9 Securing your microservices


This chapter covers

  • Learning why security matters in a microservice environment
  • Understanding OAuth2 and OpenID
  • Setting up and configuring Keycloak
  • Performing authentication and authorization with Keycloak
  • Protecting your Spring microservice with Keycloak
  • Propagating access tokens between services

Now that we have a robust microservices architecture, the task of addressing security vulnerabilities becomes more and more essential. In this chapter, security and vulnerability go hand in hand. We’ll define a vulnerability as a weakness or flaw present in an application. Of course, all systems have vulnerabilities, but the big difference lies in whether these vulnerabilities are exploited and cause harm.

Mentioning security often causes an involuntary groan from developers. Among developers, we hear comments such as, “It’s obtuse, hard to understand, and even harder to debug.” Yet, we won’t find any developer (except for maybe an inexperienced developer) who says that they don’t worry about security. Securing a microservices architecture is a complex and laborious task that involves multiple layers of protection, including these:

9.1 What is OAuth2?

9.2 Introduction to Keycloak

9.3 Starting small: Using Spring and Keycloak to protect a single endpoint

9.3.1 Adding Keycloak to Docker

9.3.2 Setting up Keycloak

9.3.3 Registering a client application

9.3.4 Configuring O-stock users

9.3.5 Authenticating our O-stock users

9.4 Protecting the organization service using Keycloak

9.4.1 Adding the Spring Security and Keycloak JARs to the individual services

9.4.2 Configuring the service to point to our Keycloak server

9.4.3 Defining who and what can access the service

9.4.4 Propagating the access token

9.4.5 Parsing a custom field in a JWT

9.5 Some closing thoughts on microservice security

9.5.1 Use HTTPS secure sockets layer (SSL) for all service communication

Summary