Microservice Authentication and Authorization | Nic Jackson

Views: 76,794

DevOps Conference

A day ago

Nic Jackson (HashiCorp) | devopsconference.de/speaker/n...
In this talk we will look at how you can secure your microservices. We will identify the difference between authentication and authorization and why both are required, investigate some common patterns for request validation, including HMAC and JWT, to avoid the confused deputy problem, and look at how you can manage and secure secret information. Finally, we will see how we can leverage tools like the open source HashiCorp Vault, as well as features from cloud providers like AWS and GCP, to keep your systems and users secure. Takeaways:
- Using JWT for Authz
- How to implement two-factor authentication in your applications
- Securing microservice secrets
- Implementing TLS and MTLS
- Securing database access, don’t be the next Equifax
- Encryption in transit, secure your data
- Building a secure secret access policy
Join us at the next DevOpsCon: devopsconference.de/
The Conference for Continuous Delivery, Microservices, Containers, Cloud & Lean Business

Comments: 47
@ivandamyanov, a month ago
What a great talk, thanks for sharing!
@Jesufemi_O, 3 years ago
This is an amazing lecture! brilliantly taught!
@vivienh.missamou208, 3 years ago
Hi Nick, good job on exposing to the audience the keys to caring about AuthNZ. Thanks for your signature :)
@jaskaransingh6251, 3 years ago
Thanks Nic. This was very helpful.
@kanji_nakamoto, 3 years ago
Great talk!
@meemootube, 3 years ago
What an explanation 🙏🏽😊.. thanks
@hiimshort, 3 years ago
Excellent talk!
@NiamorH, 3 years ago
Do you also pass along signed tokens in message queues for identity propagation in addition to security? If so, is there a convention on how to do that (like the authorization bearer for http requests)?
@rainerwahnsinn3262, 3 years ago
The title of the talk should have been "Introduction to JWT + General best practices". The talk is pretty beginner oriented. If you have a slight idea about security, you won't lose much skipping it. Also, right at the interesting bits when he talked about Vault, the screen shows the wrong slides, see 46:10 and 53:38.
@harjitsinghchhibber, 2 years ago
This is very useful. Thanks Nic!
@abhi31389, 2 years ago
Nic, amazing presentation!
@mobe6524, 2 years ago
First of all, nice prez! Although, I'd like to ask a question :) I don't seem to find the answer anywhere (it's gotta be somewhere, I'm still looking). Anyway, I saw there are two ways of implementing security: 1- Authentication first: you get the token, and then you make requests rerouted through the gateway. 2- Everything goes through the gateway, including authentication (it's considered as another microservice). So yeah, everyone shows the 1st implementation, where the 2nd is also used but not very common, and I wanna ask why? I mean, if we're in a microservices architecture, why don't I have authentication behind the gateway as well? Is it more complicated (yeah, you'd have to reroute every authorization & authentication endpoint to retrieve the token), but would that be the only reason? Doesn't make sense to me... Any thoughts?
@NiamorH, 3 years ago
1:00:40 you recommend passing along the signed token from service A to service B. But in the token there is the 'aud' claim, which is probably limited to the gateway. Should the audience verification be disabled on service B?
@logantcooper6, 3 months ago
Brock Allen and Dominick Baier (the identity server guys) have talked about the audience claim and said it can be replaced with scopes for most scenarios. Unless you are into some SaaS scenarios with multiple instances of your token server sharing key signing material, it's safe to just use scopes. I would have each service know what scopes it's willing to accept and check incoming tokens for said scopes.
@jwbonnett, 9 months ago
What if a JWT expires through a process? e.g. it is valid for one service, but by the time it is passed to another it becomes invalid?
@9860923474, 4 years ago
Really good thought process. First time I could understand how JWT can be hacked. I will never use the default verify implementation as that can lead to hacks; instead a custom verifyToken function can check on the specific algorithm instead of relying on algo types from the JWT.
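Putting together the two threads above (accepting tokens by scope rather than a gateway-scoped `aud` claim, and a verifier that fixes the algorithm instead of trusting the token header), here is an added example that is not part of the talk or of any HashiCorp code. It assumes HS256 with a shared secret, an `exp` claim in seconds since the epoch and a space-separated `scope` claim; `sign_hs256` is a constructed issuer stub so the block runs offline.

```python
# Added example, not from the talk or HashiCorp: a minimal HS256 JWT verifier for a
# downstream service. The accepted algorithm is fixed by the verifier (never read from the
# token header), expiry is enforced, and instead of a gateway-scoped "aud" check the service
# accepts only tokens carrying the scopes it is configured to honour. Stdlib only.
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Mint a compact HS256 JWT (constructed issuer side, so the example runs offline)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token, key, required_scopes, now=None):
    """Return the claims if this service should accept the token, else raise ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: "none", RS256 or anything else in the header is refused outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    # Assumes "exp" is seconds since the epoch, as in RFC 7519; a token without exp is refused.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or no exp")
    # Assumes a space-separated "scope" claim; the service only honours scopes it knows.
    granted = set(str(claims.get("scope", "")).split())
    if not set(required_scopes).issubset(granted):
        raise ValueError("missing scope")
    return claims
```

Service B would call `verify_token` with its own `required_scopes` and never touch the gateway's `aud` value, which is the scope-based arrangement the reply above describes.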
@meepk633, 9 months ago
Hashicorp sounds like a futuristic crime org that grows illegal superorgans. I love it.
@davidalsbury5980, 3 years ago
I watch tech videos to learn about your political positions
@chandranshpandey1929, a year ago
Seems to be a very similar presentation to one I have seen on YouTube.
@manas_singh, 3 years ago
13:35 Why do I see Trump on my screen?
@obed-shanghaiproduction6577, 4 years ago
Very good content! Presenter could have done better.
@jeffreyjflim, 4 years ago
Good grief. I came here to learn, but got this instead: - some personal insert about politics - s-looow as molasses speech (no, speeding it up does not help because see my other points) - meandering, lack of structure - a whole bunch of talk about JWT. That's precisely what the talk is supposed to be about, right? oh, wait...
@tjblackman08, 3 years ago
Agreed, mostly, although I did appreciate the content of the talk. The political "joke" was boring, I watched the whole video at 1.5 speed with ease, and the title could have more accurately described the content of the talk. However, I didn't think the content was lacking structure. I found the talk quite informative and thorough, especially for a developer working towards a JWT based system. If that's not you, then yeah... probably a bit of a waste of time.
@richardfaasen8689, 3 years ago
JWT tokens can easily be > 1.5 KB in size, not something I want to send around to my API infrastructure with every request.
@habiks, 4 years ago
Damn.. if the host could just chit chat less about things only he thinks are funny and if he could speak a bit faster..
@TimAllardyce, 4 years ago
Thanks for the heads up -- playback 1.5x is pretty watchable
@samuelvishesh, 4 years ago
Keep politics out of TECH
@shilpidey3184, 4 years ago
Shame on him for bringing in his political views (I'm sure endorsed by HashiCorp) into this talk. How smug, elitist, and opinionated, and assuming we all should and do agree or care about his political views.
@vadym8713, 4 years ago
Sam, it is funny how tech people want to stay out of politics, which is using tech for ruining democracy and economics.
@samuelvishesh, 4 years ago
@@vadym8713 the Swordsmith doesn't sweat about who the blade slays, just on how good the sword performs in the hands of a swordsman. *I'm just in for the tool, not politics* Technology is a tool, the TECH community should focus on the tool, not on who's using it and what's his/her political leanings.
@pedrogalusso8244, 3 years ago
@@samuelvishesh is that a rule? He is entitled to his own opinion, and you are entitled to not watch, or dismiss his political point of view and withdraw the technical information you find useful.
@pedrogalusso8244, 3 years ago
@@shilpidey3184 Elitist? XD hahaha. Opinionated yes... but elitist?
@BeholdingKrishna, 4 years ago
Good topic has been ruined by this guy.
@nathanstott1909, 4 years ago
Why impose your political opinions on an IT lecture? Very unprofessional.
@KevinOnik, 3 years ago
When you think you are funny and your political views must be presented within your presentation while you cannot speak at normal speed. For God's sake....
@et379, 3 years ago
Imagine feeling offended because someone spent 30 seconds out of 65 minutes poking fun at an obvious idiot. Btw: this is YouTube. You can change the playback speed.
@patricknazar, 3 years ago
Who would have thought that academic material would be so politically charged. You've offended many and you're so willing to do so. Think what you think, but I was disgusted to hear it.
@ryeguy01, 3 years ago
Why would you get offended hearing someone else's political opinions, even if you disagree with them? It was a couple-minute blurb in a talk. Agreed it was out of place, but... chill.
@Gazzaroo, 2 years ago
Diddums
@kovalski6000, 3 years ago
I have never listened to such unprofessional speech. This kind of public humiliation of somebody based on your opinion, which may seem true to you, is completely unacceptable. Watch some lectures on public behavior and then start talking about microservices.