How Does a Workload Authenticate an API Request?: Implementing Transaction Tokens with Keycloak

ssuserbeb7c0 84 views 29 slides Jul 03, 2024
Slide 1
Slide 1 of 29
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29

About This Presentation

CloudNativeSecurityCon North America 2024

Size: 2.25 MB
Language: en
Added: Jul 03, 2024
Slides: 29 pages

Slide Content

How Does a Workload Authenticate an API Request?: Implementing Transaction Tokens with Keycloak CloudNativeSecurityCon NA 2024 Hitachi, Ltd. OSS Solution Center 06/27/2024 Yoshiyuki Tabata

About the speaker Specialist in API authorization Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields Contributor to OSS related to authentication, authorization, and API management Keycloak (IAM OSS) 3scale (API management OSS) Other activities Speaker at events such as Apidays , API Specifications Conference, OAuth Security Workshop, etc. Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese) Yoshiyuki Tabata Senior OSS Consultant at Hitachi, Ltd. CNCF Ambassador / Cloud Native Community Japan organizer / Cloud Native Security Japan founder LinkedIn: @ytabata , X: @yo_tabata , GitHub: @y-tabata

1. Difficulty for workloads to authenticate API requests 2. Introduction of Transaction Tokens 3. Implementing Transaction Tokens with Keycloak Contents 2 4. Demonstration

1. Difficulty for workloads to authenticate API requests 2. Introduction of Transaction Tokens 3. Implementing Transaction Tokens with Keycloak Contents 3 4. Demonstration

De f acto standard for API authentication: OAuth 2.0 (RFC6750) RFC6750 (The OAuth 2.0 Authorization Framework: Bearer Token Usage) describes "the client requests the protected resource from the resource server and authenticates by presenting the access token ," and is the most common way to authenticate API requests. The way of issuing an access token is described in RFC6749 (The OAuth 2.0 Authorization Framework). Client Authorization Server Resource Server 2. API request w/ access token by following RFC6750 1. issue access token by following RFC6749

Recommended checks of OAuth access token To authenticate an API request, the resource server should perform at least the following checks of the OAuth access token. These are recommended by such as RFC6750 , and also by the draft CNCF Zero Trust Whitepaper *1 . Signature (if assertion-based tokens like JWT): Verify if the token has not been tampered with. exp and nbf claims: Validate the expiration time of the token. iss claim: Confirm the issuer's identity. aud claim: Check if the audience includes the resource server. scope claim (if exists): Ensure that the resource owner authorizes access to the resource. Client Resource Server API request w/ access token by following RFC6750 Check the access token! *1: CNCF Zero Trust Whitepaper: https://github.com/cncf/tag-security/pull/1229

Token Redirect attack Token redirect attack is an attack in which a token generated for consumption by one resource server is used to gain access to a different resource server. Among the token checks, the audience check is to deal with token redirect attacks . aud claim: Check if the audience includes the resource server. Client Resource Server 2 1. API request w/ access token Detect the token is not for the RS2! Resource Server 1 2 . API request w/ the same access token The token is only for RS1.

Difficulty for workloads to check "Audience" In cloud-native architectures, there are many internal workloads , and each workload should check the audience is the workload itself or not, especially in zero trust context . The audience is decided based on the resource owner's consent , but it's hard for the resource owner to identify all audiences and consent for each consumption. Client API request w/ access token Check audience! Workload 1 Workload 2 Workload 3 Resource Server Workload 4 … Check audience! Check audience! Check audience!

1. Difficulty for workloads to authenticate API requests 2. Introduction of Transaction Tokens 3. Implementing Transaction Tokens with Keycloak Contents 8 4. Demonstration

Transaction Tokens ( Txn -Tokens) Txn -Tokens are discussed in IETF OAUTH WG , and its internet draft is published draft-ietf-oauth-transaction-tokens-01 . Txn -Tokens are short-lived, signed JWTs that assert the identity of a user or a workload and assert an authorization context. Txn -Token body example { " iat ": "1686536226000", " aud ": "trust- domain.example ", // audience "exp": "1686536526000", " txn ": "97053963-771d-49cc-a4e3-20aad399c312", "sub": "d084sdrt234fsaw34tr23t", " rctx ": { " req_ip ": "69.151.72.123", // env context of external call "authn": "urn:ietf:rfc:6749", // env context of the external call " req_wl ": " apigateway.trust-domain.example " // the internal entity that requested the Txn -Token }, " purp " : " trade.stocks ", // purpose or intent of this transaction " azd ": { … } // authorization context details }

