Chapter 3. Securing north/south traffic with an API gateway
Chapter 3 from Microservices Security in Action by Prabath Siriwardena and Nuwan Dias
This chapter covers
- The role of an API gateway in a microservices deployment
- The deficiencies of the architecture we followed in chapter 2 to secure a microservice, and how to improve on it
- Why OAuth 2.0 is the de facto standard for securing microservices at the edge
- How to deploy a microservice behind the Zuul API gateway and secure it with OAuth 2.0
In chapter 2, we discussed how to secure microservices at the edge with OAuth 2.0. The focus of chapter 2 was on getting started with a fairly straightforward deployment. The samples there were far from production ready. Each microservice had to connect to an OAuth authorization server for token validation and decide which OAuth authorization server it wanted to trust. This model does not scale when you have hundreds of microservices, and it puts too much responsibility on the microservices developer. Please note that when we say just OAuth, we in fact mean OAuth 2.0; if you are not familiar with OAuth, we recommend that you go through appendix D first.