Alvaro Sanchez-Mariscal, profile picture
Uploaded byAlvaro Sanchez-Mariscal
PDF, PPTX61,319 views

Stateless authentication for microservices

The document discusses stateless authentication for microservices, focusing on the differences between monolithic applications and microservices, as well as introducing OAuth 2.0 and implementing statelessness with JWT. It outlines the roles within OAuth 2.0, various grant types, the importance of securely handling tokens, and the benefits of JSON Web Tokens. The presentation also emphasizes the need for a secure and efficient authentication mechanism in modern application architectures.

Software
In this document
Powered by AI

Overview of stateless authentication for microservices by Álvaro Sánchez-Mariscal. Introduction to the presenter.

Presentation agenda covering topics related to authentication in monolithic apps, OAuth 2.0, JWT, and Q&A sessions.

Discussion on stateful authentication challenges in REST APIs when transitioning from monolithic to microservices.

Explanation of user authentication and authorization tailored for microservices architecture.

Description of OAuth 2.0 including its roles: Resource Owner, Resource Server, Authorization Server, Client.

Step-by-step flow of OAuth 2.0 demonstrating the interaction between clients, servers, and obtaining access tokens.

Different OAuth 2.0 grant types including Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials.

Introduction to JSON Web Tokens (JWT) as means to achieve stateless access for authentication in microservices.

Overview of the Spring Security REST plugin development progress, current status, and roadmap for future improvements.

Final remarks and invitation for questions, concluding the presentation on authentication methodologies.

Embed presentation

Download as PDF, PPTX
Stateless authentication for microservices Álvaro Sánchez-Mariscal Web Architect - @alvaro_sanchez
@alvaro_sanchez About me ● Passionate Software Developer. ● Worked at IBM BCS, BEA Systems and Sun Microsystems. ● Founded Salenda and Escuela de Groovy. ● Working now at as a Web Architect. ● Living between Madrid and Gibraltar.
@alvaro_sanchez About ● HTML5 games platform. ● We provide game developers a Javascript SDK. ● Server side logic and maths are handled by our industry certified game engines. ● Seamless integration with several casinos. ● Check out play.odobo.com and play for free!
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
Authentication in monolithic apps ● Historically, authentication has always been a stateful service. ● When moving to Single-Page Applications, and/or having mobile clients, it becomes an issue. ● If you are build a REST and stateless API, your authentication should be that way too. @alvaro_sanchez
Microservices by http://martinfowler.com/articles/microservices. @alvaro_sanchez html
Microservices by http://martinfowler.com/articles/microservices. @alvaro_sanchez html
Monolithic vs Microservices Monolithic Microservices @alvaro_sanchez
Authentication and microservices ● Authentication: to verify the identity of the user given the credentials received. ● Authorization: to determine if the user should be granted access to a particular resource. ● In a microservices context: ○ Authentication can be a microservice itself. ○ Authorization is a common functionality in all of them. @alvaro_sanchez
Authentication and microservices Authentication Service @alvaro_sanchez Javascript front-end UI Mobile app Shopping cart Service Catalog Service Orders Service Shipping Service User repository Catalog DB Invoicing DB Shipping partners Web Backend Mobile Backend
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
Introducing OAuth 2.0 An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. @alvaro_sanchez
OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
OAuth 2.0: protocol flow I want to see a list of games @alvaro_sanchez
OAuth 2.0: protocol flow Hey, backend, could you please give me a list of games? @alvaro_sanchez
OAuth 2.0: protocol flow Sorry mate, this is a protected resource. You will need to present me an access token @alvaro_sanchez
OAuth 2.0: protocol flow Hi Google, can I get an access token please? Backend is asking @alvaro_sanchez
OAuth 2.0: protocol flow Sure thing sir. I just need to ask a few details to @alvaro_sanchez the user first
OAuth 2.0: protocol flow Hi, could you please provide me your credentials? I need to verify your identity @alvaro_sanchez
OAuth 2.0: protocol flow That’s no problem at all. I am bob@gmail.com and my password is secret. @alvaro_sanchez
OAuth 2.0: protocol flow The user is who claims to be. Here is your access token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa @alvaro_sanchez
OAuth 2.0: protocol flow Hi Backend, this is my token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa @alvaro_sanchez
OAuth 2.0: protocol flow Hi, I’ve been given qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa. Could you please tell me who it belongs to? @alvaro_sanchez
OAuth 2.0: protocol flow Of course. That token is still valid and it belongs to @alvaro_sanchez bob@gmail.com.
OAuth 2.0: protocol flow Everything is allright. This is the list of games. @alvaro_sanchez Enjoy!
OAuth 2.0: protocol flow Here you are the list of games.Thank you for your business and have a good day! @alvaro_sanchez
OAuth 2.0: protocol flow OAuth 2.0 is a delegation protocol, as this guy has no idea about the credentials of this guy @alvaro_sanchez
OAuth 2.0: grant types ● Authorization code: for web server applications. ● Implicit: for JS front-ends and mobile apps. ● Resource Owner Password Credentials: for trusted clients. ● Client credentials: for service authentication. @alvaro_sanchez
Authorization code grant ● For server-based applications, where the client ID and secret are securely stored. ● It’s a redirect flow, so it’s for web server apps. ● The client (web server app) redirects the user to the authorization server to get a code. ● Then, using the code and its client credentials asks for an access token. @alvaro_sanchez
Authorization code grant http://myServerApp.com @alvaro_sanchez
Authorization code grant https://facebook.com/dialog/oauth ?response_type=code &client_id=YOUR_CLIENT_ID &redirect_uri= http://myServerApp.com/oauth &scope=email,public_profile @alvaro_sanchez
Authorization code grant hhttttpp::////fmacyeSbeorvoekr.Acopmp.com @alvaro_sanchez
Authorization code grant hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com @alvaro_sanchez
Authorization code grant https://myServerApp.com/oauth?code=CODE Finishing authentication... @alvaro_sanchez
Authorization code grant Server-side POST request to: https://graph. facebook.com/oauth/access_token With this body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=http://myServerApp.com &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
Authorization code grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
@alvaro_sanchez Implicit grant ● For web applications running on the browser (eg: AngularJS, etc) or mobile apps. ● Client credentials confidentiality cannot be guaranteed. ● Similar to the code grant, but in this case, the client gets an access token directly.
@alvaro_sanchez Implicit grant http://myFrontendApp.com/#/home
@alvaro_sanchez Implicit grant https://facebook.com/dialog/oauth ?response_type=token &client_id=YOUR_CLIENT_ID &redirect_uri= http://myFrontendApp.com/#/cb &scope=email,public_profile
@alvaro_sanchez Implicit grant hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com
