OAuth and OpenID Connect for Microservices

Jacob Ideskog - Curity - 22/10/2014
Microservices present a new way of scaling API deployments, where each component is an island, performing a small but well defined task. These systems are quicker to develop and allow for a more agile way of working. As in most designs, security is not part of the original blueprint, which can lead to expensive and hard to manage security solutions. In this talk, Jacob Ideskog will illustrate how OAuth and OpenID Connect can be leveraged to create a unified distributed security framework for microservices. He will show how this can be used to deliver microservices' promise of agility and scalability while also ensuring security.

The presentation was recorded at the 2014 Platform Summit in Stockholm, Nordic APIs' second annual conference.

----------
Comments

Good presentation. Thanks for the information

donduke

Thanks Jacob for providing the relevant information on authentication protocols. It would be much helpful for me to understand the background process of the OAuth authentication method, and I will subscribe and am willing to follow your tutorials regularly.

ramireddyyerreddula

00:00 Introduction

00:48 Traditional monolith systems and their drawbacks

01:54 The microservice way

03:00 Securing a traditional system

03:54 One way for microservices would be that every service does authentication

04:41 OAuth - Delegation of authentication

05:39 4 actors of OAuth
- Resource Owner (user)
- Authorization Server (AS)
- Client (the app or website backend)
- Resource Server (RS)

06:03 The authentication flow

08:34 OpenID Connect

09:54 The ID-Token

12:48 Two types of tokens
- "by Value" inside of your network
- "by Reference" outside of your firewall

16:14 Now use it to secure Microservices

-andymel

Quite informative. Thanks for sharing it.

kinjalbhoiwala

Thanks, good thought on the token translation point.

jayantmishra

Hi Jacob, it was a nice video. Anything on APIs?

mhsardar

How long do the JWTs live? If they are cached, will they get stale when the resource permissions change?

AjayMahajan

Nice Jacob!! I am new to microservices and APIs. We would like to apply the same authorization API service for other API services and the web app. In the web app we are going to call the microservices. Is that possible?

tamilselvansellappan

Thanks for sharing the nice video, a few queries: 1. In the case of a microservices environment (not really for delegation), does it make sense to create an audience for each service, or a single audience, as all microservices belong to one product? 2. What if it's a by-value token that is signed but not encrypted, what kind of threat is there, especially when it's being used from a native app on a desktop machine?

navinkaus

Jacob Ideskog, how can the reverse proxy be stateless (17:41) if it has to translate SESSION_ID to JWT?

antonalekseyev

Sounds like a good idea to do, is there a project that does this? Right now I've created a simple reverse proxy myself. It accepts by-reference tokens from users, converts them to by-value tokens and passes those to the (internal) proxied service. I added a simple cache to speed up the process a bit. It works ... but I'd rather trust some well known and maintained piece of software, designed by people that know security better.

tehedx

What happens if some "bad guy" gets access to the access token?

mehrdadk.

Is there a way to do this in a stateless way, and still be relatively secure? Perhaps using the JWT as the token, but with minimal info, like a user id only? Or with encrypted info?

saveliybaranov

At around 8:30 there is a mistake: the resource server could validate the access token without requesting the auth server, and for that we call JWT a stateless auth, as it has the same characteristics as the passport and airport travelling scenario. The police could verify your identity via the passport without needing to go back to the passport issuer.

abudawood_phd
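The pattern behind several of the comments above, the "by reference outside the firewall, by value inside" split from the chapter list, the reverse proxy that translates one into the other, and the point in the last comment that a resource server can validate a JWT locally without calling back to the authorization server, as one added example written for this page (it is not code from the talk or from Curity). It assumes a single HS256 key shared between the authorization server and the internal services, a simplification noted in the code; the class names AuthorizationServer, ReverseProxy and ResourceServer and the sample subject, scope and audience values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _now(now):
    return int(time.time()) if now is None else now


class AuthorizationServer:
    """Owns the opaque by-reference tokens and mints by-value JWTs.
    HS256 with one key shared with the internal services keeps this dependency-free
    (an assumption); a real deployment would sign with an asymmetric key so that
    resource servers can verify but never mint tokens."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._store = {}  # opaque handle -> claims; exists only inside the AS

    def issue_reference_token(self, subject, scopes, audience, ttl=3600, now=None):
        handle = secrets.token_urlsafe(32)  # random handle, carries no data itself
        self._store[handle] = {
            "sub": subject,
            "scope": " ".join(scopes),
            "aud": audience,
            "exp": _now(now) + ttl,
        }
        return handle

    def revoke(self, handle):
        self._store.pop(handle, None)  # central revocation: the edge stops honouring it at once

    def introspect(self, handle, now=None):
        """RFC 7662-style lookup: claims for a live handle, otherwise None."""
        claims = self._store.get(handle)
        if claims is None or claims["exp"] <= _now(now):
            return None
        return claims

    def mint_jwt(self, claims, ttl=300, now=None):
        """Wrap the claims in a short-lived HS256 JWT; the short exp bounds staleness."""
        now = _now(now)
        header = {"alg": "HS256", "typ": "JWT"}
        body = dict(claims, iat=now, exp=min(claims["exp"], now + ttl))
        parts = [json.dumps(header, separators=(",", ":")).encode(),
                 json.dumps(body, separators=(",", ":")).encode()]
        signing_input = ".".join(b64url_encode(p) for p in parts)
        sig = hmac.new(self._key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)


class ReverseProxy:
    """Edge translator. It keeps no session table: each request is a lookup at the AS."""

    def __init__(self, auth_server):
        self._as = auth_server

    def translate(self, reference_token, now=None):
        claims = self._as.introspect(reference_token, now=now)
        if claims is None:
            return None  # unknown, expired or revoked handle: dropped at the edge
        return self._as.mint_jwt(claims, now=now)


class ResourceServer:
    """Internal service: validates the by-value JWT locally without calling the AS."""

    def __init__(self, verification_key: bytes, audience: str):
        self._key = verification_key
        self._aud = audience

    def verify(self, token, now=None):
        """Return the claims if the token is genuine, unexpired and meant for us."""
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never let the token pick the algorithm
        expected = hmac.new(self._key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p))
        if claims.get("exp", 0) <= _now(now):
            raise ValueError("token expired")
        if claims.get("aud") != self._aud:
            raise ValueError("token not meant for this service")
        return claims
```

Two design points answer questions raised in the thread: the proxy holds no session state of its own, so it stays stateless by doing an introspection lookup at the authorization server on every request (the place where revocation takes effect), and the JWT it hands inward carries a deliberately short `exp`, which bounds how stale a cached by-value token can become when permissions change. The resource server checks signature, expiry and audience on its own, which is exactly why it never has to call back to the issuer.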

Hi Jacob,
I have a doubt here. How can the Auth server validate the credentials entered by the RO (the user), because the Auth server has no idea about the user credentials, only the RS has, right?
I am in big confusion now after watching this video!!!

bibekdas

With JWT by value, we have had a bad experience with performance because it consumes a lot of CPU, and when you have microservices with more than 6000 RPS you start to see this pressure and bad behaviour.

hamedhatami

"I delegate" means "I authorize". Delegation can be revoked, and so can the authorization.

jigarsutaria

It's a little confusing, especially the talk about "sessions". Can't you do without sessions?

thorsteinssonh

Curious: if the value-based JWT is inside the network to scale passing around the identity, why bother encoding it as a JWT? Why can't the values be passed in as plain JSON? Aren't you paying a tax for encoding/decoding the value for no gain?

jillsanluis

Why don't you just show us the recorded screen? All we see is people's faces. We want to see the PPD, not the face.

owenzmortgage