SlideShare a Scribd company logo

Protecting Java Microservices: Best Practices and Strategies

Rodrigo Cândido da Silva
Rodrigo Cândido da Silva

Microservices have become the hottest topic in software architecture over the past year, and much can be said about their benefits. But there are many challenges related to their security implementation and security context propagation over their components. This session addresses how to perform authentication and authorization inside a microservices architecture, covering technologies such as OAuth2, OpenID Connect, and JSON Web Token and use of Spring Cloud Security to integrate with a Spring and/or Java EE–based application platform.

Technology
1 of 27
Download to read offline
Protecting Java Microservices Alessandro Ribeiro Rodrigo Cândido da Silva Best Practices and Strategies
Agenda ● Microservices ● Security requirements ● OAuth2, JWT, OpenID Connect ● Security practices
Monolithic vs. Microservices
How can we handle security needs over it?
REST APIs are vulnerable ● RESTful architecture doesn't define security procedures ● They are equally vulnerable as standard web apps ● There are many security vulnerabilities ○ Injection attacks ○ Replay attacks ○ Cross-site scripting ○ Denial of Service (DoS) ○ Man-in-the-middle
Authentication & Authorization
OAuth2 ● Open standard protocol specification ● Enables applications to access each other’s data without sharing credentials ● Avoid password issues ● Required for delegating access ○ Third party applications ○ For specified resource and limited time ○ Can be selectively be revoked
OAuth2 overview
OAuth2 token ● Access Token ○ Short-lived token ● Refresh Token ○ Long-lived token ● Bearer token ○ Hash random token ○ Only defines a secret concept (no user identity) ● Proof of possession { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "bearer", "expires_in": 3600, "scope": "read write", "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA" }
What's the issue w/using OAuth2 only? Not using a stateless token model (needs 3rd party validation)
How OAuth2 + JWT will work then? Stateless token model (embedded validate in the service)
JSON Web Tokens "Compact and self-contained way for securely transmitting information as a JSON object"
JSON Web Tokens OAuth2 + JWT (Replaces the bearer token to use JWT) { "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTMyODMxNzksInVzZXJfbmFtZSI6InVzZXIiLCJhdX Rob3JpdGllcyI6WyJVU0VSIiwiTUFOQUdFUiJdLCJqdGkiOiJkMGY5OTY2OC01NzdkLTRkZTEtODkwYi1hNDY1MTBkZj g2YjAiLCJjbGllbnRfaWQiOiJjbGllbnQiLCJzY29wZSI6WyJvcGVuaWQiXX0.iH1pnwJZPZi05hdpY9MDGIvtx34Dj8 lxc5fdU5c5NCCtUblT_L9kdZO6NaOIIZffbGzSHoyVUEZkSwkGXm6lT1jRTcOHq2khAZlwmO3hN3c1xb8bumAgmpF8fJ SIKTVIkFJpbVO4uDfHSSbBm6QsTbqHkNgNwWSWbNG1n6ZlsHCcZCh37cmgbh-B4tPD9QEfH3CSI6Z7AgUbS9UCIytjm0 2sgxgAr3liOcykRrdcOvxgIBx_yGDvornQ5JOBVdW-TS0-uJmHe6sHCFYeBNchJhRi7xqZCMYFD6IcP4dftPupzg3IMl 5oWberxhZTCCLoi18JtQyZgIgqmSlOAIq8wg", "token_type": "bearer", "expires_in": 43199, "scope": "read write", "jti": "d0f99668-577d-4de1-890b-a46510df86b0", "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA" }
OpenID Connect ● Identity layer on top of OAuth2 protocol ● ID tokens are JWT tokens ● REST-based ● Provide core endpoints ○ Authorization ○ Token, UserInfo (Identity, Authentication) + OAuth2 = OpenID Connect
Summary view
Best Practices
Create an API gateway “Applies the defense in depth principle”
Only exposes the gateway at DMZ over TLS “Cryptography data in transit"
Ensure data privacy “Sensitive data should be encrypted as early as possible"
Rate limiting the incoming client traffic “Prevents the DoS attacks"
"External requests should be verified" Implement CSRF and CORS filter protection
Increase security at the container level “Achieve the least-privilege security concept"
Monitor everything that is possible “Detects and prevents attacks"
Q&A ?
Thank you! Obrigado!
References • https://www.slideshare.net/spnewman/appsec-and-microservices • https://github.com/magnhaug/blogposts/blob/master/microservices-security.md • http://blog.leanix.net/en/authorization-authentication-with-microservices • http://colinmorelli.com/blog/2015/5/21/security-in-microservices • http://guild.beach.io/t/microservices-security/111 • http://techgenix.com/security-challenges-presented-microservices/ • https://book.gameontext.org/microservices/ApplicationSecurity.html • https://techbeacon.com/8-best-practices-microservices-security • http://www.devopsschool.com/slides/microservices/security-with-microservices/Security%20with% 20Microservices.pdf • https://www.owasp.org/index.php/REST_Security_Cheat_Sheet • http://www.grahamlea.com/2015/07/microservices-security-questions/ • http://blog.restcase.com/top-5-rest-api-security-guidelines/

