Questions tagged [microservices]
16 questions
3
votes
1 answer
Propagating user context between microservices secured with M2M JWT tokens
We have a current microservice architecture where we secure communication between microservices via Machine-To-Machine access tokens (these tokens are obtained using the Client Credentials grant flow).
We do this for all communications between…
Spongeboy
- 151
- 3
3
votes
1 answer
Is it necessary to protect the OAuth2 return URL
I am thinking of implementing a REST service that needs to call another REST service that is protected by OAuth2.
My service is "always" called server to server by web applications.
The user interacts with the web applications using their…
Marco Altieri
- 633
- 5
- 13
2
votes
2 answers
Access Control for REST APIs - OWASP recommendation
OWASP states:
Non-public REST services must perform access control at each API
endpoint. Web services in monolithic applications implement this by
means of user authentication, authorisation logic and session
management. This has several drawbacks…
Eduardo Bueno
- 21
- 2
2
votes
0 answers
Assuming secure code practices are adhered to, is a thousand-tier/n-tier microservices application or a monolithic application more secure?
Assuming secure code practices are all adhered to for both applications, is a thousand-tier/n-tier microservices application or a monolithic application more secure?
From a monitoring, visibility standpoint, etc. I am trying to understand which…
Nathan Aw
- 1
- 7
- 12
1
vote
1 answer
Are error code prefixes specific to particular microservices a vulnerability?
If your microservice architecture responds with error codes revealing which microservice had an error, doesn’t this reveal to the caller information on how your microservice architecture is designed?
Caller -> Service A -> Service B -> Service B…
visc
- 111
- 2
1
vote
1 answer
Setting httponly secure cookies in microservice architecture
I have read that storing the JWT token within an httponly secure cookie is the recommended way to prevent both CSRF attacks and XSS attacks.
When a user goes to my website they may make an API call like so
POST…
Dan
- 13
- 3
1
vote
0 answers
A single microservice (e.g., a spring boot jar) can be dependent on more than 100 libraries - how to ensure that none of these are compromised?
It took only one DLL, the SolarWinds.Orion.Core.BusinessLayer.dll, to bring so many companies to their knees. To be more precise, just a couple of lines of code in a single DLL.
In today's cloud-native application development, a single microservice…
Nathan Aw
- 1
- 7
- 12
1
vote
1 answer
Disable SSL verification between isolated microservices
I have an internet-isolated EC2 instance which is a Ruby client, and it is connecting with multiple EC2 servers of mine in the same network that have different sub-domain names. These EC2 servers are protected with forced SSL whenever they are accessed…
Sahil
- 113
- 4
1
vote
0 answers
Generate a new AccessToken each time a user updates their information
I'm building a PWA app, where I implemented JWT tokens to auth users.
I have 2 main architecture problems, but let me introduce you to what I'm building.
I'm building an application that is all about dog lovers; this application is to post lost dogs, post…
Natanel Soussana
- 11
- 1
0
votes
0 answers
Security Risks with Event Streaming
At a high level, based on event store and streaming technology (i.e. Apache Kafka, Amazon Kinesis, etc.) to decouple systems and make them event-driven systems, I was wondering what new architectural risks this would pose, such as whether there…
Rivesticles
- 644
- 3
- 13
0
votes
0 answers
Using public OAuth tokens to authorize access to internal services
Here's the deal. This might probably be a known best practice, but I haven't been able to find anything on the matter.
Suppose company X has a public facing web API server, and a public OAuth Identity Server. Its clients will get a token from the…
Ccm
- 23
- 2
0
votes
1 answer
Can the services inside the VPC be authentication-less?
We have a microservices architecture, where many microservices need to talk to each other for data.
These services are inside a VPC.
I need to understand if the HTTP APIs of these microservices need not have any authentication if they are no active…
Vamsi Pavan Mahesh
- 101
- 1
0
votes
0 answers
Authenticating/ identifying dynamic UI Client to Back-End
The title may be a bit misleading so I will try to make this as clear as possible. We have several microservices that expose endpoints and they communicate to each other. They needed to authenticate each other so we used mTLS (Two way TLS) to secure…
Renis1235
- 101
- 3
0
votes
1 answer
In Microservice Architecture, how to secure inter-service (service to service) communication
In Microservice architecture, there are public clients & confidential clients.
As per the API Gateway pattern, public clients connecting from a browser to the backend reach it via the API Gateway.
The API Gateway does Authentication / Authorization and reaches…
0
votes
0 answers
How to prevent horizontal escalation attacks when a centralized authorization service as gateway is used?
Say I have a gateway which provides authorization mechanisms by validating a JWT; behind an API gateway there are different microservices but only the gateway port is public. As a software designer you decide to make all microservices unaware of…
Daniel Arechiga
- 101
- 1