Session by Victor Ake and Robert Wapshott
Microservices represent a melting pot of different technologies
But the ultimate aim is quick delivery of features
- complexity from the proliferation of microservices
- security: the attack surface grows as more and more entry points are exposed
How to protect?
- for a monolithic app: put a gatekeeper in front to authenticate and require a token on each request
- for microservices: the same, but communication between services also needs authentication, using
  - tokens
  - certificates
  - co-location, to reduce the attack surface
- Stateful: a central service issues and validates tokens -> high volume
- Stateless tokens, though, defer responsibility to the client
- but this leads to a new problem: key management
- token signed and encrypted - JWT
- so to validate, you need the public key or the shared secret
- how do we distribute secrets or keys?
- JWT gives you the capability of signing with a private key, then validating in the client with the public key of the signing authority
- we can provide a service to get the public key, but shared secrets are a problem!
- Question of delegation: the id token is only to be consumed by the client (the first microservice); it shouldn't be passed on
- Solution maybe lies in the new draft of the OAuth2 spec (7)
- OAuth2 token exchange: a combined token with elements of the originating id token, for a different audience: maybe all internal services
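Added example (not from the session): a minimal ES256 JWT issue/verify pair in Go that shows the points above in code: the authority signs with its private key, any service validates with only the public key, and the audience check is what stops an id token meant for the first service from being accepted downstream; token exchange is then "verify for the first service's audience, re-issue for the internal audience". The key pair, the `Claims` struct, `Sign`/`Verify` and the audience names are this example's own assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding
// Constructed for this example: the signing authority's key pair; only the authority holds the private half.
var authorityKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
// Claims is the minimal JWT payload used here: "sub" = who, "aud" = which service may accept the token.
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
}
// Sign issues a compact ES256 JWS (base64url header.payload.signature) with the authority's private key.
func Sign(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 signature is r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}
// Verify needs only the public key; it ignores the header's "alg" (always ES256, so a forged header cannot downgrade the check) and enforces "aud" before any claim is trusted.
func Verify(pub *ecdsa.PublicKey, token, wantAud string) (c Claims, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return c, errors.New("malformed token") }
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	sig, err := b64.DecodeString(p[2])
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, errors.New("signature invalid")
	}
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, errors.New("bad payload")
	}
	if c.Aud != wantAud {
		return Claims{}, errors.New("audience mismatch: token was not issued for this service")
	}
	return c, nil
}
```

An internal service calling `Verify(pub, idToken, "internal")` on a token minted for the edge service gets the audience error even though the signature is valid; the exchange step is `Verify` for the edge audience followed by `Sign` of the same subject for the internal audience.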