
Best practice of API Gateway implementation if the backend has its own authentication

I know one of the things an API Gateway offers is a security layer in front of any backend APIs. But what about the case where the backend already has its own authentication (say an API key, JWT or other)? What is the better approach / best practice:

  1. Modify those backend APIs to become "plain APIs" (without any auth), so that they rely only on the API Gateway's auth (OAuth2).

  2. Keep the backend auth as it is, but create a microservice that acts as a wrapper API to handle that backend auth.

The goal is to prevent double authentication and give the clients the same experience, where they only need to pass one authentication, the one by the API Gateway. Thank you!

I would keep the backend's API security. There is nothing wrong with having secured communication behind an API gateway. As a matter of fact, I recall this being a recommended approach.

To prevent double authentication, a suggestion would be to define a public (unsecured) endpoint on the API gateway that reaches the authentication endpoint of the authentication server used by your backend services. The client receives the authentication token from that authentication server, and the API gateway passes the token through to the API of your backend services.

Another possibility could be to authenticate towards the API gateway but let the API gateway use the same authentication server as your backend services. Some gateways allow you to forward the authentication to an authentication server somewhere outside of the API gateway.
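The following is an added example, not code from the question or the answer above, modelling the second option the answer describes: the client authenticates once against a single authentication server, the gateway validates the resulting JWT against that same issuer, and then forwards the request with the Authorization header untouched so the backend can validate the very same token with its own auth. The gateway and backend are plain Python functions standing in for real services; the issuer URL, audience name and the HS256 shared secret are assumptions that stand in for the auth server's signing key (a real deployment would typically publish an asymmetric key instead).

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions (not from the original post): one auth server, one HS256 secret shared
# with the gateway and the backend, and one audience value for the backend API.
ISSUER = "https://auth.example.internal"      # hypothetical issuer
AUDIENCE = "orders-api"                        # hypothetical backend audience
SECRET = b"dev-only-shared-secret-change-me"   # stand-in for the auth server's key


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, ttl=300, now=None, secret=SECRET):
    """Auth server: the only place a token is minted. The client calls this once."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Shared verification used by gateway and backend: alg pinning, signature, iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def _bearer(request):
    auth = request.get("headers", {}).get("Authorization", "")
    return auth[7:] if auth.startswith("Bearer ") else None


def backend_handle(request):
    """Backend keeps its own auth: it validates whatever token it receives, gateway or not."""
    token = _bearer(request)
    if token is None:
        return {"status": 401, "body": "backend: missing bearer token"}
    try:
        claims = verify_token(token, now=request.get("now"))
    except ValueError as exc:
        return {"status": 401, "body": f"backend: {exc}"}
    return {"status": 200, "body": f"orders for {claims['sub']}"}


def gateway_handle(request):
    """Gateway validates against the same issuer, then forwards the header unchanged."""
    token = _bearer(request)
    if token is None:
        return {"status": 401, "body": "gateway: missing bearer token"}
    try:
        verify_token(token, now=request.get("now"))
    except ValueError as exc:
        return {"status": 401, "body": f"gateway: {exc}"}
    # Pass-through: the client's single credential is what the backend sees. The gateway
    # neither strips it nor mints a second, gateway-only credential.
    return backend_handle(request)


def client_request(token, now=None):
    """Constructed request: a dict standing in for an HTTP request with optional bearer token."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return {"headers": headers, "now": now}


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("alice", now=t0)                          # one login, one token
    print(gateway_handle(client_request(token, now=t0)))          # 200 via gateway and backend
    print(gateway_handle(client_request(token, now=t0 + 600)))    # 401: token expired
    print(backend_handle(client_request(None)))                   # 401: backend still enforces auth
```

The point to notice is that `backend_handle` rejects a direct call without a token even though the gateway would have checked it: keeping the backend's own validation is what protects it if something other than the gateway ever reaches it, while the client still performs a single authentication because both hops trust the same issuer and the same token.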
