Spring Cloud Gateway for Stateless Microservice Authorization

42,385 views

SpringDeveloper

4 years ago

Improving and maintaining tech agility, time to market, and application modernization is challenging as the number of microservices we own and manage grows. How do you track who uses your applications? How can you establish and enforce common policies or flows to authenticate and authorize permissible use? How can you ensure effective governance?
In this talk, we'll share the approach at TD Ameritrade to solve these cross-cutting functions in an efficient and effective way. We'll discuss why and how we decided on API Gateway using Spring Cloud Gateway; the different use cases we're solving; our implementation for authentication and authorization leveraging IDP, OAuth2, and JSON web tokens; and how we brought the whole solution together for microservices running on Pivotal Platform.
Architects and developers attending this talk will see how the API Gateway pattern can help to successfully modernize web platforms with greater tech agility and faster time to market.
Speakers: Saravanan Paramasivam; Software Engineer, TD Ameritrade; Chris Jackson; Senior Developer, TD Ameritrade; Taher Saif; Sr. Manager, TD Ameritrade
Filmed at SpringOne Platform 2019
Slides: www.slideshare.net/SpringCent...

Comments: 28
@qwarlockz8017, 4 years ago
Def great vid. Thanks for the clear and clean explanations.
@ChinmayaDas, 4 years ago
Could you please share a sample code implementation of the external IDP and token exchange example?
@qinlingzhou8815, 3 years ago
JWT is one of the best choices for Microservice AuthZ per my dev experience so far.
@guillermopereira2132, 4 years ago
Where can I find some example of your gateway API? Did you use an authorization code for the first token and client credentials for the second?
@khajalieubarrie5088, 1 year ago
Just for those of us watching this now: monolithic architecture is not old school. It should in fact be the de facto standard to start writing your application using a "Modular" approach until you find the need to migrate to "Microservices".
@ogyct, 3 years ago
I'd like to get more information on how the access token between the FE and the gateway acts. What if the IDP doesn't support that?
@cookies4techies992, 3 years ago
How does each microservice verify that the JWT token it receives is the valid one? Even if it verifies that it is valid by calculating, decoding and decrypting, how does it identify that this user request is an authorized one?
@Quester82, 1 year ago
Each service has a mechanism to decode the JWT token addressed to it and, after extracting the roles contained within the JWT, decides what to do with the request. Basically, every service has its own authorisation mechanism.
@venkateswaran8752, 4 years ago
Please share sample code.
@princegovind, 4 years ago
Can someone post a GitHub link for this?
@kellyfj, 4 years ago
FWIW, the JWT standard says encryption is optional.
@thanhlongtruong2713, 4 years ago
Hi! Why do we need to forward the JWT token to the microservices? Is it used to provide user information?
@valour.se47, 4 years ago
I could be wrong, but what I understand is that a JWT token has three parts, one of which holds user information. So when you have roles set for users, that role information will be in the token, so that services can decide whether they allow or deny the request.
@alexisgc19, 4 years ago
In short, yes. It provides user information (id, roles, ...) to the services behind the gateway.
@alexisgc19, 4 years ago
At 24:40 "All the information needed to complete a particular request is sent along with JWT in the Authorization header"
@mikedqin, 4 years ago
My understanding: 1) A JWT token is self-contained and signed; when the Resource Server receives it, it can verify that the JWT token is valid with no need to contact the Authorization Server. 2) A JWT token can contain claims for authorization purposes and is not limited to the UserInfo claim, so in a scenario where the Authorization Server receives the JWT token (not in this video), it can decide whether the request should be granted or not. 3) For the Token Exchange in the video above, the main purpose I guess is point 1): the Resource Server gets what it needs, it can validate the token, and there is no need to validate it with the Authorization Server, so no additional call is needed. 4) The API Gateway acts as the Authorization Client, i.e. an OAuth2 Client. 5) Alternatively, the Authentication Server can generate a JWT token with a UserInfo claim. The client can pass the token to the Authorization Server for authorizing the request. In this case, there is no Token Exchange.
@myobpro8516, 3 years ago
But how do you want to protect your microservices from unauthorized access?
@kellyfj, 4 years ago
Also, at 29:01, FYI: signing is not the same as encryption.
@massiveblackwood, 3 years ago
Code example?
@adityabansal4033, 4 years ago
How will the microservices verify whether the JWT is valid or not?
@andresmtz98, 3 years ago
It's the IDP's responsibility, I think.
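The local verification that @mikedqin and @Quester82 describe, together with @kellyfj's point that a JWT is signed rather than encrypted, as an added example that is not code from the talk, from TD Ameritrade or from Spring Cloud Gateway. It assumes a constructed HS256 shared secret standing in for the IdP's key (real deployments usually verify an RS256 signature with the IdP's public key), and the claim names sub, roles and exp are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the (hypothetical) IdP and the resource service.
# Real deployments usually use RS256 with the IdP's public key; HS256 keeps this stdlib-only.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP / token exchange: HS256-sign a claim set. Nothing is encrypted."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def read_claims_unverified(token: str) -> dict:
    """Anyone holding the token can read its claims without any key: a JWS is signed, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_token(token: str, key: bytes = SHARED_SECRET, now=None):
    """Resource-service side: check signature and expiry locally, with no call to the IdP; None on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers a wrong number of segments, bad base64 and bad JSON
        return None
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:  # an exp claim is required here
        return None
    return claims

def authorize(token: str, required_role: str, **kw) -> bool:
    """Each service makes its own decision from the roles claim, as @Quester82 describes."""
    claims = verify_token(token, **kw)
    return claims is not None and required_role in claims.get("roles", [])
```

Note that read_claims_unverified succeeds on a token whose roles claim was altered after signing, while verify_token rejects it: reading a JWT proves nothing, only checking the signature does.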
@pradhyumnakandamuru, 11 months ago
It would have been great if there had been a practical example of the implementation. That could have really helped.
@noimah, 3 years ago
Aggregating data on the gateway can be problematic; I would not recommend that. Don't put business logic on the gateway.
@kenmagg, 4 years ago
Why offload something as important as identity to a third party? That seems like a security issue...
@kellyfj, 4 years ago
Why offload your infrastructure to the cloud? Wouldn't that be a security issue too?
@kenmagg, 4 years ago
@@kellyfj There's on-prem or colo vs cloud... Different levels of security for different things. Login/auth, you'd think, would be high security.
@shubitoxX, 3 years ago
Whether it is a 3rd party or not is completely up to you