Microservices Architecture: Security of API
1.0) Background: Monolithic vs Microservices Architecture
1.1) Monolithic: For a long time in the IT industry, developing software meant developing one huge application containing all features.
The big problems of a monolith:
i) Issues with new features: Every deployment of a new feature can affect the stability of the entire application.
ii) Issues of scale: When the application and its user base grow, the only way to scale is to scale the entire application and its infrastructure.
1.2) Microservices: Microservices, on the other hand, are a collection of small applications, each running in its own environment, that communicate with each other through an API.
The big advantage of microservices is that each part of the application can have its own development cycle, and when the need to scale occurs, it is easy to scale only the infrastructure of the microservices that need it.
2.0) Security of API:
2.1) Users and Permissions:
In a monolithic approach, user and permission management is contained in the system like all other functionality. So it is easy to check whether a certain user has a specific role or permission.
In a microservices approach, each individual service has no notion of what the role of the current user is. Every microservice would have to validate the user against a central authentication web service to see whether the current user has the correct permissions.
2.2) Security solutions in the microservices approach:
2.2.1) JWT (JSON Web Tokens)
JWTs are an open standard based on JSON for generating access tokens. A JWT contains a header, a JSON payload and a signature.
The signature does not hide the payload: anyone holding the token can read the content of the JSON payload. But when somebody tries to alter the data, the signature no longer matches the payload, and validation of the JWT on the server will fail.
Every microservice knows the permissions required to perform a given action. So it can read the data from the passed JWT and decide locally, without having to validate against any other web service.
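An added example of the mechanism described in 2.2.1, not code from the original article: an HS256-signed JWT built and checked with only the Python standard library, showing that the payload is readable by anyone holding the token, that any alteration of the payload makes verification fail, and that a microservice can check a permission claim locally. The key, the claim names (`permissions`, `exp`) and all function names are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption); a real service loads it from a secret store.
SECRET = b"demo-shared-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    # header.payload.signature, signed with HMAC-SHA256 (HS256)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def read_payload_unverified(token: str) -> dict:
    # The payload is only base64url-encoded, so anyone holding the token can read it.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes = SECRET, now=None):
    # Returns the claims only if signature and expiry check out, otherwise None.
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # refuse "none" or any algorithm we never issue
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # payload or signature was altered
    claims = json.loads(b64url_decode(p))
    if (time.time() if now is None else now) >= claims.get("exp", float("inf")):
        return None  # expired
    return claims

def service_allows(token: str, required: str) -> bool:
    # What each microservice does locally: no round trip to a central auth service.
    claims = verify_jwt(token)
    return claims is not None and required in claims.get("permissions", [])

def tamper_payload(token: str, new_claims: dict) -> str:
    # Replace the payload but keep the original signature, to show verification then fails.
    h, _, s = token.split(".")
    return f"{h}.{b64url(json.dumps(new_claims, separators=(',', ':')).encode())}.{s}"
```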
2.2.2) API Gateway + API Key + JWT
If we want to prevent our JWT payload from being exposed outside of our network, we use the "API Gateway + API Key + JWT" setup.
How (API Gateway + API Key + JWT) works:
Step-1: API Gateway: To route every API request to the corresponding secured web service, we use a publicly accessible API gateway.
Step-2: API keys: We can have the API gateway generate unique API keys.
Step-3: Mapping of API Key and JWT: When a user performs a request with a certain API key, the API gateway will look up the correct JWT and pass that along to the underlying microservices. This way users will never have access to the information that is contained in the token.