Securing Microservices using API Gateway | Authentication & Authorisation in Microservices

Captions
Welcome, friends. After watching today's video you will be able to clearly understand how authentication and authorization work, and what the intricacies involved are, in the context of microservices.

So, authentication and authorization are very critical for a set of microservices. Authentication is like trying to validate who the user is. So, for example, if I'm saying I'm Bob, whether I'm really Bob or I'm someone who's trying to disguise as Bob, that part is called authentication. Whereas authorization is like, once the system has identified me as Bob, now which all resources am I allowed to access, or, in the context of microservices, which all services I am allowed to access. It might be that I am allowed to access some services, whereas I am not allowed to access some services. So this part is called authorization.

Now, microservices are developed generally as REST APIs, and REST APIs are inherently stateless, which means they will not be able to maintain an identity of the calling client in the form of sessions. Another challenge is that microservices are deployed in a distributed environment with automatic upscaling and downscaling configured, which means a request from a client might go to, for example, one instance of a customer service, and the second time a request from the same client might go to some other instance of the customer service. So because of these two reasons it is not possible to do the authentication and authorization at the service level.

So for authentication and authorization we need a strong and robust solution, and we need to sit between the clients and the services. Hence we have the API token security pattern. It does the required authentication and authorization for us, and it also maintains the sessions for us. So where actually will our so-called API token security pattern be deployed? The answer is that it will be deployed at the API gateway level. For people who don't know what an API gateway is, it is actually a door through which we are able to access our microservices. For a more detailed understanding of the API gateway, feel free to watch a complete video on API gateway, the link for which is given at the top of the screen.

So if a client wants to access a particular microservice, first it gets itself authenticated by calling the authentication server and passing the ID and password, and it gets an access token in return. So this is where the client is authenticated. Now the client needs to get itself authorized to access the service, for which it will hit the API gateway and pass the access token. This request is then forwarded to the authorization server, which takes the access token and checks whatever resources this particular user is allowed to access, and returns an API token in return.

So using this API token, now the calling client can access the resources that it wants. It will pass the API token as part of a request header, along with the address of the resource which it wants to hit. For example, if it wants to hit the customer service, it will use the URL of the customer service and the API token in the header. Now this request goes to the API gateway and then it is passed to the customer service. Now the customer service needs to assure whether this user is an authorized user or not, for which it passes the API token to the authorization server and verifies whether this is a valid token and should I allow the access or not. Once the authorization server returns a successful response, or says, okay, you can verify, you can allow the access, then it returns a successful response to the calling client.

Another important use case of token security is when there are more than one microservices involved. Suppose a user wants to fetch all my orders. So he will send the get customer orders request to the API gateway, which will go from the API gateway to the actual service, and then the actual service first verifies the API token from the authorization server, and when it receives a successful response for validating the API token, it then is able to send a successful response back to the user. But for getting the order details of the customer, the customer service might have to call the order service. So, while calling the order service, it will pass the API token as a header to the order service as well, and then the order service will again re-verify whether this API token has proper authorization to use the order service or not. Once the authorization service allows the access, then only the order service will be able to send back the orders for that particular customer to the customer service, and then the customer service collates the responses, which is, you know, the customer details with all his orders, and returns to the end user.

So basically, when communicating between microservices, the token is passed as a header to all the microservices, and at every request level it is re-verified with the authorization server.

So friends, I hope you must have liked this video. If you did, don't forget to give it a thumbs up, and also don't forget to subscribe to our channel and press the bell icon for the latest updates. We thank you a lot for watching this video.
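The flow described in the captions, as an added example that is not part of the video: an in-memory sketch in which each service re-verifies the forwarded API token with the authorization server before answering. The class and function names, the `X-API-Token` header name and all sample data are assumptions made for illustration; gateway routing is left out.

```python
import secrets

class AuthorizationServer:
    """One object standing in for the authentication and authorization servers."""
    def __init__(self, passwords, grants):
        self.passwords, self.grants = passwords, grants  # constructed sample data
        self.access_tokens, self.api_tokens = {}, {}

    def authenticate(self, user, password):
        # Plaintext comparison keeps the sketch short; store salted hashes in practice.
        expected = self.passwords.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = user
        return token

    def issue_api_token(self, access_token):
        user = self.access_tokens.get(access_token)
        if user is None:
            raise PermissionError("unknown access token")
        token = secrets.token_urlsafe(32)
        self.api_tokens[token] = (user, frozenset(self.grants.get(user, ())))
        return token

    def verify(self, api_token, service):
        # Every service calls this on every request, as the transcript describes.
        user, allowed = self.api_tokens.get(api_token, (None, frozenset()))
        if user is None or service not in allowed:
            raise PermissionError(f"token not authorized for {service}")
        return user

ORDERS = {"bob": ["order-1001", "order-1002"]}  # constructed sample data

def order_service(headers, authz):
    user = authz.verify(headers.get("X-API-Token"), "order-service")
    return ORDERS.get(user, [])

def customer_service(headers, authz):
    user = authz.verify(headers.get("X-API-Token"), "customer-service")
    # Forward the caller's token unchanged; the order service re-verifies it itself.
    orders = order_service({"X-API-Token": headers.get("X-API-Token")}, authz)
    return {"customer": user, "orders": orders}

def login(authz, user, password):
    # Client side: ID and password -> access token -> API token sent as a header.
    return {"X-API-Token": authz.issue_api_token(authz.authenticate(user, password))}
```

A user granted only the customer service passes the first check and is refused at the order service, which is the reason for verifying at every hop rather than once at the edge.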
Info
Channel: SPS Tech
Views: 17,437
Keywords: securing microservices using api gateway, Authentication & Authorisation Microservices, token security microservices, token security authentication, microservices security, microservices security spring boot, microservices security architecture, microservices security with oauth2, microservices security patterns, api gateway microservices security, authentication in microservices, Authentication and authorization in microservices, securing microservices useing api gateway
Id: tS4tc9qgWbA
Length: 5min 57sec (357 seconds)
Published: Sun Feb 13 2022