1 vote

I am developing an app using a microservice architecture and need to implement security.

So I am planning to achieve this using 3 services.

  1. API Gateway
  2. Users Service
  3. Orders Service

Step 1: the client sends a username and password to the API Gateway to get a token. The API Gateway should call the Users Service to validate the creds; if the creds are valid, the API Gateway creates a token and sends it to the client.

Step 2: the client tries to access the Orders Service using the token (which the API Gateway sent in Step 1), so the API Gateway has to call the Users Service to authenticate the token.

I am thinking of having all authorization and authentication logic in my API Gateway microservice. So when I get a JWT token from the consumer at the API Gateway, I should call the Users Service to validate it against the username and password, because I store all user-related data in the Users Service.

I believe this would be one of the better ways to implement security for a microservice architecture.

Please suggest if there is any more elegant way.

Thanks in advance.

1
Could you please clarify what you mean by "when I get a JWT token from consumer at API Gateway I should call Users Service to validate it against the username and password"? You won't get a JWT and username/password at the same time, right? - Deniz Acay
@DenizAcay, I edited the question; please let me know if you still have any doubts. - Abdul

1 Answer

1 vote

I think you are on the right path. But depending on the User Service for every operation makes the User Service a possible single point of failure, and the availability of the other services would depend on the User Service.

Please read more about the Service Fuse anti-pattern: https://akfpartners.com/growth-blog/microservice-anti-pattern-service-fuse

For the first authentication call, delegating authentication with username and password to the User Service makes sense. But for the other calls, you can just verify the JWT on the API Gateway.

I would suggest using public key cryptography for signing JWTs, so you can sign JWTs with a private key on the User Service and deploy the public key to the API Gateway for verification. This way, the API Gateway or any other service will be able to verify tokens without requiring a sensitive shared secret.
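To make the split concrete, here is an added example (not code from the question or the answer) of the two halves described above: the User Service signs a JWT with a private key after the password check, and the API Gateway verifies it with only the public key, so no shared secret and no per-request call to the User Service is needed. It uses only the Go standard library; the choice of ES256 (ECDSA P-256), the issuer name `users-service`, the function names and the clock values are assumptions for the demo. Key distribution (for example publishing the public key as a JWKS endpoint, and rotating keys) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims is the minimal JWT payload the gateway needs to authorise a request.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

const issuer = "users-service" // assumed issuer name, not from the original post

var b64 = base64.RawURLEncoding

// NewSigningKey creates the P-256 key pair; the private half stays on the User Service.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueToken runs on the User Service after the username/password check succeeds.
func IssueToken(priv *ecdsa.PrivateKey, subject string, ttlSeconds, nowUnix int64) (string, error) {
	hdr, _ := json.Marshal(header{Alg: "ES256", Typ: "JWT"})
	body, err := json.Marshal(Claims{Iss: issuer, Sub: subject, Iat: nowUnix, Exp: nowUnix + ttlSeconds})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signature is R||S, each left-padded to 32 bytes (RFC 7518 section 3.4).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken runs on the API Gateway and needs only the public key.
func VerifyToken(pub *ecdsa.PublicKey, token string, nowUnix int64) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	// Pin the algorithm: the verifier decides, never the token (rejects "none" and key-type confusion).
	var hdr header
	if hdrBytes, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" {
		return Claims{}, errors.New("unreadable header or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return Claims{}, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return Claims{}, errors.New("signature verification failed")
	}
	// Only a token with a valid signature gets its claims parsed and trusted.
	var claims Claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return Claims{}, errors.New("unreadable claims")
	}
	if claims.Iss != issuer {
		return Claims{}, errors.New("unexpected issuer")
	}
	if nowUnix >= claims.Exp {
		return Claims{}, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	priv, _ := NewSigningKey()
	const now int64 = 1700000000 // constructed clock value for the demo
	tok, _ := IssueToken(priv, "alice", 900, now)
	claims, err := VerifyToken(&priv.PublicKey, tok, now+10) // gateway check on a later request
	fmt.Println(claims.Sub, err)
}
```

The gateway never sees the private key, so a compromised gateway (or Orders Service, if it also verifies tokens) cannot mint tokens; it can only accept or reject them. Pinning `alg` on the verifier side and checking the signature before parsing the claims are the two checks most often missed in hand-rolled verifiers.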