How API Gateway and microservices work.

Could anyone explain the basic flow of a microservice architecture with a Gateway? I couldn't find a proper answer.

Say we have an auth server and a customer microservice running on separate instances, and in front of all the services we have an API gateway.

My question is:

When the user tries to log in using username and password, the API gateway calls the auth server and returns the access token to the user.

Then the user tries to access a specific URL (/customers, the customer microservice) that is running on a separate instance. What does the API Gateway do?

  1. Validate the token with the auth server, get the user id, and pass the request to the customer service with the user id?

OR

  2. Validate the token and pass the request to the customer microservice with the access token, and the customer microservice is responsible for checking the user id (making an HTTP call to the auth server)?
Karesh A

2 Answers

I think that the most common approach is to use the API gateway also as a security gateway, which means that the API gateway is responsible for SSL termination and token validation. If token validation is successful you can put the user ID or user API key in a header and forward the request to the microservice. Moreover, you may also decide to perform not only authentication but also authorisation on the API gateway (usually with the help of API management solutions).

Regarding your option #2, I see no point in validating the token twice. Best practice is to perform security validations on the edge, because in case of failed validation you use fewer resources (reject earlier).

Irek L.
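The edge-validation flow from the answer above, as an added example that is not from the question or either answer: the auth server issues a signed, expiring token, the gateway verifies it locally (no second call to the auth server), rejects early on failure, and forwards to the microservice with the user id in an X-User-Id header. The token format, the shared HMAC key and the request/response dicts are assumptions for this example; note that the gateway strips any client-supplied X-User-Id so the microservice can trust that header only if the gateway is the sole path to it.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed shared HMAC key: the auth server signs with it, the gateway
# verifies with it. Assumption for this example, not from the question.
SIGNING_KEY = b"example-shared-key-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, ttl=3600, now=None):
    """Auth server side: mint a signed, expiring token (hypothetical format)."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def validate_token(token, now=None):
    """Gateway side: return the user id if signature and expiry check out, else None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, binascii.Error):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

def gateway_forward(request, now=None):
    """Edge check: 401 on a missing or bad token, otherwise forward with X-User-Id.
    Any client-supplied X-User-Id is dropped so only the gateway can set it."""
    in_headers = request.get("headers", {})
    auth = in_headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "forwarded": None}
    user_id = validate_token(auth[len("Bearer "):], now)
    if user_id is None:
        return {"status": 401, "forwarded": None}
    out_headers = {k: v for k, v in in_headers.items()
                   if k.lower() not in ("authorization", "x-user-id")}
    out_headers["X-User-Id"] = user_id
    return {"status": 200, "forwarded": {"path": request["path"], "headers": out_headers}}
```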

To answer your question, it is close to option #2 that you have mentioned. The API gateway will generally check the validity of the authentication token and then pass the request over to your microservice. However, you need to decide at design time if your microservice will also do another level of verification of the token.

Please do note that the API gateway will not be enforcing authorization; the authorization is something that your microservice will have to enforce.

Soumen Mukherjee