Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Securing Microservice Endpoints

  • 09-04-2018 9:54pm
    #1
    Registered Users, Registered Users 2 Posts: 1,298 ✭✭✭


    Hey everyone,

    Currently working on a project that consists of 4 separated services.

    The one part i'm stuck at, and can't seem to find any good documentation on is securing the endpoints with a JWT auth service. Or any auth service.

    Has anyone dealt with this before and could point me to the right direction?

    Thanks.


Comments

  • Registered Users, Registered Users 2 Posts: 6,289 ✭✭✭Talisman


    What technology stack are you using on the server side?


  • Registered Users, Registered Users 2 Posts: 1,298 ✭✭✭off.the.walls


    Hey,

    The stack is:

    Database: MongoDB
    API: NodeJS + ExpressJS
    Client: Angular 5

    Thanks,


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    Hey everyone,

    Currently working on a project that consists of 4 separated services.

    The one part i'm stuck at, and can't seem to find any good documentation on is securing the endpoints with a JWT auth service. Or any auth service.

    Has anyone dealt with this before and could point me to the right direction?

    Thanks.

    You would generally have a Gateway API which handles authentication & authorisation and then orchestrates calls to your microservices.

    The microservices could be open but would be locked down to only accept calls from the Gateway.

    Microservice endpoints should generally be small enough in function and reusable, and this makes them difficult to authorise against a users role as they could be used for a load of different functions.


  • Registered Users, Registered Users 2 Posts: 6,289 ✭✭✭Talisman


    Angular Security - Authentication With JSON Web Tokens (JWT): The Complete Guide

    The blog post will pretty much walk you through a possible setup. You need to implement a JWT validation middleware on your Express routes.

    JWT.io is a great resource by Auth0, be sure to grab the free ebook they provide because it will explain the inner workings of the JWT and also the security pitfalls.


  • Registered Users, Registered Users 2 Posts: 403 ✭✭counterpointaud


    John_Mc wrote: »
    You would generally have a Gateway API which handles authentication & authorisation and then orchestrates calls to your microservices.

    The microservices could be open but would be locked down to only accept calls from the Gateway.

    Microservice endpoints should generally be small enough in function and reusable, and this makes them difficult to authorise against a users role as they could be used for a load of different functions.

    This is pretty much the standard way I've seen it done. You would tend not have the microservices accessible from the internet or VPC directly, only through the gateway.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 27,370 ✭✭✭✭GreeBo


    Are the 4 services totally independent or will you be chaining/orchestrating between them?


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    This is pretty much the standard way I've seen it done. You would tend not have the microservices accessible from the internet or VPC directly, only through the gateway.

    Yeah I've worked in two different places who were transitioning to MSA and that's the way they were doing it.

    You can pass the JWT token from Gateway to internal microservices so that you can still know who the requester is, just leave the authorisation to the gateway.


  • Registered Users, Registered Users 2 Posts: 1,298 ✭✭✭off.the.walls


    GreeBo wrote: »
    Are the 4 services totally independent or will you be chaining/orchestrating between them?

    They do their own things 2 communicate via an events bus.


  • Registered Users, Registered Users 2 Posts: 1,298 ✭✭✭off.the.walls


    So I managed this!

    Step 1: Login - > checks user DB in the users services and generates a JWT depending on the result.
    Step 2: JWT is sent on a request and contains some user data + a scope field, I'm then using expressJwtAuthz and Passport JWT strategy in order to verify it.
    Step 3: On other services (no access to user db) i'm checking for some secret fields and the scope :)

    Anyone any ideas how to secure it even more?


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    You obviously need everything to be running on SSL as per OAuth2 spec.

    Not sure what secret fields you're verifying in #3. A JWT can easily be decoded and inspected so you should always be aware of that and put nothing sensitive in them.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6,289 ✭✭✭Talisman


    Anyone any ideas how to secure it even more?
    If you are paranoid use public key encryption within the payload. Service #1 encrypts the payload element with a private key. Service #2 has access to the public key so it can decrypt the content. Without the public key, the client has no clue what the content is.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭Colonel Panic


    TLS for the transport coupled with a HMAC token as a header for verification of both sender and message.


  • Moderators, Business & Finance Moderators Posts: 10,613 Mod ✭✭✭✭Jim2007


    Micro services tend to work best if delivered in some kind of container environment such as Docker. Take a look at their security model, you only need to lock down the points you expose to the public from the container environment. Locking down every micro service hits performance and adds complexity when you want to deploy a micro service as a component of some other solution down the line.


  • Registered Users, Registered Users 2 Posts: 11,990 ✭✭✭✭Giblet


    API Gateway as public API, orchestrating internal calls to underlying Microservices.

    I would use Resource Owner flow with OAuth and Reference Tokens if Token introspection is needed, JWT isn't 100% going to be secure, and cannot be revoked easily.


Advertisement