3

I have this simple design:

                   ---------               -------------
----> Queries ----> Gateway ---- RPC ----> Microservices
                   ---------               -------------

I am thinking of having the gateway handle authentication and authorization, leaving my microservices to completely trust the gateway (aka if the gateway says user x should be deleted, don't double-check that auth token, just do it). The microservices will not be exposed to the world and they will establish a secure connection (VPN maybe) to the Gateway.

Is this a good idea? Or should I take the more streamlined solution and check the auth token with each request both on the gateway AND the microservice? What can go wrong?

dFrancisco
Rad'Val

2 Answers

4

How are your microservices locked down?

If an attacker is internal, or finds a weakness somewhere else within your organization and attacks your microservices, are they completely segregated so that requests can only come through the gateway?

Do any of your microservices perform any actions that are considered more privileged than the rest? For example, several services generate page content while another processes payments?

My view is you should be passing an auth token to all your services after authenticating at your gateway, but this is going to depend on your system's threat model.

McMatty
2

It is not necessarily a bad idea but I believe it is a little bit over complicated. From the information you have given us, I do not understand the need for the gateway at all.

First off, I will assume you have a separate service/server acting as an authentication server, consuming user credentials and spitting out (let's say) signed JWT tokens that vouch for the role and authenticity of each user. Then when the client wants to run a query on one of the micro-services, it can fetch a JWT token from the authentication server if it does not already have one, then pass this JWT token in the authentication header in a request directly to the micro-service.

The micro-service can then verify the signature on the JWT token with the same algorithm used to sign it (for example the HMAC-SHA256 algorithm). If the signature is valid, then the micro-service checks the role supplied in the JWT token and either fulfills the request or rejects it.

The issue with your method is the possibility of circumventing the gateway and making requests directly to the micro-service. For example:

                   ---------               -------------
----> Queries ----> Gateway ---- RPC ----> Microservices
                   ---------               -------------
                                              ^
                                              |
----> Attacker Query -------------------------

Where the attacker passes no JWT token and the micro-service will still fulfill the request.

The only good reason to use a gateway as you explained is if there is no way for the person forming the query to know where this micro-service resides and it/they must use the gateway to direct their query to the micro-service. In which case, unless you can absolutely guarantee that no request except requests from the gateway can reach the micro-services, you will need to check tokens on both the micro-services and the gateway.

Hope it helps!

dFrancisco
  • Thank you for the answer and edit. Yes, what you're saying is completely true. However, what I'm wondering is, can I **absolutely guarantee that no request except requests from the gateway can reach the micro-services**? There are a couple of ways to do it, like VPNs or ssh tunnels, but how vulnerable would that be, and what vectors of attack can an attacker take? – Rad'Val Jan 18 '18 at 21:08
  • But overall, I think you might be right, I have to give it some serious thought before going that way. – Rad'Val Jan 18 '18 at 21:09
  • @ValentinRadu in my opinion, there is no good enough way to guarantee to an extent I would consider secure. Generally the best bet is always to stick to industry standards so in this case, validate the token on the micro-service. – dFrancisco Jan 18 '18 at 21:13
  • 1
    @ValentinRadu depends. If you are going serverless in the cloud use ip whitelists on the microservices so only known parties can connect to them. If this is on perm and you have a single host for the microservices set up IP whitelisting so only the gateway can communicate. The assumption is you have ARP spoofing protection configured. – McMatty Jan 18 '18 at 21:31
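As an added example (not code from the question or from either answer), here is the check dFrancisco's answer describes, placed next to the "trust the gateway" handler from the question so the difference is concrete. The micro-service verifies an HS256-signed JWT itself, pins the algorithm, rejects expired tokens, and only then enforces the role claim; the attacker query from the diagram, carrying no token, is refused. Everything here is constructed for illustration: the shared secret, the `role` / `admin` claim values, and the two `delete_user_*` handler names are assumptions, and the token format follows the JWT compact serialization using only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. With HS256 the authentication server and every
# micro-service share it; in production it comes from a secret store, not source.
SHARED_SECRET = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """What the authentication server does: sign header.claims with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Micro-service side: return the claims if the token is valid, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token pick it (rejects alg=none).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, TypeError, AttributeError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return None  # expired
    return claims


def delete_user_trusting_gateway(request: dict) -> str:
    """The design from the question: the service assumes only the gateway can reach
    it and acts on the body without looking at any token. A request that bypasses
    the gateway (the 'Attacker Query' arrow in the diagram) is served all the same."""
    return "deleted " + request["user_id"]


def delete_user_verifying(request: dict, now: Optional[float] = None) -> str:
    """The hardened service: verify the token itself and enforce the role claim."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "401 missing token"
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return "401 invalid token"
    if claims.get("role") != "admin":   # constructed role model: only admins delete users
        return "403 insufficient role"
    return "deleted " + request["user_id"]


if __name__ == "__main__":
    # Constructed requests: one straight from an attacker, one with a valid admin token.
    attacker_request = {"user_id": "alice"}
    print("trusting gateway:", delete_user_trusting_gateway(attacker_request))
    print("verifying, no token:", delete_user_verifying(attacker_request))
    admin_token = mint_token({"sub": "bob", "role": "admin", "exp": time.time() + 300})
    legit_request = {"user_id": "alice", "headers": {"Authorization": "Bearer " + admin_token}}
    print("verifying, admin token:", delete_user_verifying(legit_request))
```

The handler that trusts the gateway has no way to tell the gateway's RPC from a direct call, which is exactly the gap the diagram shows; the verifying handler makes the micro-service's decision independent of where the request came from, so network controls such as the VPN or IP whitelisting discussed above become a second layer rather than the only one.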