We are planning to build a new custom API component using Spring Boot which acts as an API gateway. The custom API acts as a REST client and fetches information from multiple REST API sources. Authentication should be done with one of the 3rd-party applications using a REST API call, and the same authentication should then be used with the other 3rd-party APIs. The 3rd-party REST API only supports basic authentication. So the custom API component needs to pass either the JSESSIONID or the basic authentication details to fetch the information using the REST APIs. My questions:
- Is it secure to pass the session token to the clients (mobile) after successful authentication with the 3rd party, since the mobile apps need to pass the token back to the custom API component for the REST calls after authentication?
- Or use JWT authentication for the custom API component, store the JSESSIONID and JWT in a database, and manage the sessions there?
- Or always pass basic authentication?
- Can I use the Spring Cloud Gateway architecture for developing the custom API component?
I hope my queries are not clear. Also please share any suggestions for the architecture.
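The second option in the question (a gateway-issued JWT, with the upstream JSESSIONID kept server-side) can be illustrated without Spring. The following Python model is an added example, not code from the question or from any Spring project: it stands in for the gateway logic with plain functions rather than Spring controllers, and the upstream 3rd-party API is a constructed fake that only accepts HTTP Basic credentials. The names `gateway_login`, `gateway_fetch`, `upstream_login`, the in-memory session store (a database or Redis in a real deployment) and the HS256 JWT helpers are all assumptions made for the example. The point it demonstrates: the mobile client only ever receives the gateway's own short-lived JWT, the JWT carries an opaque session id rather than the upstream JSESSIONID or the basic credentials, and revoking the server-side entry (logout, or the upstream session dying) immediately invalidates the client token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Constructed stand-in for the 3rd-party API that only supports Basic auth ---
UPSTREAM_USERS = {"alice": "correct-horse"}   # constructed sample credentials
_upstream_sessions = {}                        # JSESSIONID -> user (fake upstream state)


def upstream_login(basic_header):
    """Fake upstream /login: accepts 'Basic <b64(user:pass)>', returns a JSESSIONID."""
    scheme, _, cred = basic_header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(cred).decode().partition(":")
    if not hmac.compare_digest(UPSTREAM_USERS.get(user, "").encode(), pw.encode()):
        return None
    jsessionid = secrets.token_hex(16)
    _upstream_sessions[jsessionid] = user
    return jsessionid


def upstream_fetch(jsessionid):
    """Fake upstream data endpoint keyed on the JSESSIONID cookie."""
    user = _upstream_sessions.get(jsessionid)
    if user is None:
        return 401, None
    return 200, {"owner": user, "items": [1, 2, 3]}   # constructed payload


# --- Gateway side: what the custom Spring Boot component would implement ---
GATEWAY_SECRET = secrets.token_bytes(32)   # assumption: loaded from a secret store in practice
TOKEN_TTL_SECONDS = 900                    # short-lived client token
_session_store = {}                        # sid -> {"user", "jsessionid", "exp"}; DB/Redis in Spring


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims):
    """HS256 JWT signed with the gateway's own secret; claims never include upstream secrets."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(GATEWAY_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(GATEWAY_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def gateway_login(username, password):
    """Client sends credentials once; gateway logs in upstream and returns only its own JWT."""
    basic = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
    jsessionid = upstream_login(basic)
    if jsessionid is None:
        return 401, None
    sid = secrets.token_urlsafe(32)          # opaque handle, the only thing the JWT references
    exp = int(time.time()) + TOKEN_TTL_SECONDS
    _session_store[sid] = {"user": username, "jsessionid": jsessionid, "exp": exp}
    return 200, mint_jwt({"sub": username, "sid": sid, "exp": exp})


def gateway_fetch(bearer_token):
    """Client presents the JWT; gateway resolves the server-side session and calls upstream."""
    claims = verify_jwt(bearer_token)
    if claims is None:
        return 401, None
    entry = _session_store.get(claims.get("sid"))
    if entry is None or entry["user"] != claims.get("sub"):
        return 401, None
    status, body = upstream_fetch(entry["jsessionid"])
    if status == 401:                         # upstream session died: drop our mapping too
        _session_store.pop(claims["sid"], None)
    return status, body


def gateway_logout(bearer_token):
    """Revocation is a server-side delete; the JWT becomes useless even before it expires."""
    claims = verify_jwt(bearer_token)
    if claims is not None:
        _session_store.pop(claims.get("sid"), None)
        return True
    return False
```

In a Spring Boot gateway the same shape maps onto a filter that validates the JWT, a session repository (Spring Session or a plain JPA/Redis store) holding the `sid` to `JSESSIONID` mapping, and a `RestTemplate`/`WebClient` call that attaches the upstream cookie. Note what the client never sees: the basic credentials are used once and discarded, and the upstream cookie stays inside the gateway, so a leaked mobile token can be revoked centrally rather than living as long as the upstream session does.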