@alvaro_sanchez Implicit grant https://myFrontendApp.com/#/cb?token=TOKEN Finishing authentication...
Password credentials grant ● In this case, client collects username and password to get an access token directly. ● Viable solution only for trusted clients: ○ The official website consumer of your API. ○ The official mobile app consuming your API. ○ Etc. @alvaro_sanchez
Password credentials grant @alvaro_sanchez
Password credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=password &username=USERNAME&password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
Password credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
Client credentials grant ● Service-to-service authentication, without a particular user being involved. ○ Eg: the Orders microservice making a request to the Invoicing microservice. ● The application authenticates itself using its client ID and client secret. @alvaro_sanchez
Client credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
Client credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
Accessing the protected resource Once the client has an access token, it can request a protected resource: GET /games HTTP/1.1 Host: api.example.org Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia @alvaro_sanchez
Token expiration and refresh ● If the Authorization Server issues expiring tokens, they can be paired with refresh tokens. ● When the access token has expired, the refresh token can be used to get a new access token. @alvaro_sanchez
Tips for a front-end application ● Use the implicit grant. ○ Already supported for 3rd party providers like Google, @alvaro_sanchez Facebook. ○ If you hold your own users, have your backend to implement the OAuth 2.0 Authorization Server role. ● Use HTML5’s localStorage for access and refresh tokens.
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
Stateful vs. Stateless ● Authorization Servers are often stateful services. ○ They store issued access tokens in databases for future @alvaro_sanchez checking. ● How can we achieve statelessness? ○ Issuing JWT tokens as access tokens.
Introducing JWT JSON Web Token is a compact URL-safe means of representing claims to be transferred between two parties. The claims are encoded as a JSON object that is digitally signed by hashing it using a shared secret between the parties. @alvaro_sanchez
Introducing JWT... in Plain English A secure way to encapsulate arbitrary data that can be sent over unsecure URL’s. @alvaro_sanchez
When can JWT be useful? ● When generating “one click” action emails. ○ Eg: “delete this comment”, “add this to favorites”. ● To achieve Single Sign-On. ○ Sharing the JWT between different applications. ● Whenever you need to securely send a payload. ○ Eg: to “obscure” URL parameters or POST bodies. @alvaro_sanchez
How does a JWT look like? Header Claims eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJleHAiOjE0MTY0NzE5MzQsInVzZXJfbmFtZSI6InV zZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYX V0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfV VNFUiJdLCJqdGkiOiI5YmM5MmE0NC0wYjFhLTRjNWUt YmU3MC1kYTUyMDc1YjlhODQiLCJjbGllbnRfaWQiOiJ teS1jbGllbnQtd2l0aC1zZWNyZXQifQ. AZCTD_fiCcnrQR5X7rJBQ5rO-2Qedc5_3qJJf-ZCvVY @alvaro_sanchez Signature
@alvaro_sanchez JWT Header { "alg": "HS256", "typ": "JWT" }
@alvaro_sanchez JWT Claims { "exp": 1416471934, "user_name": "user", "scope": [ "read", "write" ], "authorities": [ "ROLE_ADMIN", "ROLE_USER" ], "jti": "9bc92a44-0b1a-4c5e-be70-da52075b9a84", "client_id": "my-client-with-secret" }
@alvaro_sanchez Signature HMACSHA256( base64(header) + "." + base64(payload), "secret" )
Sample access token response @alvaro_sanchez { "access_token": "eyJhbGciOiJIUzI1NiJ9. eyJleHAiOjE0MTY0NzEwNTUsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZS I6WyJyZWFkIiwid3JpdGUiXSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1J TiIsIlJPTEVfVVNFUiJdLCJqdGkiOiIzZGJjODE4Yi0wMjAyLTRiYzItYT djZi1mMmZlNjY4MjAyMmEiLCJjbGllbnRfaWQiOiJteS1jbGllbnQtd2l0 aC1zZWNyZXQifQ. Wao_6hLnOeMHS4HEel1UGWt1g86ad9N0qCexr1IL7IM", "token_type": "bearer", "expires_in": 43199, "scope": "read write", "jti": "3dbc818b-0202-4bc2-a7cf-f2fe6682022a" }
Achieving statelessness ● Instead of storing the access token / principal relationship in a stateful way, do it on a JWT. ● Access tokens with the JWT-encoded principal can be securely stored on the client’s browser. ● That way you are achieving one of the basic principles of REST: State Transfer. @alvaro_sanchez
Tips for using JWT ● JWT claims are just signed by default (JWS - JSON Web Signature). ○ It prevents the content to be tampered. ● Use encryption to make it bomb proof. ○ Use any algorithm supported by JWE - JSON Web @alvaro_sanchez Encryption.
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
It all started here, one year ago @alvaro_sanchez
@alvaro_sanchez One year later ● Spring Security REST plugin. ○ 16 contributors. ○ 34 pull requests. ○ 59 stars on GitHub. ○ 16 releases. ○ http://bit.ly/spring-security-rest
Happy users == happy author @alvaro_sanchez
Current status ● Latest release: 1.4.0. ● Compatibility layer over Spring Security Core. ○ Login and logout REST endpoints. ○ Token validation filter. ○ Memcached, GORM and Grails Cache token storages. ○ Partial implicit grant support through 3rd party @alvaro_sanchez providers. ○ Partial RFC 6750 Bearer Token support.
@alvaro_sanchez Roadmap ● Upcoming release: 1.4.1. ○ Complete RFC 6750 Bearer Token support. ○ Due in few days. ● Next release: 2.0. ○ Complete RFC 6749 OAuth 2.0 support. ○ ETA: Q1 2015.
@alvaro_sanchez Agenda 1. Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Demo. 5. Q&A.
@alvaro_sanchez Thanks! Álvaro Sánchez-Mariscal Web Architect - Images courtesy of @alvaro_sanchez

