Spring Cloud Gateway for Stateless Microservice Authorization
Vložit
- čas přidán 15. 10. 2019
- Improving and maintaining tech agility, time to market, and application modernization is challenging as the number of microservices we own and manage grows. How do you track who uses your applications? How can you establish and enforce common policies or flows to authenticate and authorize permissible use? How can you ensure effective governance?
In this talk, we'll share the approach at TD Ameritrade to solve these cross-cutting functions in an efficient and effective way. We'll discuss why and how we decided on API Gateway using Spring Cloud Gateway; the different use cases we're solving; our implementation for authentication and authorization leveraging IDP, OAuth2, and JSON web tokens; and how we brought the whole solution together for microservices running on Pivotal Platform.
Architects and developers attending this talk will see how the API Gateway pattern can help to successfully modernize web platforms with greater tech agility and faster time to market.
Speakers: Saravanan Paramasivam; Software Engineer, TD Ameritrade; Chris Jackson; Senior Developer, TD Ameritrade; Taher Saif; Sr. Manager, TD Ameritrade
Filmed at SpringOne Platform 2019
Slides: www.slideshare.net/SpringCent... - Věda a technologie
Def great vid. Thanks for the clear and clean explanations.
Could you please share a sample code implementation of the example of external IDP and token exchange?
JWT is one of the best choices for Microservice AuthZ per my dev experience so far.
Where can I find some example of your gateway api? Did you use and authorization code for the first token and client credentials for the second?
Just those of us watching this now. Monolithic Architecture is not old school. It’s in fact should be the de-facto standard to start writing your application using a “Modular”approach until you find the need to migrate to “Microservices”.
I'd like to get more information, on how access token between FE and gateway acts. What if IDP doesn't support that?
How does each microservice verify the JWT token it receives is the valid one. Even if it verifies that it is valid by calculating decoding and decrypting how it identify this user request is authorized one.
Each service has mechanism to decode JWT token addressed to it and after extracting roles contained within JWT decides what to do with the request. Basically - every service has it's authorisation mechanism.
Hi! Why do we need to forward JWT token to microservices? Is it used to provide user information?
I can be wrong but what i understand is that Jwt token have three parts in it, one is to hold user information so when you have roles set to users that role information will be in the token so that services can decide if they allow or deny the request.
In short, yes.. It provides user information (id, roles..) to the services behind gateway
At 24:40 "All the information needed to complete a particular request is sent along with JWT in the Authorization header"
My understanding: 1) JWT token self-contained and it's signed, when Resource Server receives it, it can verify the JWT token is valid, and no need to contact Authorization Server. 2) JWT token can contains claims for authorization purpose and not limited to UserInfo claim, so in a scenario where Authorization Server receives the JWT token (not in this video), it can make decision if the request should be granted or not. 3) Token Exchange in the video above, the main purpose I guess is for point 1), Resource Server gets what it needs, it can validate the token, and no need to validate it with Authorization Server - no additional call is needed. 4) API Gateway acts as the Authorization Client - such as OAuth2 Client. 5) Alternatively Authentication Server can generates a JWT token with UserInfo claim. The client can pass the token to Authorization Server for authorizing the request. In this case, there is no Token Exchange.
But how do you want to protect you microservices from unauthorized access ?
please share sample code
Can some one post Github link for this
FWIW JWT tokens standard says Encryption is optional
How will microservices verify that jwt is valid or not?
It's the IDP's responsability, I think
Also 29:01 FYI Signing is not the same as encryption
It could have been great if there was a practical example of the implementation. That could have really helped
Code example?
Aggregating Data on the Gateway can be problematic, would not recommend that. Don't put business logic on the gateway.
Why offload something as important as identity to a third party?
That seems like a security issue...
Why offload your infrastructure to the cloud? Wouldn't that be a security issue too.
@@kellyfj there's on prem or Colo vs cloud... Different levels of security for different things..
Login/auth you'd think would be high security..
Whether it is a 3rd party or not is completely up to you