Recommended

パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法inet-lab
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)iMasters
 
JSON Web Token
JSON Web TokenJSON Web Token
JSON Web TokenDeddy Setyadi
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policiesDhanu Gupta
 
JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web TokensIvan Rosolen
 
Autenticação com Json Web Token (JWT)
Autenticação com Json Web Token (JWT)Autenticação com Json Web Token (JWT)
Autenticação com Json Web Token (JWT)Ivan Rosolen
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
Blockchain Technology - The Next Superpower By Priyank Vaghela
Blockchain Technology - The Next Superpower By Priyank VaghelaBlockchain Technology - The Next Superpower By Priyank Vaghela
Blockchain Technology - The Next Superpower By Priyank VaghelaPriyankVaghela
 

Recommended

パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法inet-lab
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)iMasters
 
JSON Web Token
JSON Web TokenJSON Web Token
JSON Web TokenDeddy Setyadi
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policiesDhanu Gupta
 
JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web TokensIvan Rosolen
 
Autenticação com Json Web Token (JWT)
Autenticação com Json Web Token (JWT)Autenticação com Json Web Token (JWT)
Autenticação com Json Web Token (JWT)Ivan Rosolen
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
Blockchain Technology - The Next Superpower By Priyank Vaghela
Blockchain Technology - The Next Superpower By Priyank VaghelaBlockchain Technology - The Next Superpower By Priyank Vaghela
Blockchain Technology - The Next Superpower By Priyank VaghelaPriyankVaghela
 
Block chain b4usolution
Block chain b4usolutionBlock chain b4usolution
Block chain b4usolutionHoa Le
 
Sidechains introduction
Sidechains introductionSidechains introduction
Sidechains introductionLin Lin (Wendy)
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to BlockchainArunimShukla
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
Registro de Informações no Blockchain da rede Bitcoin
Registro de Informações no Blockchain da rede BitcoinRegistro de Informações no Blockchain da rede Bitcoin
Registro de Informações no Blockchain da rede BitcoinEdilson Osorio Junior
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Sidechain talk
Sidechain talkSidechain talk
Sidechain talkjojva
 
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?Digipolis Antwerpen
 
[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture
[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture
[WSO2Con USA 2018] Managing Transactions in Your Microservice ArchitectureWSO2
 
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)Brod Tech
 
Azure Unchained (Azure boot camp Sofia 2017)
Azure Unchained (Azure boot camp Sofia 2017)Azure Unchained (Azure boot camp Sofia 2017)
Azure Unchained (Azure boot camp Sofia 2017)Valio Bonev
 
