Description
Are you wondering how to secure microservices? Eclipse MicroProfile JWT (https://microprofile.io/) is the answer. MicroProfile JWT designs a token based authentication and authorization mechanism, which enables authorized access from clients to services or from services to services by using JWT token. This session will give you a quick overview on the MicroProfile JWT design, followed by a live demo of 2 microservices communication by passing on the JSON web token, running on Open Liberty (https://openliberty.io/) and Quarkus (https://quarkus.io/). Come to this session to understand the technology and learn how to use it.
Speaker(s):
Emily Jiang (IBM)
So, alternatively, you can reach me via Twitter. My Twitter handle is emilyfhjiang. So, great. So in this session I will talk about secure microservices made easy using MicroProfile JWT.

So, let's carry on. You may have heard of OAuth2, OpenID Connect or JWT. They are very popular technologies for securing applications. However, they are still very popular to secure microservices.

So what are they then? So OAuth2 is also an authorization protocol. I bet most of you have used OAuth2 before, no matter whether you notice it or not.
So, for example, when you first log on to a website, you might have seen a pop-up to say: do you want to log in using Facebook, or using GitHub, or using Google? So that is also OAuth2 working in the background. So basically OAuth2 allows logging in to a third-party website using a social network.

So what is the JWT? Actually a JWT contains a number of claims, and these claims can be transferred between two parties securely and safely. So this set of claims is represented as a JSON object that is base64url encoded and digitally signed. You can also encrypt it if you want. So both OAuth2 and OpenID Connect can use JWT as a token format. So here you are; this is the basic technology we use.
So what is JWT actually? A lot of people pronounce JWT as "jot", so you often hear "jot"; that's JWT. So JWT is a kind of URL-safe way of representing claims, and it can be transferred between two parties, and it contains all the information to guarantee whether this payload has been tampered with or not. So the claims are all represented as a JSON object, and it is also signed and can be further encrypted if you want. So the signature can be used to verify whether the token has been tampered with or not. For more information you can look at RFC 7519. So why is JWT so prevalent? Because it provides a great way to propagate user identity for authentication purposes, and it is also very powerful: it can contain the user attributes or the user entitlements, access rights, etc. for authorization purposes.

So what is the trust model for JWT? JWT is self-described and verifiable by using the signature, so basically this is how it works.
When the JWT is first created, the user will sign the JWT using its private key and then pass the JWT to the destination or the intended receiver. When the destination receives the JWT, it will be able to use a matching public key to verify the JWT and to tell whether this JWT has been tampered with or not.

So you may have also heard of a lot of different terms like JWT, JWS and JWE, and JWK. So what's the difference? Actually, if you think of JWT, it is actually the abstract; it's almost like an abstract class. The detailed implementation is either JWS or JWE.

JWS is a signed JWT; it is widely used. Most of the time when you talk about a JWT, it is a JWS, and a JWE is a kind of encrypted JWS. And what is a JWK? Actually a JWK is the cryptographic key, for the public key. As I mentioned earlier, the destination, the receiver, will need to use a public key to verify whether the JWT has been manipulated or not. So this public key will be able to be placed in the JWK.
So what does a JWS look like? A JWS has three parts; it contains the header, the payload and the signature. Remember they are all basically base64url encoded. So in the header on the top, it contains the type, which is JWT, and also the algorithm; everything, like for the decoders, is in the JWT payload. So, for example, the algorithm is RS256 or ES256, HS256; there are a lot of algorithms. And then the second part is the payload; you can see this is all claims, and then finally the signature.

So I briefly mentioned the JWT. So how can you create a JWT? So a JWT can be created by the application by directly calling some APIs. This API can be one that some app server supplies, offering you some API, like Open Liberty offers you an API to directly create a JWT, and also Vert.x also has an API. jwt.io can also give you the option to create a JWT as well. Alternatively, you can go to the security reverse proxy server.
It supports JWT; it creates a JWT after user login. So finally, actually, this is probably the most used version: basically OpenID Connect. The providers, such as IBM w3id, BlueID, SM, Ping, Azure, Auth0, Liberty with the OpenID Connect provider feature, Keycloak, Okta: they can all create a JWT for you. So that's a kind of quicker tour about JWT. So what is MicroProfile JWT? Remember, the first thing I want to emphasize: MicroProfile JWT provides a way to secure microservices.

However, there is a challenge with securing microservices, because these microservices are mainly stateless, and the security context cannot be saved in the backend, cannot be retained on the server side. So the security context needs to be passed with the request, like using the HTTP header, et cetera. The other thing is that microservices normally need to talk to other microservices, so you need to also provide a way to ensure this is interoperable. So MicroProfile JWT fulfills two purposes: one is to secure microservices.
So in MicroProfile JWT 1.0, it defines the interoperable JWT token format and also the APIs to be able to access the token. In 1.1 it also includes support for JWK, etc. Open Liberty supports both MicroProfile JWT 1.0 and 1.1.

So that quickly goes through the requirements. So what is MicroProfile JWT really like; what did it add over and above JWT? So basically it has three requirements. The first one says that, okay, your JWT must contain the issuer, so it is "iss". And second, it introduced two more claims: one is "upn", the other one is "groups". Thirdly, the MicroProfile JWT must be signed using RS256.

I mentioned earlier you could sign a JWT using another algorithm; however, MicroProfile JWT 1.0/1.1 asks that you must sign with RS256. And actually in the spec we said issuer and upn must be mandatory. We didn't say whether groups is mandatory or not. However, in 1.2, to be released later, we say groups actually is optional. So how does MicroProfile JWT work?
So for the creation of the JWT, I already mentioned it. However, in the backend, when your microservice accesses, gets hold of, the MicroProfile JWT, by what kind of format is it able to get hold of this MicroProfile JWT? For the JAX-RS application, they can access the JsonWebToken from the security context. I have an example here: you can directly do @Context SecurityContext and then you can do getUserPrincipal, and the user principal is the JsonWebToken.

So okay, I described what MicroProfile JWT is and how the microservice accesses the JsonWebToken, and actually how it works. And how can I use MicroProfile JWT to secure my microservice, actually for securing microservices?

You have to use Jakarta EE Security using @RolesAllowed, so you can specify which role is allowed to access this endpoint. So remember what I mentioned earlier: MicroProfile JWT has upn and also groups; the groups, you can see, I say actually belong to the group "user".
So in this case this microservice gets hold of the JWT, and then the runtime will directly get hold of the claim to find out the group of the user, and then it will say: okay, this request is allowed to be served, because it has "user" and also this is the endpoint that allows "user" to access it.

However, sometimes maybe groups and roles use a different term; maybe you define a group "admin" in your groups claim, and "administrator". How can you map them? Actually, when I say "admin", I mean administrator. So actually in Liberty, you can configure them in the application-bnd.

So this is putting it all into one picture. So basically the user directly gets hold of the JWT, either creates it himself or using an OpenID Connect provider or the proxy server, and then can pass the JWT token to the server. When the server receives the token, it can use the public key to decode this JWT and then figure out and create a JsonWebToken.

So in this way the application itself can access the JsonWebToken and then be able to work out, make, the authorization decision based on the JWT claims.
So the following are three very popular use cases using this MicroProfile JWT. The first one is kind of very simple. So basically, the client creates a JWT and then passes the JWT to the backend, so the backend will make an authorization decision based on the JWT claims.

The second one is that the client doesn't create a JWT; it delegates the creation to the reverse proxy server. So this one is: after user login, the reverse proxy server creates the JWT and then passes it downstream to the other server, so the other server can directly make an authorization decision based on the JWT claims, mostly based on the groups.

So this is the third one. This one is kind of popular, quite widely used. Basically, you rely on OpenID Connect for single sign-on. So how does it work? Basically the client directly invokes the application, like Liberty, for example; in server.xml you configure it to use the OpenID Connect provider directly to do the authentication, so that OpenID Connect server maybe is Keycloak or Okta, etc.
It can create a MicroProfile JWT token, and then you can pass it downstream, and then the microservices get hold of the JWT and actually observe the JsonWebToken to see which groups you belong to, and then can match it with the backend endpoint requirement and then determine whether these requests can be served or not. So in Open Liberty, actually, we support JWT and also MicroProfile JWT.

Today, like JWT 1.0, like OpenID Connect, a client can directly talk to other OpenID Connect server providers such as Keycloak, Okta, etc., and also has single sign-on, and also supports MicroProfile JWT 1.0/1.1.

So that's a quick tour of JWT and MicroProfile JWT in Liberty. So let me give you a quick demo to see how to use MicroProfile JWT to secure microservices. So I have two microservices: service A running on Open Liberty. So it's service A, and it already started using the dev mode running on Open Liberty, and service B.
Service A is trying to access service B; service B is running on Quarkus, so you can see it's on Quarkus. So in the port now you see it's directly running on Quarkus. So let me first show you service B.

So it has an endpoint protected. So this is the getDatabaseValue? So basically it's saying @RolesAllowed. So if you belong to the role "protected", you are allowed to access this. If not, you will be forbidden. So the other thing I mentioned earlier, you can inject a particular claim. So here I inject a customValue and then use a type of ClaimValue to directly get hold of customValue.getValue(). So this is the backend. So let me show you the frontend.
The JWT was created; what I created, look at it, is that I use RS256 as the encoding algorithm, and also I use the private key to create a JWT. So what's inside the JWT? I can set all the claims. So two very important claims are upn and the other one, groups. So here I set groups: it belongs to "protected", and also the upn. And you need to make sure of the issuer; this one is mandatory as well, as I showed you earlier.

I added a custom claim customValue here, and hopefully the backend will be able to find this custom claim, as it is showing here: trying to get hold of the JsonWebToken and directly this custom value. So they are all running in the background already, so here is the invocation. So you may think: oh, is it really true or not?
Let me change this one to be "super", like only "super" allowed to access it, and then it's automatically built; you will see Forbidden. So if I change it back here to "protected" and save it, this is the dev mode directly picking up the change, so you can see this as well. So just to make sure, actually Open Liberty also has this dev mode. If I change here to be "a", for example, and in the client, if I go back here, see the Forbidden, because Open Liberty here also has this dev mode, so it'll pick up the changes straight away, yeah. So if I continue to be "protected", it will work again.
Yeah, so that's pretty much what I want to cover today. Oh no, let me quickly spend one more minute. So this is the upcoming release, MicroProfile JWT 1.2. It supports, in addition to the RS256 signing algorithm, also ES256, and where previously only JWS was supported, now it supports JWE as well, and also you can specify where the key is to be able to decrypt this JWE. So that's pretty much it. These are really useful links about JWT and MicroProfile JWT, and also Open Liberty has a guide to teach you how to use MicroProfile JWT, and also there are two really good blogs for you to get started using Keycloak or using Okta as an OpenID Connect provider.
So I have like two minutes, so I will try to also answer questions. Can you create the JWT using MicroProfile? No, you can't. Actually it's very interesting. I read through this issue on the MicroProfile JWT community GitHub. At the moment, there are no APIs yet, so hopefully we'll try to get that covered in future releases. So at the moment some app servers give you an API for you to create a JWT token, like Open Liberty.

Also, I showed you I used Keycloak, used Vert.x, etc. to create some JWT tokens. So the other one: any plan to loosen the requirement that the JWT must contain the groups claim? Yeah. We already have, in MicroProfile JWT 1.2, we already made groups optional, so we have a different provider.

So we currently can't use this one, the groups? Yes, it is. The groups claim is optional in MicroProfile JWT 1.2, to be released hopefully in November time, so stay tuned. So things are nearly ready; we have a release candidate. Actually, you can try it out: try the Open Liberty 20.0.0.12-beta. It has MicroProfile JWT 1.2 in it, so give us any feedback you have. So that pretty much concludes today's talk. I hope you learned something; welcome any feedback. Thank you.
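As an added example (not code from the talk, Open Liberty or Quarkus), here is what the demo's protected service B endpoint looks like as a JAX-RS resource under MicroProfile JWT 1.1: @RolesAllowed checks the groups claim, the verified JsonWebToken is both injected and reachable via SecurityContext, and the demo's custom claim is injected as a ClaimValue; the package name and the claim name customValue are assumptions.

```java
package demo; // hypothetical package name

import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

import org.eclipse.microprofile.jwt.Claim;
import org.eclipse.microprofile.jwt.ClaimValue;
import org.eclipse.microprofile.jwt.JsonWebToken;

/**
 * Backend resource in the style of the demo's service B. The MP JWT runtime
 * verifies the RS256 signature of the bearer token against its configured
 * public key and checks the mandatory claims before this code runs; a
 * missing or invalid token is rejected with 401 and a token whose groups do
 * not match @RolesAllowed gets 403. Only the claims are read here.
 */
@RequestScoped
@Path("/data")
public class ProtectedResource {

    // The verified token, built by the runtime from the Authorization header.
    @Inject
    private JsonWebToken jwt;

    // A custom claim injected directly; "customValue" is an assumed claim name.
    @Inject
    @Claim("customValue")
    private ClaimValue<String> customValue;

    // Only callers whose "groups" claim contains "protected" reach this method.
    // If group names differ from role names, map them in Liberty's
    // application-bnd rather than in code.
    @GET
    @RolesAllowed("protected")
    @Produces(MediaType.TEXT_PLAIN)
    public String getDatabaseValue(@Context SecurityContext ctx) {
        // Per the spec, the JAX-RS user principal is the JsonWebToken itself.
        JsonWebToken fromContext = (JsonWebToken) ctx.getUserPrincipal();
        String upn = fromContext.getName();   // the mandatory "upn" claim
        String issuer = jwt.getIssuer();      // the mandatory "iss" claim
        return "iss=" + issuer + " upn=" + upn + " groups=" + jwt.getGroups()
             + " customValue=" + customValue.getValue();
    }
}
```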