More Related Content

PDF
Password hashing, salting, bycrpt
byAhmad karawash
 
PDF
OAuth & OpenID Connect Deep Dive
byNordic APIs
 
PDF
Swagger
byNexThoughts Technologies
 
PDF
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
byFIWARE
 
PDF
The Architecture of an API Platform
byJohannes Ridderstedt
 
PDF
OAuth
byIván Fernández Perea
 
PDF
Implementing OAuth
byleahculver
 
PPTX
Api types
bySarah Maddox
 
Password hashing, salting, bycrpt
byAhmad karawash
 
OAuth & OpenID Connect Deep Dive
byNordic APIs
 
Swagger
byNexThoughts Technologies
 
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
byFIWARE
 
The Architecture of an API Platform
byJohannes Ridderstedt
 
OAuth
byIván Fernández Perea
 
Implementing OAuth
byleahculver
 
Api types
bySarah Maddox
 

What's hot

PPTX
Rest API
byRohana K Amarakoon
 
PPTX
API
byMasters Academy
 
PDF
Neo4j Generative AI workshop at GraphSummit London 14 Nov 2023.pdf
byNeo4j
 
PPTX
OAuth 2
byChrisWood262
 
PPTX
Architecture for the API-enterprise
byApigee | Google Cloud
 
PPTX
API Strategy Introduction
byDoug Gregory
 
PPTX
REST API Design & Development
byAshok Pundit
 
PDF
JFokus: Cubes, Hexagons, Triangles, and More: Understanding Microservices
byChris Richardson
 
PPTX
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
PDF
API Management
byMicropole Group
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PDF
Integrating Fiware Orion, Keyrock and Wilma
byDalton Valadares
 
PDF
How to build a chat application with react js, nodejs, and socket.io
byKaty Slemon
 
PPTX
FIDO Masterclass
byFIDO Alliance
 
PDF
Getting Started with FIDO2
byFIDO Alliance
 
PPTX
Kerberos for Distributed System Security - Omal Perera
byOmal Perera
 
PDF
Complete open source IAM solution
byRadovan Semancik
 
PDF
Apache Kafka Architecture & Fundamentals Explained
byconfluent
 
PDF
How Secure Are Your APIs?
byApigee | Google Cloud
 
PDF
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
byFIWARE
 
Rest API
byRohana K Amarakoon
 
API
byMasters Academy
 
Neo4j Generative AI workshop at GraphSummit London 14 Nov 2023.pdf
byNeo4j
 
OAuth 2
byChrisWood262
 
Architecture for the API-enterprise
byApigee | Google Cloud
 
API Strategy Introduction
byDoug Gregory
 
REST API Design & Development
byAshok Pundit
 
JFokus: Cubes, Hexagons, Triangles, and More: Understanding Microservices
byChris Richardson
 
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
API Management
byMicropole Group
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
Integrating Fiware Orion, Keyrock and Wilma
byDalton Valadares
 
How to build a chat application with react js, nodejs, and socket.io
byKaty Slemon
 
FIDO Masterclass
byFIDO Alliance
 
Getting Started with FIDO2
byFIDO Alliance
 
Kerberos for Distributed System Security - Omal Perera
byOmal Perera
 
Complete open source IAM solution
byRadovan Semancik
 
Apache Kafka Architecture & Fundamentals Explained
byconfluent
 
How Secure Are Your APIs?
byApigee | Google Cloud
 
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
byFIWARE
 

Similar to Stateless authentication for microservices

PDF
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication for microservices - Spring I/O 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication for microservices - Greach 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless token-based authentication for pure front-end applications
byAlvaro Sanchez-Mariscal
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
PDF
OAuth and why you should use it
bySergey Podgornyy
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPTX
OAuth
byTom Elrod
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
Spring4 security oauth2
bySang Shin
 
PDF
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
byapidays
 
PDF
Spring4 security oauth2
byaxykim00
 
PDF
When and Why Would I use Oauth2?
byDave Syer
 
PDF
OAuth2
bySPARK MEDIA
 
PDF
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
PDF
Spring security oauth2
byaxykim00
 
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Spring I/O 2015
byAlvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
byAlvaro Sanchez-Mariscal
 
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
Stateless token-based authentication for pure front-end applications
byAlvaro Sanchez-Mariscal
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
OAuth and why you should use it
bySergey Podgornyy
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Stateless Auth using OAUTH2 & JWT
byMobiliya
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
OAuth
byTom Elrod
 
Demystifying OAuth 2.0
byKarl McGuinness
 
Spring4 security oauth2
bySang Shin
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
byapidays
 
Spring4 security oauth2
byaxykim00
 
When and Why Would I use Oauth2?
byDave Syer
 
OAuth2
bySPARK MEDIA
 
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
Spring security oauth2
byaxykim00
 

More from Alvaro Sanchez-Mariscal

PDF
Serverless functions with Micronaut
byAlvaro Sanchez-Mariscal
 
PDF
Asynchronous and event-driven Grails applications
byAlvaro Sanchez-Mariscal
 
PDF
6 things you need to know about GORM 6
byAlvaro Sanchez-Mariscal
 
PDF
Reactive microservices with Micronaut - GR8Conf EU 2018
byAlvaro Sanchez-Mariscal
 
