How do I use an API Gateway in conjunction with microservices and JWTs?
Afternoon y'all,
Just looking for someone to double-check my work. Is the below an effective way to secure microservices?
Breaking up our monolithic application and monolithic Partner API into microservices oriented around specific business functions. They'll most likely be small expressjs applications running in a docker container, on elastic beanstalk, who knows. They'll live somewhere :)
I'm looking into either standing up Kong as my API Gateway or using AWS API Gateway to encapsulate the details of my microservices. Also, it just feels good.
The JWT plugin for Kong will verify the signature of the JWT and then pass the customer_id along in the header to the microservice. I should also mention that we have 3rd party developers that will be partaking in the integration fun as well. Here's a basic sketch of what I see happening:
There's a nice access control plugin for Kong. Our application and mobile app would run with "God" privileges, but I could definitely lock down the developers to specific routes and methods.
Revoking 3rd party access will be easy; revoking end users' access won't be so simple unless I'm willing to invalidate all JWTs at once by generating a new secret. Perhaps I can limit token time to 10 minutes or so and make our applications check if they're expired, get a new token, and then get on with the original request. This way I can "flag" them in the database or something and not let the JWT be generated.
SSL used everywhere, JWT is stored in an SSL-only cookie in the web browser and there's no sensitive information stored in any of the claims.
Thanks guys.
I recently worked on a solution to this very question and premise, refactoring a large monolith into multiple services in an AWS architecture.
There is no right, wrong or definitive how-to for this question.
However, we did implement a solution very similar to the one described in the question above.
I hope this answer can deliver a good sense of direction for someone who's looking at this for the first time.
This is how we went about it...
pros
cons
pros
cons
We decided to go with Kong.
The major issue with the hosted solution was the inability to route traffic to our private network, where we also host a private DNS zone.
Additionally, the extensible nature of Kong allowed us to create custom plugins with logic that is relevant to our solutions.
We work with an ALB to round-robin between multiple instances of Kong in different AZs in order to achieve redundancy and high availability.
The API configuration is saved on a Postgres RDS which is also internal and multi-AZ.
Flow
Other
Schema: