Securing Microservice Endpoints

off.the.walls · 09-04-2018 10:54pm #1

Hey everyone,

Currently working on a project that consists of 4 separated services.

The one part i'm stuck at, and can't seem to find any good documentation on is securing the endpoints with a JWT auth service. Or any auth service.

Has anyone dealt with this before and could point me to the right direction?

Thanks.

Talisman · 10-04-2018 2:02am

What technology stack are you using on the server side?

off.the.walls · 10-04-2018 9:08am

Hey,

The stack is:

Database: MongoDB
API: NodeJS + ExpressJS
Client: Angular 5

Thanks,

John_Mc · 10-04-2018 10:08am

off.the.walls wrote: »

Hey everyone,

Currently working on a project that consists of 4 separated services.

The one part i'm stuck at, and can't seem to find any good documentation on is securing the endpoints with a JWT auth service. Or any auth service.

Has anyone dealt with this before and could point me to the right direction?

Thanks.

You would generally have a Gateway API which handles authentication & authorisation and then orchestrates calls to your microservices.

The microservices could be open but would be locked down to only accept calls from the Gateway.

Microservice endpoints should generally be small enough in function and reusable, and this makes them difficult to authorise against a users role as they could be used for a load of different functions.

Talisman · 10-04-2018 11:16am

Angular Security - Authentication With JSON Web Tokens (JWT): The Complete Guide

The blog post will pretty much walk you through a possible setup. You need to implement a JWT validation middleware on your Express routes.

JWT.io is a great resource by Auth0, be sure to grab the free ebook they provide because it will explain the inner workings of the JWT and also the security pitfalls.

counterpointaud · 10-04-2018 11:43am

John_Mc wrote: »

You would generally have a Gateway API which handles authentication & authorisation and then orchestrates calls to your microservices.

The microservices could be open but would be locked down to only accept calls from the Gateway.

Microservice endpoints should generally be small enough in function and reusable, and this makes them difficult to authorise against a users role as they could be used for a load of different functions.

This is pretty much the standard way I've seen it done. You would tend not have the microservices accessible from the internet or VPC directly, only through the gateway.

GreeBo · 10-04-2018 2:45pm

Are the 4 services totally independent or will you be chaining/orchestrating between them?

John_Mc · 10-04-2018 2:51pm

counterpointaud wrote: »

This is pretty much the standard way I've seen it done. You would tend not have the microservices accessible from the internet or VPC directly, only through the gateway.

Yeah I've worked in two different places who were transitioning to MSA and that's the way they were doing it.

You can pass the JWT token from Gateway to internal microservices so that you can still know who the requester is, just leave the authorisation to the gateway.

off.the.walls · 10-04-2018 3:42pm

GreeBo wrote: »

Are the 4 services totally independent or will you be chaining/orchestrating between them?

They do their own things 2 communicate via an events bus.

off.the.walls · 11-04-2018 5:10pm

So I managed this!

Step 1: Login - > checks user DB in the users services and generates a JWT depending on the result.
Step 2: JWT is sent on a request and contains some user data + a scope field, I'm then using expressJwtAuthz and Passport JWT strategy in order to verify it.
Step 3: On other services (no access to user db) i'm checking for some secret fields and the scope

Anyone any ideas how to secure it even more?

John_Mc · 11-04-2018 5:13pm

You obviously need everything to be running on SSL as per OAuth2 spec.

Not sure what secret fields you're verifying in #3. A JWT can easily be decoded and inspected so you should always be aware of that and put nothing sensitive in them.

Talisman · 12-04-2018 8:27am

off.the.walls wrote: »

Anyone any ideas how to secure it even more?

If you are paranoid use public key encryption within the payload. Service #1 encrypts the payload element with a private key. Service #2 has access to the public key so it can decrypt the content. Without the public key, the client has no clue what the content is.

Colonel Panic · 12-04-2018 9:39am

TLS for the transport coupled with a HMAC token as a header for verification of both sender and message.

Jim2007 · 13-04-2018 12:58pm

Micro services tend to work best if delivered in some kind of container environment such as Docker. Take a look at their security model, you only need to lock down the points you expose to the public from the container environment. Locking down every micro service hits performance and adds complexity when you want to deploy a micro service as a component of some other solution down the line.

Giblet · 19-04-2018 4:16pm

API Gateway as public API, orchestrating internal calls to underlying Microservices.

I would use Resource Owner flow with OAuth and Reference Tokens if Token introspection is needed, JWT isn't 100% going to be secure, and cannot be revoked easily.

Securing Microservice Endpoints

Comments