PDF
Reactive microservices with Micronaut - Greach 2018
byAlvaro Sanchez-Mariscal
 
PDF
Practical Spring Cloud
byAlvaro Sanchez-Mariscal
 
PDF
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
byAlvaro Sanchez-Mariscal
 
PDF
Mastering Grails 3 Plugins - G3 Summit 2016
byAlvaro Sanchez-Mariscal
 
PDF
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
byAlvaro Sanchez-Mariscal
 
PDF
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
byAlvaro Sanchez-Mariscal
 
PDF
Mastering Grails 3 Plugins - GR8Conf US 2016
byAlvaro Sanchez-Mariscal
 
PDF
Mastering Grails 3 Plugins - GR8Conf EU 2016
byAlvaro Sanchez-Mariscal
 
PDF
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
byAlvaro Sanchez-Mariscal
 
PDF
Mastering Grails 3 Plugins - Greach 2016
byAlvaro Sanchez-Mariscal
 
PDF
Creating applications with Grails, Angular JS and Spring Security
byAlvaro Sanchez-Mariscal
 
PDF
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
byAlvaro Sanchez-Mariscal
 
PDF
Efficient HTTP applications on the JVM with Ratpack - JDD 2015
byAlvaro Sanchez-Mariscal
 
PDF
Ratpack 101 - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
PDF
Ratpack 101 - GeeCON 2015
byAlvaro Sanchez-Mariscal
 
PDF
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
byAlvaro Sanchez-Mariscal
 
Serverless functions with Micronaut
byAlvaro Sanchez-Mariscal
 
Asynchronous and event-driven Grails applications
byAlvaro Sanchez-Mariscal
 
6 things you need to know about GORM 6
byAlvaro Sanchez-Mariscal
 
Reactive microservices with Micronaut - GR8Conf EU 2018
byAlvaro Sanchez-Mariscal
 
Reactive microservices with Micronaut - Greach 2018
byAlvaro Sanchez-Mariscal
 
Practical Spring Cloud
byAlvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security - G3 Summit...
byAlvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - G3 Summit 2016
byAlvaro Sanchez-Mariscal
 
Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security
byAlvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...
byAlvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - GR8Conf US 2016
byAlvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - GR8Conf EU 2016
byAlvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...
byAlvaro Sanchez-Mariscal
 
Mastering Grails 3 Plugins - Greach 2016
byAlvaro Sanchez-Mariscal
 
Creating applications with Grails, Angular JS and Spring Security
byAlvaro Sanchez-Mariscal
 
Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016
byAlvaro Sanchez-Mariscal
 
Efficient HTTP applications on the JVM with Ratpack - JDD 2015
byAlvaro Sanchez-Mariscal
 
Ratpack 101 - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
Ratpack 101 - GeeCON 2015
byAlvaro Sanchez-Mariscal
 
Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)
byAlvaro Sanchez-Mariscal
 

Recently uploaded

PDF
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
PDF
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
PPTX
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
PDF
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
PDF
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
PPTX
PPT - Easy way to improve your website's Google ranking.pptx
byThe Webbuzz
 
PPTX
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
PPTX
Streamline Your Production Process with ERP Solutions
byNestorBird
 
PDF
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
PDF
AI-Powered Alert Analysis with ClickHouse Cloud Databases.pdf
byAlkin Tezuysal
 
PDF
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
PPTX
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
PPTX
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
PPTX
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
PDF
From Chatbot to AI Agent: A Practical Comparison
byShiv Technolabs Pvt. Ltd.
 
PDF
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
PDF
Effortless MBOX Conversion — Fast, Secure, and Compatible with SysInfo MBOX C...
bySysInfo Tools
 
PDF
How to Get Premium Capacity Power BI.pdf
byinfodobbsdataconsult
 
PPTX
Communicating Software Architecture using Arc42
byAshraf Fouad
 
PPTX
Real-Time AI Voice Agents over WebRTC - A Practical Playbook
byAlberto González Trastoy
 
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
PPT - Easy way to improve your website's Google ranking.pptx
byThe Webbuzz
 
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
Streamline Your Production Process with ERP Solutions
byNestorBird
 
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
AI-Powered Alert Analysis with ClickHouse Cloud Databases.pdf
byAlkin Tezuysal
 
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
From Chatbot to AI Agent: A Practical Comparison
byShiv Technolabs Pvt. Ltd.
 
