Using an API Gateway in conjunction with microservices and JWTs?

0 votes

Just looking for someone to double check my work. Is the below an effective way to secure microservices?

Premise

Breaking up our monolithic application and monolithic Partner API into microservices oriented around specific business functions. They'll most likely be small expressjs applications running in a docker container, on elastic beanstalk, who knows. They'll live somewhere :)

I'm looking into either standing up Kong as my API Gateway or using AWS API Gateway to encapsulate the details of my microservices. Also, it just feels good.

The JWT plugin for Kong will verify the signature of the JWT and then pass the customer_id along in the header to the microservice. I should also mention that we have 3rd party developers that will be partaking in the integration fun as well. Here's a basic sketch of what I see happening:

Implementation

  1. Generate "consumers" for each platform and 3rd party developer we have. (Web app, mobile app, and the current integration partners we have. Note: I'm not looking to create consumers for every user that logs in. While certainly more secure, this adds a lot of work. Also, if you figure out how to get the secret out of my API Gateway I clearly have other issues)
  2. Let Kong verify the request for me. Kind of like a bouncer at the door, there's no authorization, just authentication.
  3. I don't need to know that the token is valid once it gets to the microservice, I can just use some middleware to decode it and use custom logic to decide if this user really should be doing whatever is they're trying to do.
Oct 17, 2018 in AWS by findingbugs
• 4,750 points
119 views

Extra Stuff

  • There's a nice access control plugin for Kong. Our application and mobile app would run with "God" privileges, but I could definitely lock down the developers to specific routes and methods.

  • Revoking 3rd party access will be easy, revoking end users access won't be so simple unless I'm willing to invalidate all JWTs at once by generating a new secret. Perhaps I can limit token time to 10 minutes or so and make our applications check if they're expired, get a new token, and then get on with the original request. This way I can "flag" them in the database or something and not let the JWT be generated.

  • SSL used everywhere, JWT is stored in an SSL only cookie in the web browser and there's no sensitive information stored in any of the claims.

Thanks guys.

1 answer to this question.

0 votes

This is how we went about it...

What do we need from an API gateway?

  1. Highly available
  2. Secure
  3. Performant
  4. Authoritative
  5. Scalable

Solution 1: AWS API Gateway

pros

  1. Highly available managed solution.
  2. Don't need to worry about scalability.
  3. Supports SSL and custom domains.
  4. Authoritative through lambda and IAM.
  5. Plays nice with other AWS services.
  6. Supports API versioning out of the box.
  7. Easy monitoring with CloudWatch.

cons

  1. Traffic can't be routed directly into an internal network (private VPC segment), meaning an additional gateway would be required.
    Edit: Amazon API Gateway Supports Endpoint Integrations with Private VPCs. Thanks @Red for mentioning this.
  2. Slow, our benchmark showed each request through API Gateway added 100-150 ms latency.

Solution 2: Kong

pros

  1. Scalable, but needs to implemented and managed on our end.
  2. Supports SSL and custom domains.
  3. Authoritative through plugins, with solutions for JWT and OAUTH2 already packaged.
  4. RESTful API for easy integration with our authentication server.
  5. Extensible, in case we need some custom logic.
  6. Fast, our benchmark showed each request through Kong added 20-30 ms latency.

cons

  1. Requires management on our end (upgrades, deployment, maintenance).
  2. In order to achieve HA, requires an additional endpoint, in the form of a load balancer to route traffic to the actual GW(s). 
     

Implementation

We decided to go with Kong.
The major issue with the hosted solution was the inability to route traffic to our private network, where we also host a private DNS zone.
Additionally, the extensible nature of Kong allowed us to create custom plugins with logic that is relevant to our solutions.
We work with an ALB to round robin between multiple instances of Kong in different AZs in order to achieve redundancy and high availability. 
The API configuration is saved on a Postgres RDS which is also internal and multi AZ.

Flow

  1. Client authenticates against our authentication server. The authentication server is a micro service behind the Kong GW with a publicly exposed upstream.
  2. Authentication server creates a consumer with a JWT for the individual client.
  3. Authentication server replies with the JWT.
  4. Client requests access from an API with the JWT, traffic routed via Kong.
  5. Kong verifies the JWT and routes the request to the micro service with information about the consumer.
  6. Micro service responds to the client.

Other

  1. Revoking user access is as easy as deleting the token.
  2. No sensitive information is stored in the JWT claims.
  3. All services know about each other through a private DNS zone
answered Oct 17, 2018 by Priyaj
• 56,900 points

Related Questions In AWS

0 votes
2 answers
0 votes
1 answer
0 votes
1 answer

Pass account id of an AWS sub account using a variable as an argument in CloudWatch Alarm Actions with python (boto3)?

Python String and Integer concatenation >>> print("arn:aws:swf:us-east-2:{0}:action/actions/AWS_EC2.InstanceId.Stop/1.0".format(acccnum)) arn:aws:swf:us-east-2:12312312312312:action/actions/AWS_EC2.InstanceId.Stop/1.0 >>> print("arn:aws:swf:us-east-2:" ...READ MORE

answered Oct 5, 2018 in AWS by Priyaj
• 56,900 points
161 views
0 votes
1 answer

How do I configure and attach an internet gateway for use with Elastic Load Balancing?

Follow these steps: First, create an internet gateway and ...READ MORE

answered May 16 in AWS by Archu
85 views
0 votes
1 answer

Git monorepo diff a package subtree with HEAD

 Build a makefile to look through all ...READ MORE

answered Mar 26, 2018 in DevOps and Microservices by DragonLord999
• 8,380 points
64 views
0 votes
1 answer

How do we authenticate user from http.signature.secret file?

hadoop.http.authentication.signature.secret.file: The signature secret file for signing ...READ MORE

answered Apr 24, 2018 in Big Data Hadoop by Shubham
• 13,300 points
168 views
0 votes
1 answer

Trying to call AWS API via PHP

Try using AWS SDK for PHP, Link ...READ MORE

answered Jun 6, 2018 in AWS by Cloud gunner
• 4,280 points
262 views
0 votes
1 answer

Problem with Swift API Gateway key authorizatiion Ask

Try to add all the headers that ...READ MORE

answered Jun 12, 2018 in AWS by Cloud gunner
• 4,280 points
55 views
+1 vote
2 answers

Starting with an AWS Instance with API and AUTHPARAMS

The API is usually much easier to ...READ MORE

answered Apr 17, 2018 in AWS by Cloud gunner
• 4,280 points
479 views