JSON Web Token (JWT)

JWT (JSON Web Token) defines a container to transport data between interested parties (see Figure 11-3). It became an IETF standard in May 2015 with the RFC 7519¹. A JWT can be used to:

• Propagate one’s identity information between interested parties. For example, user attributes such as first name, last name, email address, phone number, etc.

• Propagate one’s entitlements between interested parties. The entitlements define what the user is capable of doing at a target system.

• Transfer data securely between interested parties over an unsecured channel. A JWT can be used to transfer signed and/or encrypted messages.

• Assert one’s identity, given that the recipient of the JWT trusts the asserting party (the token issuer). For example, the issuer of a JWT can sign the payload with its private key, which makes it protected for integrity, so that no one in the middle can alter the message. The recipient can validate the signature of the JWT, by verifying it with the corresponding public key of the issuer. If the recipient trusts the public key known to it, it also trusts the issuer of the JWT.

A JWT can be signed or encrypted or both. A signed JWT is known as a JWS² (JSON Web Signature) and an encrypted JWT is known as a JWE³ (JSON Web Encryption) . In fact a JWT does not exist itself — either it has to be a JWS or a JWE. It’s like an abstract class — the JWS and JWE are the concrete implementations. Let me be little precise here. JWS and JWE have a broader meaning beyond JWT. JWS defines how to serialize (or represent) any signed message payload; it can be JSON, XML, or can be in any format. In the same way, JWE defines how to serialize an encrypted payload. Both JWS and JWE support two types of serializations: compact serialization and JSON serialization. We call a JWS or JWE, a JWT only if it follows the compact serialization. Any JWT must follow compact serialization. In other words a JWS or JWE token, which follows JSON serialization, cannot be called a JWT.

This looks gibberish until you break it by periods (.) and base64url-decode each part. There are two periods in it, which break the whole string into three parts (see Figure 11-4). Once you base64url-decode the fist part, it appears like so:

{"alg":"RS256","kid":"78b4cf23656dc395364f1b6c02907691f2cdffe1"}

This first part (once parted by the periods) of the JWT is known as the JOSE header. JOSE stands for JavaScript Object Signing and Encryption—and it’s the name of the IETF working group⁴ that works on standardizing the representation of integrity-protected data using JSON data structures.

The JOSE header indicates that it’s a signed message with the provided algorithm under the alg parameter. The token issuer asserts the identity of the end user by signing the JWT, which carries data related to the user’s identity. Both the alg and kid elements there are not defined in the JWT specification, but in the JSON Web Signature (JWS) specification. The JWT specification only defines two elements (typ and cty) in the JOSE header and both the JWS and JWE specifications extend it to add more appropriate elements.

The second part of the JWT, as shown in Figure 11-4, is known as the JWT claim set (see Figure 11-6). Whitespace can be explicitly retained while building the JWT claim set—no canonicalization is required before base64url encoding or decoding. Canonicalization is the process of converting different forms of a message into a single standard form. This is used mostly before signing XML messages.

The JWT claim set represents a JSON object whose members are the claims asserted by the JWT issuer. Each claim name within a JWT must be unique. If there are duplicate claim names, then the JWT parser will either return a parsing error or just return the claims set with the very last duplicate claim. JWT specification does not explicitly define which claims are mandatory and which are optional. It’s up to the each application of JWT to define mandatory and optional claims. For example, the OpenID Connect specification defines the mandatory and optional claims. According to the OpenID Connect core specification, iss, sub, add, exp, and iat are treated as mandatory elements, while auth_time, nonce, acr, amr, and azp are optional elements. In addition to the mandatory and optional claims, which are defined in the specification, the token issuer can include additional elements into the JWT claim set.

The third part of the JWT (shown in Figure 11-4) is the signature, which is also base64url encoded. The cryptographic elements related to the signature are defined in the JOSE header. In this particular example, the token issued uses RSASSA-PKCS1-V1_5 with the SHA-256 hashing algorithm, which is expressed by the value of the alg element in the JOSE header: RS256. The signature is calculated against the first two parts in the JWS—the JOSE header and the JWT claim set.

Propagating Trust and User Identity

The user context from one microservice to another can be passed along with a JWS (see Figure 11-7). Since a key known to the calling microservice signs the JWS, it will carry both the end user identity (as claimed in the JWT) and the identity of the calling microservice (via the signature). In other words, the calling microservice itself is the issuer of the JWS. To accept the JWS, the recipient microservice first needs to validate the signature of the JWS against the public key embedded in the JWS itself or retrieved via any other mechanism. That’s not just enough — then it needs to check whether it can trust that key or not. Trust between microservices can be established in multiple ways. One way is to provision the trusted certificates, by service, to each microservice. It’s a no brainer to realize that this would not scale in a microservices deployment. The approach we would like to suggest is to build a private certificate authority (CA) and use intermediate certificate authorities by different microservices teams, if the need arises. Now, rather than trusting every individual certificate, the recipient microservices will only trust either the root certificate authority or an intermediary. That will vastly reduce the overhead in certificate provisioning.

