This could sound like a very noob question, so let me apologies first.
We have multiple lambda services (JavaScript) added that uses AWS cognito. I know that AWS cognito is majorly designed for authentication and authorisation in serverless architecture.
But now I have a microservice written in Java using spring boot which is deployed behind the AWS api gateway. The gateway is running as a proxy to the service's resources. So our client app authenticates users using cognito and used Authorization and api key to access our services which have AWS_IAM and api key authenticating every request to the service on the gateway.
To perform some tasks in the service cognitoIdentityId is required. In case of JS lambda services we receive it in the event json in its context field. But I could not find any way for the spring-boot service to receive it. Neither HttpSession nor HttpServletRequest have that info. Requests are not directly authenticated with the service so spring SecurityContext's principal is also empty/anonymous. The documentation on cognito with http services is very bleak and most of the discussions starts and ends with Lambda.
Can anyone point me to the right direction as how to get the id?
Thanks in advance.
Related
I have 2 secured resource microservices and 1 authentication service and another API Gateway.
Authentication service can generate JWT Token given username and password. It also can validate a JWT token.
So, I want to implement security at the API Gateway only such that on receiving a request, it will first fetch a bearer token from the authentication service and forward the request to the secured resource service. I would like to get some idea how to implement that in API Gateway. Should I make it just in an aggregate fashion, like it would be a sync call which will first make a request to auth service and next forward the request to resource service?
Now, if I want to add the support of OAuth as well, which I know the spring cloud API Gateway already has the support for this via global filters.
But, I am wondering about the legacy bearer token which is generated by the custom authentication service.. How do I ensure this?
Any suggestion would be appreciated.
Thanks in advance!
I am new to spring microservice world. As I am in learning phase, I tried and implemented the following things.
Authentication/Authorization as a separate microservice
Routing (Able to route using Spring cloud gateway)
Load balancing (Netflix Eureka)
Rate Limit and Circuit Breaker (Resilience4j)
I just need certain clarification and suggestion on what to do in these situations:
As I already had created Authentication/Authorization as a separate microservice centralized.
Now how can I implement such that every request must contain jwt token and pass-through API gateway to call other microservice also it should check which user has permission to access API in other microservice
If some has same good source so that I can learn please do share or if someone has a basic skeleton on GitHub.
Requests from outside your cluster should be intercepted/validated by Zuul (example) will be your gatekeeper which will pass the request to the request checker in this case would be your authentication service where the acquired token will be validated (this should exists at the header of the request). One tokens are validated, the request will be routed to the authorization service to check if the user has access to particular endpoint based on your rules defined for access.
Here is the authorization service. It has endpoints to login and receive a JWT using either a custom username/password or social OAuth (Facebook, GitHub etc.).
I have a Eureka server setup and Zuul gateway service. From what I understand, there are two ways to go about implementing secure microservices. You either proxy requests through the auth service, or you send requests to the requested service (Ex. Service A) and service A authorizes using the auth service.
I would like to use the second way, however I'm having trouble implementing it. Is my understanding correct? Is there a way to setup service A somehow so that certain paths (configured using Ant matchers) will have to authorize using the auth service, which will set the SecurityContext appropriately and inject a UserPrincipal into the request. If anyone can point me to a good guide for this that would be much appreciated.
All of my Micro Services, checking client access token validation using Rest API call to against my Authorization micro service which make a coupling between all the services to the Authorization Micro Service. The problem is that the token located only on the Authorization service Database. Is there a better way to do it instead of rest api?
Usually i prefer amqp over Rest API to avoid coupling but i can't see other option. Could someone help with that?
I'm wondering what to do with an API Endpoint when using a API Gateway. For example when you following the tutorial here: https://wiredcraft.com/blog/securing-components-in-a-microservice-context
You are using keycloak and kong (api-gateway) to secure the api. With kong you're getting an new Endpoint under http://localhost:8000/data. But the "original" express Server is still listening on http://localhost:3001/data.
That means that when a user/attacker knows the url of the "orignal" service and doesn't use the kong url (port 8000) he/she can still work with the api.
So my question is about the strategy and what to do with the original api? How could that be secured. Shall we implement the keycloak request on the api as well? But where are the benefits of kong then?
Your API gateway gives you a single entrypoint that simplifies how client applications access your services. You could add keycloak security on the gateway and not on the services behind - perhaps if you've a setup where you can block network access for clients to any services except the gateway. But even then you might still want the gateway and keycloak on the services behind.
The reason you might put keycloak on the services behind is because they are likely to need to know the identity of the user making the request. If they are going to read the token anyway then it might be most straightforward to add keycloak to them. And you'd still want the gateway to simplify life for clients. You'd then also want the gateway to forward the token to the services behind the gateway. (We're using keycloak and spring cloud gateway on the Activiti Cloud project and this is essentially how we decided to secure the services themselves with keycloak and have the gateway forward the token to them.)