We can use an open source implementation of an Identity Server which follows OAuth2 and OpenID protocols to secure our microservices.
Client can make a call to the identity server sending user credentials. Then the identity server can verify the user and send response containing authentication token. The client can then make a call to microservice by sending this authentication token. The microservice in turn can verify if the authentication token is correct by sending a request to Identity Server and based upon success can send proper response to client.
Below pic illustrates the same point.
This just takes care of authentication. There are few other simple things that we ought to do in order to get a good handle at microservices security.
First thing is to use Transport Layer Security. Typically HTTP requested are unencrypted, hence a hacker over the network can get access to your request data. Good idea is to use TLS, that implies send requests via HTTPS.There the request is encrypted and hence secure over the network.
Even when a user is authenticated (we have identified who is the user), we need to check if the user has required roles, or privileges’ or permissions to perform a certain action, call a certain microservice API, etc. And when this microservice calls another microservice, it is a good idea to send the original access token of the user to next microservice. This would help microservice to decide weather to allow action or send error.
In the end we should use DID approach (Defence in Depth) which simply means we should use multiple mechanisms for securing our microservice such as below.
- Authentication (Using an Identity Server)
- Authorization (User user roles and permissions)
- Using HTTPS (TLS) over HTTP to secure requests over network
- Virtual Networks (Microservices talk to each other but don’t interact with external world outside of virtual network)
- WhiteListing of IP Addresses (Only allow certain IP Addresses to access)
- API Gateways (Adding Multiple checks at API Gateways)
Also a good idea is to do extensive penetration testing in order to identify and fix security holes. And have an alerting and logging mechanisms to identify and take action on attacks. If you have taken care of all this, congratulations, you have built an amazingly secure microservice.
We are sorry that this post was not useful for you!
Let us improve this post!
Tell us how we can improve this post?