This chapter covers:
- Where to perform user authentication and authorization in a microservice system
- Deciding on the level of trust in your microservice system
- Limiting microservice-to-microservice requests
- Using an API gateway to authenticate users
- Using Kubernetes network policies to limit microservice-to-microservice requests
Up to this point in the book, we’ve ignored security; but for most systems, security is an important concern that needs careful attention. This chapter discusses how to address security concerns in a microservice system. In a monolith, the monolith does user authentication and authorization—there is, after all, only the monolith to do those things. In a microservice system, several microservices are involved in answering most user requests; the question is this: which ones are responsible for authentication, and which ones are responsibility for authorization? You must also ask how much the microservices can trust each other:
- If one microservice authenticates a user, can other microservices trust that user?
- Are all microservices allowed to call each other?
The answers vary from system to system. The first part of this chapter discusses how to address these questions. The second part of the chapter outlines an implementation of one possible answer to the first question and shows a full implementation of an answer to the second question.