stackoom
  简体   繁体   中英

API gateway + Login microservice + redis

 原文  2020-08-03 21:31:36       angular/ spring-boot/ authentication/ redis

Question

I am developing a web application and I am trying to design and implement a microservices architecture. I've been reading a lot about authentication and authorization and I would like to know if with my design I am on the right track.

I have an API gateway that manages all the communication flow between the frontend application and the back end services. Behind the gateway I have two microservices called identity provider and frontend microservice respectively. The identity provider manages things as login, registration and deliver access tokens. The frontend microservice contains an angular app. So, in a normal flow the user would authenticate with the identity provider that, in turn, open a login session stored in redis and gives the session id back as a cookie. The identity provider redirects the user to the frontend service that check the login status stored in redis and, only if authenticated, returns the angular app.

So, I am not using OAuth because I think I don't really need it at this very moment. Also I am not managing authentication at gateway level. Is it a good approach to have a microservice for the login and redis to store the session, so that all the other microservices can authenticate the user when needed? I see a lot of examples to implement authentication at gateway level, so is it a bad approach to delegate the microservice to authenticate the user? In a way that the gateway only works as a router. What do you think about this?

2 answers

solution1
 0  2020-08-03 22:13:26

Storing user session on Redis is not bad practice, however using Redis for authorization/authentication purposes could result in security issues. In an ideal microservice architecture, services need to be as stateless as they can. By giving the authorization job to redis you are creating an extra layer that you need to manage on every request. What will happen when user info changes? You will need to update redis too and when it is out of sync with the Authorization server, then problems will start to emerge. It is also not bad practice to use separate Authorization server behind your gateway.

solution2
 0  2021-06-29 07:08:36

When you are using an API-GATEWAY,you must keep in mind that in Microservice architecture we have to handle cross cutting concerns in Api-Gateway.Means,once you put some functionality like security , logging , user tracking in one place to perform to entire application zone and when you want to change them,you change one place not entire microservices,.,.So,you can use oauth2 with spring cloud gateway or zull as a oauth2 client and use Oauth2 provider.After successful login,gateway performs TokenRelay(removes cookie from request and replace it with jwt token and send it to your microservices).Now you can use Redis as a HttpSession management in your gateway.Also with this approach you can use multiple instance of your services.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Ocelot API Gateway How to secure an Angular 8 frontend with Keycloak and a Java Spring Cloud microservice backend with gateway, eureka Login application using xAuthToken , spring redis and security Angular 2 Accessing AWS API Gateway JHipster: Receive 401 Unauthorized when making API call to microservice Can an Angular app call Api in a Springboot microservice through an eureka server? API Gateway with Microservices and Application API with Fallback Controller "Enable CORS" in AWS API Gateway resource? CORS issue with AWS API Gateway in angular 4 AngularJs API Gateway Calls Multiple Microservices
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM