
I have been working on creating a platform utilizing a microservices architecture with an API Gateway. One question that I'm stuck on is how to have the API Gateway handle both authenticated and unauthenticated endpoints.

Here is a simplified and rough diagram of the system I am thinking about.

For my system, I'll be using Auth0, and I think I want to have the service check if the token is valid using the public key, instead of the gateway doing it. This gives me more flexibility if I want to make one of my services public someday. And I think I want to keep my gateway small.

But how will the gateway handle a mixture of both authenticated and unauthenticated endpoints? I.e. I want to make the GET endpoint "open", and the POST endpoint require login. Which entity should manage whether an endpoint is "open" or "requires login", the gateway or the service?

  1. Should I always have the gateway pass along the request to the service, regardless of whether the user is logged in or not, and have the service return a 401?
  2. Or should the gateway contain some logic about which endpoints require login, and return 401 if there is no token in the request, skipping the service entirely?

2 Answers

Yes, it is configured on the gateway you will be using. For example, on AWS API Gateway you can have a Lambda custom authorizer for access points. The authorizer function can 'authorize' by returning OK for all requests to that endpoint.

More reading here

Dawit

This is one of the main responsibilities of API Gateways in my opinion. It may depend on the specific API Gateway, but one elegant solution that we used was:

  • All microservices define their endpoints, and whether they are protected or not, in a descriptor file.
  • When a service is deployed (perhaps in CI), it registers these definitions with the API Gateway.
  • The API Gateway accepts the request and checks whether the endpoint is protected or not.
  • The API Gateway may enrich the request with user info if the endpoint is protected.
  • All requests beyond the Gateway are considered secure and are accepted by the services.

This way we separate the concern of authentication from business logic / features.
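As an added illustration of the descriptor-driven approach in this answer (and of the gateway-side authorizer idea in the other answer), here is a small Python model of a gateway that is not code from either answer. It assumes a constructed descriptor format (`service`, `method`, `path`, `protected`) and stands in an HS256 HMAC check for the RS256 public-key verification an Auth0 token would actually need; the open GET passes straight through, the protected POST is rejected with 401 before any service is called, and on success the gateway adds a user-id header while stripping any client-supplied identity headers so they cannot be spoofed. The Authorization header is forwarded unchanged so the service can still re-verify the token itself, as the question proposes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example of what each service would register at deploy time
# (assumed format; the answer only says "a descriptor file").
ROUTE_DESCRIPTORS = [
    {"service": "posts", "method": "GET", "path": "/posts", "protected": False},
    {"service": "posts", "method": "POST", "path": "/posts", "protected": True},
]

# Demo-only HMAC secret. A real deployment would verify an RS256 signature
# against the identity provider's public key (JWKS) instead.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims, ttl_seconds=60):
    """Build a compact HS256 JWT (stands in for the identity provider issuing one)."""
    body = dict(claims, exp=time.time() + ttl_seconds)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(body).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token):
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Pin the algorithm and compare in constant time.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp")
    if exp is None or exp <= time.time():
        return None
    return claims


class Gateway:
    def __init__(self, descriptors):
        # Registration step: index every declared endpoint by (method, path).
        self.routes = {(d["method"], d["path"]): d for d in descriptors}

    def handle(self, method, path, headers):
        """Return (status, body); body for 200 shows what the service would receive."""
        route = self.routes.get((method, path))
        if route is None:
            return 404, {"error": "unknown route"}
        # The gateway owns identity headers; drop any the client sent.
        clean = {k: v for k, v in headers.items() if not k.lower().startswith("x-user-")}
        if not route["protected"]:
            return self._forward(route, clean)
        auth = clean.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        claims = verify_token(auth[len("Bearer "):])
        if claims is None or "sub" not in claims:
            return 401, {"error": "invalid or expired token"}
        clean["X-User-Id"] = claims["sub"]  # enrichment for the upstream service
        return self._forward(route, clean)

    def _forward(self, route, headers):
        # Stand-in for proxying: report the upstream service and forwarded headers.
        return 200, {"service": route["service"], "headers": headers}


def forge_payload(token, claims):
    """Constructed attack sample: reuse a valid signature with a different payload."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{sig}"


if __name__ == "__main__":
    gw = Gateway(ROUTE_DESCRIPTORS)
    tok = make_token({"sub": "alice"})
    print(gw.handle("GET", "/posts", {}))
    print(gw.handle("POST", "/posts", {}))
    print(gw.handle("POST", "/posts", {"Authorization": "Bearer " + tok}))
```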