CILogon & SciTokens: OIDC/OAuth Federation
CILogon & SciTokens: OIDC/OAuth FederationCILogon & SciTokens: OIDC/OAuth Federation
CILogon & SciTokens: OIDC/OAuth Federationjbasney
 
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Abhishek Kumar
 
Dicas e truques
Dicas e truquesDicas e truques
Dicas e truquesDemoiselle Framework
 
Intro into blockchain
Intro into blockchainIntro into blockchain
Intro into blockchainRoderik van der Veer
 
Capodieci - Proof of... what?
Capodieci - Proof of... what?Capodieci - Proof of... what?
Capodieci - Proof of... what?Roberto Capodieci
 
Hands on with multichain
Hands on with multichainHands on with multichain
Hands on with multichainRoderik van der Veer
 
Information security in private blockchains
Information security in private blockchainsInformation security in private blockchains
Information security in private blockchainsCoin Sciences Ltd
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NGWorteks
 
Boolberry reduces blockchain bloat
Boolberry reduces blockchain bloatBoolberry reduces blockchain bloat
Boolberry reduces blockchain bloatboolberry
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 

More Related Content

What's hot

Block chain b4usolution
Block chain b4usolutionBlock chain b4usolution
Block chain b4usolutionHoa Le
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to BlockchainArunimShukla
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
Registro de Informações no Blockchain da rede Bitcoin
Registro de Informações no Blockchain da rede BitcoinRegistro de Informações no Blockchain da rede Bitcoin
Registro de Informações no Blockchain da rede BitcoinEdilson Osorio Junior
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Sidechain talk
Sidechain talkSidechain talk
Sidechain talkjojva
 
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?Digipolis Antwerpen
 
[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture
[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture
[WSO2Con USA 2018] Managing Transactions in Your Microservice ArchitectureWSO2
 
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)Brod Tech
 
Azure Unchained (Azure boot camp Sofia 2017)
Azure Unchained (Azure boot camp Sofia 2017)Azure Unchained (Azure boot camp Sofia 2017)
Azure Unchained (Azure boot camp Sofia 2017)Valio Bonev
 
CILogon & SciTokens: OIDC/OAuth Federation
CILogon & SciTokens: OIDC/OAuth FederationCILogon & SciTokens: OIDC/OAuth Federation
CILogon & SciTokens: OIDC/OAuth Federationjbasney
 
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Abhishek Kumar
 
Capodieci - Proof of... what?
Capodieci - Proof of... what?Capodieci - Proof of... what?
Capodieci - Proof of... what?Roberto Capodieci
 
Information security in private blockchains
Information security in private blockchainsInformation security in private blockchains
Information security in private blockchainsCoin Sciences Ltd
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NGWorteks
 
Boolberry reduces blockchain bloat
Boolberry reduces blockchain bloatBoolberry reduces blockchain bloat
Boolberry reduces blockchain bloatboolberry
 

What's hot (20)

Block chain b4usolution
Block chain b4usolutionBlock chain b4usolution
Block chain b4usolution
 
Sidechains introduction
Sidechains introductionSidechains introduction
Sidechains introduction
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to Blockchain
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Registro de Informações no Blockchain da rede Bitcoin
Registro de Informações no Blockchain da rede BitcoinRegistro de Informações no Blockchain da rede Bitcoin
Registro de Informações no Blockchain da rede Bitcoin
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Sidechain talk
Sidechain talkSidechain talk
Sidechain talk
 
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?
Meetup 19/12/2016 - Blockchain-as-a-service voor Antwerpen?
 
