I am developing an app using a microservice architecture and need to implement security.

So I am planning to achieve this using 3 services:

  1. API Gateway
  2. Users Service
  3. Orders Service

Step 1: The client sends a username and password to the API Gateway to get a token. The API Gateway should call the Users Service to validate the credentials; if they are valid, the API Gateway creates a token and sends it to the client.

Step 2: The client tries to access the Orders Service using the token (which the API Gateway sent in Step 1), so the API Gateway has to call the Users Service to authenticate the token.

I am thinking of having all authorization and authentication logic in my API Gateway microservice. So when I get a JWT token from a consumer at the API Gateway, I should call the Users Service to validate it against the username and password, because I store all user-related data in the Users Service.

I believe this would be one of the better ways to implement security for a microservice architecture.

Please suggest if there is any more elegant way.

Thanks in advance.

  • Could you please clarify what you mean by "when I get a JWT token from consumer at API Gateway I should call Users Service to validate it against the username and password"? You won't get a JWT and username/password at the same time, right? Commented Mar 6, 2021 at 9:14
  • @DenizAcay, I edited the question; please let me know if you still have any doubts. Commented Mar 6, 2021 at 9:40

1 Answer

I think you are on the right path. But depending on the User Service for every operation makes the User Service a possible single point of failure, and the availability of the other services would depend on the User Service.

Please read more about the Service Fuse anti-pattern: https://akfpartners.com/growth-blog/microservice-anti-pattern-service-fuse

For the first authentication call, delegating authentication with username and password to User Service makes sense. But for other calls, you can just verify the JWT on the API Gateway.

I would suggest using public key cryptography for signing JWTs, so you can sign JWTs with the private key on the User Service and deploy the public key to the API Gateway for verification. This way, the API Gateway or any other service will be able to verify tokens without requiring a sensitive shared secret.

2 Comments

In this case, 1. the Users Service is the authentication server, right (kind of), and 2. we can have method-level security in the Order Service, right?
Yes, but since clients need to communicate with API Gateway to access Order Service, you can also verify JWT tokens in the API Gateway before allowing access to Order Service.
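The following is an added example illustrating the answer's suggestion; it is not code from the question, the answer or any project, and the names `IssueToken`, `VerifyToken`, `Claims`, the issuer string `"users-service"` and the subject `"user-42"` are constructed for the demo. It uses only the Go standard library: the Users Service signs the JWT with an Ed25519 private key (JWS alg `EdDSA`, RFC 8037), and the API Gateway verifies the token with nothing but the public key, so Step 2 needs no call back to the Users Service. The verifier pins the algorithm instead of trusting the token's header, checks the signature before reading any claim, and rejects expired tokens.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the JWT payload the Users Service issues once the username and
// password have been checked (registered claim names from RFC 7519).
type Claims struct {
	Sub string `json:"sub"` // subject: the authenticated user id
	Iss string `json:"iss"` // issuer: the service that signed the token
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// JWTs use base64url without padding (RFC 7515 section 2).
var b64 = base64.RawURLEncoding

// IssueToken runs on the Users Service, the only place the private key lives.
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken runs on the API Gateway (or any other service). It needs only
// the public key, so no per-request call to the Users Service is made.
func VerifyToken(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token: expected header.payload.signature")
	}
	// Pin the algorithm: the verifier decides what is acceptable, never the
	// token's own header (this refuses "none" and algorithm-confusion tokens).
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("malformed header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("unexpected or missing alg")
	}
	// Check the signature before trusting anything in the payload.
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("malformed signature encoding")
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("malformed payload encoding")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, errors.New("malformed claims")
	}
	// A correctly signed but expired token is still rejected.
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	// Demo key pair; in practice the Users Service keeps priv and publishes pub
	// to the gateway (config, or a JWKS endpoint) so it never sees the private key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Step 1 (Users Service): credentials already validated, issue a 15-minute token.
	tok, err := IssueToken(priv, Claims{Sub: "user-42", Iss: "users-service", Exp: now.Add(15 * time.Minute).Unix()})
	if err != nil {
		panic(err)
	}
	// Step 2 (API Gateway): verify locally with the public key only.
	c, err := VerifyToken(pub, tok, now)
	fmt.Println("gateway verify:", c.Sub, err)
	// A token whose header says alg "none" and carries no signature is refused.
	noneHdr := b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	_, err = VerifyToken(pub, noneHdr+"."+strings.Split(tok, ".")[1]+".", now)
	fmt.Println("alg none:", err)
}
```

Because verification is a local public-key operation, the Users Service being down only blocks new logins (Step 1), not requests carrying an already issued token, which is the availability point the answer makes about the Service Fuse anti-pattern. Key rotation then means publishing a new public key to the gateway; the private key never leaves the Users Service.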
