6. Securing a microservice system
1. Secure each micro frontend
2. Secure each REST API micro service
3. Secure async messaging flows
4. Don’t affect performance
5. Don’t leak micro service architecture to the user
10. OAuth2 (RFC 6749)
• Industry-standard protocol for authorization
• Supersedes the work done on the original OAuth protocol created in 2006
• Multiple flows (‘grants’)
• Clients are issued ID and Secret
11. Bearer Tokens (RFC 6750)
• Sent to downstream REST APIs via Authorization header
• Can be opaque or JWT
• Provides for session-less APIs
12. JWT (RFC 7519)
• JSON Web Token
• Encoded, digitally signed, self-describing
• Can be validated programmatically
13. JWK (RFC 7517)
• JSON Web Keys
• Provides for asymmetric signing of JWT
• Thou shalt never useth symmetric signing (promise!)
15. Identity provider
• Assists with OAuth2 authorization_code grant
• Challenges with user and password
• Optionally provides 2-factor auth
• Optionally federates with other systems using SAML
• Mints bearer tokens from authorization codes
20. UI endpoint middleware
router.use("/mypath", authHandler.checkAuth, mypathController);
• Redirects to login if not authenticated
• Synchronizes with other leaders
• Refreshes bearer token if expired
31. Securing a microservice system
1. Secure each micro frontend
2. Secure each REST API micro service
3. Secure async messaging flows (MQ and web sockets)
4. Don’t affect performance
5. Don’t leak micro service architecture to the user