Episode 044: 09‐03‐2024 Securing identity and context in microservices - GluuFederation/identerati-office-hours GitHub Wiki

Title: Securing identity and context in microservices

YouTube

Description

Defending against privileged user compromise and software supply chain attacks requires newer standards that can reduce the trust placed in the non-human (or machine) identities that services use to communicate with each other. Transaction tokens are a newly proposed standard in the IETF that can effectively defend against these attacks. Learn all about it in this episode with Atul Tulshibagwale, CTO of SGNL, the inventor of CAEP and an Okta Identity 25 Listee.

Homework

Extra Credit

Slides


Takeaways

  • Transaction Tokens are complementary to SPIFFE and mTLS, which you could say secure the transport layer and establish a base level of which services should be able to "talk to each other".

  • While you could include any claims for authorization details in an OAuth access token, transaction tokens help to standardize how this information is conveyed. Defining a separate JWT gives domains more granularity in deploying the technology, for example shorter expiration times.

  • There is some overlap with the WIMSE Working Group's efforts, although Transaction Tokens pre-date that effort and will be ready for deployment sooner; hopefully we'll see an RFC in 2025.

  • SGNL has released a new Open Source framework called Tratteria ("TraT" is shorthand for "transaction token"). The framework consists of a TraTs issuance service, a Kubernetes custom controller for configuration management, and sidecar agents for verifying TraTs.

  • Janssen Auth Server also supports transaction tokens. See the Jans docs.
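The takeaways above describe a transaction token as a separate, short-lived JWT that carries the authorization details for one call chain and is verified by each service. Below is an added example, not code from the episode, SGNL, Tratteria or Janssen, that mints such a token and checks it the way a verifying sidecar would. The `typ` value `txn_token` and the `txn`, `purp` and `azd` claim names are my reading of the IETF draft and should be treated as assumptions, and the HMAC key is a constructed demo value.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed demo key: a real TraT issuance service signs with an asymmetric key
# that verifiers fetch; HMAC keeps this example self-contained.
SIGNING_KEY = b"demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_trat(issuer, trust_domain, purpose, azd, ttl_seconds=30, now=None):
    """Mint a short-lived transaction token as an HS256 JWT (typ and claim names assumed)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "txn_token"}
    claims = {
        "iss": issuer,
        "aud": trust_domain,        # trust domain the token is valid in
        "iat": now,
        "exp": now + ttl_seconds,   # seconds, not the hours of an access token
        "txn": str(uuid.uuid4()),   # per-transaction identifier
        "purp": purpose,            # what this call chain is allowed to do
        "azd": azd,                 # authorization details, fixed for the chain
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_trat(token, expected_issuer, trust_domain, now=None):
    """Sidecar-style check: signature, token type, issuer, audience, expiry.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256" or header.get("typ") != "txn_token":
        return None  # an ordinary access token, or an alg swap, is rejected here
    if claims.get("iss") != expected_issuer or claims.get("aud") != trust_domain:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The verifier keys on the token type and the trust-domain audience, so an ordinary access token presented in place of a TraT, or a TraT replayed in another domain or after its short expiry, is refused.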

Livestream Audio Archive

Here