Microservices and API security


For many years, developing software meant developing one huge application containing all features. The big problem with this monolithic approach is that every new feature or deploy can have an impact on the stability of the entire application. Also, when the application and its user base grow, the only way to scale is to scale the entire application and its infrastructure. Microservices, on the other hand, are a collection of small applications, each running in its own environment and communicating through an API. The big advantage of microservices is that each part of the application can have its own development cycle, and when the need to scale arises, it is easy to scale only the infrastructure of the microservices that need it.


Users and permissions

In a monolithic application, user and permission management is contained in the system like all other functionality, so it is easy to check whether a certain user has a specific role or permission. With microservices, on the other hand, each individual service has no notion of what the role of the current user is. Every microservice would have to validate the user against a central authentication web service to see if the current user has the correct permissions.


JSON Web Tokens

JSON Web Tokens are an open standard based on JSON for generating access tokens. A JWT consists of a header, a JSON payload and a signature. The signature does not hide the payload: anyone holding the token can read its content. But as soon as the payload is altered, the signature no longer matches it, and validating the JWT on the server will fail. Every microservice knows the permissions required to perform a given action, so it can read the data from the passed JWT without having to validate against any other web service.
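The token flow described above, as an added example that is not part of the original article: a minimal HS256 JWT issued by the auth service, verified locally by a microservice, and a role claim checked per request. The key, the claim names and the function names are constructed for this illustration; production code would use a maintained JWT library rather than hand-rolled encoding.

```python
import base64, hashlib, hmac, json

# Constructed sample key: shared by the central auth service and every microservice
SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def issue_jwt(claims: dict, key: bytes) -> str:
    # The auth service signs "header.payload" with HMAC-SHA256 (HS256)
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def read_payload_unverified(token: str) -> dict:
    # Anyone holding the token can read the payload: it is encoded, not encrypted
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes):
    # A microservice recomputes the signature locally (no round trip to the auth service); returns claims or None
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # accept only the algorithm the tokens were issued with
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError):  # wrong segment count, bad base64 or bad JSON
        return None

def alter_role(token: str, new_role: str) -> str:
    # Rewrites the payload but keeps the old signature, as a tampered token would
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["role"] = new_role
    return f"{header}.{_b64url(_json(claims))}.{sig}"

def authorize(token: str, required_role: str, key: bytes) -> bool:
    # Per-request check inside a microservice: validate first, then read the claim it needs
    claims = verify_jwt(token, key)
    return claims is not None and claims.get("role") == required_role
```

`read_payload_unverified` shows why the API gateway section below matters: the role is readable by whoever holds the token, even though it cannot be changed without the key.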


API Gateway

To route every API request to the corresponding secured web service, we use a publicly accessible API gateway. If we want to prevent our JWT payload from being exposed outside our network, we can have the API gateway generate unique API keys. When a user performs a request with a certain API key, the API gateway looks up the corresponding JWT and passes it along to the underlying microservices. This way users never have access to the information contained in the token.