2 Hello World microservices security
This chapter covers
- Developing a microservice in Spring Boot/Java, running and testing it with curl
- Securing a microservice at the edge with OAuth 2.0
- Enforcing authorization at the service level with OAuth 2.0 scopes
When you follow a microservices architecture, you build applications as a collection of smaller, modular services or components. A microservice can be invoked by a system acting by itself, or by a system acting on behalf of a human user or another system. In all three cases, we need to properly authenticate and authorize every request that reaches the microservice. A microservice may also consume one or more other microservices in order to serve a request. In such cases, it is also necessary to propagate the user context (from upstream services or client applications) to downstream microservices. In this chapter, we explain how incoming requests are validated; later in the book, in chapter 3, we discuss how to propagate the user context to downstream microservices.

The focus of this chapter is to get you started with a straightforward deployment. The design of the samples presented in this chapter is far from a production deployment. As we proceed through the book, we explain how to fill the gaps and, step by step, how to build a production-grade microservices security design.