Microservice Authentication and Authorization | Nic Jackson
Переглядів 76,599
День томуNic Jackson (HashiCorp) | devopsconference.de/speaker/n...
In this talk we will look at how you can secure your microservices, we will identify the difference between authentication and authorization and why both are required. We will investigate some common patterns for request validation, including HMAC and JWT to avoid the confused deputy problem, and also how you can manage and secure secret information. Finally, we will see how we can leverage tools like the open source HashiCorp Vault as well as features from cloud providers like AWS and GCP, to keep your systems and users secure. Takeaways:
- Using JWT for Authz
- How to implement two factor authentication into your applications
- Securing microservice secrets
- Implementing TLS and MTLS
- Securing database access, don’t be the next Equifax
- Encryption in transit, secure your data
- Building a secure secret access policy
Join us at the next DevOpsCon: devopsconference.de/
The Conference for Continuous Delivery, Microservices, Containers, Cloud & Lean Business
Follow us on Twitter: / devops_con
Like us on Facebook: / devopscon
@Jesufemi_O 3 роки тому
This is an amazing lecture! brilliantly taught!
@ivandamyanov 16 днів тому
What a great talk, thanks for sharing!
@vivienh.missamou208 3 роки тому
Hi Nick, good job on exposing to audience keys to care about AuthNZ. Thanks for your signature:)
@0xAtari 3 роки тому
Great talk!
@jaskaransingh6251 3 роки тому
Thanks Nic. This was very helpful.
@meemootube 3 роки тому
What an explanation 🙏🏽😊.. thanks
@hiimshort 3 роки тому
Excellent talk!
@abhi31389 2 роки тому
Nic, amazing presentation!
@NiamorH 3 роки тому
Do you also pass along signed tokens in message queues for identity propagation in addition to security? If so, is there a convention on how to do that (like the authorization bearer for http requests)?
@harjitsinghchhibber 2 роки тому
This is very useful. Thanks Nic!
@rainerwahnsinn3262 3 роки тому
The title of the talk should have been "Introduction to JWT + General best practices". The talk is pretty beginner oriented. If you have a slight idea about security, you won't loose much skipping it. Also right at the interesting bits when he talked about Vault, the screen shows the wrong slides, see 46:10 and 53:38
@NiamorH 3 роки тому
1:00:40 you recommend to pass along the signed token from service A to service B. But in the token there is the 'aud' claim which is probably limited to the gateway. Should the audience verification be disabled on service B?
@logantcooper6 2 місяці тому
Brock Allen and Dominick Baier (the identity server guys) have talked about the audience claim and said it can be replaced with scopes for most scenarios. Unless you are into some SaaS scenarios with multiple instances of your token server sharing key signing material then it's safe to just use scopes. I would have each service know what scopes it's willing to accept and check incoming tokens for said scopes.
@jwbonnett 8 місяців тому
What if a JWT expires though a process? e.g. is valid for one service but by the time it is passed to another it becomes invalid?
@9860923474 4 роки тому
Really good throught process. First time I could understand how JWT can be hacked. I will never use the default verify implementation as that can lead to hacks, instead a custom verifyToken function can check on the specific algorithm instead of relying on algo types from jwt.
@mobe6524 2 роки тому
First of all, nice prez! Although, I'd like to ask a question :) I don't seem to find the answer anywhere (it gotta be somewhere, I'm still looking) Anyway, I saw there are two ways implementation of security: 1- Authentication first, you get the token, and then you make requests reroutes through the gateway 2- Everything goes through the gateway, including authentication (it's considered as another microservice) So yeah, everyone shows the 1st implementation, where 2nd is also used but not very common, and I wanna ask why? I mean, if we're in a microservices architecture, why don't I have authentication behind the gateway as well? Is it more complicated (yeah, you'd have to reroute every authorization & authentication endpoints to retrieve the token), but would that be the only reason? Doesn't make sense to me ... Any thoughts?
@meepk633 8 місяців тому
Hashicorp sounds like a futuristic crime org that grows illegal superorgans. I love it.
