Service to Service Authentication with OAuth
1. Service to Service Authentication with OAuth
Zalando Tech Meetup Dortmund, 2016-05-12
Background: Mike Mozart / CC BY 2.0
2. ZALANDO
15 countries
3 fulfillment centers
18 million active customers
3 billion € revenue 2015
135+ million visits per month
10,000+ employees in Europe
3. RADICAL AGILITY
4. AUTONOMY
5. ONE DATA CENTER PER TEAM
6. ISOLATED AWS ACCOUNTS
Diagram: traffic from the Internet reaches *.abc.example.org and *.xyz.example.org, each terminating at an ELB in front of EC2 instances in Team ABC's and Team XYZ's own AWS account.
7. SOME NUMBERS..
● 1000+ in Zalando Tech
● 100+ AWS Accounts
● 300+ Applications
8. SERVICE TO SERVICE
Diagram: alice (EC2 in Team ABC's account) calls bob (EC2 in Team XYZ's account) over the Internet at bob.xyz.example.org, behind Team XYZ's ELB.
9. AUTHENTICATION CANDIDATES
● HTTP Basic Auth
● SAML
● Kerberos
● OAuth 2.0
● “Notariat”
10. AUTHENTICATION CANDIDATES
● HTTP Basic Auth
● SAML
● Kerberos
● OAuth 2.0
● “Notariat”
11. OAUTH?
“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.”
- oauth.net
12. OAUTH ROLES
● Resource Owner
● Client
● Resource Server
● Authorization Server
13. OAUTH ROLES
● Resource Owner ⟺ User
● Client ⟺ Application
● Resource Server ⟺ REST API
● Authorization Server ⟺ OAuth Provider
14. OAUTH REDIRECT FLOW
Diagram: the Client / Application, on behalf of the Resource Owner / User, accesses a protected resource on the Resource Server / REST API, which validates the token with the Authz Server / OAuth Provider.
15. EXAMPLE OAUTH REDIRECT FLOW
https://demo.zmon.io/
16. OAUTH FOR SERVICE TO SERVICE
● One Service User per Application
● Resource Owner Password Credentials Grant Type
● Automatic credential distribution and rotation
17. SERVICE TO SERVICE
Diagram: alice (EC2, Team ABC) reads her credentials from S3 and calls bob (Team XYZ, behind its ELB) with the header `Authorization: Bearer 123f`; bob validates the token against the Authz Server / OAuth Provider.
18. OAUTH CREDENTIAL DISTRIBUTION VIA S3 BUCKETS
Diagram: an application is created in the Web UI; its passwords are rotated and stored in an AWS S3 bucket; alice gets the password from S3 and uses it to get an access token from the Authz Server / OAuth Provider.
19. OAUTH SERVICE TO SERVICE FLOW
● Alice reads OAuth credentials from S3
● Alice gets access token from Auth. Server
● Alice calls Bob with Bearer token
● Bob validates token against Auth. Server
20. EASY ENOUGH
● Install some OAuth Provider
● Set up credential distribution
● PROFIT!!!
21.
22. WHAT ABOUT
● Network Latency?
● Token Storage?
● Availability?
Diagram: alice has a token created by the Authz Server / OAuth Provider, which persists it in Token Storage; bob validates the token against the same server.
23. PLAN B: GOALS
● Robustness & resilience
● Low latency for token validation
● Horizontal scalability
24. PLAN B: APPROACH
● JWT access token
● No write operation
● Cassandra
Diagram: alice has a token created by the Provider (backed by credential storage); bob validates it against Token Info.
25. JSON WEB TOKENS (JWT)
26. PLAN B TOKEN ENDPOINT
$ curl -u alice-service:mypw \
-d 'grant_type=password&username=alice-service&password=123' \
https://planb-provider.example.org/oauth2/access_token?realm=/services
{
"access_token": "eyJraWQiOXN0a2V5LWVzMjU2..",
"token_type": "Bearer",
"expires_in": 28800,
"scope": "cn",
"realm": "/services"
}
27. JWT AS OAUTH ACCESS TOKEN
Authorization: Bearer ↲
a8dfcf02-2d21-fe12-8791-822f48749018
Authorization: Bearer ↲
eyJraWQiOiJ0ZXN0a2V5LWVzMjU2IiwiYWxnIjoiRVMyNTYifQ.
eyJzdWIiOiJ0ZXN0MiIsInNjb3BlIjpbImNuIl0sImlzcyI6IkIiLCJyZ
WFsbSI6Ii9zZXJ2aWNlcyIsImV4cCI6MTQ1NzMxOTgxNCwiaWF0IjoxND
U3MjkxMDE0fQ.
KmDsVB09RAOYwT0Y6E9tdQpg0rAPd8SExYhcZ9tXEO6y9AWX4wBylnmNH
VoetWu7MwoexWkaKdpKk09IodMVug
36 chars vs ~300 chars
28. JWT: HOW TO VALIDATE?
● JWT libs exist for every major language
● De-facto standard: HTTP call to Token Info
● New OAuth RFC defines Token Introspection Endpoint
29. PLAN B TOKEN INFO
GET /oauth2/tokeninfo?access_token=eyJraWQiOiJ0ZXN0a2VLWVzMjU2..
{
"expires_in": 28292,
"grant_type": "password",
"realm": "/services",
"scope": ["cn", "pets.read"],
"token_type": "Bearer",
"uid": "alice-service"
}
30. REVOKING TOKENS
● Self-contained JWT tokens
● No revocation standard
31. REVOCATION LISTS
● Revoke single tokens
● Revoke tokens by claims: “Revoke all tokens issued before 1st of May for user John Doe”
32. REVOCATION SERVICE
Diagram: revocations are submitted to the Revocation Service (POST /revocations); Token Info polls them (GET /revocations?from=...).
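What Token Info does with a self-contained JWT once the signature has been checked, as an added Python example (not Plan B's code): it decodes the token shown on slide 27, checks alg, realm and expiry, and applies a revocation list with both entry types from slide 31. The list format and the `tokeninfo`, `is_revoked` and `token_hash` helpers are constructed for this sketch; ES256 signature verification against the provider's public keys is assumed to have happened first.

```python
import base64, hashlib, json, time

# JWT from the slides. Token Info verifies the ES256 signature with the provider's
# public keys before trusting any claim; that step needs a JWT library and is omitted.
TOKEN = ("eyJraWQiOiJ0ZXN0a2V5LWVzMjU2IiwiYWxnIjoiRVMyNTYifQ."
         "eyJzdWIiOiJ0ZXN0MiIsInNjb3BlIjpbImNuIl0sImlzcyI6IkIiLCJyZ"
         "WFsbSI6Ii9zZXJ2aWNlcyIsImV4cCI6MTQ1NzMxOTgxNCwiaWF0IjoxND"
         "U3MjkxMDE0fQ."
         "KmDsVB09RAOYwT0Y6E9tdQpg0rAPd8SExYhcZ9tXEO6y9AWX4wBylnmNH"
         "VoetWu7MwoexWkaKdpKk09IodMVug")

def b64url_decode(part):
    # JWT parts are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_jwt(token):
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def is_revoked(token, claims, revocations):
    """Constructed list format (not Plan B's wire format): TOKEN revokes one token
    by SHA-256 hash, CLAIM revokes every token whose claim matches and that was
    issued before a cut-off ("all tokens issued before 1st of May for John Doe")."""
    digest = token_hash(token)
    for rev in revocations:
        if rev["type"] == "TOKEN" and rev["token_hash"] == digest:
            return True
        if (rev["type"] == "CLAIM" and claims.get(rev["name"]) == rev["value"]
                and claims["iat"] < rev["issued_before"]):
            return True
    return False

def tokeninfo(token, revocations, now=None, realm="/services"):
    """Return (True, info) shaped like the Token Info answer, or (False, reason)."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    if header.get("alg") != "ES256":  # refuse alg=none and algorithm downgrades
        return False, "unexpected_alg"
    if claims.get("realm") != realm:
        return False, "wrong_realm"
    if claims["exp"] <= now:
        return False, "expired"
    if is_revoked(token, claims, revocations):
        return False, "revoked"
    return True, {"expires_in": int(claims["exp"] - now), "realm": realm,
                  "scope": claims["scope"], "token_type": "Bearer",
                  "uid": claims["sub"]}
```

Decoding the slide's token shows `exp - iat == 28800`, the 8 h lifetime quoted later in the deck.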
33. PLAN B: COMPLETE PICTURE
Diagram: alice reads her credentials from S3 (credential storage), has the Provider create a token and calls bob with the Bearer token; bob validates it against Token Info, which polls the Provider's public keys and the Revocation service's revocation lists.
34. ALICE’S PERSPECTIVE
● OAuth credentials in CREDENTIALS_DIR
● Token endpoint available at OAUTH2_ACCESS_TOKEN_URL
35. BOB’S PERSPECTIVE
● Validation endpoint (Token Info) available at TOKENINFO_URL
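Both perspectives as an added Python example (not STUPS or Plan B code): Alice reads her credentials from CREDENTIALS_DIR, obtains a token with the password grant from OAUTH2_ACCESS_TOKEN_URL and calls Bob with it; Bob validates the bearer token at TOKENINFO_URL and checks the scope. The credential file layout (user.json, client.json), the `Alice` and `bob_authorize` names and the injected `post`/`get` HTTP callables are assumptions made so the code runs offline.

```python
import base64, json, os, time, urllib.parse

def read_credentials(credentials_dir):
    """Load the distributed, rotated OAuth credentials from CREDENTIALS_DIR.
    File names and keys are assumed here; the slides do not show the layout."""
    with open(os.path.join(credentials_dir, "user.json")) as f:
        user = json.load(f)      # application_username / application_password
    with open(os.path.join(credentials_dir, "client.json")) as f:
        client = json.load(f)    # client_id / client_secret
    return user, client

def token_request(token_url, user, client, realm="/services"):
    """Resource Owner Password Credentials grant as in the curl call: client
    id/secret as HTTP Basic, service user and password in the form body."""
    basic = base64.b64encode(
        f"{client['client_id']}:{client['client_secret']}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "password",
                                   "username": user["application_username"],
                                   "password": user["application_password"]})
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return f"{token_url}?realm={realm}", headers, body

class Alice:
    """Caller: keep one access token and renew it a minute before it expires.
    post(url, headers, body) is an injected HTTP function returning parsed JSON."""
    def __init__(self, post, token_url, user, client, now=time.time):
        self.post, self.now = post, now
        self.token_url, self.user, self.client = token_url, user, client
        self.token, self.expires_at = None, 0

    def access_token(self):
        if self.token is None or self.now() >= self.expires_at - 60:
            resp = self.post(*token_request(self.token_url, self.user, self.client))
            self.token, self.expires_at = resp["access_token"], self.now() + resp["expires_in"]
        return self.token

    def call_bob(self, get, url):
        return get(url, {"Authorization": "Bearer " + self.access_token()})

def bob_authorize(get, tokeninfo_url, auth_header, required_scope):
    """Callee: validate the bearer token at TOKENINFO_URL and check the scope; returns
    the calling service user (uid) or None. get(url, headers) is an injected HTTP GET."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    token = auth_header[len("Bearer "):]
    info = get(tokeninfo_url + "?access_token=" + urllib.parse.quote(token), {})
    if not info or info.get("expires_in", 0) <= 0 or required_scope not in info.get("scope", []):
        return None
    return info["uid"]
```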
36. PLAN B: GOALS?
● Robustness & resilience
⇒ Cassandra, no SPOF
● Low latency for token validation
⇒ Token Info next to application
● Horizontal scalability
⇒ Cassandra, “stateless” Token Info
37. PLAN B IN PRODUCTION
● >1300 active service users (last 5 days)
● 8 h JWT lifetime
● 40 rps on Token Endpoint (Provider)
● 1500 rps on Token Info (caching!)
● 0.5 ms JWT validation (99%)
● 11 ms Token Info latency (99%)
38.
39. PLAN B PROVIDER
Created for Service2Service, but also supports:
● Authorization Code Grant Type
● Implicit Grant Type
● User Consent
40. PLAN B FOR CUSTOMERS
● 3rd party Mobile App
● OAuth Implicit Flow
41. PLAN B FOR CUSTOMERS
● Consent Screen
● Consent stored in Cassandra
42. Questions?
Plan B Docs
planb.readthedocs.org
STUPS Homepage
stups.io
tech.zalando.com
@try_except_