I know this may not be a good question.
I was asked a question: do we really need authentication among microservices? And I have no idea of the answer. I did read some tutorials on SOA, microservices, and how to add authentication among the services. But I did not have many ideas about why we need authentication/authorization between microservices. Any use cases where they are required? Any use cases where they are not required? Any potential risk without authentication/authorization?
Any comments are welcome. It would be better to give some practical examples. Thanks.
If your organization is concerned with internal threats (and why wouldn't they be?), then yes, all microservices need to be protected from malicious use.
Whether a microservice that you design and develop requires authentication is up to your functional requirements and the way you design it.
A common technique used is to not have authentication on each individual microservice but to group them together behind a common facade (such as an API Manager). You can then apply authentication and other policies in one place, the policy enforcement point/API Manager, for "external" consumers, while "internally", behind your common security boundary, your microservices remain lightweight and can call each other without authentication (if that makes sense for your use case/requirements/architecture etc.).
To sum up: it's a design decision that involves multiple tradeoffs. Clearly, if you have a critical business service fetching or updating sensitive data, you might want only authorised callers to access it. But you might not want many internal callers (which could be other microservices) running within your organisation's "trusted" network to be burdened with unnecessary policy enforcement. But then, there might be situations where even internal callers need to authenticate properly (e.g. if it is a payment service).
Authentication/authorization is in most cases needed for microservices that provide a public API, as they are available/visible to the world.
Why? Because when someone from the world calls the API method, we (in most cases) want to know who the client is (do authentication) and decide what the client is allowed to do (do authorization).
On the other hand, for internal microservices the clients are (in most cases) well known, as they are other internal microservices. So unless you need to provide different restrictions of use for different internal microservices, there is no need for authorization. Note that I assume that internal components are only available within the organization.
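Both answers above describe the same shape: one policy enforcement point (an API Manager) that authenticates external consumers and authorizes them per route, lightweight internal services that trust an identity header set by that gateway, and a sensitive service (a payment service) that re-authenticates every caller even when the caller is another internal service. The following is an added example of that design, not code from either answer. All names (`api_manager`, `GATEWAY_SECRET`, `PAYMENT_SECRET`, the routes and scopes) are hypothetical, the tokens are a minimal HMAC-signed format rather than a real JWT library, and the "requests" are plain dicts so it runs offline. It assumes the internal services are not reachable from outside the gateway; that assumption is exactly what makes trusting `X-Caller` safe, and why the payment service does not rely on it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys for this example (assumption). Each verifier holds its own key so a
# token minted for the gateway cannot be replayed against the payment service.
GATEWAY_SECRET = b"gateway-hmac-key-example-only"
PAYMENT_SECRET = b"payment-hmac-key-example-only"

# Hypothetical route table: which scope an external caller needs for each public route.
ROUTE_SCOPES = {"/catalog": "catalog:read", "/orders": "orders:write"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes, ttl: int = 300, now=None) -> str:
    """Mint a bearer token of the form base64(claims).base64(HMAC-SHA256(claims))."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def verify_token(secret: bytes, token: str, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _bearer(request) -> str:
    auth = request.get("headers", {}).get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def api_manager(request, now=None):
    """Policy enforcement point: authenticate and authorize external consumers once."""
    claims = verify_token(GATEWAY_SECRET, _bearer(request), now)
    if claims is None:
        return {"status": 401, "body": "missing, invalid or expired token"}
    route = request["path"]
    needed = ROUTE_SCOPES.get(route)
    if needed is None:
        return {"status": 404, "body": "no such route"}
    if needed not in claims["scopes"]:
        return {"status": 403, "body": f"scope {needed} required"}
    # Build the internal request from scratch: any X-Caller the client sent is dropped,
    # so downstream services only ever see the identity the gateway verified.
    internal = {"path": route, "headers": {"X-Caller": claims["sub"]}}
    return ROUTES[route](internal, now)


def catalog_service(request, now=None):
    """Lightweight internal service: trusts X-Caller because only the gateway can reach it."""
    return {"status": 200, "body": f"catalog for {request['headers']['X-Caller']}"}


def order_service(request, now=None):
    """Internal service that must present its own credential to the payment service."""
    token = issue_token(PAYMENT_SECRET, "order-service", ["payments:charge"], now=now)
    hop = {"path": "/charge", "headers": {"Authorization": f"Bearer {token}",
                                          "X-Caller": request["headers"]["X-Caller"]}}
    result = payment_service(hop, now)
    if result["status"] != 200:
        return {"status": 502, "body": "payment failed: " + result["body"]}
    return {"status": 200, "body": f"order placed for {request['headers']['X-Caller']}"}


def payment_service(request, now=None):
    """Sensitive service: re-authenticates every caller, internal ones included."""
    claims = verify_token(PAYMENT_SECRET, _bearer(request), now)
    if claims is None or "payments:charge" not in claims["scopes"]:
        return {"status": 403, "body": "caller not authorised to charge"}
    who = request["headers"].get("X-Caller")
    return {"status": 200, "body": f"charged on behalf of {who} by {claims['sub']}"}


ROUTES = {"/catalog": catalog_service, "/orders": order_service}
```

Two checks worth running against this: a gateway token with only `catalog:read` is refused at `/orders` before any internal service is touched, and the same gateway token presented directly to `payment_service` is rejected because it was signed with a different key, so an attacker who obtains a public-API token still cannot charge anything.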