How to Authorize micro-services internal communication?

1
votes

I have multiple micro-services. which can be called by client through API gateway and also micro-services can communicate each other.

Ideally request will come from API gateway from user which will have all permissions. here i am trying to assign only required role to user for example if user(browser) need data from micro-service A then only that role will be given to user and if internally micro-service A needs data from B(rest call) then that role should not be assigned to user.

Requirement: how to restrict/authorize internal communication between micro-services so that only authorized micro-service can make call to others.

Options:

  1. Assign all roles to user, even for internal communication(passing same token in all communications).

  2. Assign only user facing micro-services role to user if internal communication is require then each micro-services will act as a user itself to other micro-service and generate there own token before call.

  3. Do not allow micro-service to communicate internally rather fetch all data from all micro-services and process at client.

What option will be best using above or any other?

2
spring-securityjwtmicroservicesspring-security-oauth2spring-security-rest
Possible duplicate of Propagate HTTP header (JWT Token) over services using spring rest template - user11044402
Offcource passing token is one option but then use require all roles. - Ashish Sharma

2 Answers

2
votes

I'd go with option number 2. For intra-service communication, backend services (applications) will act as a client and would request a token first (/oauth/token). To validate these tokens all services will need a mechanism to verify these tokens (/oauth/check_token). You can use Client Credentials Grant type for this. These /oauth/** endpoints are provided by Spring. For making REST request from one service to another, use OAuth2RestTemplate and its not thread-safe.

In each application, you'd need to define security protection rules for various endpoints. Something like this:

<sec:filter-security-metadata-source id="securityMetadataSource"
                                         request-matcher="ant"
                                         use-expressions="true">
        <sec:intercept-url pattern="/accounts/**" access="isFullyAuthenticated() and hasRole('PRIVATE_SERVICE')"/>
        <sec:intercept-url pattern="/members/member-details" method="GET" access="isFullyAuthenticated() and hasRole('PORTAL_USER')"/>

For more restriction, you issue self-signed certificate per application (not per application instance). Add public key of all applications in a single truststore. During application startup, let all application download this truststore. With this application will talk to only those applications it trust.

0
votes

We are using a mix of option 1 and 2.

In case User calls an API , then If first gateway calls Service A and then Service A calls Service B then A pass the same JWT token to Service B.

In case of a Timer Job in Service A which periodically gets some data from Service B, Service A also has its JWT token through which it makes call to Service B.