Transaction Tokens ( Txn -Tokens) A workload performs an OAuth 2.0 Token Exchange (RFC8693) to obtain a Txn -Token, by invoking a special Token Service (the Txn -Token Service ) and provides sufficient context to generate a Txn -Token. Client 2 . API request w/ access token Workload 1 Workload 2 Resource Server … Authorization Server Txn -Token Service 1. issue access token 3. Txn -Token request 4 . issue Txn -Token 5. API request w/ Txn -Token following RFC8693 following RFC6749 following RFC6750

Transaction Tokens ( Txn -Tokens) Txn -Tokens help prevent spurious invocations by ensuring that a workload receiving an invocation can independently verify the user or workload on whose behalf an external call was made and any context relevant to the processing of the call. Client 2 . API request w/ access token Workload 1 Workload 2 Resource Server … Authorization Server Txn -Token Service 1. issue access token 3. Txn -Token request 4 . issue Txn -Token 5. API request w/ Txn -Token The audience includes WL 2 . The audience is only WL1 . Check audience ! Can also check purpose and requesting workload

1. Difficulty for workloads to authenticate API requests 2. Introduction of Transaction Tokens 3. Implementing Transaction Tokens with Keycloak Contents 12 4. Demonstration

Major features Supporting standards. ex. OAuth 2.0, OpenID Connect 1.0, SAML v2, OAuth 2.0 Token Exchange (Preview) , … Login with social networks. Connect to existing user stores. ex. LDAP, Active Directory, … Keycloak Keycloak is IAM (Identity and Access Management) OSS. Keycloak provides OAuth2 authorization server features and single sign-on features. Keycloak is a CNCF incubating project. Supporting Standard Protocols Keycloak LDAP Active Directory RDB OpenID Connect 1.0 SAML v2 GitHub X Facebook Identity Management Social Login OAuth 2.0

Service Provider Interfaces (SPI) Keycloak is designed to cover most use cases without requiring custom code but is also flexibly customizable. To achieve this Keycloak has many Service Provider Interfaces (SPI) for which you can introduce your custom features without building Keycloak source code. In Keycloak, there are over 100 SPIs , and there are over 400 built-in SPI providers . Keycloak Authentication SPI User Storage SPI OAuth2 Token Exchange SPI Custom Authenticator Original User Store Txn -Tokens SPI Provider

Implementing Transaction Tokens with Keycloak By implementing an SPI provider and extending token exchange feature , Keycloak can have Txn -Token service features. One Keycloak can play two roles: OAuth2 authorization server and Txn -Token service . Client 2 . API request w/ access token Workload 1 Workload 2 Resource Server … Keycloak 1. issue access token 3. Txn -Token request 4 . issue Txn -Token 5. API request w/ Txn -Token

Implementer's consideration: client authentication As the same OAuth 2.0 Token Exchange (RFC8693), client authentication is necessary to issue Txn -Token. The way of client authentication is out of the scope of the specification but recommended to rely on mechanisms such as SPIFFE . Client 2 . API request w/ access token Workload 1 Workload 2 Resource Server … Keycloak 3. Txn -Token request 4 . issue Txn -Token 5. API request w/ Txn -Token client authentication is necessary 1. issue access token

Implementer's consideration: client authentication There are 2 formats for SPIFFE Verifiable Identity Document (SVID) : an X.509 certificate ( X.509-SVID ), and a JWT token ( JWT-SVID ). X.509-SVID Client authentication occurs with mutual TLS utilizing the PKI method of associating a certificate to a client, similar to tls_client_auth defined by RFC8705 . Workload Keycloak Txn -Token request POST / txn -token-service/ token_endpoint HTTP 1.1 Host: txn -token- service.trust - domain.example Content-Type: application/x-www-form- urlencoded grant_type =urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange & requested_token_type =urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn-token &audience=http%3A%2F%2Ftrust-domain.example &scope= finance.watchlist.add & subject_token = <<access token>> & subject_token_type =urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token & request_context =eyAiaXBfYWRkcmVzcyI6ICIxMjcuMC4wLjEiLCAiY2xpZW50IjogIm1vYmlsZS1hcHAiLCAiY2xpZW50X3ZlcnNpb24iOiAidjExIiB9 & client_id = <<client ID>> mTLS