@davidalsbury5980 3 роки тому
I watch tech videos to learn about your political positions
@chandranshpandey1929 Рік тому
seems to very similar presentation i have seen in youtube
@manas_singh 3 роки тому
13:35 Why do I see Trump on my screen?
@obed-shanghaiproduction6577 4 роки тому
Very good content! Presenter could have done better.
@richardfaasen8689 3 роки тому
JWT tokens can easily be > 1.5 KB in size, not something I want to send around to my API infrastructure with every request.
@jeffreyjflim 4 роки тому
Good grief. I came here to learn, but got this instead: - some personal insert about politics - s-looow as molasses speech (no, speeding it up does not help because see my other points) - meandering, lack of structure - a whole bunch of talk about JWT. That's precisely what the talk is supposed to be about, right? oh, wait...
@tjblackman08 3 роки тому
Agreed, mostly, although I did appreciate the content of the talk. The political "joke" was boring, I watched the whole video at 1.5 speed with ease, and the title could have more accurately described the content of the talk. However, I didn't think the content was lacking structure. I found the talk quite informative and thorough, especially for a developer working towards a JWT based system. If that's not you, then yeah... probably a bit of a waste of time.
@habiks 4 роки тому
Damn.. if the host could just chit chat less about things only he thinks are funny and if he could speak a bit faster..
@TimAllardyce 4 роки тому
Thanks for the heads up -- playback 1.5x is pretty watchable
@samuelvishesh 4 роки тому
Keep politics out of TECH
@shilpidey3184 4 роки тому
Shame on him for bringing in his political views (I'm sure endorsed by HashiCorp) into this talk. How smug, elitist, and opinionated, and assuming we all should and do agree or care about his political views.
@vadym8713 4 роки тому
Sam it is funny how tech people want to stay out of the politics which using tech for ruining democracy and economics
@samuelvishesh 4 роки тому
@@vadym8713 the Swordsmith doesn't sweat about who the blade slays, just on how good the sword performs in the hands of a swordsman. *I'm just in for the tool, not politics* Technology is a tool, the TECH community should focus on the tool, not on who's using it and what's his/her political leanings.
@pedrogalusso8244 3 роки тому
@@samuelvishesh is that a rule? He is entitled to his own opinion, and you are entitled to not watch, or dismiss his political point of view and withdraw the technical information you find useful.
@pedrogalusso8244 3 роки тому
@@shilpidey3184 Elitist? XD hahaha. Opinionated yes... but elitist?
@nathanstott1909 3 роки тому
Why impose your political opinions on a IT lecture. Very unprofessional
@patricknazar 3 роки тому
Who would have thought that academic material would be so politically charged. You've offended many and you're so willing to do so. Think what you think, but I was disgusted to hear it.
@ryeguy01 3 роки тому
Why would you get offended hearing someone else's political opinions, even if you disagree with them? It was a couple minute blurb in a talk. Agreed it was out of place, but..chill.
@Gazzaroo 2 роки тому
Diddums
@BeholdingKrishna 4 роки тому
Good topic has been ruined by this guy.
@KevinOnik 3 роки тому
When you think you are funny and your political views must be presented within your presentation while you can not speak at normal speed. For god sake....
@et379 3 роки тому
Imagine feeling offended because someone spent 30 seconds out of 65 minutes poking fun at an obvious idiot. Btw: this is UKposts. You can change the playback speed.
@kovalski6000 3 роки тому
I have never listened to such unprofessional speech. This kind of public humiliation of someboody based on your opinion, which may seem true to you, is completely unacceptable. Watch some lectures on public behavior and then start talking about microservices.
DevOps Conference
Переглядів 3,1 тис.
Євробачення Україна | Eurovision Ukraine official
Переглядів 652 тис.
Eurovision Song Contest
Переглядів 4,3 млн
EDA Summit
Переглядів 24 тис.
Devoxx
Переглядів 140 тис.
iSpring Tech
Переглядів 2,5 тис.