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
Effortless MBOX Conversion — Fast, Secure, and Compatible with SysInfo MBOX C...
bySysInfo Tools
 
How to Get Premium Capacity Power BI.pdf
byinfodobbsdataconsult
 
Communicating Software Architecture using Arc42
byAshraf Fouad
 
Real-Time AI Voice Agents over WebRTC - A Practical Playbook
byAlberto González Trastoy
 

Stateless authentication for microservices

  • 1.
    Stateless authentication for microservices Álvaro Sánchez-Mariscal Web Architect - @alvaro_sanchez
  • 2.
    @alvaro_sanchez About me ● Passionate Software Developer. ● Worked at IBM BCS, BEA Systems and Sun Microsystems. ● Founded Salenda and Escuela de Groovy. ● Working now at as a Web Architect. ● Living between Madrid and Gibraltar.
  • 3.
    @alvaro_sanchez About ●HTML5 games platform. ● We provide game developers a Javascript SDK. ● Server side logic and maths are handled by our industry certified game engines. ● Seamless integration with several casinos. ● Check out play.odobo.com and play for free!
  • 4.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 5.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 6.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 7.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 8.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 9.
    Authentication in monolithicapps ● Historically, authentication has always been a stateful service. ● When moving to Single-Page Applications, and/or having mobile clients, it becomes an issue. ● If you are build a REST and stateless API, your authentication should be that way too. @alvaro_sanchez
  • 10.
  • 11.
  • 12.
    Monolithic vs Microservices Monolithic Microservices @alvaro_sanchez
  • 13.
    Authentication and microservices ● Authentication: to verify the identity of the user given the credentials received. ● Authorization: to determine if the user should be granted access to a particular resource. ● In a microservices context: ○ Authentication can be a microservice itself. ○ Authorization is a common functionality in all of them. @alvaro_sanchez
  • 14.
    Authentication and microservices Authentication Service @alvaro_sanchez Javascript front-end UI Mobile app Shopping cart Service Catalog Service Orders Service Shipping Service User repository Catalog DB Invoicing DB Shipping partners Web Backend Mobile Backend
  • 15.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 16.
    Introducing OAuth 2.0 An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. @alvaro_sanchez
  • 17.
    OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 18.
    OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 19.
    OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 20.
    OAuth 2.0: roles Resource Owner: the person or the application that holds the data to be shared. Resource Server: the application that holds the protected resources. Authorization Server: the application that verifies the identity of the users. Client: the application that makes requests to the RS on behalf of the RO. @alvaro_sanchez
  • 21.
    OAuth 2.0: protocolflow I want to see a list of games @alvaro_sanchez
  • 22.
    OAuth 2.0: protocolflow Hey, backend, could you please give me a list of games? @alvaro_sanchez
  • 23.
    OAuth 2.0: protocolflow Sorry mate, this is a protected resource. You will need to present me an access token @alvaro_sanchez
  • 24.
    OAuth 2.0: protocolflow Hi Google, can I get an access token please? Backend is asking @alvaro_sanchez
  • 25.
    OAuth 2.0: protocolflow Sure thing sir. I just need to ask a few details to @alvaro_sanchez the user first
  • 26.
    OAuth 2.0: protocolflow Hi, could you please provide me your credentials? I need to verify your identity @alvaro_sanchez
  • 27.
    OAuth 2.0: protocolflow That’s no problem at all. I am bob@gmail.com and my password is secret. @alvaro_sanchez
  • 28.
    OAuth 2.0: protocolflow The user is who claims to be. Here is your access token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa @alvaro_sanchez
  • 29.
    OAuth 2.0: protocolflow Hi Backend, this is my token: qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa @alvaro_sanchez
  • 30.
    OAuth 2.0: protocolflow Hi, I’ve been given qfE2KhvKggluHqe7IpTBqZ4qziTQQbKa. Could you please tell me who it belongs to? @alvaro_sanchez
  • 31.
    OAuth 2.0: protocolflow Of course. That token is still valid and it belongs to @alvaro_sanchez bob@gmail.com.
