Just looking for someone to double check my work. Is the below an effective way to secure microservices?
Breaking up our monolithic application and monolithic Partner API into microservices oriented around specific business functions. They'll most likely be small expressjs applications running in a docker container, on elastic beanstalk, who knows. They'll live somewhere :)
I'm looking into either standing up Kong as my API Gateway or using AWS API Gateway to encapsulate the details of my microservices. Also, it just feels good.
The JWT plugin for Kong will verify the signature of the JWT and then pass the customer_id along in the header to the microservice. I should also mention that we have 3rd party developers that will be partaking in the integration fun as well. Here's a basic sketch of what I see happening:
- Generate "consumers" for each platform and 3rd party developer we have. (Web app, mobile app, and the current integration partners we have. Note: I'm not looking to create consumers for every user that logs in. While certainly more secure, this adds a lot of work. Also, if you figure out how to get the secret out of my API Gateway I clearly have other issues)
- Let Kong verify the request for me. Kind of like a bouncer at the door, there's no authorization, just authentication.
- I don't need to know that the token is valid once it gets to the microservice, I can just use some middleware to decode it and use custom logic to decide if this user really should be doing whatever is they're trying to do.