
Session by Victor Ake and Robert Wapshott

Microservices are a melting pot of different technologies,

but the ultimate aim is the quick delivery of features. Two things come with that:


  • complexity, from the proliferation of microservices
  • security: the attack surface grows as more and more entry points are exposed.

How to protect?

  • for a monolithic app: put a gatekeeper in front to authenticate, and require a token on each request
  • for microservices: the same at the edge, but also authentication on the communication between services, using
    • tokens
    • certificates (mutual TLS between services)
    • co-locating services to reduce the attack surface
  • Stateful tokens: a central service issues and validates tokens, so every request goes back to it -> high call volume on that one service
  • Stateless tokens instead defer validation to the client (the receiving service checks the token itself)
    • but this leads to a new problem: key management
      • the token is signed, and optionally encrypted: JWT
      • so to validate it, the service needs either the signing authority's public key or the shared secret
    • how do we distribute secrets or keys?
      • JWT gives you the capability of signing with a private key, then validating in the client with the signing authority's public key
    • we can provide a service to fetch the public key (looked up by key id); shared secrets are a problem, because every validator has to hold a copy
  • Question of delegation: an id token is only to be consumed by the client (the first microservice); it shouldn't be passed on to downstream services
    • the solution may lie in the new draft OAuth2 token exchange spec (draft 7 at the time; since published as RFC 8693)
      • OAuth2 token exchange: a combined token carrying elements of the originating identity, issued for a different audience, maybe all internal services
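The stateless-validation and delegation points above, worked through as an added example (not code from the session or from the speakers): a key registry keyed by `kid` stands in for the "service to get the key", the edge service validates the id token locally, and a token-exchange step mints a fresh token for the `internal-services` audience carrying the original `sub` plus an `act` claim (the delegation claim defined by RFC 8693). To stay dependency-free it signs with HS256 from the standard library rather than RS256, so every validator holds the secret, which is exactly the shared-secret problem the notes flag; swapping the registry values for RSA public keys fetched from a JWKS endpoint is the only change needed for the asymmetric case. All issuers, audiences, key ids and secrets are constructed for the example.

```python
"""Stateless JWT validation plus token exchange for delegation (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key registry: kid -> verification key. With RS256 this would be
# the issuer's JWKS (public keys only); with HS256 every validator needs the
# shared secret itself, which is the key-distribution problem in the notes.
KEYS = {
    "idp-2024": b"idp-shared-secret-constructed",
    "sts-2024": b"sts-shared-secret-constructed",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, kid: str) -> str:
    """Issue a compact JWS (header.payload.signature) under the key named by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Validate locally, no call to the issuer: pinned alg, key by kid, exp, aud."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:  # the audience check is what stops token forwarding
        raise ValueError("wrong audience")
    return claims


def issue_id_token(subject: str, now: int) -> str:
    """Constructed IdP: the id token is addressed to the edge service only."""
    return sign_jwt({"iss": "https://idp.example", "sub": subject,
                     "aud": "edge-gateway", "iat": now, "exp": now + 300}, "idp-2024")


def exchange_token(subject_token: str, actor: str, now: int) -> str:
    """Constructed STS: validate the incoming token as the edge would, then mint a
    short-lived token for the internal audience with the original subject and an
    `act` claim naming the service acting on the user's behalf (RFC 8693)."""
    claims = verify_jwt(subject_token, expected_aud="edge-gateway", now=now)
    internal = {"iss": "https://sts.example", "sub": claims["sub"],
                "aud": "internal-services", "act": {"sub": actor},
                "iat": now, "exp": now + 120}
    return sign_jwt(internal, "sts-2024")


def downstream_accepts(token: str, now: int) -> bool:
    """What an internal service does on every request: local validation only."""
    try:
        verify_jwt(token, expected_aud="internal-services", now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = int(time.time())
    id_token = issue_id_token("alice", t)
    print("raw id token accepted downstream:", downstream_accepts(id_token, t))
    internal_token = exchange_token(id_token, "edge-gateway", t)
    print("exchanged token accepted downstream:", downstream_accepts(internal_token, t))
    print("exchanged claims:", verify_jwt(internal_token, "internal-services", t))
```

The downstream service never calls the issuer, which is the stateless property the notes want; the price is that it must already hold (or be able to fetch) the right key for each `kid`, and with HS256 that key is also a signing key, so a compromised internal service can forge tokens. That is the argument for RS256 and a public-key endpoint.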