How to pass jwt token from one microservice to other microservice in spring boot? - spring

Scenario: I have 4 microservices:
Gateway Service
Authentication Service
Posts Service (internally calls media service)
Media Service
I get the token from authentication service which contains user information (name, roles).
Then I call the posts API (via Gateway service) with that token. Now in the posts API, I have to call the media service and I need to pass the token which I got, since I need roles and username in the media service API. How can I do this?
I have checked many resources but could not find how we can attach the token to the rest template.

Related

Spring Cloud - Microservice Authentication propagation

I am building an application using microservice architecture. I am using Eureka for service discovery with Spring Cloud Gateway for request routing. For authentication mechanism I am issuing JWT tokens (in auth service). What is the best practice when it comes to propagating Authentication so I can get logged user information in each service which is after the gateway?
So far I've come up with/found a couple of possible solutions:
In the gateway, add headers for relevant user information, and in each service create a filter which would take said headers, create an Authentication object and store it into SecurityContextHolder. The downside of this approach is I can't just plug and play services outside my application.
Pass the token coming from the client through the gateway to each service, where I would have a JWTFilter which would validate the token and extract the user information. The downside I see with this approach is I have to have the JWT secret shared between each service or stored on each service, and I would have to implement JWT logic, producing duplicate code.
Final solution is having something like oAuth token introspection endpoint in auth service which would be called from each service (filter) once the request reaches it.
I implemented the filter logic for validating the user token in the gateway service, but I would like to use role-based authorization on each endpoint (service) differently (i.e. user service has an endpoint for creating users (ADMIN), and for fetching user information (ANY ROLE)).
I opted for something like your option 2 and use spring-boot to configure JWT decoder from an OIDC authorization-server (Keycloak).
Configuring OpenID resource-servers is super easy (more options in parent folder), and authorization-server JWT public signing key is retrieved automatically by spring JWT decoder.
All that is required is ensuring that Authorization header with JWT bearer is correctly propagated between services.
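Both the RestTemplate question at the top of the page and the propagation step mentioned in this answer come down to copying the incoming Authorization header onto the outgoing call. The following is an added example, not code from any of the posts; the class names, the bean name and the "media-service" host are assumptions, and it assumes a servlet-based (Spring MVC) service.

```java
import java.io.IOException;
import java.util.Set;
import jakarta.servlet.http.HttpServletRequest; // javax.servlet on Spring Boot 2.x
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Configuration
public class TokenRelayConfig {

    // Assumption: the only hosts that may receive the caller's token (hypothetical name).
    private static final Set<String> INTERNAL_HOSTS = Set.of("media-service");

    @Bean
    public RestTemplate relayingRestTemplate() {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.getInterceptors().add(new BearerRelayInterceptor());
        return restTemplate;
    }

    static class BearerRelayInterceptor implements ClientHttpRequestInterceptor {
        @Override
        public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                ClientHttpRequestExecution execution) throws IOException {
            String host = request.getURI().getHost();
            // Bound to the servlet request thread; null in @Async or scheduled work.
            RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
            // Never relay the user's token to a host outside the allow-list.
            if (host != null && INTERNAL_HOSTS.contains(host)
                    && attrs instanceof ServletRequestAttributes) {
                HttpServletRequest incoming = ((ServletRequestAttributes) attrs).getRequest();
                String auth = incoming.getHeader(HttpHeaders.AUTHORIZATION);
                // Forward only bearer credentials, unchanged, so the callee can verify them.
                if (auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
                    request.getHeaders().set(HttpHeaders.AUTHORIZATION, auth);
                }
            }
            return execution.execute(request, body);
        }
    }
}
```

The receiving service still has to validate the relayed token (signature, expiry, issuer) itself before trusting the roles in it. Calls made off the request thread carry no token with this approach, because the request context is not available there.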

How do I implement the basic authentication in Spring Cloud API Gateway?

I have 2 secured resource microservices and 1 authentication service and another API Gateway.
Authentication service can generate JWT Token given username and password. It also can validate a JWT token.
So, I want to implement security at the API Gateway only such that on receiving a request, it will first fetch a bearer token from the authentication service and forward the request to the secured resource service. I would like to get some idea how to implement that in API Gateway. Should I make it just in an aggregate fashion, like it would be a sync call which will first make a request to auth service and next forward the request to resource service?
Now, if I want to add the support of OAuth as well, which I know the spring cloud API Gateway already has the support for this via global filters.
But I am wondering about the legacy bearer token which is generated by the custom authentication service. How do I ensure this?
Any suggestion would be appreciated.
Thanks in advance!

Microservices architecture - Spring boot - Gateway

I'm developing a back-end with a microservices architecture. I'm new to that architecture and for now I have developed 3 microservices (RESTful web services, with Spring Boot), each in a container.
I want to implement OAuth2 and JWT Rest Protection and a gateway.
Is it correct to implement a gateway with Authorization Server and Resource Server?
Am I doing something wrong about the architecture?
Thanks for the replies
As per the standard, you should not mix the gateway with authorization because their purposes are different.
Gateway
A gateway can be differentiated in two ways - Internal and External. The purpose of a gateway is to route the call from external or internal to the protected resource.
Authorization Server
The authorization server comes into the picture for identity access management. All requests coming from external or internal via the gateway should be authenticated or authorized before routing the call to the protected resource with a JWT or access token etc.
https://medium.com/swlh/authentication-and-authorization-in-microservices-how-to-implement-it-5d01ed683d6f
Authentication and Authorization - There should be a separate service that authenticates the user (like supporting OAuth0 type of protocol and providing JWT Token). Your frontend should call the API Gateway.
Now the question is at what level of granularity you are maintaining permissions - only a small set of roles or a granular permission set. The API Gateway should communicate with the Authorization server with the JWT and get the set of roles and permissions. Based on that, the API Gateway should forward or block the call to the microservice.
Even if you have a small set of roles and the JWT can be extracted and validated by the Gateway, avoid keeping this at the Gateway, as there are chances that you will have to extract the functionality to some other service in the near future.

Integrate cognito with spring-boot microservice

This could sound like a very noob question, so let me apologize first.
We have multiple lambda services (JavaScript) that use AWS Cognito. I know that AWS Cognito is majorly designed for authentication and authorisation in serverless architecture.
But now I have a microservice written in Java using Spring Boot which is deployed behind the AWS API Gateway. The gateway is running as a proxy to the service's resources. So our client app authenticates users using Cognito and uses Authorization and API key to access our services, which have AWS_IAM and API key authenticating every request to the service on the gateway.
To perform some tasks in the service, cognitoIdentityId is required. In the case of JS lambda services we receive it in the event JSON in its context field. But I could not find any way for the Spring Boot service to receive it. Neither HttpSession nor HttpServletRequest have that info. Requests are not directly authenticated with the service, so Spring SecurityContext's principal is also empty/anonymous. The documentation on Cognito with HTTP services is very bleak and most of the discussions start and end with Lambda.
Can anyone point me in the right direction as to how to get the id?
Thanks in advance.

How can I get the response of a microservice in Spring Cloud Gateway and, after getting it, pass it to another microservice

I do not want to use feign or rest template.
My scenario is:
I need to get the JWT token from the auth service, then pass it to the order cancellation service. I do not want the user to add the returned token; rather, I want to get the token in the API gateway and then call other services.
