
I have multiple micro-services, which can be called by a client through an API gateway; the micro-services can also communicate with each other.

Ideally the request will come from the user through the API gateway, and that request will have all permissions. Here I am trying to assign only the required role to the user. For example, if the user (browser) needs data from micro-service A, then only that role will be given to the user, and if micro-service A internally needs data from B (REST call), then that role should not be assigned to the user.

Requirement: how to restrict/authorize internal communication between micro-services so that only an authorized micro-service can make calls to the others.

Options:

  1. Assign all roles to the user, even for internal communication (passing the same token in all communications).

  2. Assign only the user-facing micro-service's role to the user; if internal communication is required, each micro-service will act as a user itself towards the other micro-service and generate its own token before the call.

  3. Do not allow micro-services to communicate internally; rather, fetch all data from all micro-services and process it at the client.

Which of the above options will be best, or is there any other?

Ashish Sharma
  • Possible duplicate of [Propagate HTTP header (JWT Token) over services using spring rest template](https://stackoverflow.com/questions/46729203/propagate-http-header-jwt-token-over-services-using-spring-rest-template) –  Jun 20 '19 at 12:35
  • Of course passing the token is one option, but then the user requires all roles. – Ashish Sharma Jun 20 '19 at 13:08

2 Answers

I'd go with option number 2. For intra-service communication, backend services (applications) will act as a client and would request a token first (/oauth/token). To validate these tokens, all services will need a mechanism to verify them (/oauth/check_token). You can use the Client Credentials grant type for this. These /oauth/** endpoints are provided by Spring. For making REST requests from one service to another, use OAuth2RestTemplate; it's not thread-safe.

In each application, you'd need to define security protection rules for the various endpoints. Something like this:

    <!-- Spring Security XML config: endpoint -> required role -->
    <sec:filter-security-metadata-source id="securityMetadataSource"
                                         request-matcher="ant"
                                         use-expressions="true">
        <!-- internal endpoints: only callers holding a service token -->
        <sec:intercept-url pattern="/accounts/**" access="isFullyAuthenticated() and hasRole('PRIVATE_SERVICE')"/>
        <!-- user-facing endpoint: only callers holding a portal user token -->
        <sec:intercept-url pattern="/members/member-details" method="GET" access="isFullyAuthenticated() and hasRole('PORTAL_USER')"/>
    </sec:filter-security-metadata-source>

For more restriction, issue a self-signed certificate per application (not per application instance). Add the public keys of all applications to a single truststore. During application startup, let every application download this truststore. With this, an application will talk only to those applications it trusts.

Vijay Nandwana
  • Thanks, can we use a common jar for token validation, rather than adding the same code in all micro-services? – Ashish Sharma Jun 21 '19 at 12:28
  • In this specific case, token validation will happen via [CheckTokenEndpoint](https://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.html). Spring exposes this endpoint as `/oauth/check_token`. Each application will have its own unique client ID (so the [RemoteTokenServices](https://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/RemoteTokenServices.html) configuration would differ) and each would have different endpoints (so the security config would differ); nothing seems common here. – Vijay Nandwana Jun 25 '19 at 06:00
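The flow this answer describes (option 2: each service obtains its own token via the Client Credentials grant, the callee introspects it and then applies per-endpoint role rules) as an added, self-contained Python model. This is example code, not the answer's or Spring's, and the client IDs, secrets, roles, opaque token store and the two URL rules mirroring the XML above are all constructed assumptions.

```python
import re
import secrets
import time

# Constructed authorization-server registry: client_id -> secret and granted roles.
CLIENTS = {
    "service-a": {"secret": "a-secret", "roles": {"PRIVATE_SERVICE"}},
    "portal":    {"secret": "p-secret", "roles": {"PORTAL_USER"}},
}
TOKENS = {}  # opaque token -> {"client_id", "roles", "exp"}; stands in for Spring's token store


def oauth_token(client_id, client_secret, ttl=300):
    """Client Credentials grant (/oauth/token): a service authenticates as itself
    and receives a token carrying only the roles registered for that client."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return None
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"client_id": client_id, "roles": set(client["roles"]),
                     "exp": time.time() + ttl}
    return token


def oauth_check_token(token):
    """Introspection (/oauth/check_token): return the token's claims, or None
    when it is unknown or expired. Every callee uses this, never the secret."""
    info = TOKENS.get(token)
    if info is None or info["exp"] < time.time():
        return None
    return info


# Constructed equivalent of the two intercept-url rules: (path pattern, method, role).
RULES = [
    (re.compile(r"^/accounts/.*$"), None, "PRIVATE_SERVICE"),
    (re.compile(r"^/members/member-details$"), "GET", "PORTAL_USER"),
]


def authorize(method, path, token):
    """Resource-server decision: 401 if no valid token, 403 if the token lacks
    the role the first matching rule demands (or no rule matches), else 200."""
    claims = oauth_check_token(token) if token else None
    for pattern, rule_method, role in RULES:
        if pattern.match(path) and (rule_method is None or rule_method == method):
            if claims is None:
                return 401
            return 200 if role in claims["roles"] else 403
    return 403  # deny by default: an endpoint without a rule is not served
```

The portal's user token cannot reach `/accounts/**`, while service A's own token can, which is exactly the separation the question asks for.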

We are using a mix of option 1 and 2.

In case a user calls an API, if the gateway first calls Service A and then Service A calls Service B, then A passes the same JWT token on to Service B.

In the case of a timer job in Service A which periodically gets some data from Service B, Service A also has its own JWT token with which it makes the call to Service B.

techagrammer