
I know this may not be a good question.

I was asked a question: do we really need authentication among microservices? And I have no idea of the answer. I did read some tutorials on SOA, microservices, and how to add authentication among the services. But I did not have too many ideas about why we need authentication/authorization between microservices. Any use cases where they are required? Any use cases where they are not required? Any potential risk without authentication/authorization?

Any comments welcomed. It is better to give some practical examples. Thanks

Jang-Vijay Singh
BAE
  • Although the answer that your individual functional requirements should dictate the decision of whether to perform auth between microservices is correct, there's a security concern to take into account (I guess it'd be a part of the requirements): if a malicious user compromised even a single service, they've got them all. – عمان Mar 14 '18 at 22:42

3 Answers


Whether a microservice that you design and develop requires authentication is up to your functional requirements and the way you design it.

A common technique used is to not have authentication on each individual microservice but to group them together behind a common facade (such as an API Manager). You can then apply authentication and other policies at one place - the policy enforcement point/API Manager - for "external" consumers while "internally", behind your common security boundary, your microservices remain lightweight and can call each other without authentication (if that makes sense for your use case/requirements/architecture etc. etc.)

To sum up - it's a design decision that involves multiple tradeoffs. Clearly, if you have a critical business service fetching or updating sensitive data, you might want only authorised callers to access it. But you might not want many internal callers (could be other microservices) running within your organisation's "trusted" network to be burdened with unnecessary policy enforcement. But then, there might be situations where even internal callers need to authenticate properly (e.g. if it is a payment service)

Jang-Vijay Singh
  • No idea how to `to group them together behind a common facade`, any examples? Thanks – BAE Aug 11 '17 at 15:14
  • Search "API Manager" or "API Gateway" or "API management". The idea is you govern your "interfaces" via a single policy enforcement point (including authentication) and behind the scenes, your implementations can be multiple, standalone, lightweight microservices – Jang-Vijay Singh Aug 11 '17 at 15:18
  • There is another aspect worth mentioning from a design perspective: You might want to avoid too many (or any) cross-dependencies between microservices (before you know it, you could end up with hard-to-manage spaghetti). Microservices are meant to be standalone units - both in code and deployment – Jang-Vijay Singh Aug 15 '17 at 18:54
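The design described in this answer and the risk raised in the comment on the question, shown as an added example that is not part of the original answer: a gateway acts as the policy enforcement point for external callers, a lightweight internal service trusts anything inside the boundary, and a sensitive service (payments) additionally authenticates the calling service with an HMAC-signed service token and an allow-list. All keys, service names and the allow-list are constructed for the demo.

```python
import hmac, hashlib, json

# Constructed demo keys; a real deployment issues per-service secrets from a secret store.
GATEWAY_KEY = b"gateway-demo-key"                      # validates external user tokens
SERVICE_KEYS = {"gateway": b"gw-demo-key", "orders": b"orders-demo-key",
                "catalog": b"catalog-demo-key"}        # one key per internal service
PAYMENTS_ALLOWED_CALLERS = {"gateway", "orders"}       # hypothetical policy for the demo

def sign(key, claims):
    """HMAC-SHA256 over canonical JSON claims -> 'claims|hexsig'."""
    body = json.dumps(claims, sort_keys=True)
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key, token):
    """Return the claims if the signature is valid under key, else None."""
    body, sep, sig = token.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(expected, sig) else None

def call(caller, target, body):
    """Internal hop: the caller attaches a token signed with its own service key."""
    svc_token = sign(SERVICE_KEYS[caller], {"svc": caller})
    return SERVICES[target](svc_token, body)

def gateway(user_token, target, body):
    """Policy enforcement point: authenticates external callers, then forwards."""
    user = verify(GATEWAY_KEY, user_token)
    if user is None:
        return 401, "unauthenticated"
    return call("gateway", target, {**body, "user": user["sub"]})

def catalog(svc_token, body):
    """Lightweight service: ignores the token and trusts anyone inside the boundary."""
    return 200, "catalog for " + body["user"]

def payments(svc_token, body):
    """Sensitive service: authenticates the calling service, then checks the allow-list."""
    claimed = json.loads(svc_token.rpartition("|")[0]).get("svc")   # unverified hint
    claims = verify(SERVICE_KEYS.get(claimed, b""), svc_token)      # verified identity
    if claims is None:
        return 401, "unknown service"
    if claims["svc"] not in PAYMENTS_ALLOWED_CALLERS:
        return 403, "service not permitted"
    return 200, "charged " + body["user"]

SERVICES = {"catalog": catalog, "payments": payments}
```

With this split, a compromised catalog service can still reach other unauthenticated services, but its call into payments is rejected at 403, which is the difference the comment on the question is pointing at.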

Authentication/authorization in most cases is needed for microservices that provide public API, as they are available/visible for the World.

Why? Because when someone from the World calls the API method, we (in most cases) want to know who the client is (do Authentication) and decide what the client is allowed to do (do Authorization).

On the other hand, for internal microservices (in most cases) the clients are well known, as they are other internal microservices. So unless you need to provide different restrictions of use for different internal microservices, there is no need for authorization. Note that I assume that internal components are only available within the organization.

java-addict301
Set
  • Is it necessary to assume that all services will be public in the future? – BAE Aug 11 '17 at 13:11
  • @BAE Not at all. There is a common scenario, when you have only a Gateway API as a public service, and all other components are hidden and not accessible from outside – Set Aug 11 '17 at 13:28


If your organization is concerned with internal threats (and why wouldn't they be?), then yes, all microservices need to be protected from malicious use.

David Medinets