Authentication and Authorisation for micro-services
This is the procedure of authentication for micro-services that is often used in practice.
In step 1, client or user C sends Cid and Kc to the authentication server A.
The Cid can be the username or user id of the user C.
Kc can be the password that the user inputted.
In step 2, the authentication server A verifies the information of the user id Cid and the key Kc in the system. If the information is correct, a ticket TCS will be returned to the client C.
The client C will use the ticket TCS in the requests to access resources on the server S in the next step.
When JSON Web Tokens - JWT is used to implement the ticket TCS, the ticket TCS is formulated as a triple of header, payload, and {header, payload}K, where {header, payload}K denotes that the information of header and payload is encrypted by a secret key K.
{header, payload}K can be seen as a signature signed by the authentication server A.
In step 3, the client C sends requests to the server S. The ticket TCS is attached in each request to the server S. The server S can be a resource service or it can be a gateway server for accessing several resource services in the architecture of micro-services.
The server S needs to verify TCS to make sure that the request is authenticated before the server S performs the request from the client C.
In the process, the server S may need to ask the authentication server A to verify the ticket or it may verify the ticket itself, before the server S performs the request from C.
When JSON Web Tokens - JWT is used, the ticket TCS can be verified by using the knowledge of the secrete key K and the algorithm that we used to obtain {header, payload}K.
In step 4, the server S returns the result to the client C.
When JWT is used, the ticket is designed so that the server can verify it. There are problems with the solution.
I am the client, I have just sent you (the authentication server A) my username and password, and I have received a JWT ticket.
How do I verify that the JWT ticket I have obtained is really from you?
I assume that the ticket can be verified that it is from you. Is the ticket for me only? Can other people steal and use it? Can someone just use a ticket which they know it can be verified and send it to me so that I would use the ticket to send my important data in my requests?
I have used my username and password to log-on on different apps. Can each ticket be used only in each session on each app?
I have just sent you, the server S, a request with a ticket from you, and I have received a result.
How do I verify that the result is for the request data I have sent to S and it is not from someone else?
As mentioned above, S in the interaction model is a resource server or can be a gateway to access several resource services.
The ticket TCS is used to access any resource server or resource services in the system.
There is no design in the interaction model to say if the client can access a particular resource server or a resource service.
In practice, we may have several resource servers/services in the system. Each resource server/service manages several resources inside. Therefore, a verfication is necessary to check whether the client can access a resource service, before we conduct another check to see if the client can access a particular resource in the resource service.
In this section, I describe an interaction model to deal with the problems that I have mentioned above. I have not resolved the issues of authorisation in this proposal yet. The problem of authorisation in the model can be resolved easily and will be presented in the next section.
In step 1, the client C sends Cid, Kc, and a nounce n1 to the server A.
The Cid can be the username or user id of the user C.
Kc can be the password that the user inputted.
The nounce n1 can be a random string or a timestamp generated by the client C.
In step 2, the server A verifies Cid and KC in the system.
If it is successful, the server A generates a random key KCS for the communication between C and S.
Then the server A encrypts the key KCS and the nounce n1 together by using the key KC to obtain {KCS, n1}KC to send to the client C.
Since the client C knows the key KC, the client C can decrypt and get the key KCS and the nounce n1 in the result.
The nounce can be verified by comparing with the nounce that the client C generated and sent to A in the step 1.
Moreover, a ticket TCS for the communication between C and S is also created and returned to the client C.
In the ticket, the values t1 and t2 are to define the starting time and ending time for the validity of the ticket.
The ticket TCS is encrypted by using a secret key KS, which is known by the server S.
Therefore, the server S can decrypt the ticket TCS to get the key KCS inside the ticket in the next step.
Asymmetric cryptography can be considered to encrypt and decrypt TCS if necessary.
In step 3, the client C uses the key KCS obtained from the server A in the step 2 to encrypt Cid and a nounce n2 to have {Cid, n2}KCS.
The client C attachs {Cid, n2}KCS and the ticket TCS on each request to send to the server S.
The request data can be encrypted by using the key KCS if necessary.
Since the server S knows the key KS, it can verify and decrypt the ticket TCS to obtain the key KCS.
Then the server S uses the key KCS to decrypt {Cid, n2}KCS in each request to verify Cid and get the nounce n2 generated by the client C.
In this step, the server S performs the request to have a result.
The result can be encrypted by the key KCS if neccessary.
The server S uses the key KCS to encrypt the nounce n2 to return to the client in the result.
The client C can verify the result from the server S by using the key KCS to get the nounce n2 and compare it with the nounce that the client C generated and sent to S in the step 3.
The interaction model proposed in the previous section has not resolved the issue of authorisation yet.
In practice, the server S can be a resource service or can be a gateway to several resource services in the architecture of micro-services.
We need to verify if the client C has rights to access a resource service before the client C can send requests to perform operations on a resource service in the step 3.
More details will be added later.