Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Authentication between microservice approach

I am currently building an API based around a microservices architecture.

I am using JWT to authenticate users. I understand that when a user sends a login request a JWT containing the users identity and their roles/permissions etc is returned. This token is then sent with the users subsequent requests to tell the server who is sending the request. I think this is the correct understanding.

In a normal monolithic architecture this works well as explained. How can I transfer this to a microservices architecture to establish trust between microservices.

I could forward the users JWT to downstream microservices simply but this doesn't allow the downstream microservice to know who/which upstream microservice is sending the request.

An example would be I have a location microservice. I want to allow the restaurant microservice to make calls to the location microservice. But I also have a product microservice that I do not want to be able to call the location microservice.

Obviously I could just not code the product microservice to call the location microservice but this doesn't stop someone else from doing so.

Any suggestions?

like image 989
mwild Avatar asked Aug 10 '17 14:08

mwild


People also ask

How do you securely communicate between microservices?

Developers may feel free to allow microservices to message each other since the firewalls can provide a basic protection against data leakage or bad actors. An added layer of security can be implemented relatively easily by using a virtual private network to secure all communications between microservices.


2 Answers

You can make the communication between microservices secure atleast by following two methodologies :

  1. JWt token : Let assume micro service A wants to communicate with micro service B, then the token issued by A and the audience of the token is B. In that case the token is signed by micro service A with its private key. The aud field in JWT will represents the audience, it can be a single service or a set of services. The value of aud parameter should be a pre agreed value between the services. In micro services you can use the regular expression to validate the audience. For example aud can be *.samplemicroservice.com. Audience service B can check whether token is intended for it or not by checking the aud field. Once confirmed it can use issuer's public key to verify it.

  2. Mutual SSL : The straight forward way to achieve it is to use mutual ssl between services. Each service should have SSL enabled and should presents its certificate to the the other service and other service should check the validity of the certificate with a trust store. This should be validated at both microservice A and microservice B to reach a mutual agreement. A self signed certificate can be used as root CA for all services certificates and can be accessed through a trust store.

There can be many variations of these mechanism. Specifically in case of JWT token. For example, You can delegate the token issuing responsibility to one service and can validate token in each of the service using public key of issuer service.

like image 90
AjayLohani Avatar answered Oct 13 '22 05:10

AjayLohani


Here you have two different problems to solve!

1) User authentication/authorization:

Yours downstream services services should pass the user JWT token to services upstream (dowstream depends on upstream, the downstream is more near of the frontend). This way all services can validate the JWT token, and we can garantee that the token is unchanged.

2) Micro services authorizarion:

This is the second scenario you have, you need to garantee the trust relation between microservices and the authorizations to access a resource. In this case, ever microservices do you have shoul be a client (act as user), in a auth service (key cloak, Authservice...) and before send a request to any upstream dependecy, it should be authenticated, and send his own JWT token, in this way the destination microserveice (the called one) can validate and alow or not alow the caller to access the resource, and later, check the end user credentials.

This kind of approuch can be achieved using the client credentias autorization flow (https://oauth.net/2/grant-types/client-credentials).

See this article: https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot

like image 26
Ibson Machado Avatar answered Oct 13 '22 05:10

Ibson Machado