[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture
[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture
[WSO2Con USA 2018] Managing Transactions in Your Microservice Architecture
 
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
 
Azure Unchained (Azure boot camp Sofia 2017)
Azure Unchained (Azure boot camp Sofia 2017)Azure Unchained (Azure boot camp Sofia 2017)
Azure Unchained (Azure boot camp Sofia 2017)
 
CILogon & SciTokens: OIDC/OAuth Federation
CILogon & SciTokens: OIDC/OAuth FederationCILogon & SciTokens: OIDC/OAuth Federation
CILogon & SciTokens: OIDC/OAuth Federation
 
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)
 
Dicas e truques
Dicas e truquesDicas e truques
Dicas e truques
 
Intro into blockchain
Intro into blockchainIntro into blockchain
Intro into blockchain
 
Capodieci - Proof of... what?
Capodieci - Proof of... what?Capodieci - Proof of... what?
Capodieci - Proof of... what?
 
Hands on with multichain
Hands on with multichainHands on with multichain
Hands on with multichain
 
Information security in private blockchains
Information security in private blockchainsInformation security in private blockchains
Information security in private blockchains
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
Boolberry reduces blockchain bloat
Boolberry reduces blockchain bloatBoolberry reduces blockchain bloat
Boolberry reduces blockchain bloat
 

Similar to Protecting Java Microservices: Best Practices and Strategies

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureTalk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureWSO2
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use itSergey Podgornyy
 
Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?VMware Tanzu
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Jwt the complete guide to json web tokens
Jwt the complete guide to json web tokensJwt the complete guide to json web tokens
Jwt the complete guide to json web tokensremayssat
 
Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Mediacurrent
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
 
Microservices Security Patterns & Protocols with Spring & PCF
Microservices Security Patterns & Protocols with Spring & PCFMicroservices Security Patterns & Protocols with Spring & PCF
Microservices Security Patterns & Protocols with Spring & PCFVMware Tanzu
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
 

Similar to Protecting Java Microservices: Best Practices and Strategies (20)

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureTalk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice Architecture
 
JSON WEB TOKEN
JSON WEB TOKENJSON WEB TOKEN
JSON WEB TOKEN
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
 
Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flash
 
Jwt the complete guide to json web tokens
Jwt the complete guide to json web tokensJwt the complete guide to json web tokens
Jwt the complete guide to json web tokens
 
Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Pentesting jwt
Pentesting jwtPentesting jwt
Pentesting jwt
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
Microservices Security Patterns & Protocols with Spring & PCF
Microservices Security Patterns & Protocols with Spring & PCFMicroservices Security Patterns & Protocols with Spring & PCF
Microservices Security Patterns & Protocols with Spring & PCF
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
 

More from Rodrigo Cândido da Silva

Protegendo Microservices: Boas Práticas e Estratégias de Implementação
Protegendo Microservices: Boas Práticas e Estratégias de ImplementaçãoProtegendo Microservices: Boas Práticas e Estratégias de Implementação
Protegendo Microservices: Boas Práticas e Estratégias de ImplementaçãoRodrigo Cândido da Silva
 
Workshop Microservices - Distribuindo os Microservices com Docker e Kubernetes
Workshop Microservices - Distribuindo os Microservices com Docker e KubernetesWorkshop Microservices - Distribuindo os Microservices com Docker e Kubernetes
Workshop Microservices - Distribuindo os Microservices com Docker e KubernetesRodrigo Cândido da Silva
 
Workshop Microservices - Microservices com Spring Cloud e Netflix OSS
Workshop Microservices - Microservices com Spring Cloud e Netflix OSSWorkshop Microservices - Microservices com Spring Cloud e Netflix OSS
Workshop Microservices - Microservices com Spring Cloud e Netflix OSSRodrigo Cândido da Silva
 
Workshop Microservices - Construindo APIs RESTful com Spring Boot
Workshop Microservices - Construindo APIs RESTful com Spring BootWorkshop Microservices - Construindo APIs RESTful com Spring Boot
Workshop Microservices - Construindo APIs RESTful com Spring BootRodrigo Cândido da Silva
 
