2 First steps in securing microservices

 

This chapter covers

  • Developing a microservice in Spring Boot/Java
  • Running and testing a Spring Boot/Java microservice with curl
  • Securing a microservice at the edge with OAuth 2.0
  • Enforcing authorization at the service level with OAuth 2.0 scopes

When you adhere to the architectural principles of microservices, you build applications as a collection of smaller, modular services or components. A microservice can be invoked by a system acting by itself, or by a system acting on behalf of a human user or another system. In all three cases, we need to properly authenticate and authorize every request that reaches the microservice. A microservice may also consume one or more other microservices in order to serve a request. In such cases, it is also necessary to propagate user context (from downstream services or client applications) to upstream microservices.

In this chapter, we explain how security validation of incoming requests happens; in chapter 3, we discuss how to propagate the user context to upstream microservices. The focus of this chapter is to get you started with a straightforward deployment. The design of the samples presented in this chapter is far from a production deployment. As we proceed through the book, we explain how to fill the gaps and how to build a production-grade microservices security design step by step.

2.1 Building your first microservice

 

2.1.1 Downloading and installing the required software

 
 

2.1.2 Clone samples repository

 
 
 
 

2.1.3 Compiling the Order Processing microservice

 

2.1.4 Accessing the Order Processing microservice

 
 
 

2.1.5 What is inside the source code directory?

 
 
 

2.1.6 Understanding the source code of the microservice

 
 

2.2 Setting up an OAuth 2.0 server

 
 
 

2.2.1 The interactions with an authorization server

 
 

2.2.2 Running the OAuth 2.0 authorization server

 
 

2.2.3 Getting an access token from the OAuth 2.0 authorization server

 

2.2.4 Understanding the access token response

 
 
 
 

2.3 Securing a microservice with OAuth 2.0

 

2.3.1 Security based on OAuth 2.0

 
 

2.3.2 Running the sample

 
 
 
 

2.4 Invoking a secured microservice from a client application

 

2.5 Performing service-level authorization with OAuth 2.0 scopes

 
 

Summary

 
 
 
 