I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS

apigee 2,830 views 26 slides Oct 28, 2015

About This Presentation

I Love APIs 2015
Learn how Apigee Edge can generate or validate JWT, can generate or validate JWS signatures, or encrypt and decrypt using JWE.


Slide Content

ADVANCED SECURITY EXTENSIONS IN APIGEE EDGE: JWT, JWE, JWS
Dino Chiesa, Vinit Mehta
1

SECURITY EXTENSIONS IN APIGEE EDGE: JWT, JWE, JWS
Mehta, Chiesa
2

What do these companies have in common?
3

All are supporting OpenID Connect and JWT.
4

Authentication and Authorization is hard.
Many systems do it poorly. (Do YOU provide 2FA?)
JWT and OpenID Connect will help solve that problem.
You need to get JWT, now.
5

JWT, JWE, JWS
6

JWS, JWE, JWT are all part of JOSE: “JSON Object Signing and Encryption”
7

JWT Enables Federated Identity
(Diagram: Internal Client Application, Authentication Server (aka Identity Provider, IdP), API Proxy, User store, Internal Systems. Flow: Login; Create JWT (Signed); JWT and Data passed between client, API Proxy and internal systems; Public Key distributed to each receiver; each receiver Validates the JWT.)
8
©2015 Apigee. All Rights Reserved.

JWT Integrates with external Identity Providers
(Diagram: Partner Application’s Authentication Server (aka Identity Provider, IdP), API Proxy, User store, Internal or Partner Systems. Numbered flow 1–7: Login; JWT (Signed) returned; JWT and Data passed to the API Proxy and on to internal or partner systems; Public Key; Validate.)
9

JSON Web Token, Signature, Encryption
• JWS – Signature: IETF RFC 7515, https://tools.ietf.org/html/rfc7515
  • JSON representation of signed or HMAC’ed content
  • Payload that is signed need not be JSON!
  • The resulting JWS can be verified by receivers
• JWE – Encryption: IETF RFC 7516, https://tools.ietf.org/html/rfc7516
  • JSON representation of encrypted content
  • Payload that is encrypted need not be JSON
  • Resulting JWE can be decrypted by receivers
• JWT – Token: IETF RFC 7519, https://tools.ietf.org/html/rfc7519
  • Signed, or optionally, encrypted, set of claims.
  • Issuer, subject, audience, issue time, not-before time, expiration.
  • Used as a BEARER token
  • “Self-validating”
  • Receiving parties can make decisions based on the claims and signing party, or encrypting party.
10


Demo: Azure AD JWT and JWT.io
12

Apigee Edge includes standard policies for many security tasks:
OAuth 1.0a generation and verification,
OAuth 2 generation and verification,
SAML generation and verification…
13

Apigee Edge does not yet include standard policies for JWT, JWE, JWS
14

But … Code + Configure !
15

What are Java Callouts?
• Embed your Java code as a policy in Apigee Edge
• One Interface, one method, 2 parameters
• Can read policy configuration
• Can read and write context variables
• …anchor anywhere in Edge policy flow
• One of the ways to extend Edge with custom code. Also JavaScript, Python, nodejs.
• RTFM: http://apigee.com/docs/api-services/reference/java-callout-policy
16

Java Callout for JWT Parse/Verification
• Re-usable now in any of your Proxies
• Configure it with XML as any other policy
• Make decisions based on embedded claims
• Can read JWT generated by third parties, such as Google or Windows Azure
https://github.com/apigee/iloveapis2015-jwt-jwe-jws
17

Java Callout for JWT Generation
• Re-usable now in any of your Proxies
• Configure it with XML as any other policy
• Generate JWT for use by others
• Can be used by backends or other systems called by clients
• Can be consumed by Edge itself
18

JWT Code walkthrough & Demo
19

Some comments
• This JWT policy handles Signed, not Encrypted JWT
• RS256 and HS256 are supported
• We have a different policy that produces Encrypted JWT (JWE) using RS256
• JWT cannot be “revoked” – so limit your lifetimes
• Exercise for the reader:
  – ES256, other algorithms
20
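Slide 10 lists what a JWS and a JWT consist of (a signed payload that need not be JSON; a claim set with issuer, subject, audience, issue time, not-before time and expiration), and slide 20 adds that a JWT cannot be revoked, so lifetimes must be kept short. The following Python is an added example, not code from the deck or from the apigee/iloveapis2015-jwt-jwe-jws project: it implements HS256 compact JWS signing and verification with only the standard library, then builds a JWT with a bounded lifetime and validates it the way a receiving API proxy should, pinning the algorithm rather than trusting the header, and checking iss, aud, exp and nbf before the claims are acted on. The key, claim values and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment reads the key from a secure store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(payload: bytes, key: bytes, typ=None) -> str:
    """Compact JWS (RFC 7515) over arbitrary bytes; the payload need not be JSON."""
    header = {"alg": "HS256"}
    if typ:
        header["typ"] = typ
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(payload)
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def jws_verify_hs256(token: str, key: bytes) -> bytes:
    """Verify a compact JWS and return its payload bytes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The receiver decides which algorithm it accepts; the header only has to agree.
    # This rejects 'alg: none' and any algorithm other than the one configured here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return b64url_decode(p)


def jwt_generate(claims: dict, key: bytes, lifetime_seconds: int = 300, now=None) -> str:
    """Sign a claim set as a JWT (RFC 7519). A JWT cannot be revoked, so 'exp' is
    always set from a short lifetime; iat and nbf default to the issue time."""
    now = int(time.time()) if now is None else now
    body = dict(claims)
    body.setdefault("iat", now)
    body.setdefault("nbf", now)
    body["exp"] = now + lifetime_seconds
    payload = json.dumps(body, separators=(",", ":")).encode("utf-8")
    return jws_sign_hs256(payload, key, typ="JWT")


def jwt_validate(token: str, key: bytes, issuer: str, audience: str, now=None, leeway: int = 0) -> dict:
    """Signature first, then the claims a receiver must check before trusting a bearer JWT."""
    now = int(time.time()) if now is None else now
    claims = json.loads(jws_verify_hs256(token, key))
    if not isinstance(claims, dict):
        raise ValueError("claim set is not a JSON object")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now >= claims["exp"] + leeway:
        raise ValueError("token expired")
    if now < claims.get("nbf", now) - leeway:
        raise ValueError("token not yet valid")
    return claims


def validation_error(fn):
    """Run fn and return the ValueError message it raises, or None if it succeeds."""
    try:
        fn()
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    issuer, audience = "https://idp.example", "api-proxy"
    token = jwt_generate({"iss": issuer, "sub": "alice", "aud": audience}, DEMO_KEY)
    print("JWT:", token)
    print("claims:", jwt_validate(token, DEMO_KEY, issuer, audience))
    # Plain JWS over a non-JSON payload, as slide 10 notes is allowed.
    detached = jws_sign_hs256(b"not json at all", DEMO_KEY)
    print("JWS payload:", jws_verify_hs256(detached, DEMO_KEY))
```

The receiver pins the algorithm in code instead of reading it from the token: a token whose header says alg "none" or names a different algorithm is rejected before any signature work is done. Because exp is compared against the receiver's clock, shortening lifetime_seconds is the only lever against a leaked token, which is the point slide 20 makes.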

When to use JWT vs OAuth 2.0 tokens?
21

When to use JWT vs OAuth 2.0 tokens?
• Trick Question! JWT are OAuth 2.0 tokens
• Better phrased as: When to use JWT vs Opaque OAuth 2.0 tokens?
• Federation
• When you want the client to know everything that is being claimed
• JWT implies minimal impact to client and server apps
• JWT do not work well with revocation
22

Java Callout for JWE Generation
• Re-usable now in any of your Proxies
• Configure it with XML as any other policy
• Generate JWE for use by others
• Configurable key strength and key derivation
• Can be used by backends or other systems called by clients
• Can be consumed by Edge itself
https://github.com/apigee/iloveapis2015-jwt-jwe-jws
23

Java Callout for JWE Decryption
24

When to use JWS and JWE?
• Trick Question! Don’t ever use them!
• No, seriously.
• JWS and JWE imply some change to client apps
• More limited scope of usage than JWT
• There are already ways to sign and encrypt arbitrary data
• My opinion: JWE and JWS are mostly interesting in support of JWT
25

What did we learn?
(Diagram: APIs, Apps, Users)
• YOU NEED to handle JWT
• You can use JWT, JWS, JWE in Apigee Edge today via custom policies
• No coding needed!
• These policies complement the existing built-in policies in Apigee Edge
https://github.com/apigee/iloveapis2015-jwt-jwe-jws
26