Official Website: https://ldclakmal.me/ballerina-security

The one-stop place to learn/experience the examples, use-cases, demonstrations, and resources related to microservices security patterns with Ballerina, which is an open-source programming language for the cloud that makes it easier to use, combine, and create network services.

Summary

Ballerina is an open-source programming language for the cloud that makes it easier to use, combine, and create network services. Ballerina has first-class support for a whole bunch of security features from transport layer security like SSL/TLS, mTLS to application layer security like Basic Auth, JWT Auth, OAuth2, etc.

Ballerina standard library has Auth, JWT, and OAuth2 packages which provide the authentication and authorization framework to secure the APIs of microservices written with HTTP, WebSocket, GraphQL, gRPC, and WebSub protocols. The Crypto package facilitates APIs to perform cryptographic operations like hashing, HMAC generation, checksum generation, encryption, decryption, signing data digitally, verifying digitally signed data, etc., with different cryptographic algorithms. The URL module facilitates APIs to encode and decode a URL or part of a URL. The Kafka, RabbitMQ, NATS, STAN, Email, FTP, TCP, and UDP packages have their ways of securing APIs which are protocol-dependent.

This website is the latest deployed version of this Ballerina Security GitHub Repository, which contains all the examples, use-cases, demonstrations, and resources related to Ballerina Security in one place. So, this is the one-stop place to learn/experience Ballerina Security.

Dashboard

Security Packages Status

This section demonstrates the current status of the security-specific packages of the Ballerina Platform. All of these repositories are categorized under the Ballerina Standard Library packages.

Package	Latest Release	Package Status	Test Status	Bugs	Open PRs	API Docs & Package
auth
jwt
oauth2
crypto
url

Release Compatibility Status

This section demonstrates the current status of the Ballerina programs that are executed against the latest (pre-release/release) Ballerina version which is configurable with individual GitHub actions. Mostly, these actions are used to test the compatibility of existing programs during the RC period of a release.

Ballerina by Examples (BBEs)

This section demonstrates the security related Ballerina by examples (BBEs).

Note These examples are validated against the provided latest Ballerina version with an automated test-suite.

Category
REST API Security	Service - SSL/TLS Service - Mutual SSL Service - Basic Auth File User Store Service - Basic Auth LDAP User Store Service - JWT Auth Service - OAuth2 Client - SSL/TLS Client - Mutual SSL Client - Basic Auth Client - Bearer Token Auth Client - Self Signed JWT Auth Client - OAuth2 Client Credentials Grant Type Client - OAuth2 Password Grant Type Client - OAuth2 Refresh Token Grant Type Client - OAuth2 JWT Bearer Grant Type
WebSocket Security	Service - SSL/TLS Service - Mutual SSL Service - Basic Auth File User Store Service - Basic Auth LDAP User Store Service - JWT Auth Service - OAuth2 Client - SSL/TLS Client - Mutual SSL Client - Basic Auth Client - Bearer Token Auth Client - Self Signed JWT Auth Client - OAuth2 Client Credentials Grant Type Client - OAuth2 Password Grant Type Client - OAuth2 Refresh Token Grant Type Client - OAuth2 JWT Bearer Grant Type
GraphQL Security	Service - SSL/TLS Service - Mutual SSL Service - Basic Auth File User Store Service - Basic Auth LDAP User Store Service - JWT Auth Service - OAuth2
gRPC Security	Service - SSL/TLS Service - Mutual SSL Service - Basic Auth File User Store Service - Basic Auth LDAP User Store Service - JWT Auth Service - OAuth2 Client - SSL/TLS Client - Mutual SSL Client - Basic Auth Client - Bearer Token Auth Client - Self Signed JWT Auth Client - OAuth2 Client Credentials Grant Type Client - OAuth2 Password Grant Type Client - OAuth2 Refresh Token Grant Type Client - OAuth2 JWT Bearer Grant Type
Kafka Security	SASL Authentication - Consumer SASL Authentication - Producer
RabbitMQ Security	Secured Connection - Producer & Consumer
NATS Security	Secured Connection - Publisher & Subscriber
STAN Security	Secured Connection - Publisher & Subscriber
FTP Security	Listener - SFTP Client - SFTP
TCP Security	TCP Transport Security
Security	Cryptographic Operations JWT Issue & Validate
URL	URL Encode & Decode

Examples

This section demonstrates the security examples with authentication and authorization for different protocols supported by Ballerina.

Note These examples are validated against the provided latest Ballerina version with an automated test-suite.

1. HTTP
2. WebSocket
3. GraphQL
4. gRPC
5. WebSub
6. Kafka
7. RabbitMQ
8. NATS
9. STAN
10. Email
11. FTP
12. TCP
13. UDP (Pending)

Scenarios

This section demonstrates the real-world scenarios which have authentication and authorization requirements and how that can be supported with Ballerina.

