
@here, please help me understand microservice authentication with an API Gateway.

Let's take an example. I have 10 different independently deployed microservices and I have implemented an API Gateway for all of them, meaning all the requests will be passed through that gateway. Also, instead of adding authorization/JWT in every microservice, I added it in the API Gateway. With this approach all is working fine, but my doubt and question is:

1. What if an end user has the URL of a deployed microservice and tries to connect to it without the gateway (as I don't have the authorization in place there)? How do I stop this? Do I need to add the same authorization logic in every microservice as well? But that would end in duplicating the code, so then what is the use of the API gateway?

Let me know if any other input is required, hoping I explained my problem correctly.

Thanks
CP Variyani

2 Answers


Generally speaking: your microservice(s) will either be internal or public. In other words, they either are or are not reachable by the outside world. If they are internal, you can opt to leave them unprotected, since the protection is basically coming from your firewall. If they are public, then they should require authentication, regardless of whether they are used directly or not.

However, it's often best to just require authentication always, even if they are internal-only. It's easy enough to employ client auth and scopes to ensure that only your application(s) can access the service(s). Then, if there is some sort of misconfiguration where the service(s) are leaked to the external network (i.e. Internet at large) or a hole is opened in the firewall, you're still protected.

Chris Pratt
  • Thanks Chris, completely agree with your point, but that answer brings me again to the same confusion: if I have to put the authentication in all services then I guess there is no need of putting authentication in the API gateway at all, as every service already has that in place. – Chandra Prakash Variyani Feb 11 '19 at 16:08
  • Not necessarily. Each service could be scoped only to your gateway: the gateway client-auths to each service and your app(s) auth to the gateway. That effectively prevents apps from even using the services directly. – Chris Pratt Feb 11 '19 at 16:18

An API gateway is used to handle cross-cutting concerns like authorization, TLS etc., and is also a single point of entry to your services.

Coming to your question: if your API services are exposed for public access then you have to secure them. Normally the API gateway is the only point exposed to the public; the rest of the services are behind a firewall (virtual network) so that they can only be accessed by the API gateway, unless you have some reason to expose your services publicly.

e.g. if you are using Kubernetes for your services deployment, you can set your services to be accessible only inside the cluster (services have private IPs), and the only way to access them is the API gateway. You don't need to do anything special then. However, if your services are exposed publicly (have public IPs) for any reason then you have to secure them. So in short it depends on how you have deployed them and whether they have a public IP associated with them.

Based on your comments below: you should do the authentication in your API gateway and pass the token in your request to your services. Your services will only authenticate the token, not redo the whole authentication. This way, if you want to update/change the authentication provider or flow, it's easier to do if you keep it in the API gateway.

Imran Arshad
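Both answers converge on the same pattern: the gateway authenticates the end user once, then mints (or forwards) a token that each service merely verifies, with the audience and scopes restricted so that only the gateway's traffic is accepted. The block below is an added illustration of that pattern and is not code from either answer or from any real gateway product. It assumes a hypothetical gateway and an "orders-service" that share an HS256 secret (in production you would rather have the gateway sign with a private key and distribute only the public key), and uses standard-library HMAC so it runs offline. The point it demonstrates is the one the question worried about: a caller who knows the service URL and bypasses the gateway gets a 401, a token minted for a different service gets a 403, and the service never has to re-run the user login flow.

```python
"""Added example: gateway issues a service-bound JWT, the service only verifies it.
Not taken from the original answers; gateway/service names and the shared
HS256 secret are constructed for this illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example: secret shared by the gateway and ONE service.
# Use a distinct secret (or an RS256 key pair) per downstream service in practice.
SHARED_SECRET = b"example-gateway-to-orders-secret"
GATEWAY_ISSUER = "api-gateway"          # hypothetical issuer name
SERVICE_AUDIENCE = "orders-service"     # hypothetical service name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def gateway_issue_token(secret: bytes, audience: str, scopes: list, user: str,
                        ttl: int = 300, now: int = None) -> str:
    """Gateway side: after the user has been authenticated (OIDC, session, ...),
    mint a short-lived token bound to exactly one downstream service (aud)
    and carrying only the scopes that service needs."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": GATEWAY_ISSUER, "aud": audience, "sub": user,
               "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def service_verify_token(token: str, secret: bytes, required_scope: str,
                         now: int = None) -> dict:
    """Service side: verify, do not re-authenticate. Checks signature, issuer,
    audience, expiry and scope; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":            # refuse "none" / alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != GATEWAY_ISSUER:     # only our gateway may mint tokens
        raise ValueError("not issued by gateway")
    if claims.get("aud") != SERVICE_AUDIENCE:   # a token for billing is useless here
        raise ValueError("token is for another service")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("missing scope")
    return claims


def handle_request(headers: dict, required_scope: str = "orders:read",
                   now: int = None) -> tuple:
    """Service entry point. Knowing the service URL is not enough: a request
    that did not come through the gateway carries no valid token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = service_verify_token(auth[len("Bearer "):], SHARED_SECRET,
                                      required_scope, now)
    except ValueError as err:
        return 403, str(err)
    return 200, f"orders for {claims['sub']}"


if __name__ == "__main__":
    token = gateway_issue_token(SHARED_SECRET, SERVICE_AUDIENCE, ["orders:read"], "alice")
    print(handle_request({"Authorization": "Bearer " + token}))   # via gateway
    print(handle_request({}))                                     # direct call, bypassing gateway
```

The duplicated part across services is only the few lines of `service_verify_token`, which belong in a shared library or sidecar, not a copy of the login flow; the gateway alone talks to the identity provider, which is what keeps provider changes cheap, as the second answer notes. Network isolation (ClusterIP-only services) is still worth having on top of this, but on its own it does not stop other workloads inside the same network from calling the service.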