9 Securing your microservices


This chapter covers

  • Learning why security matters in a microservice environment
  • Understanding the OAuth2 standard
  • Setting up and configuring a Spring-based OAuth2 service
  • Performing user authentication and authorization with OAuth2
  • Protecting your Spring microservice using OAuth2
  • Propagating your OAuth2 access token between services

Now that we have a robust microservices architecture in place, covering its security vulnerabilities becomes increasingly urgent and essential. In this chapter, security and vulnerability are two topics that go hand in hand. We'll define a vulnerability as a weakness or flaw present in an application. Of course, all systems have vulnerabilities, but the big difference lies in whether or not those vulnerabilities are exploited to cause harm. Security, on the other hand, is a word whose mere mention will often cause an involuntary groan from the developer who hears it. Among developers we have heard comments such as "It's obtuse, hard to understand, and even harder to debug." Yet we won't find any developer (except maybe an inexperienced one) who says they don't worry about security.

Before we start, it is essential to highlight that securing a microservices architecture is a complex and laborious task that involves multiple layers of protection, including:

9.1   Introduction to OAuth2

9.2   Starting small: using Spring and OAuth2 to protect a single endpoint

9.2.1   Setting up the Ostock OAuth2 authentication service

9.2.2   Registering client applications with the OAuth2 service

9.2.3   Configuring Ostock users

9.2.4   Authenticating the user

9.3   Protecting the organization service using OAuth2

9.3.1   Adding the Spring Security and OAuth2 jars to the individual services

9.3.2   Configuring the service to point to our OAuth2 authentication service

9.3.3   Defining who and what can access the service

9.3.4   Propagating the OAuth2 access token

9.4   JSON Web Tokens and OAuth2

9.4.1   Modifying the authentication service to issue JWT

9.4.2   Consuming JWT in our microservices

9.4.3   Parsing a custom field out of a JWT

9.5   Some closing thoughts on microservice security

9.6   Summary