Authentication for Apps and Services: Keymaster was originally presented at Lookout's Scaling for Mobile event on July 25, 2013. Ariel Salomon is a Principal Software Engineer at Lookout, Inc. Ariel's talk focused on setting up authentication between mobile apps and services. He gives a great overview of Keymaster. Lookout has grown immensely in the last year. We've doubled the size of the company—added more than 80 engineers to the team, support 45+ million users, have over 1000 machines in production, see over 125,000 QPS and more than 2.6 billion requests/month. Our analysts use Hadoop, Hive, and MySQL to interactively manipulate multibillion row tables. With that, there are bound to be some growing pains and lessons learned.
5. AUTH(ENTICATION) VS. AUTH(ORIZATION)
• Authentication is about validating that you are who you say you are
• Verify that a credential is correct
• Authorization is about what you are allowed to do
• In general, authorization is closely tied to your application
6. SIMPLE AUTHENTICATION SCHEME
• App knows some username and password
• Every time you need to do anything, include that in the request
8. PROBLEMS W/ SIMPLE AUTH
• The app needs to keep its credentials secure
• Every request embeds the credentials; can they be snooped?
• What happens as we scale up the system?
9. SCALING UP
• Your system is getting more complicated
• More than one service providing functionality
• They all need to share authentication
• AUTHORIZATION will vary
[Diagram: App talking to Service A and Service B]
10. SCALING UP
• Now we scale up our back-end: the app talks to multiple services
• How does Service B verify credentials?
• Options
  • Ask Service A
[Diagram: App talking to Service A and Service B]
11. SCALING UP
[Diagram: App talking to Service A and many services, B through Z]
12. SCALING UP
• Now we scale up our back-end: the app talks to multiple services
• How does Service B verify credentials?
• Options
  • Ask Service A
  • Create yet another service, ask it
  • Do some caching?
[Diagram: App talking to Service A and Service B, with an Auth Service behind them]
13. A BETTER WAY
• Signed tokens verify that authentication has happened
• One service knows how to authenticate apps, and provides tokens
• Any service can receive the tokens and verify a client without any other network traffic
14. SCALING UP WITH TOKENS
• App gets a long-lasting token
• Services don't take a network hit to handle authentication
[Diagram: App, Service A, Service B and Auth Service]
15. KEYMASTER TOKENS
• Signed tokens based on the JSON Web Token (JWT) standard [in process at IETF]
• Each token contains claims:
  • sub: Subject, the device or account being identified
  • iss: the token issuer
  • exp: expiration date-time
• From the device (app) perspective, they are opaque
16. KEYMASTER
• To validate tokens, a service must know the public keys of other services
• The Keymaster service can provide this:
  • Use the issuer embedded in the token to identify the key
  • Ask Keymaster for the public key
  • Cache it for a long time
17. KEYMASTER BETWEEN SERVICES
• Any service can generate tokens
• Tokens can carry information that needs to be signed or encrypted
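The issue-and-verify round trip behind slides 15 to 17, as an added example in Go (this is not Lookout's Keymaster code): Issue mints a compact JWT carrying sub, iss and exp, and Verify reads the token's iss claim only to choose which public key to try, fetching that key through a lookup callback (the stand-in for a request to Keymaster) on a cache miss and reusing the cached key afterwards, so repeat verifications make no network call. Ed25519 (EdDSA) signatures, the key map, the lookup callback and the error strings are assumptions of this example; the deck does not say which signature algorithm Keymaster used.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var enc = base64.RawURLEncoding // JWS uses unpadded base64url
// Claims holds the three claims named on the slides; Exp is a Unix timestamp.
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}
// Issue returns a compact JWS "header.claims.signature" signed with the issuing service's private key.
func Issue(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	signing := enc.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return signing + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}
// Verify accepts tok only if its issuer's public key verifies the signature and it has not expired; keys caches issuer -> key, and lookup (the Keymaster stand-in) is called only on a miss.
func Verify(tok string, keys map[string]ed25519.PublicKey, lookup func(string) (ed25519.PublicKey, error)) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	body, err1 := enc.DecodeString(parts[1])
	sig, err2 := enc.DecodeString(parts[2])
	var c Claims
	if err1 != nil || err2 != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("undecodable token")
	}
	pub, ok := keys[c.Iss] // the still-unverified iss claim only selects which key to try
	if !ok {
		var err error
		if pub, err = lookup(c.Iss); err != nil {
			return nil, err
		}
		keys[c.Iss] = pub
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	if time.Now().Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

Nothing in the claims is trusted until the signature checks, so a token that names a real issuer but was signed with some other key, or whose claims were swapped after signing, is rejected before the caller ever sees sub.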
18. Keep in touch with
@lookout
/mylookout
blog.lookout.com
contact@lookout.com
http://bit.ly/scaling-for-mobile