Workshop Microservices - Arquitetura Microservices
Workshop Microservices - Arquitetura MicroservicesWorkshop Microservices - Arquitetura Microservices
Workshop Microservices - Arquitetura MicroservicesRodrigo Cândido da Silva
 
TDC Floripa 2017 - Criando Microservices Reativos com Java
TDC Floripa 2017 - Criando Microservices Reativos com JavaTDC Floripa 2017 - Criando Microservices Reativos com Java
TDC Floripa 2017 - Criando Microservices Reativos com JavaRodrigo Cândido da Silva
 
GUJavaSC - Combinando Micro-serviços com Práticas DevOps
GUJavaSC - Combinando Micro-serviços com Práticas DevOpsGUJavaSC - Combinando Micro-serviços com Práticas DevOps
GUJavaSC - Combinando Micro-serviços com Práticas DevOpsRodrigo Cândido da Silva
 
GUJavaSC - Criando Micro-serviços Reativos com Java
GUJavaSC - Criando Micro-serviços Reativos com JavaGUJavaSC - Criando Micro-serviços Reativos com Java
GUJavaSC - Criando Micro-serviços Reativos com JavaRodrigo Cândido da Silva
 
JavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EEJavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EERodrigo Cândido da Silva
 
JavaOne LATAM 2016 - Combinando AngularJS com Java EE
JavaOne LATAM 2016 - Combinando AngularJS com Java EEJavaOne LATAM 2016 - Combinando AngularJS com Java EE
JavaOne LATAM 2016 - Combinando AngularJS com Java EERodrigo Cândido da Silva
 
JavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data REST
JavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data RESTJavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data REST
JavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data RESTRodrigo Cândido da Silva
 
TDC Floripa 2016 - Decolando seus micro-serviços na Spring Cloud
TDC Floripa 2016 - Decolando seus micro-serviços na Spring CloudTDC Floripa 2016 - Decolando seus micro-serviços na Spring Cloud
TDC Floripa 2016 - Decolando seus micro-serviços na Spring CloudRodrigo Cândido da Silva
 
QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...
QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...
QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...Rodrigo Cândido da Silva
 
QCon 2015 - Combinando AngularJS com Java EE
QCon 2015 - Combinando AngularJS com Java EEQCon 2015 - Combinando AngularJS com Java EE
QCon 2015 - Combinando AngularJS com Java EERodrigo Cândido da Silva
 
JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2
JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2
JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2Rodrigo Cândido da Silva
 

More from Rodrigo Cândido da Silva (20)

Java 9, 10 e ... 11
Java 9, 10 e ... 11Java 9, 10 e ... 11
Java 9, 10 e ... 11
 
Cloud Native Java EE
Cloud Native Java EECloud Native Java EE
Cloud Native Java EE
 
Protegendo Microservices: Boas Práticas e Estratégias de Implementação
Protegendo Microservices: Boas Práticas e Estratégias de ImplementaçãoProtegendo Microservices: Boas Práticas e Estratégias de Implementação
Protegendo Microservices: Boas Práticas e Estratégias de Implementação
 
As novidades da nova versão do Java 9
As novidades da nova versão do Java 9As novidades da nova versão do Java 9
As novidades da nova versão do Java 9
 
Workshop Microservices - Distribuindo os Microservices com Docker e Kubernetes
Workshop Microservices - Distribuindo os Microservices com Docker e KubernetesWorkshop Microservices - Distribuindo os Microservices com Docker e Kubernetes
Workshop Microservices - Distribuindo os Microservices com Docker e Kubernetes
 
Workshop Microservices - Microservices com Spring Cloud e Netflix OSS
Workshop Microservices - Microservices com Spring Cloud e Netflix OSSWorkshop Microservices - Microservices com Spring Cloud e Netflix OSS
Workshop Microservices - Microservices com Spring Cloud e Netflix OSS
 