Note

Trust bootstrap is a harder problem to solve. The Secure Production Identity Framework For Everyone (SPIFFE)⁵ project builds an interesting solution around this, which can be used to bootstrap trust between different nodes in a microservices deployment. With SPIFFE, each node will get an identifier and a key pair, which can be used to authenticate to other nodes it communicates with.

In the JWT, the public key corresponding to the key used to sign the token represents the caller (or the calling microservice). How does the recipient microservice find the end user information? The JWT carries a parameter called sub in its claim set, which represents the subject or the user who owns the JWT. If any microservice needs to identify the user during its operations, this is the attribute it should look into. The value of the sub attribute is unique only for a given issuer. If you have a microservice, which accepts tokens from multiple issuers, then the uniqueness of the user should be decided as a combination of the issuer and the sub attribute. In addition to the subject identifier, the JWT can also carry user attributes such as first_name, last_name, email, and so on.

Note

When we pass user context between microservices via a JWT, each microservice has to bear the cost of JWT validation, which also includes a cryptographic operation to validate the token signature. Caching the JWT at the microservices level against the data extracted out of it would reduce the impact of repetitive token validation. The cache expiration time must match the JWT expiration time. Once again, the impact of caching would be quite low if the JWT expiration time is quite low.

When issuing a JWT from a token issuer, it has to be issued to a given audience. The audience is the consumer of the token. For example, if the microservice foo wants to talk to the microservice bar, then the token is issued by foo (or a third party issuer), and the audience of the token is bar. The aud parameter in the JWT claim set specifies the intended audience of the token. It can be a single recipient or a set of recipients. Prior to any validation check, the token recipient must first see whether the particular JWT is issued for its use. If not, it should reject it immediately. The token issuer should know, prior to issuing the token, who the intended recipient (or the recipients) of the token is. The value of the aud parameter must be a pre-agreed value between the token issuer and the recipients. In a microservices environment, we can use a regular expression to validate the audience of the token. For example, the value of the aud in the token can be *.facilelogin.com, while each recipient under the facilelogin.com domain can have its own aud values: foo.facilelogin.com, bar.facilelogin.com, and so on.

Transport Layer Security (TLS) Mutual Authentication

Transport Layer Security (TLS) mutual authentication, also known as client authentication or two-way Secure Socket Layer (SSL), is part of the TLS handshake process. In one-way TLS, only the server proves its identity to the client; this is mostly used in e-commerce to win consumer confidence by guaranteeing the legitimacy of the e-commerce vendor. In contrast, mutual authentication authenticates both parties—the client and the server. In a microservices environment, TLS mutual authentication can be used between microservices to authenticate each other.

Both in TLS mutual authentication and with the JWT-based approach, each microservice needs to have its own certificates. The difference between the two approaches is that, in JWT-based authentication, the JWS can carry the end user identity as well as the upstream service identity. With TLS mutual authentication, the end user identity has to be passed at the application level—probably as an HTTP header.

Short-Lived Certificates

From the end user perspective the short-lived certificates behave the same way as the normal certificates work today, they just have a very short expiration. The TLS client needs not to worry about doing CRL or OCSP validations against short-lived certificates and rather sticks to the expiration time, stamped on the certificate itself.

The challenge in short-lived certificates mostly lies in their deployment and maintenance. Automation is the goddess of rescue! Netflix suggests using a layered approach (see Figure 11-8) to build a short-lived certificate deployment. You would have a system identity or long-lived credential that resides in a TPM (Trusted Platform Module) or an SGX (Software Guard Extension) having lot of security on it. Then use that credential to get a short-lived certificate. Then use the short-lived certificate for your microservice, which would be consumed by another microservice. Each microservice can refresh the short-lived certificates regularly using its long-lived credentials. Having the short-lived certificate is not enough—the underlying platform, which hosts the service (or the TLS terminator), should support dynamic updates to the server certificate. A lot of TLS terminators out there support dynamically reloading the server certificates, but not with zero downtime in most cases.

OAuth 2.0

OAuth 2.0 is a framework for access delegation. It lets someone do something on behalf of someone else. There are four main characters in an OAuth 2.0 flow: the client, the authorization server, the resource server, and the resource owner. Let’s say you build a web application that lets users export their Flickr photos into it. In that case, your web application has to access the Flickr API to export photos on behalf of the users who actually own the photos. There the web application is the OAuth 2.0 client, Flickr is the resource server (which holds its users’ photos), and the Flickr user who wants to export photos to the web application is the resource owner. For your application to access Flickr API on behalf of the Flickr user, it needs some sort of an authorization grant. The authorization server issues the authorization grant, and in this case it’ll be Flickr itself. But, in practice there can be many cases where the authorization server and the resource server are two different entities. OAuth 2.0 does not couple those two together.

