
In a microservice architecture, public clients and confidential clients exist as per the API Gateway pattern. Public clients connecting from a browser to the backend reach it via the API Gateway.

  • The API Gateway does authentication / authorization and reaches the backend endpoint.

  • Depending on the client, OAuth2 grant types are used.

The question is: if there are multiple microservices A, B, C

  • A is a microservice invoked from a browser app [Angular or SPA]; A has to invoke B for some purpose. Microservice B is not exposed directly to the outside world; it is internal.

A reaches B via HTTP as a service.

  • Apart from mutual TLS, what security is to be adopted?
  • Do all [internal] microservices have to be registered in the API Gateway, and does microservice A have to reach B only via the API Gateway? If not, what kind of authentication and authorization is to be used as a practice?
  • In most places, authentication & authorization come out of the box with the API Gateway, backed by key managers.
  • If we bypass the API Gateway, do authentication and authorization have to be implemented in a custom way?

1 Answer


The rule is that a request coming from B to A should provide the same authorization context as if it came from the API Gateway. The details depend on the implementation.

  1. If all the authentication and authorization is handled at the gateway, and only authorized requests can reach the backend services, B has nothing special to provide: A will answer without wondering about authorization.

  2. If the gateway only handles authentication and passes roles to the backend microservices, which are used to control the permission parts, then B has to provide the roles it received in the request it submits to A.

  3. ... your mileage may vary...

Serge Ballesta
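The second case in the answer above, as an added example that is not code from the question or the answer: the gateway authenticates the external client and passes its identity and roles inward in a signed internal token, the calling service relays that token unchanged on the service-to-service hop, and the internal service verifies it and enforces the role itself rather than assuming only the gateway can reach it. Everything here is an assumption for illustration: the HS256-style token format built from the standard library (a real deployment would use a JWT library and a key-manager-rotated key), the shared secret, the claim names, and the `orders:read` role. The HTTP call from A to B is simulated with a direct function call so the example runs offline.

```python
"""Propagating the gateway's authorization context from service A to B.

Added example, not from the original question or answer. Assumes the API
Gateway, after authenticating the external client, mints a short-lived
internal token (HS256 JWT-style, signed with a secret shared with internal
services) carrying the subject and its roles. The secret, claim names and
the 'orders:read' role are assumptions. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import time

INTERNAL_SECRET = b"rotate-me-via-your-key-manager"  # assumed shared secret


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_internal_token(sub, roles, ttl=60, now=None, secret=INTERNAL_SECRET):
    """Gateway side: wrap the authenticated identity and its roles in a signed token."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "roles": roles, "iat": now, "exp": now + ttl}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_internal_token(token, now=None, secret=INTERNAL_SECRET):
    """Callee side: check signature and expiry before trusting any claim.

    Returns the claims dict, or None when the token must not be trusted."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # tampered payload or signed with a different key
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired: stale authorization context is not accepted
    return claims


def service_b_handle(headers, now=None):
    """Internal service B: enforce the role itself; being 'internal' is not authorization."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing internal token"
    claims = verify_internal_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid internal token"
    if "orders:read" not in claims.get("roles", []):
        return 403, "role orders:read required"
    return 200, f"orders for {claims['sub']}"


def service_a_call_b(incoming_headers, now=None):
    """Service A: forward the authorization context it received to B.

    A neither mints its own token nor widens the roles; it relays what the
    gateway issued. The HTTP hop is simulated by a direct call here."""
    outbound = {"Authorization": incoming_headers.get("Authorization", "")}
    return service_b_handle(outbound, now=now)
```

Because B verifies the signature and expiry itself, a caller that bypasses the gateway cannot grant itself `orders:read` by editing the payload, and a token minted with a different key is rejected even though its structure is valid; mutual TLS on the A-to-B hop then adds transport authentication on top of this per-request authorization context rather than replacing it.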