  • 32.
    OAuth 2.0: protocolflow Everything is allright. This is the list of games. @alvaro_sanchez Enjoy!
  • 33.
    OAuth 2.0: protocolflow Here you are the list of games.Thank you for your business and have a good day! @alvaro_sanchez
  • 34.
    OAuth 2.0: protocolflow OAuth 2.0 is a delegation protocol, as this guy has no idea about the credentials of this guy @alvaro_sanchez
  • 35.
    OAuth 2.0: granttypes ● Authorization code: for web server applications. ● Implicit: for JS front-ends and mobile apps. ● Resource Owner Password Credentials: for trusted clients. ● Client credentials: for service authentication. @alvaro_sanchez
  • 36.
    Authorization code grant ● For server-based applications, where the client ID and secret are securely stored. ● It’s a redirect flow, so it’s for web server apps. ● The client (web server app) redirects the user to the authorization server to get a code. ● Then, using the code and its client credentials asks for an access token. @alvaro_sanchez
  • 37.
    Authorization code grant http://myServerApp.com @alvaro_sanchez
  • 38.
    Authorization code grant https://facebook.com/dialog/oauth ?response_type=code &client_id=YOUR_CLIENT_ID &redirect_uri= http://myServerApp.com/oauth &scope=email,public_profile @alvaro_sanchez
  • 39.
    Authorization code grant hhttttpp::////fmacyeSbeorvoekr.Acopmp.com @alvaro_sanchez
  • 40.
    Authorization code grant hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com @alvaro_sanchez
  • 41.
    Authorization code grant https://myServerApp.com/oauth?code=CODE Finishing authentication... @alvaro_sanchez
  • 42.
    Authorization code grant Server-side POST request to: https://graph. facebook.com/oauth/access_token With this body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=http://myServerApp.com &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
  • 43.
    Authorization code grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
  • 44.
    @alvaro_sanchez Implicit grant ● For web applications running on the browser (eg: AngularJS, etc) or mobile apps. ● Client credentials confidentiality cannot be guaranteed. ● Similar to the code grant, but in this case, the client gets an access token directly.
  • 45.
    @alvaro_sanchez Implicit grant http://myFrontendApp.com/#/home
  • 46.
    @alvaro_sanchez Implicit grant https://facebook.com/dialog/oauth ?response_type=token &client_id=YOUR_CLIENT_ID &redirect_uri= http://myFrontendApp.com/#/cb &scope=email,public_profile
  • 47.
    @alvaro_sanchez Implicit grant hhttttpp:s/://m/faycSeebrvoeorkA.cpopm.com
  • 48.
    @alvaro_sanchez Implicit grant https://myFrontendApp.com/#/cb?token=TOKEN Finishing authentication...
  • 49.
    Password credentials grant ● In this case, client collects username and password to get an access token directly. ● Viable solution only for trusted clients: ○ The official website consumer of your API. ○ The official mobile app consuming your API. ○ Etc. @alvaro_sanchez
  • 50.
  • 51.
    Password credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=password &username=USERNAME&password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
  • 52.
    Password credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
  • 53.
    Client credentials grant ● Service-to-service authentication, without a particular user being involved. ○ Eg: the Orders microservice making a request to the Invoicing microservice. ● The application authenticates itself using its client ID and client secret. @alvaro_sanchez
  • 54.
    Client credentials grant POST request to: https://api.example. org/oauth/access_token With this body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET @alvaro_sanchez
  • 55.
    Client credentials grant Example response: { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV" @alvaro_sanchez }
  • 56.
    Accessing the protectedresource Once the client has an access token, it can request a protected resource: GET /games HTTP/1.1 Host: api.example.org Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia @alvaro_sanchez
  • 57.
    Token expiration andrefresh ● If the Authorization Server issues expiring tokens, they can be paired with refresh tokens. ● When the access token has expired, the refresh token can be used to get a new access token. @alvaro_sanchez
  • 58.
