
RESTful services are a pattern/implementation that is much simpler than the SOAP services they largely replaced. However, REST itself defines no security mechanism.

JWT - JSON Web Tokens

One of the emerging standards for secure messaging in a microservices platform is JWT (as promoted by Auth0). JWTs are compact and self-contained. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

  • Compact: Because of their smaller size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header. Additionally, the smaller size means less overhead or bloat, which matters especially on mobile apps.
  • Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.

The two primary applications:

  • Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request includes the JWT, allowing the user to access the routes, services, and resources that are permitted by that token. Single Sign-On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
  • Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties, because they can be signed, for example using public/private key pairs, so you can be sure that the senders are who they say they are. Additionally, as the signature is calculated over the header and the payload, you can also verify that the content hasn't been tampered with.

The proposed benefits of JWT/Auth0:

  • Easier to (horizontally) scale
  • Easier to use
  • More flexible
  • More secure
  • Built-in expiration functionality
  • No need to ask users for 'cookie consent'
  • Prevents CSRF
  • Works better on mobile
  • Works for users that block cookies

Authentication Tools

  • Keycloak is an open source identity and access management solution which provides mechanisms supporting OAuth2. Keycloak has a web admin console where administrators can manage all aspects of the server. It can easily be run in a Docker container.
  • AWS KMS

See also vertx Security

microservice_security.txt · Last modified: 2017/10/20 06:19 by root
RSS - 200 © CrosswireDigitialMedia Ltd