This is my small project at college.
I do all the work on this project; if you have any questions or feedback on this project, please contact me.
- API Gateway: This is the main component of the system, responsible for routing requests from customers and users to back-end services. The API Gateway also handles non-business functions such as authentication, authorization, and access control. Typically, an API gateway exposes REST/HTTP APIs to clients and users.
- Client application: This is software developed to access services through the API Gateway. The client application can be a web application, a mobile application or a desktop application.
- Self-service support platform: This is the platform used to manage and deploy back-end services. It provides features such as service registration, user management, session management, key management, and access rights management.
- ABC Company has a software system with many APIs deployed on API Gateway. There are many client applications that use these APIs, and each has its own users.
- The first security problem is how to correctly determine the identity of each user; that is, the issue of authentication. The API Gateway supports multiple authentication methods such as password, JWT, SAML, etc. This helps prevent unknown attackers from accessing the system.
- The next problem is how to control the access rights of each authenticated user. Each user should only be allowed access to certain APIs; this is a matter of authorization. The API Gateway allows access control policies to be applied based on user roles, user groups, or other factors.
- As such, authentication and authorization in the API Gateway help secure the system by keeping attackers out and by strictly controlling authorized users' access to the APIs.
Figure 1: Company doesn't have any access control.
- Customers.
- Cloud servers.
- Admin: individuals who are responsible for managing and controlling user accounts and APIs on ABC company's system.
- Employees: individuals who work for ABC company and have access to resources and data on the system.
- Adversaries.
- Customer Data.
- Company Sensitive Data.
- Confidentiality: Ensuring that information is accessed only by those with access rights and not disclosed to those who do not have access.
- Integrity: Ensuring that information has not been altered, deleted or added in an unauthorized manner.
- Availability: Ensuring that information is available and accessible by those who have access when needed.
- External attacks including DDoS attacks, password intrusion attacks, etc. These attacks can cause service interruption or unauthorized access to resources and services in the system.
Currently, most of the methods used fall into three categories: AppKeys, OAuth2, and JWT. These authentication methods have their own characteristics and advantages.
In this article the authentication method used is JWT, because:
• JWT (JSON Web Token) is an open standard defined in RFC 7519 that provides a mechanism for secure communication between two parties: the token issuer and the token user.
• Each JWT consists of three main parts: Header, Payload and Signature. The header contains information about the token type and the signing algorithm used to generate the signature. The payload contains claims about the request sent to the API, such as the username, access rights, and token expiration time. The signature is generated by digitally signing the Header and Payload with a secret key, so the consumer can verify the authenticity of the token.
The JSON web token is basically a long encoded string of text. This string consists of three smaller parts, separated by periods. These parts are:
• The header;
• A payload or body;
• A signature.
Thus, our token will look like this:
header.payload.signature
Figure 2: Algorithm JWT.
- The RBAC (Role-Based Access Control) system is used to assign access rights in the software system. The RBAC process includes the following steps:
- Users log into the system; their user information is evaluated to determine the role group that should be assigned. The role group is embedded in the generated token.
- The client calls the API Gateway with the user's token, and the API Gateway validates it. The API Gateway keeps a local cache containing a map of role groups to their associated permissions. This cache is periodically refreshed by contacting the Authentication Server in the background.
- The API Gateway looks up the user's token and extracts the user details and the assigned role groups. It then derives the relevant permissions from the cached data and sends those permissions down to the microservices as part of additional request headers.
- All microservices can use a common library to evaluate whether "READ" or "EXECUTE" permission is available to perform a certain action. Whether or not the permission is present controls the response behavior of the API.
- Clients can store the list of permissions available to the user to control user-interface behavior and handling.
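The gateway-side part of the steps above (cached role map, permission derivation, forwarded headers, and the common check used by microservices) as an added example; this is not the project's code, and the authentication server, role catalogue and header names are constructed stand-ins.

```javascript
// Added example: gateway-side resolution of role groups to permissions as in the steps above.
// The authentication server, role map and microservice check are in-memory stand-ins (constructed).

// Stand-in for the Authentication Server's role catalogue (constructed data).
const authServer = {
  roleMap: {
    viewer: ['orders:READ'],
    operator: ['orders:READ', 'orders:EXECUTE'],
    admin: ['orders:READ', 'orders:EXECUTE', 'users:READ', 'users:EXECUTE'],
  },
  fetchRoleMap() { return { ...this.roleMap }; },
};

// Gateway-side cache of role group -> permissions, refreshed in the background.
const cache = { roleMap: {}, refreshedAt: 0 };
function refreshCache(now = Date.now()) {
  cache.roleMap = authServer.fetchRoleMap();
  cache.refreshedAt = now;
}

// Derives the permission set for the role groups carried in an already-validated token.
// Unknown roles contribute nothing, so a stale or bogus role never fails open.
function derivePermissions(roleGroups) {
  const perms = new Set();
  for (const role of roleGroups) {
    for (const p of cache.roleMap[role] ?? []) perms.add(p);
  }
  return [...perms].sort();
}

// Extra request headers the gateway adds before forwarding to a microservice.
// Only the gateway may set these: microservices must not be reachable directly.
function forwardHeaders(validatedClaims) {
  return {
    'x-user': validatedClaims.username,
    'x-permissions': derivePermissions(validatedClaims.roles).join(','),
  };
}

// Common library used by every microservice: is "READ" or "EXECUTE" on this resource granted?
function hasPermission(headers, resource, action) {
  const granted = (headers['x-permissions'] || '').split(',').filter(Boolean);
  return granted.includes(`${resource}:${action}`);
}

refreshCache();
const demoHeaders = forwardHeaders({ username: 'alice', roles: ['operator'] });
console.log(hasPermission(demoHeaders, 'orders', 'EXECUTE')); // true
console.log(hasPermission(demoHeaders, 'users', 'READ'));     // false
```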
Reasons to choose RBAC for API Gateway:
- Simplify management: When implementing Microservices architecture, there will be many services working together. RBAC uses roles to decentralize access, which simplifies management and reduces security risks. Administrators only need to manage roles, and these roles can be assigned to many different services.
- Flexibility: RBAC provides great flexibility for access decentralization. Administrators can easily add or remove roles to change user access rights. With a Microservices architecture, when services are added or removed, RBAC allows the access rights in each service to be changed easily.
- Minimize security risks: RBAC can help reduce security risks in Microservices architecture. With RBAC, users can only access resources if they have a role assigned to that resource. This helps ensure that users can only access resources they are authorized to access.
- Compatibility: RBAC is a common access authorization method in many different software systems. So it can be integrated into Microservices architecture easily and supported by many different technologies.
However, RBAC is not perfect: it cannot handle permissions that depend on user attributes, which is a limitation if the system requires attribute-based access permissions.
Implement the function of user registration into the system. Use the AWS SDK to access the Amazon DynamoDB database.
If the user enters the full registration information, the code will check if the username already exists in the database. If the username already exists, the code will return an error message. Otherwise, the code encrypts the user password and stores the new user information in the DynamoDB database.
Finally, the code will return an HTTP response with a status code corresponding to the processing result.
Implement storing new user information in the Amazon DynamoDB database and querying user information from the database.
The getUser function queries user information from the database by login name. It uses the dynamodb.get() method to query the database and return the corresponding user information.
The saveUser function stores new user information into the database. It uses the dynamodb.put() method to save new user information to the database.
Finally, the register function uses the getUser and saveUser functions to check whether the username already exists in the database and to store the new user information in the database after encrypting the password. If saving fails, the function returns an error response. If saving succeeds, the function returns an HTTP response with status code 200 and the login name of the newly registered user.
- Login
When the user logs in with credentials matching the registration information stored in the database, the server returns a token as described above.
- Verify
- Use the jwt.sign() method to generate a JWT from the information in userInfo. The JWT is signed with the secret key specified in the process.env.JWT_SECRET environment variable and expires in 5 minutes.
- The verifyToken function takes a username and a JWT and uses the jwt.verify() method to verify the JWT. If the JWT is invalid (e.g. not signed with the secret key in process.env.JWT_SECRET), the function returns an object with the verified property set to false and an error message. If the JWT is valid, it is decoded and the function returns an object with the verified property set to true and a confirmation message. The function also checks that the username in the JWT matches the provided username, and returns an error message if it does not.
USER_POOL_ID: User Pool ID used for user management and authentication.
CLIENT_ID: The ID of the application registered with the User Pool.
CLIENT_SECRET: The client secret used to generate the hash that authenticates registration or login requests.
Client: Object that contains configuration information to interact with Amazon Cognito User Pools.
Then implement the get_secret_hash(username) function, which generates the hash used to authenticate the user's registration or login request. The function uses the HMAC algorithm, keyed with the client secret, to generate a hash from the user name and the application (client) ID.
Finally, declare constants that are used to determine the status of the registration or login request, including the ERROR error code, the SUCCESS success code, and the USER_EXISTS error code.
The initiate_auth(username, password) function makes user login authentication requests to Amazon Cognito User Pools. It uses the ADMIN_NO_SRP_AUTH flow to authenticate the user, an authentication method that does not use the SRP (Secure Remote Password) protocol.
Specifically, the function takes a username and password, then uses the admin_initiate_auth() method of the client object to send a login authentication request to Amazon Cognito User Pools. The function returns the IdToken if authentication is successful.
The lambda_handler(event, context) function handles the user registration or login request. It uses the sign_up() and initiate_auth() functions to perform registration and login authentication. If registration or authentication fails, the function returns a failure error code.
If registration and authentication succeed, the function returns the IdToken and some other information related to the user, including the user's confirmation status and the user's random ID.
In the "aud" claim of the JWT, the value is "3mi9trh9budpe6ih8vh757bbbm". This is the Audience the JWT is made for, that is, the recipient the JWT is intended to be used with. In this case, the recipient could be a resource protected by Amazon Cognito User Pools.
When a user wants to access a resource protected by User Pools, they need to provide a JWT with a matching Audience; the system uses the public key to verify the JWT and check whether the user has access to the resource. Therefore, the "aud" claim is an important part of authorizing user access to the resources protected by User Pools. The public key identified by the JWT header is used to verify the token before the user's access is authorized.
When a user successfully logs in and authenticates on Amazon Cognito User Pools, the system generates a JWT containing information about the user and the access rights granted to the user. The JWT header identifies the public key used to verify the JWT's signature.
When a user wants to access a resource protected by User Pools, they provide the JWT to the system. The system uses the public key identified by the JWT header to validate the JWT's signature and determine whether the user has access to the resource.