As a Cloud Security Engineer with a deep drive to understand the intricacies of building secure and scalable systems, I have consistently sought out opportunities to push past my current understanding of cloud computing. My unwavering commitment to exploring innovative solutions has led me to create my own personal cloud, which I have aptly named ‘Oxide.’
Oxide represents a culmination of my current expertise as I set out to create an internal cloud platform that seamlessly combines the power of a multi-node Kubernetes cluster with the ability to host sophisticated AI models locally. To bring this idea to fruition, I have built a set of M4 Mac Mini Pros, which serve as the foundation for this endeavor. However, the true cornerstone of Oxide lies in its purpose-built inter-service authentication system. Recognizing the paramount importance of security in any cloud-based platform, I have made it my mission to develop an authentication mechanism that is not only highly effective but also seamlessly integrates with the entire Oxide ecosystem.
To achieve this goal, I have leveraged Doppler Secrets Manager, which provides secure, centralized storage and management of secrets across multiple environments. By keeping the signing material in Doppler rather than in code or configuration, I have been able to ensure that every inter-service call in Oxide is protected by a robust and reliable authentication system.
Through the integration of Doppler Secrets Manager as the foundation of Oxide, I have the beginnings of a platform that not only pushes the boundaries of my current knowledge of computing but will also act as a pivotal system that I leverage to grow even further in my career.
In a microservice architecture, the importance of establishing and maintaining secure communication between services cannot be overstated. Each service must be able to verify both the identity and the permissions of every other service it interacts with, so that data stays protected and only authorized services can access or manipulate it. To address this need, I chose JSON Web Tokens (JWTs) as the authentication and authorization mechanism. JWTs are compact, self-contained and stateless, which suits microservices well: a verifying service does not have to call back to a central authentication service on every request, which would otherwise become a performance bottleneck and a single point of failure. Instead, each service validates tokens locally with the signing key, which keeps the architecture both secure and scalable.
The heart of the authentication system is the AuthService, responsible for generating and validating JWTs. The service comprises five key components; its two public operations, GenerateServiceToken and ValidateServiceToken, are described below.
The AuthService is part of a larger distributed system called edge-guard-core, which serves as the foundation for Oxide's authentication and authorization system.
The GenerateServiceToken method creates a new JWT for a given service. It takes the Service ID, Service Name and a list of permissions, validates these inputs, and builds a ServiceClaims instance populated with the service details and the standard claims. The method then signs the token with HS256 using a signing key retrieved from Doppler Secrets Manager, and returns the generated token and its metadata to the caller.
The ValidateServiceToken method, in turn, validates a JWT and returns its claims if the token is valid. It parses the token with jwt.ParseWithClaims, verifies the signature and the standard claims (expiry in particular), extracts the custom service claims, and returns them. One check worth making explicit on the verifying side is the accepted signing method: the parser should be told that only HS256 is acceptable (golang-jwt exposes this as the jwt.WithValidMethods parser option) so that the token's own alg header can never select a different or weaker algorithm.
Doppler plays a crucial role in securely storing and managing the signing keys used by the AuthService. By using Doppler as the centralized secrets store, the signing keys never appear in the codebase or in configuration files; services retrieve them at runtime. One consequence of HS256 is worth keeping in mind when scoping that access: the key that verifies a token is the same key that signs one, so every service granted read access to the secret can also mint tokens, and Doppler access should be restricted to exactly the services that need it.
To streamline the management of signing keys, I developed a separate utility called edge-guard-keygen. This tool is responsible for generating strong, cryptographically secure signing keys, rotating them regularly to limit the impact of potential key compromises, and securely storing them in Doppler Secrets Manager.
By decoupling key management from the authentication service, we get a more modular and maintainable system. Edge-guard-keygen ensures consistent key generation and rotation across all environments, reducing the risk of key exposure and simplifying security management. Rotation also has to account for tokens already in flight: verifiers must keep accepting the previous key until every token signed with it has expired, so the rotation interval and the token lifetime need to be planned together.
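As an added example that is not edge-guard-core's or edge-guard-keygen's code, the Go program below hand-rolls the issue-and-verify path that GenerateServiceToken and ValidateServiceToken perform, and adds the kid-based key ring that a rotation tool has to feed, using only the standard library (the project itself calls jwt.ParseWithClaims from golang-jwt; writing the steps out makes each check visible). The claim names, the Keyring type, the "edge-guard-core" issuer string and the service identifiers are assumptions for illustration, and in Oxide the key bytes would arrive from Doppler at runtime (for instance as an environment variable injected by `doppler run`) rather than from rand.Read.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ServiceClaims: service identity, permissions and standard claims (JSON names are assumptions).
type ServiceClaims struct {
	ServiceID   string   `json:"sid"`
	ServiceName string   `json:"sname"`
	Permissions []string `json:"perms"`
	Issuer      string   `json:"iss"`
	ExpiresAt   int64    `json:"exp"`
}

// Keyring mirrors what a keygen tool would publish to Doppler: the kid to sign with, plus
// every key that verifiers must still accept while a rotation is in flight (assumed shape).
type Keyring struct {
	Current string
	Keys    map[string][]byte
}

var (
	ErrBadToken   = errors.New("malformed token or wrong issuer")
	ErrBadAlg     = errors.New("unexpected signing algorithm")
	ErrUnknownKey = errors.New("unknown key id")
	ErrBadSig     = errors.New("invalid signature")
	ErrExpired    = errors.New("token expired")
)

const issuer = "edge-guard-core" // assumed issuer name
var b64 = base64.RawURLEncoding  // JWT segments are unpadded base64url

func sign(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Rotate installs a fresh 256-bit key under kid and makes it the signing key. The previous
// key stays in Keys so earlier tokens keep verifying; delete it once they have all expired.
func (k *Keyring) Rotate(kid string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.Keys[kid], k.Current = key, kid
	return nil
}

// GenerateServiceToken mints an HS256 JWT whose header names the key that signed it.
func GenerateServiceToken(k *Keyring, id, name string, perms []string, ttl time.Duration, now time.Time) (string, error) {
	key, ok := k.Keys[k.Current]
	if id == "" || name == "" || len(perms) == 0 || !ok || len(key) < 32 {
		return "", errors.New("missing service details or no usable signing key")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": k.Current})
	body, _ := json.Marshal(ServiceClaims{id, name, perms, issuer, now.Add(ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(sign(key, input)), nil
}

// ValidateServiceToken pins the algorithm, looks the key up by kid and checks the MAC in
// constant time before it parses the payload; issuer and expiry are checked last.
func ValidateServiceToken(k *Keyring, token string, now time.Time) (*ServiceClaims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, ErrBadToken
	}
	key, ok := k.Keys[hdr.Kid]
	if hdr.Alg != "HS256" { // the verifier, never the token, chooses the algorithm
		return nil, ErrBadAlg
	} else if !ok {
		return nil, ErrUnknownKey
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return nil, ErrBadSig
	}
	var c ServiceClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Issuer != issuer {
		return nil, ErrBadToken
	}
	if c.ExpiresAt == 0 || now.Unix() >= c.ExpiresAt {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	ring := &Keyring{Keys: map[string][]byte{}}
	_ = ring.Rotate("2024-01")
	tok, _ := GenerateServiceToken(ring, "svc-001", "inference-gateway", []string{"models:read"}, time.Hour, time.Now())
	_ = ring.Rotate("2024-02") // tok still verifies: "2024-01" stays in Keys until it is deleted
	c, err := ValidateServiceToken(ring, tok, time.Now())
	fmt.Println(c.ServiceName, c.Permissions, err)
}
```

The order inside ValidateServiceToken is the point: the algorithm is pinned by the verifier, the key is chosen from the trusted kid-to-key map rather than from anything the token carries, and the payload is decoded only after the MAC matches. Rotation works because the old kid stays in the ring for at least the token lifetime; deleting the entry is what retires it. Because HS256 is symmetric, every service that can verify a token holds the same secret that mints one; if some services should only verify, an asymmetric algorithm (ES256 or EdDSA) with the private key held only by the AuthService is the natural next step.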
The Edge-Guard-Core project serves as the foundation for Oxide's authentication and authorization system, providing a set of reusable components that can be integrated into various services across the platform. Its capabilities include JWT-based authentication, middleware for easy integration into service endpoints, client libraries, and extensibility.
By centralizing authentication and authorization logic in Edge-Guard-Core, we maintain consistency and security across all Oxide-managed services using a standardized pattern.
Implementing the inter-service authentication system is a significant milestone in Oxide's development, but it is just the beginning. As I continue to expand the platform, I plan to explore additional security measures and leverage Doppler's capabilities to secure these distributed systems further.
One area of particular interest is rate limiting. By integrating rate limiting into the authentication middleware and storing throttling thresholds and per-service limits in Doppler, we can protect the platform from abuse and ensure fair resource usage.
Additionally, I will heavily rely on Doppler's audit logging capabilities to gain visibility into key usage patterns and develop detection mechanisms to identify anomalous behavior. This proactive security monitoring and incident response approach will help maintain the platform's integrity and security.
Developing a secure inter-service authentication system is crucial for any microservice-based platform. By combining Go, JWTs, and a dedicated key management utility, I have created a robust and scalable solution for Oxide. However, the true power of this system lies in its seamless integration with Doppler Secrets Manager.
Doppler's extensive features and ease of use have enhanced Oxide's security posture and simplified the adoption and management of security controls. As I continue to work on this project, I am excited to explore new ways to leverage Doppler's capabilities to further strengthen the platform's security and functionality.
From dynamic secrets management to secure configuration distribution, Doppler opens up a world of possibilities for building secure and scalable systems, both on-premises and in the cloud. With Doppler by my side, I am confident in Oxide's ability to evolve and meet the ever-growing demands of modern cloud computing.