    Tips for afront-end application ● Use the implicit grant. ○ Already supported for 3rd party providers like Google, @alvaro_sanchez Facebook. ○ If you hold your own users, have your backend to implement the OAuth 2.0 Authorization Server role. ● Use HTML5’s localStorage for access and refresh tokens.
  • 59.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 60.
    Stateful vs. Stateless ● Authorization Servers are often stateful services. ○ They store issued access tokens in databases for future @alvaro_sanchez checking. ● How can we achieve statelessness? ○ Issuing JWT tokens as access tokens.
  • 61.
    Introducing JWT JSONWeb Token is a compact URL-safe means of representing claims to be transferred between two parties. The claims are encoded as a JSON object that is digitally signed by hashing it using a shared secret between the parties. @alvaro_sanchez
  • 62.
    Introducing JWT... inPlain English A secure way to encapsulate arbitrary data that can be sent over unsecure URL’s. @alvaro_sanchez
  • 63.
    When can JWTbe useful? ● When generating “one click” action emails. ○ Eg: “delete this comment”, “add this to favorites”. ● To achieve Single Sign-On. ○ Sharing the JWT between different applications. ● Whenever you need to securely send a payload. ○ Eg: to “obscure” URL parameters or POST bodies. @alvaro_sanchez
  • 64.
    How does aJWT look like? Header Claims eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJleHAiOjE0MTY0NzE5MzQsInVzZXJfbmFtZSI6InV zZXIiLCJzY29wZSI6WyJyZWFkIiwid3JpdGUiXSwiYX V0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfV VNFUiJdLCJqdGkiOiI5YmM5MmE0NC0wYjFhLTRjNWUt YmU3MC1kYTUyMDc1YjlhODQiLCJjbGllbnRfaWQiOiJ teS1jbGllbnQtd2l0aC1zZWNyZXQifQ. AZCTD_fiCcnrQR5X7rJBQ5rO-2Qedc5_3qJJf-ZCvVY @alvaro_sanchez Signature
  • 65.
    @alvaro_sanchez JWT Header { "alg": "HS256", "typ": "JWT" }
  • 66.
    @alvaro_sanchez JWT Claims { "exp": 1416471934, "user_name": "user", "scope": [ "read", "write" ], "authorities": [ "ROLE_ADMIN", "ROLE_USER" ], "jti": "9bc92a44-0b1a-4c5e-be70-da52075b9a84", "client_id": "my-client-with-secret" }
  • 67.
    @alvaro_sanchez Signature HMACSHA256( base64(header) + "." + base64(payload), "secret" )
  • 68.
    Sample access tokenresponse @alvaro_sanchez { "access_token": "eyJhbGciOiJIUzI1NiJ9. eyJleHAiOjE0MTY0NzEwNTUsInVzZXJfbmFtZSI6InVzZXIiLCJzY29wZS I6WyJyZWFkIiwid3JpdGUiXSwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1J TiIsIlJPTEVfVVNFUiJdLCJqdGkiOiIzZGJjODE4Yi0wMjAyLTRiYzItYT djZi1mMmZlNjY4MjAyMmEiLCJjbGllbnRfaWQiOiJteS1jbGllbnQtd2l0 aC1zZWNyZXQifQ. Wao_6hLnOeMHS4HEel1UGWt1g86ad9N0qCexr1IL7IM", "token_type": "bearer", "expires_in": 43199, "scope": "read write", "jti": "3dbc818b-0202-4bc2-a7cf-f2fe6682022a" }
  • 69.
    Achieving statelessness ●Instead of storing the access token / principal relationship in a stateful way, do it on a JWT. ● Access tokens with the JWT-encoded principal can be securely stored on the client’s browser. ● That way you are achieving one of the basic principles of REST: State Transfer. @alvaro_sanchez
  • 70.
    Tips for usingJWT ● JWT claims are just signed by default (JWS - JSON Web Signature). ○ It prevents the content to be tampered. ● Use encryption to make it bomb proof. ○ Use any algorithm supported by JWE - JSON Web @alvaro_sanchez Encryption.
  • 71.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. The Grails plugin. 5. Q&A.
  • 72.
    It all startedhere, one year ago @alvaro_sanchez
  • 73.
    @alvaro_sanchez One yearlater ● Spring Security REST plugin. ○ 16 contributors. ○ 34 pull requests. ○ 59 stars on GitHub. ○ 16 releases. ○ http://bit.ly/spring-security-rest
  • 74.
    Happy users ==happy author @alvaro_sanchez
  • 75.
    Current status ●Latest release: 1.4.0. ● Compatibility layer over Spring Security Core. ○ Login and logout REST endpoints. ○ Token validation filter. ○ Memcached, GORM and Grails Cache token storages. ○ Partial implicit grant support through 3rd party @alvaro_sanchez providers. ○ Partial RFC 6750 Bearer Token support.
  • 76.
    @alvaro_sanchez Roadmap ●Upcoming release: 1.4.1. ○ Complete RFC 6750 Bearer Token support. ○ Due in few days. ● Next release: 2.0. ○ Complete RFC 6749 OAuth 2.0 support. ○ ETA: Q1 2015.
  • 77.
    @alvaro_sanchez Agenda 1.Authentication in monolithic applications vs microservices. 2. Introduction to OAuth 2.0. 3. Achieving statelessness with JWT. 4. Demo. 5. Q&A.
  • 78.
    @alvaro_sanchez Thanks! ÁlvaroSánchez-Mariscal Web Architect - Images courtesy of @alvaro_sanchez