
I am fairly new to the concept of microservices and api gateways in general. I am trying to understand the role that an api gateway plays in a modern web application using many microservices. I have been reading the documentation and tutorials of express-gateway but am a bit confused about how a web application would perform authentication with an api gateway set up like express-gateway.

My web app would have multiple microservices that it would talk to. I thought that putting an API gateway in front of all my microservices would make it so that each microservice would not need to worry about whether a user/request is authenticated or not, because if the microservice was being talked to it meant that the api gateway had verified the request was a valid user. Is my understanding of this correct?

Assuming that my thought of the api gateway serving as a gatekeeper to other microservices is correct, my follow-up question is about the specifics of how it is performed.

Does this mean that all user creation and authentication is performed by the api gateway? Meaning that I would have no custom user creation/login microservices? Or would I have a custom user creation microservice, publicly reachable through the api gateway, which upon creation would itself create the user accounts within the api gateway? Is user information now duplicated by my microservice in a database somewhere and in the express-gateway's own storage? I guess my general confusion is around whether an api gateway takes the role of authentication/user creation entirely away from a web app's own microservices, or whether you still need both parts.

I thought that my own authentication microservice would first validate a user then work with the api gateway to generate a valid short lived token, but reading about creating user or app accounts for authentication in express-gateway has made me confused on the roles each play.

Dont9889

1 Answer


To have an overview of the role of an API Gateway in a microservice based solution, I suggest you have a look at this presentation I did a couple of months ago. That should clarify things a little bit.

Is my understanding of this correct?

Yes, you got it. If you have a look at the video, you can actually see that concept in practice as well.

For the storage, that kind of depends.

Express Gateway offers a subset of identity services such as users, applications and credentials. They're good enough for most applications, but you might find yourself with the need to use an external service, such as Auth0.

Now, features aside, where you store the data is up to you. You can keep some of the data in Express Gateway and some of it in your own database, or keep it entirely in Express Gateway. There's not a good or bad strategy here.

Vincenzo
  • Thanks! Your presentation was indeed very helpful. Would you happen to have a public repo with all the examples from your presentation? Specifically with the express-gateway configuration after you split the services in two? I found this, https://github.com/XVincentX/apigateway-playground, which seems to just be the initial repo before the split. A full example to study would be really helpful. – Dont9889 Jul 31 '18 at 11:36
  • So in terms of "where store the data", you are saying my two options roughly would be: 1. Store just username/passwords/maybe some type of unique id or foreign key in express gateway, and then use the unique id of a user from express gateway to link to my own database records of a user which might contain other things like email address etc? 2. Store all of my user information in the express-gateway database but still have some sort of unique id/foreign key used to link to my own other database records of the user? – Dont9889 Jul 31 '18 at 11:52
  • For the actual authentication flow, does the following sound valid? User logs in or creates new user, which goes exclusively to express-gateway. Express-gateway authenticates or creates user, if everything is good it sends a JWT back with the claim containing the unique id of the user which is then sent in any subsequent requests to my other microservices. If any requests reach my own microservices behind express-gateway, then that means they have a JWT with a valid claim indicating a unique id of a user that can be used to create records in my own service's databases? – Dont9889 Jul 31 '18 at 12:11
  • Check the other branches on the repo, you'll find all the steps. All your assumptions make sense to me. – Vincenzo Jul 31 '18 at 18:15
  • I totally missed the other branches, thanks! I will take a look. Thanks for all the help! – Dont9889 Aug 01 '18 at 12:08
  • I want to know a few things. Can I use Express Gateway to implement my own authentication logic, not on the microservice but actually on the gateway itself? For example, I want to search the user from the db and make a JWT token by myself, and make that authentication process part of the gateway's flow just like auth 2.0 and others. I don't want to make apps or users on the gateway level. – Nouman Dilshad Sep 05 '18 at 11:32
  • Yes you can! All you need to do is make your auth service sign a token with a public/private key. You'll then supply the public key to Express Gateway, which will in turn validate the JWT. No users in the Gateway required at all. – Vincenzo Oct 20 '18 at 19:17