Chapter 10. Securing microservice-to-microservice communication

This chapter covers

  • Determining where to perform user authentication and authorization in a microservice system
  • Deciding on the level of trust in your microservice system
  • Using IdentityServer to authenticate users
  • Authorizing microservice-to-microservice requests

Up to this point in the book, we’ve ignored security; but for most systems, security is an important concern that needs careful attention. This chapter discusses how to address security concerns in a microservice system. In a monolith, the monolith does user authentication and authorization, because there is, after all, only the monolith to do those things. In a microservice system, several microservices are involved in answering most user requests, so the question becomes: which ones are responsible for authentication, and which ones are responsible for authorization? You must also ask how much the microservices can trust each other:

  • If one microservice authenticates a user, can other microservices trust that user?
  • Are all microservices allowed to call each other?

The answers vary from system to system. The first part of this chapter discusses how to address these questions, and the second part dives into an implementation of one set of answers.

10.1. Microservice security concerns

10.2. Implementing secure microservice-to-microservice communication

10.3. Summary