Preface
Modern applications implement a microservice architecture: they are a collection of microservices, i.e. independent services, each with a small, well-defined responsibility and a well-defined API exposed via a standard communication protocol (e.g. HTTP, AMQP, TCP). The application is typically deployed as a (Kubernetes) cluster of (Docker) containers, each containing one microservice. While such applications are highly testable and maintainable as a consequence of being highly modular, one question arises: how is authorization implemented in a microservice architecture? In particular, how are microservice-to-microservice requests authorized? Since the application is now decentralized, there is no longer a single ambient authority that receives all requests and enforces an access control policy on them.
The goal of this lecture is to introduce you to protocols and tools for implementing access control in a microservice architecture, and to suggest a maintainable design which prevents access control checks from permeating the whole architecture.
Preparation
- Access Control in the Decentralized Cloud [B] by Kevin Leffew (4 pages of text)
  - note: focus on the problems with authorization in the cloud (macaroons are "a" solution, not "the" solution).
- DAC (use case: a user lets a service access a cloud-resource on their behalf)
  - JWT: JSON Web Tokens [B] (8 pages of text)
  - OAuth, What Every Software Engineer Should Know [B] by Kacper Wdowik (8 pages of text)
  - Proof of Possession: Mutual TLS for Client Authentication [B] (3 pages of text)
  - OIDC: OpenID Connect, by Virag Mody [B] (9 pages of text)
- MAC (use case: a company controls which user can do which op on which cloud-resource)
  - OAuth is DAC. What do you do for MAC? [L], by Johan Peeters (3 pages)
    - "OAuth was designed for the social media world. In that world, there are resources that are (perceived to) belong to end-users. The idea was "It’s that user that should control who has access to that", i.e. "Which (partially trusted) client can do what to my resource". This is DAC. This is very different from what businesses usually want. What businesses want is MAC, where we have a central entity enforcing a centralized policy, controlling who can do what. Yet, increasingly, businesses are using a protocol that was designed to do DAC." - Johan Peeters (paraphrase), OAuth Security Workshop, 2018 (see Further Reading).
  - Protecting Microservices and APIs with ABAC, OAuth & OIDC [A], by Axiomatics (6 pages)
- Open Policy Agent (OPA)
  - Introduction (5 pages text; rest is code & pictures)
  - Philosophy (3 pages)
Lecture
Exercise
Further Reading
- Bearer Token, by Aaron Parecki (3:06)
- OAuth Simplest Guide, by Takahiko Kawasaki (3 pages of text)
- OAuth & OpenID, by Hagrid, at OktaDev (16:35)
- OAuth 2.0 Specification Map, and Tools & Libs.
  - Core: RFC 6749, 6750, and 6819.
  - More: this (security), 8705 (proof of possession), 8707 (attenuation), this (single-page apps).
  - explanation, by Aaron Parecki (32:34)
- Securing APIs and Microservices with OAuth, OpenID Connect, and ABAC: Axiomatics (56:47)
- Macaroons, by Arnar Birgisson et al. (14 pages)
- JWT, Macaroons & PASETOs (29:35)
- JWTs suck, talk by Randall Degges at DevNet Create 2018 (52:50)
- casbin - an authorization library that supports access control models (12k stars on GitHub)