Microservices to microservices communication securely

I want to communicate between different microservices, but the problem that is arising is that the microservices are secured with a JWT token and I am not able to find a way to send a secured call to the other microservice from the first microservice. Is there a way I can communicate with the service method directly? Because if I make my API open it will be misused.

Or do I have to go through an API gateway, sending every request through the API gateway and making a secure communication from there?

It all depends on what the exact requirements of your project are.

A gateway API is usually used to hide the complexity of microservices from external users, who usually have 1 endpoint to talk to.

Also, the gateway can handle the security and authenticate the user (which many companies do indeed).

Now when you pass the gateway and your authenticated request reaches the client, usually you already have a user identity on the request (what was put onto the request by the gateway).

So you know that user "John Smith" has triggered the request.

And now if you need to call another microservice you should decide (and again it's your decision):

  1. Whether you need authentication at all there (maybe internal communication doesn't have to be secured between microservices).

  2. If you do need authentication between microservices, who authenticates the request? If it's a gateway, all authentication logic is there, but you have to make an additional hop for each request, which might be costly. Alternatively, if it's a direct call, each microservice must implement authentication logic. Sure, there is stuff like Spring Security, and other languages/ecosystems have similar solutions, but in general this can be difficult to implement.

  3. If you do make an authenticated call from microservice A to microservice B, and the flow was originated by user John Smith, who triggered a request to service A, you should decide whether the semantics of the call is:

    • User "John Smith" contacts service B, or...
    • Service A contacts service B on behalf of user John Smith. This is really important for authorization if you have any kind of permissions system.

  4. In terms of technical implementation, usually you can add a JWT header to the request with the required token. If the request was already authenticated and you need to generate a user identity, you can merely put a couple of headers on the request.
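An added example (not code from the answer above) of points 3 and 4: service A verifies the gateway-issued user token, then mints a short-lived token for service B that carries the user as `sub` and A as the RFC 8693 `act` (actor) claim, so B can authorize on "A on behalf of John Smith" rather than on "John Smith" alone. Keys, service names and the permission table are constructed for the example; HS256 is implemented with the standard library only so it runs offline.

```python
import base64, hashlib, hmac, json

# Constructed secrets for this example only; each audience holds its own key.
GATEWAY_KEY = b"constructed-gateway-secret"
SERVICE_B_KEY = b"constructed-service-b-secret"
TRUSTED_ACTORS = {"service-a"}                 # callers B accepts an "act" claim from
PERMISSIONS = {"john.smith": {"orders:read"}}  # user permissions known to B

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: b64url(header).b64url(payload).b64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now: int) -> dict:
    """Check alg, signature, audience and expiry; raise ValueError on any failure."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the alg
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")  # a token minted for A is useless at B
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims
def token_accepted(token: str, key: bytes, audience: str, now: int) -> bool:
    try:
        return verify_jwt(token, key, audience, now) is not None
    except ValueError:
        return False

def service_a_call_b(user_token: str, scope: str, now: int) -> dict:
    """Verify the gateway token, then mint an on-behalf-of token (RFC 8693 'act') for B."""
    user = verify_jwt(user_token, GATEWAY_KEY, "service-a", now)
    delegated = {"iss": "service-a", "sub": user["sub"], "act": {"sub": "service-a"},
                 "aud": "service-b", "exp": now + 60}
    return service_b_handle(sign_jwt(delegated, SERVICE_B_KEY), scope, now)
def service_b_handle(token: str, scope: str, now: int) -> dict:
    """B validates the token itself and authorizes on both the user and the actor."""
    c = verify_jwt(token, SERVICE_B_KEY, "service-b", now)
    actor = c.get("act", {}).get("sub")
    allowed = actor in TRUSTED_ACTORS and scope in PERMISSIONS.get(c["sub"], set())
    return {"user": c["sub"], "via": actor, "allowed": allowed}
```

Because B checks `aud`, a token the gateway issued for A cannot be replayed directly against B, and because B checks `act`, a delegated call is only honoured from callers it trusts.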

You can have two API gateways:

  • one exposed outside
  • and another one for microservice communication within the container.

The one which is exposed outside does the validation of tokens and sends claims to the microservices, where those claims are used for validation of route protection.

For communication between microservices, send the claims that you already have with the second gateway. Hope this helps. If you have found any alternative way, let us know.
