Securing Your Services

So far in this book, all the interactions between services were done without any form of authentication or authorization: each HTTP request would happily return a result. That can't be allowed in production, for two simple reasons: we need to know who is calling the service (authentication), and we need to make sure that the caller is allowed to perform the call (authorization). For instance, we probably don't want an anonymous caller to delete entries in a database.

In a monolithic web application, authentication happens with a login form, and once the user is identified, a session cookie is set and sent along with all subsequent requests.

In a microservice-based architecture, we can't use that scheme everywhere, because services are not users and won't fill in web forms to authenticate. We need a way to accept or reject a call between any two services automatically.

The OAuth2 authorization framework (https://oauth.net/2/) gives us the flexibility to add authentication and authorization to our microservices, and it can be used for both users and services. Strictly speaking, OAuth2 itself only delegates authorization: user authentication is layered on top of it (OpenID Connect is the usual way), while a service authenticates to the token endpoint with its own client credentials and receives a token it presents on every call. In this chapter, we'll discover some aspects of OAuth2 and how to implement an authentication microservice. This service will be used to secure service-to-service interactions.
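To make the mechanism concrete before we build the real service, here is an added example (not the book's code) of the two halves of a service-to-service flow: a "token dealer" that implements the OAuth2 client_credentials grant and issues a signed JWT, and the checks a protected service runs on that token before honouring a request. The client registry, secrets, issuer and audience names are all assumptions made up for the example. It signs with HS256 (a shared secret) so that it runs with the standard library alone; in production you would normally use an asymmetric algorithm such as RS256 so that services only ever hold the public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed client registry: client_id -> (sha256(client_secret), allowed scopes).
# A real token dealer keeps this in a database behind a slow password hash.
CLIENTS = {
    "service-a": (hashlib.sha256(b"a-very-secret-value").hexdigest(), {"db:read"}),
}
SIGNING_KEY = b"assumed-hs256-signing-key-rotate-me"   # shared with verifying services
ISSUER = "https://tokendealer.example"                 # assumed issuer name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(client_id, client_secret, scope, audience, now=None, ttl=300):
    """Token dealer side of the client_credentials grant.

    Authenticates the calling service with its id/secret and, if the requested
    scope is permitted for that client, returns a short-lived signed JWT.
    """
    now = int(time.time()) if now is None else now
    entry = CLIENTS.get(client_id)
    given = hashlib.sha256(client_secret.encode()).hexdigest()
    # compare_digest keeps the secret comparison constant-time
    if entry is None or not hmac.compare_digest(entry[0], given):
        raise PermissionError("invalid_client")
    if not set(scope.split()) <= entry[1]:
        raise PermissionError("invalid_scope")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "scope": scope}
    signing_input = _compact_json(header) + "." + _compact_json(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, audience, required_scope, now=None):
    """Checks a protected service performs on every call; returns the claims.

    Order matters: pin the algorithm and verify the signature before
    trusting anything inside the payload.
    """
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except ValueError:
        raise PermissionError("malformed token")
    # Never take "alg" from the token at face value ("none", RS/HS confusion).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(c64))
    except ValueError:
        raise PermissionError("malformed token")
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise PermissionError("wrong issuer or audience")
    if now >= claims.get("exp", 0):      # a token without exp is treated as expired
        raise PermissionError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient_scope")
    return claims


if __name__ == "__main__":
    # service-a obtains a token, then calls the "inventory" service with it
    tok = issue_token("service-a", "a-very-secret-value", "db:read", audience="inventory")
    print(verify_token(tok, audience="inventory", required_scope="db:read"))
```

The audience claim is what stops a token minted for one service from being replayed against another, and the short `exp` bounds the damage if a token leaks; both checks are as important as the signature itself.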

Securing services also means preventing fraud and abuse of the system. For instance, if a client starts hammering one of our endpoints, whether maliciously or because of a bug, we need to detect that behavior and protect the system. There's not much an application can do on its own against a massive Distributed Denial of Service (DDoS) attack, but setting up a basic web application firewall is easy to do and a great way to protect the system from basic attacks.
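The simplest building block of such a firewall is per-client throttling. The following added example (not the book's code) replays a constructed sample of timestamped requests through a sliding-window limiter and reports, per client, how many requests would have been served and how many answered with 429. The limit, window and addresses are assumptions chosen for the example.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key.

    Key on whatever identifies the caller: the authenticated client id when
    there is one, otherwise the peer address (only trust X-Forwarded-For
    when your own reverse proxy is the one setting it).
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = {}  # key -> deque of request timestamps, oldest first

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        # drop timestamps that have aged out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: answer 429 Too Many Requests
        q.append(now)
        return True


# Constructed traffic sample: (seconds, client). 10.0.0.9 hammers the endpoint.
SAMPLE_REQUESTS = [
    (0.0, "10.0.0.5"), (0.0, "10.0.0.9"), (0.1, "10.0.0.9"), (0.2, "10.0.0.9"),
    (0.3, "10.0.0.9"), (0.4, "10.0.0.9"), (0.5, "10.0.0.5"), (0.5, "10.0.0.9"),
    (0.6, "10.0.0.9"), (0.7, "10.0.0.9"), (1.2, "10.0.0.5"), (1.5, "10.0.0.9"),
]


def replay(requests, limit=5, window=1.0):
    """Replay timestamped requests in order; return {client: (allowed, rejected)}."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = {}
    for ts, client in sorted(requests):
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            stats[client] = (allowed + 1, rejected)
        else:
            stats[client] = (allowed, rejected + 1)
    return stats


if __name__ == "__main__":
    for client, (ok, nok) in sorted(replay(SAMPLE_REQUESTS).items()):
        print(f"{client}: {ok} allowed, {nok} rejected")
```

With five requests per second allowed, the well-behaved client is never throttled, while the hammering client gets its first five requests through, is refused for the rest of that second, and is admitted again once the window has slid past its burst. An in-process dict of deques is fine for one worker; a deployment with several instances needs the counters in a shared store such as Redis, and needs to expire idle keys so the structure can't be grown without bound.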

Lastly, a few things can be done at the code level to protect your services, such as controlling system calls or making sure HTTP redirects don't send users to hostile web pages (open redirects). The last part of the chapter will enumerate some of them and demonstrate how you can continuously scan your code for potential security issues.
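As an added example of the redirect problem (not the book's code), here is how a login service can validate a user-supplied `next` parameter so that it only ever redirects back to its own origin. The allowed host is an assumption. Note that the function returns the resolved absolute URL rather than echoing the raw parameter: Python's urllib and browsers disagree on inputs such as `///evil.com`, so the string you checked must be the string you send.

```python
from urllib.parse import urljoin, urlsplit

# Assumed: the only origin our login service may redirect back to.
OWN_BASE = "https://app.example.com/"
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return an absolute https URL on our own host, or `default` if unsafe."""
    if not next_url or any(ch in next_url for ch in "\\\r\n"):
        # browsers treat backslashes as slashes; CR/LF would allow header injection
        return default
    # Resolve against our own origin so that relative paths stay local and
    # scheme-relative tricks ("//evil.com") become explicit absolute URLs.
    resolved = urljoin(OWN_BASE, next_url)
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        return default            # javascript:, data:, or a downgrade to http
    if parts.hostname not in ALLOWED_HOSTS:
        return default            # evil.com, app.example.com.evil.com, user@evil.com
    return resolved


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.com/", "https://app.example.com@evil.com/",
                      "javascript:alert(1)", "/\\evil.com"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

Comparing `hostname` (lower-cased, with any userinfo and port stripped) against an allow-list is what defeats the usual bypasses; prefix checks such as `startswith("https://app.example.com")` are the classic mistake, since `https://app.example.com.evil.com` passes them.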

 

This chapter covers the following topics:

  • An overview of the OAuth2 protocol
  • How token-based authentication works in practice
  • What the JWT standard is and how to use it in a "token dealer" for securing microservices
  • How to implement a web application firewall
  • Some best practices to secure your microservice code