OAuth 2.0 introduces multiple grant types. A grant type in OAuth 2.0 explains the protocol; the client should get the resource owner’s consent to access a resource on his behalf. Also, there are some grant types that define a protocol to get a token, just on behalf of himself (client_credentials) — in other words, the client is also the resource owner. Figure 11-10 illustrates OAuth 2.0 protocol at a very high-level. It describes the interactions between the OAuth client, the resource owner, the authorization server, and the resource server.

Whoever wants to access a microservice via the API gateway must get a valid OAuth token first (see Figure 11-11). A system can access a microservice, just by being itself — or on behalf of another user. For the latter case, an example would be when a user logs in to a web application and the web application accesses a microservice on behalf of the user who logged in. When a system wants to access an API on behalf of another user, authorization code is the recommended grant type. In other cases where a system accesses an API by being itself, we can use the client credentials grant type.

With this approach , only the API calls coming from the external clients will go through the API gateway. When one microservice talks to another ,  that needs not to go through the gateway. Also ,  from a given microservice perspective, whether you get a request from an external client or another microservice, what you get is a JWT — so this is a symmetric security model.

XACML (eXtensible Access Control Markup Language)

XACML is the de-facto standard for fine-grained access control. It introduces a way to represent the required set of permissions to access a resource, in a very fine-grained manner in an XML-based domain-specific language (DSL).

XACML provides a reference architecture, a request response protocol, and a policy language. Under the reference architecture, it talks about a Policy Administration Point (PAP), a Policy Decision Point (PDP), a Policy Enforcement Point (PEP), and a Policy Information Point (PIP). This is a highly distributed architecture in which none of the components is tightly coupled. The PAP is the place where you author policies. The PDP is the place where policies are evaluated and decisions are made. While evaluating policies, if there is any missing information that can’t be derived from the XACML request, the PDP calls the PIP. The role of the PIP is to feed the PDP any missing information, which can be user attributes or any other required details. The policy is enforced through a PEP, which sits between the client and the service and intercepts all requests. From the client request, it extracts certain attributes such as the subject, the resource, and the action; then it builds a standard XACML request and calls the PDP. Then it gets a XACML response from the PDP. That is defined under the XACML request/response model. The XACML policy language defines a schema to create XACML policies for access control.

Figure 11-12 shows the XACML component architecture. The policy administrator first needs to define XACML policies via the PAP (Policy Administration Point) and those policies will get stored in the policy store. To check whether a given entity has the permission to access a given resource, the PEP (Policy Enforcement Point) has to intercept the access request, create a XACML request, and send it to the XACML PDP (Policy Decision Point). The XACML request can carry any attributes that could help the decision-making process at the PDP.

For example, it can include the subject identifier, the resource identifier, and the action the given subject is going to perform on the resource. The microservice that needs to authorize the user has to build a XACML request by extracting the relevant attributes from the JWT and talk to the PDP. The PIP (Policy Information Point) comes into the picture when the PDP finds that certain attributes required for policy evaluation are missing in the XACML request. Then the PDP will talk to the PIP to find the missing attributes. The PIP can connect to relevant datastores, find the attributes, and then feed those into the PDP.

There are two main ways to bring in a policy decision point (PDP) to the microservices architecture. In fact PDP is an implementation-agnostic term; it does not have a deep coupling to the policy language in terms of the architectural perspective. As shown in Figure 11-13, one way is to treat the PDP as a single, remote endpoint, where all the microservices connect to authorize the access requests. Each microservice will create its own XACML request and pass it over a communication channel to the PDP. PDP evaluates the request against the corresponding policies and sends back the XACML response.

Figure 11-14 shows an example XACML request in JSON. Here we can assume that someone invokes the bar microservice to buy a beer. The bar microservice extracts the subject or the user who invokes the service from the JWT coming along with the request and builds the XACML request accordingly.

Embedded PDP

As illustrated in Figure 11-15, the embedded PDP will run along with each microservice. It follows an eventing model for policy distribution, where each microservice will subscribe to its interested topics to get the appropriate access control policies from the PAP and then update the embedded PDP. You can have PAPs by microservices teams or one globally in a multi-tenanted mode. When a new policy is available or when there is a policy update, the PAP will publish an event to the corresponding topics. The embedded PDP model introduces a message broker to the microservices architecture.

This approach does not violate the immutable server concept in microservices. Immutable server means  that you build servers or containers directly out of configuration loaded from a repository at the end of the continuous delivery process   and you should be able to build the same container again and again with the same configuration. So ,  we would not expect anyone to log in to a server and do any configuration changes there. With the embedded PDP model — even though the server loads the corresponding policies while it’s running — if we spin up a new container it too gets the same set of policies from the corresponding PAP.

There is an important question that’s still unanswered. What is the role of the API gateway under the context of authorization? We can have two levels of policy enforcements. One is globally for all the requests going through the API gateway (which will act as the policy enforcement point or the PEP), and the other one is at the service level. The service-level policies must be enforced via some kind of an interceptor at the container or the service level.