I have a microservices-based architecture where microservices are running in Cloud Foundry and expose REST interfaces. These REST interfaces are invoked by browsers.
I have a requirement that REST calls originating from browsers should be authenticated while requests made from one Microservice to another need not be authenticated.
Since I'm using OAuth2, the REST calls originating from browsers would carry JWT and the microservice is expected to verify this JWT. However, requests originating from microservices will not carry JWT and the peer microservice is expected to detect that the request is originating from within Cloud Foundry and hence allow it to pass through. We are using Spring Security filters.
How can a microservice detect if the request is originating from outside Cloud Foundry?
For context, I'm very new to writing services, using Azure Relay, and Swagger, but I'm on the right track.
I have legacy WCF services that I'm writing a proxy wrapper for with ASP MVC Core, then I'm using Azure Relay hybrid connection to expose them for use to avoid firewall things.
When I run my application, Swagger shows my APIs and the relevant documentation:
I have created 2 hybrid relays in Azure. One that "Requires Client Authorization" and one that does not.
The code I'm using is pictured below to switch between (1) no AZ relay, (2) AZ relay with no auth, and (3) AZ relay with auth.
When I run using the Azure relay with no auth (2), I can see the API documentation:
When I run using the Azure relay with auth (3), I just get a token required.
I know how to call the APIs with a SAS token, but is it possible to somehow view/interact with the Swagger documentation?
How do I interact with the web-front of an API when the API (not documentation) itself needs to be secure?
I am running a single Django project as a microservice in Docker, so I am running multiple Django projects for multiple microservices in Docker, and I am able to set up an auth server (OAuth or JWT) and user management for each microservice individually.
Is it possible to create a single auth server (user management, permissions) for multiple microservices in Docker?
If it is possible to create a single auth server, then how do the APIs get permissions from the auth server?
There are several ways you can do that, depending on what you need and how big the load on your apps is. You can create an auth server that your client will call for authentication and that your microservices will call for authorization when a request for a resource is made.
Read this article for a more detailed view in order to see what suits you best.
https://medium.com/tech-tajawal/microservice-authentication-and-authorization-solutions-e0e5e74b248a
I've been looking into developing a microservice architecture using Spring Boot and some Netflix libraries such as Eureka, Zuul, and Ribbon; however, I appear to be hung up on the security design.
My goal is to use a third-party web-based service such as Okta.com to manage all my users and applications. Okta uses OAuth2, which I believe would make my application stateful. My goal is to keep my application stateless for load-balancing purposes.
I would be using the following service module architecture:
Gateway Service
Auth Service (Authenticate against Okta)
Microservice 1 (role_admin, role_sales)
Microservice 2 (role_admin, role_employee)
My understanding is that when the gateway has a request to route to Microservice 1 or Microservice 2, a token would need to be forwarded along with the request, and if no token is present, a request to the Auth Service at the gateway would need to be made in order to obtain a token from Okta using OAuth2.
My next piece of understanding is that while using OAuth2, when the token is present and has been forwarded along to Microservice 1 or Microservice 2, the token would need to be validated against Okta again. The groups would be contained within the token.
My question is: could Okta be used solely for the purpose of authentication and authorization, but rather than passing around the stateful OAuth2 tokens generated by Okta, create a stateless JWT which would contain roles and user info and pass that back to the microservices?
I'm just wondering how to use a service like Okta in a microservice architecture but still keep my microservices stateless, and I'm not sure my thought process is correct.
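The answer above describes an auth server that clients call for authentication and that services consult for authorization, and the question just above asks whether a stateless JWT carrying roles and user info could instead be verified by each microservice on its own (the first question on this page, about verifying browser-supplied JWTs in a Spring Security filter, turns on the same check). The following added example, which is not code from any of the posters, shows that stateless flow end to end in plain Python: the auth-server side mints an HS256-signed JWT containing `sub`, `roles` and `exp`, and the microservice side verifies the signature and expiry locally, then enforces a role such as `role_admin` or `role_sales` from the question's list. The shared secret, claim names and the `handle_request` gate are constructed for the demonstration; a real deployment would use the issuer's published key material and a vetted JWT library rather than this hand-rolled verifier.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret shared by the auth server and the services.
# In production this comes from configuration, never from source code.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore padding and decode; raises binascii.Error (a ValueError) on junk."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Auth-server side: produce header.payload.signature signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Microservice side: validate locally, with no round trip to the auth server.

    Every failure raises ValueError so a caller cannot fall through to 'allowed'.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the service expects rather than trusting the token's header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, required_role: str) -> bool:
    """Role check against the roles claim carried in the token."""
    return required_role in claims.get("roles", [])


def handle_request(headers: dict, required_role: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Filter-style gate in front of a resource: returns (HTTP status, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, str(exc)
    if not authorize(claims, required_role):
        return 403, "insufficient role"
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    # Constructed sample: the auth server issues a token, a service checks it.
    issued_at = 1_000
    token = mint_token({"sub": "alice", "roles": ["role_sales"], "exp": issued_at + 900})
    print(handle_request({"Authorization": "Bearer " + token}, "role_sales", now=issued_at))
    print(handle_request({"Authorization": "Bearer " + token}, "role_admin", now=issued_at))
    print(handle_request({"Authorization": "Bearer " + token}, "role_sales", now=issued_at + 3600))
```

Because the service never contacts the auth server during verification, any instance behind the load balancer can accept the token, which is the stateless property the question is after; the trade-off is that a token stays valid until `exp`, so lifetimes should be short and revocation handled separately.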
I use AWS Lambda as a backend service to authenticate users from my iOS app. When learning about Lambda I was pointed to use the Amazon API Gateway to make the data over the network go over HTTPS:// and NOT HTTP://.
Someone recently pointed out that all calls to AWS Lambda, DynamoDB, S3, and Cognito directly from my app automatically go over HTTPS://. Is this true or not?
Unfortunately the docs are not explicit on the matter, as far as I could find, but inspecting the source on GitHub:
AWSService, one of the base services used by the sdk, uses https by default, and will only switch to http if the AWSServiceConfiguration particular configuration is established with the parameter useUnsafeUrl set to true.
And AWSLambdaService, even if initialised with a configuration object, appears to set the useUnsafeUrl option to NO.
So - inspection of the source suggests that all access to the service is by default https.
This is consistent with AWS SDK defaults in other languages/frameworks as well.
-- Edited to note --
I had a thought after posting this - it's possible that the advice to use API Gateway for https was based on the common practice of exposing Lambda functions as API endpoints. If you want to do that, then API Gateway gives you a way, and if you are using API Gateway, then you do need to ensure it is configured to use https.
What is not clear from your question is - from your app, are you invoking the lambda functions via the API Gateway endpoint? Or directly via the AWS SDK? If invoking directly via the AWS SDK then there is no need to use API Gateway at all.
If you are already using the API Gateway, and issuing HTTPS web requests to invoke your lambda functions, I wouldn't necessarily stop, because it gives you a nice point of abstraction and decoupling - you could completely change your backend implementation and as long as you keep the API Gateway endpoint configuration the same, your clients will still work. Alternatively, you could start to implement other clients or expose your API to 3rd party clients who aren't in a position to use the AWS SDK and they will still be able to interact with your backend via standard HTTP protocols.
I'm using Spring Boot to build a REST API which I can secure with OAuth2 (using spring-security-oauth2).
I want to manage a separate authentication and authorization schema for the actuator management endpoints (metrics, health, etc.).
And I want the management endpoints to run on a different port (management.port=8081 in application.properties)
I've been reading quite a lot but couldn't find a way to do it.
Thanks
That's because you can't separate endpoints by port. If the actuator management endpoints and the management endpoints are on the same component, the Spring Boot container (Tomcat) will launch that whole component on one port.
What you are saying can maybe be achieved by a proxy. You would map some urls on the proxy to internally correspond with the urls on your component.