Microservice Authentication and Authorization | Nic Jackson

Подписаться 7 тыс.

Просмотров 77 тыс.

50% 1

Nic Jackson (HashiCorp) | devopsconference.de/speaker/n...
In this talk we will look at how you can secure your microservices, we will identify the difference between authentication and authorization and why both are required. We will investigate some common patterns for request validation, including HMAC and JWT to avoid the confused deputy problem, and also how you can manage and secure secret information. Finally, we will see how we can leverage tools like the open source HashiCorp Vault as well as features from cloud providers like AWS and GCP, to keep your systems and users secure. Takeaways:
- Using JWT for Authz
- How to implement two factor authentication into your applications
- Securing microservice secrets
- Implementing TLS and MTLS
- Securing database access, don’t be the next Equifax
- Encryption in transit, secure your data
- Building a secure secret access policy
Join us at the next DevOpsCon: devopsconference.de/
The Conference for Continuous Delivery, Microservices, Containers, Cloud & Lean Business
Follow us on Twitter: / devops_con
Like us on Facebook: / devopscon

Опубликовано:

8 июл 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 47

@meepk633 10 месяцев назад

Hashicorp sounds like a futuristic crime org that grows illegal superorgans. I love it.

@Jesufemi_O 3 года назад

This is an amazing lecture! brilliantly taught!

@jaskaransingh6251 4 года назад

Thanks Nic. This was very helpful.

@vivienh.missamou208 3 года назад

Hi Nick, good job on exposing to audience keys to care about AuthNZ. Thanks for your signature:)

@meemootube 3 года назад

What an explanation 🙏🏽😊.. thanks

@ivandamyanov 2 месяца назад

What a great talk, thanks for sharing!

@kanji_nakamoto 3 года назад

Great talk!

@NiamorH 3 года назад

Do you also pass along signed tokens in message queues for identity propagation in addition to security? If so, is there a convention on how to do that (like the authorization bearer for http requests)?

@rainerwahnsinn3262 3 года назад

The title of the talk should have been "Introduction to JWT + General best practices". The talk is pretty beginner oriented. If you have a slight idea about security, you won't loose much skipping it. Also right at the interesting bits when he talked about Vault, the screen shows the wrong slides, see 46:10 and 53:38

@harjitsinghchhibber 2 года назад

This is very useful. Thanks Nic!

@hiimshort 3 года назад

Excellent talk!

@abhi31389 2 года назад

Nic, amazing presentation!

@NiamorH 3 года назад

1:00:40 you recommend to pass along the signed token from service A to service B. But in the token there is the 'aud' claim which is probably limited to the gateway. Should the audience verification be disabled on service B?

@logantcooper6 4 месяца назад

Brock Allen and Dominick Baier (the identity server guys) have talked about the audience claim and said it can be replaced with scopes for most scenarios. Unless you are into some SaaS scenarios with multiple instances of your token server sharing key signing material then it's safe to just use scopes. I would have each service know what scopes it's willing to accept and check incoming tokens for said scopes.

@mobe6524 2 года назад

First of all, nice prez! Although, I'd like to ask a question :) I don't seem to find the answer anywhere (it gotta be somewhere, I'm still looking) Anyway, I saw there are two ways implementation of security: 1- Authentication first, you get the token, and then you make requests reroutes through the gateway 2- Everything goes through the gateway, including authentication (it's considered as another microservice) So yeah, everyone shows the 1st implementation, where 2nd is also used but not very common, and I wanna ask why? I mean, if we're in a microservices architecture, why don't I have authentication behind the gateway as well? Is it more complicated (yeah, you'd have to reroute every authorization & authentication endpoints to retrieve the token), but would that be the only reason? Doesn't make sense to me ... Any thoughts?

@jwbonnett 10 месяцев назад

What if a JWT expires though a process? e.g. is valid for one service but by the time it is passed to another it becomes invalid?

@9860923474 4 года назад

Really good throught process. First time I could understand how JWT can be hacked. I will never use the default verify implementation as that can lead to hacks, instead a custom verifyToken function can check on the specific algorithm instead of relying on algo types from jwt.

@davidalsbury5980 3 года назад

I watch tech videos to learn about your political positions

@chandranshpandey1929 Год назад

seems to very similar presentation i have seen in youtube

@obed-shanghaiproduction6577 4 года назад

Very good content! Presenter could have done better.

@manas_singh 3 года назад

13:35 Why do I see Trump on my screen?

@richardfaasen8689 3 года назад

JWT tokens can easily be > 1.5 KB in size, not something I want to send around to my API infrastructure with every request.

@jeffreyjflim 4 года назад

Good grief. I came here to learn, but got this instead: - some personal insert about politics - s-looow as molasses speech (no, speeding it up does not help because see my other points) - meandering, lack of structure - a whole bunch of talk about JWT. That's precisely what the talk is supposed to be about, right? oh, wait...

@tjblackman08 3 года назад

Agreed, mostly, although I did appreciate the content of the talk. The political "joke" was boring, I watched the whole video at 1.5 speed with ease, and the title could have more accurately described the content of the talk. However, I didn't think the content was lacking structure. I found the talk quite informative and thorough, especially for a developer working towards a JWT based system. If that's not you, then yeah... probably a bit of a waste of time.

@habiks 4 года назад

Damn.. if the host could just chit chat less about things only he thinks are funny and if he could speak a bit faster..

@TimAllardyce 4 года назад

Thanks for the heads up -- playback 1.5x is pretty watchable

@samuelvishesh 4 года назад

Keep politics out of TECH

@shilpidey3184 4 года назад

Shame on him for bringing in his political views (I'm sure endorsed by HashiCorp) into this talk. How smug, elitist, and opinionated, and assuming we all should and do agree or care about his political views.

@vadym8713 4 года назад

Sam it is funny how tech people want to stay out of the politics which using tech for ruining democracy and economics

@samuelvishesh 4 года назад

@@vadym8713 the Swordsmith doesn't sweat about who the blade slays, just on how good the sword performs in the hands of a swordsman. *I'm just in for the tool, not politics* Technology is a tool, the TECH community should focus on the tool, not on who's using it and what's his/her political leanings.

@pedrogalusso8244 3 года назад

@@samuelvishesh is that a rule? He is entitled to his own opinion, and you are entitled to not watch, or dismiss his political point of view and withdraw the technical information you find useful.

@pedrogalusso8244 3 года назад

@@shilpidey3184 Elitist? XD hahaha. Opinionated yes... but elitist?

@nathanstott1909 4 года назад

Why impose your political opinions on a IT lecture. Very unprofessional

@BeholdingKrishna 4 года назад

Good topic has been ruined by this guy.

@KevinOnik 3 года назад

When you think you are funny and your political views must be presented within your presentation while you can not speak at normal speed. For god sake....

@et379 3 года назад

Imagine feeling offended because someone spent 30 seconds out of 65 minutes poking fun at an obvious idiot. Btw: this is RU-vid. You can change the playback speed.

@patricknazar 3 года назад

Who would have thought that academic material would be so politically charged. You've offended many and you're so willing to do so. Think what you think, but I was disgusted to hear it.

@ryeguy01 3 года назад

Why would you get offended hearing someone else's political opinions, even if you disagree with them? It was a couple minute blurb in a talk. Agreed it was out of place, but..chill.

@Gazzaroo 2 года назад

Diddums

@kovalski6000 3 года назад

I have never listened to such unprofessional speech. This kind of public humiliation of someboody based on your opinion, which may seem true to you, is completely unacceptable. Watch some lectures on public behavior and then start talking about microservices.