Note These scenarios are validated against the provided latest Ballerina version with an automated test-suite.

1. Ballerina Secure Token Service (STS)
2. E-Commerce system
3. Secured Order Management Service with JWT Auth
4. Secured Order Management Service with OAuth2

---

References

This section has a collection of important resources which were created/referred for the design and implementation of the current Ballerina Security architecture and its related components. All the resources are open source and publicly available.

Specifications

• Specification: Ballerina Auth Library
• Specification: Ballerina JWT Library
• Specification: Ballerina OAuth2 Library

IETF RFCs

• RFC 8693 - OAuth 2.0 Token Exchange
• RFC 7662 - OAuth 2.0 Token Introspection
• RFC 7519 - JSON Web Token (JWT)
• RFC 7518 - JSON Web Algorithms (JWA)
• RFC 7517 - JSON Web Key (JWK)
• RFC 7516 - JSON Web Encryption (JWE)
• RFC 7515 - JSON Web Signature (JWS)
• RFC 6749 - The OAuth 2.0 Authorization Framework
• RFC 7617 - The 'Basic' HTTP Authentication Scheme

Blogs

• 2022 Feb - Securing Microservices with OAuth2
• 2021 Oct - Securing Microservices with JWT
• 2021 Aug - Microservices Security with Ballerina
• 2021 Aug - HTTP Security in Ballerina

Research & Design

• 2021 Sep - [Design] Ballerina GraphQL Authentication and Authorization
• 2021 Apr - [Review] Ballerina Security APIs of StdLib Protocol Connector Module
• 2021 Feb - [Re-Design] Ballerina SecureSocket API
• 2020 Nov - [Design] Ballerina Authentication & Authorization Framework
• 2020 Oct - [Research] Comparison on Ballerina Security Features/APIs with Programming Languages

GitHub Pull Requests

• 2021 Aug - Add JWT bearer grant support for OAuth2
• 2021 Aug - Add HMAC signature support for JWT
• 2021 Jun - Implement declarative auth design for WebSocket upgrade service
• 2021 May - Implement declarative auth design for GraphQL service
• 2021 Mar - Redesign HTTP listener/client SecureSocket API
• 2021 Mar - Add cert file and mTLS support for JDK11 client of OAuth2 module
• 2021 Mar - Add cert file and mTLS support for JDK11 client of JWT module
• 2021 Feb - Extend private key/public cert support for JWT signature generation/validation
• 2021 Feb - Add support to decode private/public keys from key/cert files
• 2021 Jan - Implement Declarative Auth Design
• 2021 Jan - Implement Imperative Auth Design
• 2021 Jan - Read custom fields of OAuth2 introspection response
• 2021 Jan - Send optional parameters to introspection endpoint
• 2021 Jan - Send custom parameters to introspection endpoint
• 2020 Apr - Implement JWT signature validation with JWKs
• 2020 Apr - Add API to generate public key from JWKs parameters
• 2019 Aug - Remove redundant APIs and replace usages of Encoding module
• 2019 Jun - Refactor outbound authentication with custom providers and handlers
• 2019 Jun - Implement OAuth2 Inbound Authentication
• 2019 Jun - Refactor Modules for Inbound Authentication
• 2019 May - Introduce Configuration Pattern for Authn Handlers and Scopes
• 2019 May - Improve HTTP secure client for OAuth2 grant types
• 2019 May - Refactor inbound authentication with custom provider and handlers

YouTube Videos

• 2021 Mar - How Netflix Scales Its API with GraphQL Federation at QCon Plus 2021
• 2020 Aug - How to Auth: Secure a GraphQL API with Confidence at Apollo GraphQL Summit
• 2020 Apr - What's New With OAuth and OIDC? at OktaDev
• 2018 Feb - OAuth 2.0 and OpenID Connect at OktaDev
• 2017 Nov - Handling Authentication and Authorization in GraphQL at GraphQL Summit 2017

Books

• Advanced API Security: OAuth 2.0 and Beyond - 2nd Edition by Prabath Siriwardena
• Microservices Security in Action by Prabath Siriwardena and Nuwan Dias

Guides

• Ballerina HTTP Listener Auth
• Ballerina HTTP Client Auth
• How to obtain Google OAuth2.0 Credentials
• How to obtain Twilio Credentials
• How to Start OpenLDAP Server with User Data
• Cryptography

Policies

• Ballerina Security Policy
• Scope of the Ballerina Security Domain

[Internal]

• Security Vulnerability Management Process
• Open Issues/Tasks

---

About me - https://ldclakmal.me