I need to use ActiveMQ to communicate between microservices, and the system has access control to limit user actions. I already check the user at the RESTful endpoint with Spring Security. After authentication, I send a message to the queue. Do I need to verify the user again? If yes, how can I pass the user credentials through ActiveMQ?
If it is a microservices architecture already, and, as you said, you have an authentication/authorization microservice, then there is no point duplicating the checks all over again.
The best approach is to let the Gateway-Service do the authentication/authorization thing.
Usually it is bound to the service implementing Zuul, so that all calls to a specific service URL get intercepted by that gateway, which applies whatever security policies you have.
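The question also asks how credentials travel with a queue message. The following is an added example, not code from the question or the answer above: the producer attaches the already-validated bearer token to the JMS message as a string property, and the consumer re-validates it (signature, issuer, expiry) with Spring Security's JwtDecoder and enforces a role before acting on the message, so a message injected directly onto the broker cannot bypass the REST-side check. It assumes Spring Boot with spring-jms, the ActiveMQ starter and spring-boot-starter-oauth2-resource-server on both sides; the queue name, the "Authorization" property name, the "roles" claim and the ORDER_WRITER role are assumptions.

```java
// Added example (not from the question or the answer): propagate the caller's
// bearer token as a JMS message property and re-validate it in the consumer.
// Assumed: queue name, "Authorization" property name, "roles" claim, ORDER_WRITER role.
import org.springframework.jms.annotation.JmsListener;
import org.springframework.jms.core.JmsTemplate;
import org.springframework.messaging.handler.annotation.Header;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;

import java.util.List;

@Component
public class OrderMessaging {

    static final String QUEUE = "orders.create";          // assumed queue name
    static final String TOKEN_PROPERTY = "Authorization"; // assumed JMS property name

    private final JmsTemplate jmsTemplate;
    private final JwtDecoder jwtDecoder; // configured with the auth server's JWK set URI

    public OrderMessaging(JmsTemplate jmsTemplate, JwtDecoder jwtDecoder) {
        this.jmsTemplate = jmsTemplate;
        this.jwtDecoder = jwtDecoder;
    }

    /** Producer side: called from a REST controller after Spring Security authenticated the request. */
    public void publish(String orderJson) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof JwtAuthenticationToken)) {
            throw new IllegalStateException("no authenticated JWT in the security context");
        }
        String rawToken = ((JwtAuthenticationToken) auth).getToken().getTokenValue();
        // Attach the raw bearer token as a property; the message body carries no identity claims.
        jmsTemplate.convertAndSend(QUEUE, orderJson, message -> {
            message.setStringProperty(TOKEN_PROPERTY, rawToken);
            return message;
        });
    }

    /** Consumer side: verify the token again and enforce the role before doing any work. */
    @JmsListener(destination = QUEUE)
    public void consume(String orderJson, @Header(TOKEN_PROPERTY) String rawToken) {
        Jwt jwt;
        try {
            jwt = jwtDecoder.decode(rawToken); // checks signature, issuer and expiry
        } catch (JwtException e) {
            // Reject rather than process: a forged or expired token must not create an order.
            throw new SecurityException("rejected message with invalid token", e);
        }
        List<String> roles = jwt.getClaimAsStringList("roles"); // assumed claim name
        if (roles == null || !roles.contains("ORDER_WRITER")) {
            throw new SecurityException("subject " + jwt.getSubject() + " may not create orders");
        }
        createOrder(jwt.getSubject(), orderJson);
    }

    private void createOrder(String subject, String orderJson) {
        // business logic placeholder
    }
}
```

Throwing from the listener makes the broker redeliver the message and, after the configured redelivery limit, move it to the dead-letter queue; that is the right place for a rejected token to end up, where it can be alerted on, rather than being silently dropped. A token that is valid at publish time may have expired by the time a backlog is consumed, so the consumer should treat expiry as a hard failure, not extend the token's life.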
One can define an OAuth2 server easily based on the Quarkus documentation.
quarkus.oauth2.client-id=XXXX
quarkus.oauth2.client-secret=YYYY
quarkus.oauth2.introspection-url=https://example.com/oauth2/...
How should I configure Quarkus if I have to give users the option to choose their own OAuth2 provider (GitHub, GitLab, whatever)?
One solution can be running separate Quarkus instances for each OAuth2 provider.
If you need all requests to be sent to the same path and port, a mediator instance can be created to handle requests and send them to the appropriate instance with the chosen OAuth2 provider.
I currently have a doubt about how people are doing this the right way.
As of today I have a Spring Cloud Gateway microservice and behind it I have two other microservices: the security microservice is tasked with registering clients, log in, logout and validating JWTs; the other microservice is one that I have mainly for CRUD.
My problem is that I had the idea that in my Spring Cloud Gateway I was going to redirect first EVERY request to the /token endpoint in my security microservice to validate the JWT and, if it's successful, reroute the request back to where it was initially requested, for example "/clients".
My gateway doesn't handle anything about security or tokens; that is just the task of the other security microservice. How are people doing it these days? If I want to go this route, is it possible?
I have been looking to implement my idea but haven't found something like this, or whether this idea is actually bad and I should migrate my security microservice to be in the gateway somehow.
I am new to the Spring microservice world. As I am in the learning phase, I tried and implemented the following things:
Authentication/Authorization as a separate microservice
Routing (Able to route using Spring cloud gateway)
Load balancing (Netflix Eureka)
Rate Limit and Circuit Breaker (Resilience4j)
I just need some clarification and suggestions on what to do in these situations:
I have already created Authentication/Authorization as a separate, centralized microservice.
Now how can I implement it such that every request must contain a JWT token and pass through the API gateway to call the other microservices? It should also check which user has permission to access the API in the other microservice.
If someone has a good source so that I can learn, please do share, or if someone has a basic skeleton on GitHub.
Requests from outside your cluster should be intercepted/validated by Zuul (for example), which will be your gatekeeper; it will pass the request to the request checker, in this case your authentication service, where the acquired token will be validated (this should exist in the header of the request). Once tokens are validated, the request will be routed to the authorization service to check if the user has access to the particular endpoint based on your rules defined for access.
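Both the Spring Cloud Gateway question above and this answer describe the same pattern: the gateway validates the bearer token with the security service, applies the access rules, and only then forwards the request to the target service. Here is an added example of that pattern as a Spring Cloud Gateway GlobalFilter; it is not code from either post. It assumes the reactive Spring Cloud Gateway, a security service registered in Eureka as security-service and reached through a load-balanced WebClient.Builder, a GET /token/validate endpoint on that service (assumed name) that answers 200 with a JSON body containing "subject" and "roles" for a valid token and 401 otherwise, and that paths under /auth/ are the public login endpoints.

```java
// Added example (not from the question or the answer): a Spring Cloud Gateway
// GlobalFilter that validates the bearer token with the security service
// before any route is forwarded. Assumed: service name "security-service",
// endpoint /token/validate and its response shape, public prefix /auth/,
// the path-to-role rules, and the X-User-Subject header name.
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.util.List;

@Component
public class TokenValidationFilter implements GlobalFilter, Ordered {

    private final WebClient securityClient;

    // The injected WebClient.Builder is assumed to be @LoadBalanced so that
    // "security-service" resolves through Eureka.
    public TokenValidationFilter(WebClient.Builder builder) {
        this.securityClient = builder.baseUrl("http://security-service").build();
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String path = exchange.getRequest().getURI().getPath();
        if (path.startsWith("/auth/")) {          // login/register stay public (assumption)
            return chain.filter(exchange);
        }
        String authHeader = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
            return reject(exchange, HttpStatus.UNAUTHORIZED);
        }
        return securityClient.get()
                .uri("/token/validate")
                .header(HttpHeaders.AUTHORIZATION, authHeader)
                .retrieve()
                .bodyToMono(TokenInfo.class)
                .flatMap(info -> {
                    if (!allowed(path, info.roles)) {
                        return reject(exchange, HttpStatus.FORBIDDEN);
                    }
                    // Overwrite (never merge) the identity header so a client cannot spoof it,
                    // and keep the original bearer token so downstream services can re-check it.
                    ServerWebExchange mutated = exchange.mutate()
                            .request(r -> r.headers(h -> h.set("X-User-Subject", info.subject)))
                            .build();
                    return chain.filter(mutated);
                })
                // A 401 from the security service (invalid/expired token) becomes a 401 to the client.
                .onErrorResume(WebClientResponseException.class,
                        e -> reject(exchange, HttpStatus.UNAUTHORIZED));
    }

    // Coarse path-to-role rules; in a real deployment these come from configuration.
    private boolean allowed(String path, List<String> roles) {
        if (path.startsWith("/clients")) {
            return roles != null && roles.contains("ADMIN");
        }
        return roles != null && !roles.isEmpty();
    }

    private Mono<Void> reject(ServerWebExchange exchange, HttpStatus status) {
        exchange.getResponse().setStatusCode(status);
        return exchange.getResponse().setComplete();
    }

    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE; // run before the routing filters
    }

    /** Shape of the security service's validation response (assumed). */
    public static class TokenInfo {
        public String subject;
        public List<String> roles;
    }
}
```

Because the gateway calls the security service on every request, that service is on the hot path; the usual mitigation is for the security service to issue signed JWTs and for the gateway to verify the signature locally (as the answer further down this page suggests) and call out only for revocation checks. Whatever the gateway decides, the downstream services should still verify the token themselves, since anything that can reach them on the cluster network bypasses the gateway entirely.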
I'm developing a back-end with a microservices architecture. I'm new to that architecture and for now I have developed 3 microservices (RESTful web services, with Spring Boot), each in a container.
I want to implement OAuth2 and JWT REST protection and a gateway.
Is it correct to implement a gateway with Authorization Server and Resource Server?
Am I doing something wrong about the architecture?
Thanks for the replies
As per the standard, one should not mix the gateway with authorization because the two purposes are different.
Gateway
A gateway can be differentiated in two ways: internal and external. The purpose of a gateway is to route the call from external or internal clients to the protected resource.
Authorization Server
The authorization server comes into the picture for identity and access management. All requests coming from external or internal clients via the gateway should be authenticated or authorized before routing the call to the protected resource, with a JWT or access token etc.
https://medium.com/swlh/authentication-and-authorization-in-microservices-how-to-implement-it-5d01ed683d6f
Authentication and Authorization - There should be a separate service that authenticates the user (like supporting an OAuth0 type of protocol and providing a JWT token). Your frontend should call the API Gateway.
Now the question is at what granular level you are maintaining permissions: only a small set of roles, or a granular permission set. Now the API Gateway should communicate with the authorization server with the JWT and get the set of roles and permissions. Based on the same, the API gateway should forward or block the call to the microservice.
Even if you have a small set of roles and the JWT can be extracted and validated by the gateway, avoid keeping the same at the gateway, as there are chances that you will have to extract the functionality to some other service in the near future.
Here is the authorization service. It has endpoints to log in and receive a JWT using either a custom username/password or social OAuth (Facebook, GitHub etc.).
I have a Eureka server set up and a Zuul gateway service. From what I understand, there are two ways to go about implementing secure microservices. You either proxy requests through the auth service, or you send requests to the requested service (e.g. Service A) and service A authorizes using the auth service.
I would like to use the second way; however, I'm having trouble implementing it. Is my understanding correct? Is there a way to set up service A somehow so that certain paths (configured using Ant matchers) will have to authorize using the auth service, which will set the SecurityContext appropriately and inject a UserPrincipal into the request? If anyone can point me to a good guide for this, that would be much appreciated.
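The second approach in the question maps directly onto Spring Security's resource-server support: service A verifies the JWT the auth service issued, using the auth service's published signing keys, and the Ant matchers decide which paths need it. The following is an added example, not code from the question or from the author's auth service. It assumes Spring Boot 2.x / Spring Security 5.x with spring-boot-starter-oauth2-resource-server, that the auth service exposes its JWK set at http://auth-service/.well-known/jwks.json (assumed URL, resolvable through Eureka or a sidecar), that roles are carried in a "roles" claim (assumed), and the path layout /public, /api and /admin.

```java
// Added example (not from the question): service A as an OAuth2 resource server.
// Only the paths matched below require a JWT issued by the auth service; a valid
// token becomes a JwtAuthenticationToken in the SecurityContext and controllers
// can inject the principal. Assumed: JWK set URL, "roles" claim, path layout.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class ServiceASecurityConfig extends WebSecurityConfigurerAdapter {

    static final String JWK_SET_URI = "http://auth-service/.well-known/jwks.json"; // assumed

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // stateless bearer-token API, no session cookie to protect
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll() // fail closed for paths nobody thought about
            .and()
            .oauth2ResourceServer()
                .jwt()
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(jwtAuthenticationConverter());
    }

    // Fetches and caches the auth service's public keys; a token with an unknown
    // signature or past expiry is rejected with 401 before any controller runs.
    JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
    }

    // Map the "roles" claim (assumed name) to ROLE_* authorities so hasRole() works.
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

@RestController
class WhoAmIController {
    // The validated token is the principal; no per-request call back to the auth service.
    @GetMapping("/api/whoami")
    public String whoAmI(@AuthenticationPrincipal Jwt jwt) {
        return jwt.getSubject();
    }
}
```

With this setup service A never proxies through the auth service at request time: it trusts the auth service's signing key, which the decoder fetches once and refreshes as keys rotate. The trade-off is that a token stays valid until it expires even if the user logs out at the auth service, so keep access tokens short-lived or add a revocation check for the sensitive paths.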