Introduction

In our journey to transition from a monolithic architecture to a microservices-based approach, we aim to create small, focused applications that serve specific business functions. These applications will likely be built using Express.js and deployed in Docker containers, possibly on AWS Elastic Beanstalk.

To manage and secure these microservices, we are considering using Kong Gateway as our API Gateway, which will help encapsulate the complexities of our microservices.

Implementation Strategy

To effectively secure our microservices, we will leverage the JWT (JSON Web Token) plugin provided by Kong. This plugin verifies the JWT signature and passes the customer_id to the respective microservice in the request headers. Here's a step-by-step outline of our implementation:

  1. Create Consumers: We will generate consumers for each platform and third-party developer involved in our ecosystem, including web applications, mobile apps, and integration partners. Note that we will not create individual consumers for every user login, as this would complicate management and security.

  2. Authentication via Kong: Kong will act as the gatekeeper, authenticating requests without performing authorization checks. This means that once Kong has verified a request's token, the request proceeds to the microservice, which does not verify the signature again; deciding what the caller is allowed to do is left to the microservice.

  3. Token Handling in Microservices: The microservices will not need to verify the JWT signature themselves. Instead, they can use middleware to decode the token and implement custom logic to determine whether the user has the necessary permissions to perform the requested action.

Additional Considerations

  • Access Control: Kong offers an access control plugin that allows us to assign different privileges to various consumers. For instance, our main applications can operate with elevated privileges, while third-party developers can be restricted to specific routes and HTTP methods.

  • Revoking Access: Revoking access for third-party developers is straightforward. However, managing end-user access can be more complex. One approach is to limit the JWT's lifespan to around 10 minutes, requiring applications to refresh tokens periodically. This allows us to flag users in our database without needing to invalidate all tokens at once.

  • Security Best Practices: We will enforce SSL/TLS across all communications. In the browser, JWTs will be stored in cookies flagged Secure and HttpOnly, and no sensitive information will be included in the token claims.
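The following is an added example, not code from the original post or from Kong, showing what step 3 (decode-and-authorize middleware) and the short-lived-token revocation approach above look like together in an Express.js microservice that sits behind Kong's JWT plugin. Because Kong has already verified the signature, the service only decodes the payload and applies its own rules. Everything beyond that is an assumption for illustration: the token reaches the service as "Authorization: Bearer <jwt>", the payload carries customer_id, roles and exp claims, the route/role table is hypothetical, and a Set of flagged customer ids stands in for the database flag the post describes.

```javascript
// Added example (not from the original post): Express-style authorization
// middleware for a microservice behind Kong's JWT plugin. Kong verifies the
// signature; the service decodes the payload and decides what the caller may do.

// Decode the JWT payload WITHOUT verifying it. Acceptable only because Kong is
// the sole entry point and rejects unsigned or badly signed tokens before they
// reach this service; the service must never be reachable directly.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  // base64url -> base64 (Node's decoder tolerates the missing '=' padding)
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  try {
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch (e) {
    return null;
  }
}

// Hypothetical route permissions: our own apps ("app") get everything,
// third-party developers ("partner") are limited to read-only routes.
const ROUTE_PERMISSIONS = [
  { method: 'GET', prefix: '/orders', roles: ['app', 'partner'] },
  { method: 'POST', prefix: '/orders', roles: ['app'] },
  { method: 'DELETE', prefix: '/orders', roles: ['app'] },
];

function isAllowed(method, path, roles) {
  return ROUTE_PERMISSIONS.some((rule) =>
    rule.method === method &&
    path.startsWith(rule.prefix) &&
    rule.roles.some((r) => roles.includes(r)));
}

// The authorization decision, kept separate from the Express plumbing so it can
// be exercised without a server. Returns { status, reason } when the request
// must be rejected, or null when it may proceed.
function authorize(req, flaggedCustomers, nowSeconds) {
  const header = (req.headers && req.headers.authorization) || '';
  const token = header.startsWith('Bearer ') ? header.slice(7) : null;
  const claims = token ? decodeJwtPayload(token) : null;
  if (!claims || !claims.customer_id) {
    return { status: 401, reason: 'missing or unreadable token' };
  }
  // Short-lived tokens: a missing or past "exp" is treated as expired, so a
  // token cannot outlive the ~10 minute window even if the gateway is
  // misconfigured to skip the check.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { status: 401, reason: 'token expired' };
  }
  // The database flag that the short lifetime makes effective: a flagged
  // customer is refused even while holding a still-valid token, and cannot
  // obtain a fresh one at the next refresh.
  if (flaggedCustomers.has(claims.customer_id)) {
    return { status: 403, reason: 'customer access revoked' };
  }
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (!isAllowed(req.method, req.path, roles)) {
    return { status: 403, reason: 'insufficient privileges' };
  }
  return null;
}

// Express middleware wrapper around authorize().
function kongJwtAuthz(flaggedCustomers) {
  return function (req, res, next) {
    const denial = authorize(req, flaggedCustomers, Math.floor(Date.now() / 1000));
    if (denial) return res.status(denial.status).json({ error: denial.reason });
    req.customerId = decodeJwtPayload(req.headers.authorization.slice(7)).customer_id;
    next();
  };
}

// Constructed test fixture: builds a token with a placeholder signature so the
// decode path can be exercised offline. Kong would reject it; it is not a
// valid credential for anything.
function makeTestToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Usage in an Express app (express itself is not needed to run this file):
//   const app = require('express')();
//   app.use(kongJwtAuthz(new Set(['cust-99'])));
//   app.get('/orders/:id', (req, res) => res.json({ customer: req.customerId }));
```

The decision logic lives in authorize() so it can be unit-tested with plain request objects; only the thin kongJwtAuthz() wrapper touches Express. The expiry check is deliberately repeated in the service even though Kong can enforce it, so the 10-minute revocation window holds regardless of gateway configuration.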

Conclusion

By implementing Kong Gateway with JWT authentication, we can effectively secure our microservices architecture while maintaining flexibility and control over access. This strategy not only enhances security but also simplifies the management of user permissions across our applications.