Workshop Microservices - Construindo APIs RESTful com Spring Boot
Workshop Microservices - Construindo APIs RESTful com Spring BootWorkshop Microservices - Construindo APIs RESTful com Spring Boot
Workshop Microservices - Construindo APIs RESTful com Spring Boot
 
Workshop Microservices - Arquitetura Microservices
Workshop Microservices - Arquitetura MicroservicesWorkshop Microservices - Arquitetura Microservices
Workshop Microservices - Arquitetura Microservices
 
GUJavaSC - Protegendo Microservices em Java
GUJavaSC - Protegendo Microservices em JavaGUJavaSC - Protegendo Microservices em Java
GUJavaSC - Protegendo Microservices em Java
 
TDC Floripa 2017 - Criando Microservices Reativos com Java
TDC Floripa 2017 - Criando Microservices Reativos com JavaTDC Floripa 2017 - Criando Microservices Reativos com Java
TDC Floripa 2017 - Criando Microservices Reativos com Java
 
GUJavaSC - Combinando Micro-serviços com Práticas DevOps
GUJavaSC - Combinando Micro-serviços com Práticas DevOpsGUJavaSC - Combinando Micro-serviços com Práticas DevOps
GUJavaSC - Combinando Micro-serviços com Práticas DevOps
 
GUJavaSC - Criando Micro-serviços Reativos com Java
GUJavaSC - Criando Micro-serviços Reativos com JavaGUJavaSC - Criando Micro-serviços Reativos com Java
GUJavaSC - Criando Micro-serviços Reativos com Java
 
JavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EEJavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EE
 
JavaOne LATAM 2016 - Combinando AngularJS com Java EE
JavaOne LATAM 2016 - Combinando AngularJS com Java EEJavaOne LATAM 2016 - Combinando AngularJS com Java EE
JavaOne LATAM 2016 - Combinando AngularJS com Java EE
 
JavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data REST
JavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data RESTJavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data REST
JavaOne LATAM 2016 - RESTful Services Simplificado com Spring Data REST
 
TDC Floripa 2016 - Decolando seus micro-serviços na Spring Cloud
TDC Floripa 2016 - Decolando seus micro-serviços na Spring CloudTDC Floripa 2016 - Decolando seus micro-serviços na Spring Cloud
TDC Floripa 2016 - Decolando seus micro-serviços na Spring Cloud
 
GUJavaSC - Combinando AngularJS com Java EE
GUJavaSC - Combinando AngularJS com Java EEGUJavaSC - Combinando AngularJS com Java EE
GUJavaSC - Combinando AngularJS com Java EE
 
QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...
QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...
QCon SP 2016 - Construindo Microservices Auto-curáveis com Spring Cloud e Net...
 
QCon 2015 - Combinando AngularJS com Java EE
QCon 2015 - Combinando AngularJS com Java EEQCon 2015 - Combinando AngularJS com Java EE
QCon 2015 - Combinando AngularJS com Java EE
 
JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2
JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2
JavaOne LATAM 2015 - Segurança em Recursos RESTful com OAuth2
 

Recently uploaded

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

Protecting Java Microservices: Best Practices and Strategies

  • 1. Protecting Java Microservices Alessandro Ribeiro Rodrigo Cândido da Silva Best Practices and Strategies
  • 2. Agenda ● Microservices ● Security requirements ● OAuth2, JWT, OpenID Connect ● Security practices
  • 4. How can we handle security needs over it?
  • 5. REST APIs are vulnerable ● RESTful architecture doesn't define security procedures ● They are equally vulnerable as standard web apps ● There are many security vulnerabilities ○ Injection attacks ○ Replay attacks ○ Cross-site scripting ○ Denial of Service (DoS) ○ Man-in-the-middle
  • 7. OAuth2 ● Open standard protocol specification ● Enables applications to access each other’s data without sharing credentials ● Avoid password issues ● Required for delegating access ○ Third party applications ○ For specified resource and limited time ○ Can be selectively be revoked
  • 9. OAuth2 token ● Access Token ○ Short-lived token ● Refresh Token ○ Long-lived token ● Bearer token ○ Hash random token ○ Only defines a secret concept (no user identity) ● Proof of possession { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "bearer", "expires_in": 3600, "scope": "read write", "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA" }
  • 10. What's the issue w/using OAuth2 only? Not using a stateless token model (needs 3rd party validation)
  • 11. How OAuth2 + JWT will work then? Stateless token model (embedded validate in the service)
  • 12. JSON Web Tokens "Compact and self-contained way for securely transmitting information as a JSON object"
  • 13. JSON Web Tokens OAuth2 + JWT (Replaces the bearer token to use JWT) { "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTMyODMxNzksInVzZXJfbmFtZSI6InVzZXIiLCJhdX Rob3JpdGllcyI6WyJVU0VSIiwiTUFOQUdFUiJdLCJqdGkiOiJkMGY5OTY2OC01NzdkLTRkZTEtODkwYi1hNDY1MTBkZj g2YjAiLCJjbGllbnRfaWQiOiJjbGllbnQiLCJzY29wZSI6WyJvcGVuaWQiXX0.iH1pnwJZPZi05hdpY9MDGIvtx34Dj8 lxc5fdU5c5NCCtUblT_L9kdZO6NaOIIZffbGzSHoyVUEZkSwkGXm6lT1jRTcOHq2khAZlwmO3hN3c1xb8bumAgmpF8fJ SIKTVIkFJpbVO4uDfHSSbBm6QsTbqHkNgNwWSWbNG1n6ZlsHCcZCh37cmgbh-B4tPD9QEfH3CSI6Z7AgUbS9UCIytjm0 2sgxgAr3liOcykRrdcOvxgIBx_yGDvornQ5JOBVdW-TS0-uJmHe6sHCFYeBNchJhRi7xqZCMYFD6IcP4dftPupzg3IMl 5oWberxhZTCCLoi18JtQyZgIgqmSlOAIq8wg", "token_type": "bearer", "expires_in": 43199, "scope": "read write", "jti": "d0f99668-577d-4de1-890b-a46510df86b0", "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA" }
  • 14. OpenID Connect ● Identity layer on top of OAuth2 protocol ● ID tokens are JWT tokens ● REST-based ● Provide core endpoints ○ Authorization ○ Token, UserInfo (Identity, Authentication) + OAuth2 = OpenID Connect
  • 17. Create an API gateway “Applies the defense in depth principle”
  • 18. Only exposes the gateway at DMZ over TLS “Cryptography data in transit"
  • 19. Ensure data privacy “Sensitive data should be encrypted as early as possible"
  • 20. Rate limiting the incoming client traffic “Prevents the DoS attacks"
  • 21. "External requests should be verified" Implement CSRF and CORS filter protection
  • 22. Increase security at the container level “Achieve the least-privilege security concept"
  • 23. Monitor everything that is possible “Detects and prevents attacks"
  • 24.
  • 25. Q&A ?
  • 27. References • https://www.slideshare.net/spnewman/appsec-and-microservices • https://github.com/magnhaug/blogposts/blob/master/microservices-security.md • http://blog.leanix.net/en/authorization-authentication-with-microservices • http://colinmorelli.com/blog/2015/5/21/security-in-microservices • http://guild.beach.io/t/microservices-security/111 • http://techgenix.com/security-challenges-presented-microservices/ • https://book.gameontext.org/microservices/ApplicationSecurity.html • https://techbeacon.com/8-best-practices-microservices-security • http://www.devopsschool.com/slides/microservices/security-with-microservices/Security%20with% 20Microservices.pdf • https://www.owasp.org/index.php/REST_Security_Cheat_Sheet • http://www.grahamlea.com/2015/07/microservices-security-questions/ • http://blog.restcase.com/top-5-rest-api-security-guidelines/