Implementer's consideration: client authentication There are 2 formats for SPIFFE Verifiable Identity Document (SVID) : an X.509 certificate ( X.509-SVID ), and a JWT token ( JWT-SVID ). JWT-SVID Client authentication occurs with a JWT bearer token. In the context of OAuth 2.0 token exchange , using the actor_token parameter. Workload Keycloak Txn -Token request POST / txn -token-service/ token_endpoint HTTP 1.1 Host: txn -token- service.trust - domain.example Content-Type: application/x-www-form- urlencoded grant_type =urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange & requested_token_type =urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Atxn-token &audience=http%3A%2F%2Ftrust-domain.example &scope= finance.watchlist.add & subject_token = <<access token>> & subject_token_type =urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token & request_context =eyAiaXBfYWRkcmVzcyI6ICIxMjcuMC4wLjEiLCAiY2xpZW50IjogIm1vYmlsZS1hcHAiLCAiY2xpZW50X3ZlcnNpb24iOiAidjExIiB9 & actor_token =<<JWT-SVID>> & actor_token_type =urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt

Implementer's consideration: client authentication How to verify SVIDs is another consideration. To verify SVIDs, Keycloak needs the latest SVIDs which are rotated frequently and automatically . Option 1 : Keycloak fetches SVIDs from SPIFFE Workload Endpoint every time Keycloak receives a Txn -Token request. Option 2 : Trigger a SVID rotation and update the credential Keycloak has. Keycloak Workload Txn -Token request SPIFFE implementation ( SPIRE ) Option 1. fetch SVIDs Option 2. update SVIDs (asynchronously)

1. Difficulty for workloads to authenticate API requests 2. Introduction of Transaction Tokens 3. Implementing Transaction Tokens with Keycloak Contents 20 4. Demonstration

Demonstration configuration OPA Authorization with Envoy and JWT-SVIDs: https://spiffe.io/docs/latest/microservices/envoy-jwt-opa/readme/ The configuration is based on SPIFFE quickstart . Here, we use JWT-SVID , because its implementation is easier than X.509-SVID. The original quickstart configuration

Demonstration configuration OPA Authorization with Envoy and JWT-SVIDs: https://spiffe.io/docs/latest/microservices/envoy-jwt-opa/readme/ The configuration is based on SPIFFE quickstart . Here, we use JWT-SVID , because its implementation is easier than X.509-SVID. Display a web page Display another web page Provide APIs Inject JWT-SVID Inject JWT-SVID Validate JWT-SVID Call APIs w/ JWT-SVID Call APIs w/ JWT-SVID Make authorize decision The original quickstart configuration

Demonstration configuration OPA Authorization with Envoy and JWT-SVIDs: https://spiffe.io/docs/latest/microservices/envoy-jwt-opa/readme/ The configuration is based on SPIFFE quickstart . Here, we use JWT-SVID , because its implementation is easier than X.509-SVID. Keycloak Change to provide APIs Change to provide APIs Add Txn -Token request and Txn -Token injection logic Add Txn -Token request and Txn -Token injection logic Keycloak was newly introduced as an authorization server and Txn -Token service Check aud , purp , and req_wl of the Txn -Token to make authorization decisions Call APIs w/ JWT-SVID, Txn -Token Call APIs w/ JWT-SVID, Txn -Token

Resource Server Demonstration configuration The configuration is based on SPIFFE quickstart . Here, we use JWT-SVID , because its implementation is easier than X.509-SVID. Client Frontend-2 Backend OPA 5. Request Authz. Frontend Keycloak 1. issue access token ✗ ✓ 2. API request w/ access token ✗ ✓ 3. Txn -Token request w/ JWT-SVID 4 . API request w/ Txn - T oken Check: aud is Backend purp is " finance.watchlist.add " req_wl is Frontend , not Frontend-2

Summary We implemented Txn -Tokens in Keycloak and demonstrated it. There is room for consideration of client authentication . There are 2 formats for SVID: X.509-SVID and JWT-SVID . In the demo, we used JWT-SVID . If using X.509-SVID, we must consider how to receive X.509-SVID in Keycloak. Adding the Txn -Token and the JWT-SVID to the API request is a bit redundant, so it might be better to consider integrating the Txn -Token service with the SVID provider. How to verify SVIDs is another consideration. To verify SVIDs, Keycloak needs the latest SVIDs which are rotated frequently and automatically. There are 2 options: fetching SVIDs from the SPIFFE Workload Endpoint or triggering an SVID rotation . These are future tasks.

Trademarks OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries. Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. X is a trademark or registered trademark of X Corp. in the United States and other countries. Facebook is a trademark or registered trademark of Meta Platforms, Inc. in the United States and other countries. Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.

Yoshiyuki Tabata 06/27/2024 Hitachi, Ltd. OSS Solution Center END How Does a Workload Authenticate an API Request?: Implementing Transaction Tokens with Keycloak 27
Tags
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 84
  • Slides 29
  • Age 516 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
29 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views
View More in This Category