
Security Getting Started

William Kennedy edited this page Jun 10, 2020 · 1 revision

Introduction

Service supports authentication and authorization through JSON Web Tokens (JWT). It works by letting you annotate your endpoints with the roles a user must claim in order to execute them. The administration of users and tokens is left up to you. What Service does is accept a JWT from the HTTP request, verify the token's signature with a public key you provide, check that the token is well formed and not expired (authentication), then check the roles carried in the token against the roles the endpoint was annotated with (authorization).

To begin applying authentication and authorization to Service, a user system must exist in which you can generate user tokens with the proper claims. Identity providers such as Google and GitHub can get you started. For this project we wanted to provide you with the basic code for a user system and token generation. This is what the Sales-Admin application provides.

JSON Web Tokens

JWT is an open, industry-standard method (RFC 7519) for representing claims securely between two parties. Below is a JWT that was generated for a user using the private.pem file associated with the project.

eyJhbGciOiJSUzI1NiIsImtpZCI6IjU0YmIyMTY1LTcxZTEtNDFhNi1hZjNlLTdkYTRhMGUxZTJjMSIsIn
R5cCI6IkpXVCJ9.eyJyb2xlcyI6WyJBRE1JTiIsIlVTRVIiXSwiZXhwIjoxNjIzMzUyMzA0LCJpYXQiOjE
1OTE4MTYzMDQsImlzcyI6InNlcnZpY2UgcHJvamVjdCIsInN1YiI6IjVjZjM3MjY2LTM0NzMtNDAwNi05O
DRmLTkzMjUxMjI2NzhiNyJ9.PRXgzex6RLGPVqUUjwpSrChRNgdU4jyekxYc6MFu-sUfFRJTyi56SveP64
4dQudO-6bLFbzERVrBMyzj1LU1jXafILEnWbzVmFeRfRoui-Qa11tUcwZ1Csc2cOttZETdSkFB2nLEByjc
j0pALKUgBvl5EuHPQGGEycYWgZ230O6VXOhp6JawQyZhRe1_ODqpoBo5ZbWnRDyW9mW1wq5qLYUIpqqq7W
JehyRo5qhSXwd9i5STIMyCk72nCeIjplK0Td-vjrTwf_IFQHlD0IL4WQNw3tPLHIoJJ1d4gehqVYp_OfCG
i3ZVN-U-lfBfASSFLCYKBDSeSDuCUvbqwWxEtg

If you copy that token into the JWT debugger you will see it represents three pieces of information.

Header

eyJhbGciOiJSUzI1NiIsImtpZCI6IjU0YmIyMTY1LTcxZTEtNDFhNi1hZjNlLTdkYTRhMGUxZTJjMSIsIn
R5cCI6IkpXVCJ9.

{
  "alg": "RS256",
  "kid": "54bb2165-71e1-41a6-af3e-7da4a0e1e2c1",
  "typ": "JWT"
}
  • alg (algorithm): The algorithm used to sign the token. Because the header is under the control of whoever submits the token, a verifier should pin the algorithm it expects (RS256 here) rather than trusting this field.
  • kid (key id): A unique identifier for looking up the public key in a key store, which also allows keys to be rotated without invalidating every token at once.
  • typ (type): The type of token.

Payload

eyJyb2xlcyI6WyJBRE1JTiIsIlVTRVIiXSwiZXhwIjoxNjIzMzUyMzA0LCJpYXQiOjE1OTE4MTYzMDQsImlz
cyI6InNlcnZpY2UgcHJvamVjdCIsInN1YiI6IjVjZjM3MjY2LTM0NzMtNDAwNi05ODRmLTkzMjUxMjI2Nzhi
NyJ9.

{
  "roles": [
    "ADMIN",
    "USER"
  ],
  "exp": 1623352304,
  "iat": 1591816304,
  "iss": "service project",
  "sub": "5cf37266-3473-4006-984f-9325122678b7"
}
  • roles: The authorizations the user of the token has.
  • iss (issuer): Issuer of the token.
  • sub (subject): User of the token.
  • exp (expiration time): Time after which the token expires.
  • iat (issued at time): Time at which the token was issued; can be used to determine age of the token.

Verifying Signature

PRXgzex6RLGPVqUUjwpSrChRNgdU4jyekxYc6MFu-sUfFRJTyi56SveP644dQudO-6bLFbzERVrBMyzj1LU1
jXafILEnWbzVmFeRfRoui-Qa11tUcwZ1Csc2cOttZETdSkFB2nLEByjcj0pALKUgBvl5EuHPQGGEycYWgZ23
0O6VXOhp6JawQyZhRe1_ODqpoBo5ZbWnRDyW9mW1wq5qLYUIpqqq7WJehyRo5qhSXwd9i5STIMyCk72nCeIj
plK0Td-vjrTwf_IFQHlD0IL4WQNw3tPLHIoJJ1d4gehqVYp_OfCGi3ZVN-U-lfBfASSFLCYKBDSeSDuCUvbq
wWxEtg

RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  privateKey
)

The signature is computed over the first two base64url-encoded segments joined by a dot, using the private key (private.pem). Service checks that signature with the matching public key, so only the public key has to be present where tokens are verified. Nothing in the payload, roles included, should be trusted until that check has passed.
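As an added example, not code from the Service project, the following stand-alone Go program implements both the flow described in the introduction and the signature computation above using only the standard library. It signs a token with RS256 over header.payload, then verifies it by pinning the algorithm, resolving the public key by kid, checking the signature before decoding the payload, enforcing exp, and finally checking the roles an endpoint requires. The key pair is generated in memory as a stand-in for private.pem; the kid, issuer and subject values are copied from the token on this page, and the function names (GenerateKey, Sign, Verify, Authorize) are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Header and Claims mirror the two JSON parts decoded on this page.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	Typ string `json:"typ"`
}

type Claims struct {
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"`
	Iat   int64    `json:"iat"`
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// GenerateKey is a constructed stand-in for loading the project's private.pem.
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign returns header.payload.signature, the signature being RSASHA256 over
// base64UrlEncode(header) + "." + base64UrlEncode(payload) with the private key.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(Header{Alg: "RS256", Kid: kid, Typ: "JWT"})
	p, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the authentication step: pin alg, find the key by kid, check the signature, then exp.
func Verify(token string, keys map[string]*rsa.PublicKey, now time.Time) (Claims, error) {
	c, h := Claims{}, Header{}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("token must have three parts, got %d", len(parts))
	}
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return c, fmt.Errorf("malformed header")
	}
	// Never let the token choose the algorithm: "none", or HS256 keyed with the public key, are classic bypasses.
	if h.Alg != "RS256" {
		return c, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return c, fmt.Errorf("unknown kid %q", h.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, fmt.Errorf("invalid signature")
	}
	// Only now is the payload trusted enough to decode.
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return c, fmt.Errorf("malformed payload")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, fmt.Errorf("token expired at %d", c.Exp)
	}
	return c, nil
}

// Authorize is the authorization step: the subject needs one of the endpoint's roles.
func Authorize(c Claims, required ...string) error {
	for _, have := range c.Roles {
		for _, want := range required {
			if have == want {
				return nil
			}
		}
	}
	return fmt.Errorf("subject %s lacks any of roles %v", c.Sub, required)
}

func main() {
	priv, _ := GenerateKey()
	const kid = "54bb2165-71e1-41a6-af3e-7da4a0e1e2c1" // the kid from the token on this page
	now := time.Now()
	tok, _ := Sign(priv, kid, Claims{Roles: []string{"USER"}, Exp: now.Add(time.Hour).Unix(), Iat: now.Unix(), Iss: "service project", Sub: "5cf37266-3473-4006-984f-9325122678b7"})
	claims, err := Verify(tok, map[string]*rsa.PublicKey{kid: &priv.PublicKey}, now)
	fmt.Println("authenticated:", err == nil, "USER:", Authorize(claims, "USER"), "ADMIN:", Authorize(claims, "ADMIN"))
}
```

Run it with go run: the USER endpoint check returns nil and the ADMIN check returns an authorization error for a token that only carries USER. Two design points matter here. The payload is decoded only after the signature over the first two segments has been checked, so a modified roles list never reaches the authorization step. And alg is compared against the one value the service expects instead of being used to select a verifier, which is what closes the "alg":"none" and key-confusion routes.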

Next Steps

Navigate to the Security Steps page to walk through the process of applying authentication and authorization to the project.