
471613 (1)
#1
Hey John Carnell,

First of all, thank you very much for this great book. I am really enjoying reading it.
I am currently looking into the security aspects of a microservice architecture.
I stumbled upon your Figure 7.13 on page 225, which looks like a pretty good idea.
Too bad that you didn't go too deep into the example. It would have been great if your code example on GitHub
reflected the public/private API pattern.
I would like to implement your approach, but I am not sure if I quite understood how you would do it.
The question I have is about the private gateway and authentication service: how do the public API services
authenticate against the private authentication service? Is every private service getting its own key?
And how do you pass the user permissions, stored in the public authentication service, to the private services so they can do authorization?

Sorry if I totally misunderstood your approach; it would be nice if you could elaborate a bit more on how you would implement Figure 7.13.

Regards
Micah
John C Carnell (44)
#2
Hi Micah,

Usually you have a public and a private API gateway. With the public gateway, individuals calling your service usually have to authenticate via something like OAuth. Then, when the public gateway talks to the private gateway, it will have a trust relationship established (e.g. the public gateway is the only server(s) allowed to talk with the private gateway). The private gateway will then pass along the OAuth token that was received so that downstream services can validate the token when they receive it.

Hope that helps.

Thanks,
John
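The flow John describes, written out as an added example that is not from the book or its GitHub code. It stands in a constructed HMAC-signed token for a real OAuth server, plain function calls for HTTP hops, and a caller-identity check for the network-level trust relationship (mTLS, firewall rules) between the two gateways; the user's permissions travel to the downstream service inside the token's `scope` claim, which is one answer to Micah's second question. `PUBLIC_GATEWAY_ID` and the key value are assumed names.

```python
import base64, hashlib, hmac, json, time

# Constructed sample key: in a real deployment the token-signing key lives in the
# auth service (or is published as a JWKS) and is never hard-coded.
TOKEN_KEY = b"constructed-auth-server-signing-key"
PUBLIC_GATEWAY_ID = "public-gateway"  # identity the private gateway trusts (assumed name)

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def issue_token(user, scopes, key=TOKEN_KEY, ttl=300, now=None):
    """Authentication service: mint an HMAC-signed token that carries the user's permissions."""
    claims = {"sub": user, "scope": scopes, "exp": int(now or time.time()) + ttl}
    body = b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()

def verify_token(token, key=TOKEN_KEY, now=None):
    """Any service holding the key validates the token locally; returns claims or None."""
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = b64(hmac.new(key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    return claims if claims["exp"] > (now or time.time()) else None

def downstream_service(request, required_scope="orders:read"):
    """Downstream service: re-validates the forwarded token and authorizes on its scope claim."""
    claims = verify_token(request.get("authorization", ""))
    if claims is None:
        return 401, "invalid token"
    if required_scope not in claims["scope"]:
        return 403, "missing scope"
    return 200, f"orders for {claims['sub']}"

def private_gateway(request, caller_id, allowed=frozenset({PUBLIC_GATEWAY_ID})):
    """Private gateway: accepts only the trusted public gateway and forwards the token unchanged."""
    if caller_id not in allowed:
        return 403, "caller not trusted"
    return downstream_service(request)

def public_gateway(request):
    """Public gateway: the OAuth-style check that keeps anonymous traffic off the private side."""
    if verify_token(request.get("authorization", "")) is None:
        return 401, "authenticate first"
    return private_gateway(request, caller_id=PUBLIC_GATEWAY_ID)
```

Because every hop validates the same signed token, the private services never need per-service user credentials; what they do need is the verification key and a rule for which scopes each endpoint requires.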