints or checks credentials for protected endpoints. If the credential is not presented but required, redirect the user to an identity provider. e.g. k8s ingress controller, nginx, envoy, Pomerium, ory.sh/oathkeeper, etc.

• Identity provider and manager is one or a few services that manage the user identity through certain workflows like sign in, forgot password, etc. e.g. ory.sh/kratos, keycloak

• OAuth2 and OpenID Connect provider enables 3rd-party developers to integrate with your service.

• Authorization service controls who can do what.

Real world examples

Auth at Netflix

• https://netflixtechblog.com/edge-authentication-and-token-agnostic-identity-propagation-514e47e0b602
• A talk on InfoQ: https://www.infoq.com/presentations/netflix-user-identity/
• Access control at Netflix: https://netflixtechblog.com/consoleme-a-central-control-plane-for-aws-permissions-and-access-fd09afdd60a8
• Netflix container security: https://netflixtechblog.com/evolving-container-security-with-linux-user-namespaces-afbe3308c082
• Netflix detect credential leak: https://netflixtechblog.com/netflix-cloud-security-detecting-credential-compromise-in-aws-9493d6fd373a
• Netflix viewing privacy: https://netflixtechblog.com/protecting-netflix-viewing-privacy-at-scale-39c675d88f45

Tianpan.co

• https://tianpan.co/#big-picture-authn-authz-and-identity-management

An excellent blogger

• https://medium.com/@chamod.14_80003/token-caching-wso2-api-manager-5c5b3d6ddd09

• https://www.pingidentity.com/en/company/blog/posts/2021/ultimate-guide-token-based-authentication.html

• Protecting Server Resources Hosting Unauthenticated APIs
• Who Owns API Security, and How Much Security Is Enough?
• DSig Part 1: XML Digital Signature and WS-Security Integrity
• DSig Part 2: JSON Web Signature (JWS)
• DSig Part 3: XML DSig vs. JSON Web Signature
• API Security vs. Web Application Security Part 1: A Brief History of Web Application Architecture
• API Security vs. Web Application Security: Part 2
• SAML 2.0 VS. JWT: UNDERSTANDING FEDERATED IDENTITY AND SAML
• Delegation — A General Discussion
• OAuth2 Access Tokens vs API Keys — Using JWTs
• OAuth2 Access Tokens and Multiple Resources Series
• Authorization Series
• The Benefits of JWTs as OAuth2 Access Tokens
• IDENTIVERSE REFLECTIONS: NEWS, TRENDS AND A GLIMPSE INTO THE FUTURE
• The Many Ways of Approaching Identity Architecture
• A Brief Summary of All Things Apigee and API Management that I Have Written
• Authentication vs. Federation vs. SSO
• What is Authorization?
• How To Submit Your Security Tokens to an API Provider Pt. 1
• JWT Use Cases
• Application Security Models
• Identity Propagation in an API Gateway Architecture
• An Alternative to Delegated Access in the Enterprise
• SAML2 vs JWT: Apigee & Azure Active Directory Integration — A JWT Story
• Keeping Your APIs Secure for Multiple User Types
• Sample: WSO2 EI Cache Mediator based Token Caching