Securing APIs From theory to practice
Security architecture has almost become a lost art in many organizations. Due to the latter leveraging speed over stability and security, while having this common desire to build everything from scratch.
These two ends of the spectrum do not collide. If you want to iterate quickly, you need a bullet proof stack.
Among the common problems in today's service oriented approach to applications is identity management. Not only that we have to authenticate users, but applications too as they became more self aware and standalone. Resulting in hundreds of services communicating together without human intervention.
With the increased popularity of open source technologies, the internet became packed with cool and free tony stark grade products. Tested daily and always up to date.
This article aims at providing an approach to dealing with authentication in a microservice architecture with seamless integration. Using redhat's opensource product, Keycloak and a cloud native oriented development flow with quarkus. Yet again another redhat framework for modern java applications. we'll be securing our application with RBAC without having to implement any specific boilerplate.
I like to keep things cloud native, so we'll integrate things like healthchecks, Openapi and swagger ui out of the box.
You can build a native executable using graalvm. We used a lot of libraries and yet our application started in 0.009s. The human eye blinks in 0.15s.
In the past we used to build big statefull apps that handles authentication using things like cookies that doesn't scale well since they are stored in the backend server whether in cache or in the database. These systems keeps running in the wild today. Theey are secure and thoughtful, but they don't benefit from today's inventions.So Let's see how the whole stack behaves from the bottom up in a modern style.
Linux did a great job at handling the operating system layer. providing isolation, virtual networking and a whole set of abstractions that made things like virtual machines and docker containers a thing.
One thing to keep in mind when using token based authentication. Keep your token as lightweight as possible. People find it easy to inject user related information inside the token. After a year of development, the token becomes like a database containing everything and it takes forever to travel from one service to another, so keep your token clean.
This is where OpenID connect specification shines. Every system implementing it, has to provide some predefined endpoints like the userinfo endpoint where you can grab all the user related data. a refresh token endpoint to refresh your access token which lives for minutes and sometimes seconds, etc..
I used SmallRye JWT which is a library for implementing the Eclipse MicroProfile JWT RBAC.
With that we reach the end of our tutorial.
These two ends of the spectrum do not collide. If you want to iterate quickly, you need a bullet proof stack.
Among the common problems in today's service oriented approach to applications is identity management. Not only that we have to authenticate users, but applications too as they became more self aware and standalone. Resulting in hundreds of services communicating together without human intervention.
With the increased popularity of open source technologies, the internet became packed with cool and free tony stark grade products. Tested daily and always up to date.
This article aims at providing an approach to dealing with authentication in a microservice architecture with seamless integration. Using redhat's opensource product, Keycloak and a cloud native oriented development flow with quarkus. Yet again another redhat framework for modern java applications. we'll be securing our application with RBAC without having to implement any specific boilerplate.
I like to keep things cloud native, so we'll integrate things like healthchecks, Openapi and swagger ui out of the box.
I've provided an index.html file that makes the API self explanatory.
You can build a native executable using graalvm. We used a lot of libraries and yet our application started in 0.009s. The human eye blinks in 0.15s.
If you're in a hurry, you can check my repo on github and try it out yourself.
git clone https://github.com/Kyouuma/Tutorials.git
git clone https://github.com/Kyouuma/Tutorials.git
cd Tutorials/quarkus-keycloak
docker-compose -f src/main/docker/docker-compose.yaml up -d
./mvnw quarkus:dev
./mvnw quarkus:dev
STATE OF THE WORLD
In the past we used to build big statefull apps that handles authentication using things like cookies that doesn't scale well since they are stored in the backend server whether in cache or in the database. These systems keeps running in the wild today. Theey are secure and thoughtful, but they don't benefit from today's inventions.So Let's see how the whole stack behaves from the bottom up in a modern style.
Linux did a great job at handling the operating system layer. providing isolation, virtual networking and a whole set of abstractions that made things like virtual machines and docker containers a thing.
So people started shipping their applications in containers and the service oriented approach became even easier and more robust.
But with thousands of containers running together in multiple servers all around the globe composing our giant Payment app or Uber style app, managing them became very complex and things like container orchestration saw the limelight.
Google seized the opportunity and kubernetes was born in june 2014. Providing even more abstractions. Presenting our whole infrastructure to us as a single computer and providing simple APIs to manage everything.
All major companies like redhat, microsoft and so on.. saw the potential of such a system, google offered kubernetes copyrights to CNCF and all cloud providers and big companies jumped in to contribute.
In such a manner kuberenetes' goal changed to become a single runtime engine for every device out there.
Agile development became even more agile. Faster is the word you here in every company, iterate, ship, deploy, scale.. Everyone forgot security while enjoying the easy money after two weeks of development.
Last year, things like GDPR hit the IT industry, and companies had to implement security quickly. For all i know, security isn't a non functional requirements in a world where information is key, It's very hard and sometimes impossible to implement after-hand.
So people had to redesign their databases, secrets management approaches [ which is very rare in most companies, you rarely hear the term ], their social logins, kerberos system and so on..
What if i told you that you can have an Identity and Access management system, with very few click you can have social logins, interface with multiple identity provides through all the major protocols such as OpenID connect, SAML V2. Do you have LDAP? Kerberos? with little to no effort as a developer you can only worry about the business side of things and let the professionals hand security.
I used keycloak in production for a year now. I never looked back ever since. You have all your authentication requirements out of the box, coupled with an admin API if you want to customize things your way. It is built on Wildfly electron and has an outstanding plug and play style to it.
Nothing fancy really, i created a simple public client. Since we'll be handling authentication on the client side. Our backend service only has to worry about verifying the identity of the token issuer.
If you need your services to talk in a secure manner to each other, you can add a confidential client to keycloak and grant access to very few services.
Nothing fancy really, i created a simple public client. Since we'll be handling authentication on the client side. Our backend service only has to worry about verifying the identity of the token issuer.
If you need your services to talk in a secure manner to each other, you can add a confidential client to keycloak and grant access to very few services.
One thing to keep in mind when using token based authentication. Keep your token as lightweight as possible. People find it easy to inject user related information inside the token. After a year of development, the token becomes like a database containing everything and it takes forever to travel from one service to another, so keep your token clean.
This is where OpenID connect specification shines. Every system implementing it, has to provide some predefined endpoints like the userinfo endpoint where you can grab all the user related data. a refresh token endpoint to refresh your access token which lives for minutes and sometimes seconds, etc..
Once you obtain the token you can inject it in your header and issue requests to the API.
I've documented the code enough for you to navigate your way through it seamlessly. You can run quarkus in dev mode and only keycloak preconfigured in docker. The dev mode is a unique feature for a java application that you don't find anywhere else providing realtime compilation of your code.
I'll just briefly go through the various files presented out of the box for you to start building your API.
I used SmallRye JWT which is a library for implementing the Eclipse MicroProfile JWT RBAC.
The LivenessHealthCheck.java & The readlinessHealthCheck.java implement the SmallRye health library to provide kubernetes with two endpoints to check the health of our application and let it decide whether to discard or run. A simple yet powerful mechanism for a self healing service.
With that we reach the end of our tutorial.
Conclusion
There's a technologist named Kelsey Hightower who works with google, he said something that struck me. That in IT we focused on technology more than the benefit of using it to solve real world problems. Everyday people inventing similar tools and SDKs and forgot the most important thing that science provides. Answers.
Comments
Post a Comment