Authentication between microservices: Amazon API Gateway


Question

I have several microservices (Spring Boot) which I have hosted on AWS. For example, let's assume Service1 and Service2 are two microservices. Service1 is the microservice which is accessed by the frontend and mobile app. Service1 calls Service2. Service2 is completely internal.

I have set up Amazon API Gateway, which sits in front of Service1, and I have authentication (OAuth) configured using Cognito.

All this is working. When calling from frontend/app, the request needs to be authenticated with the API Gateway, before reaching Service1.

But my question is: if Service1 needs to communicate with Service2, what sort of authentication would be best suited, considering I am using AWS?

  1. Can I reuse the token generated by API Gateway, so that Service1 can forward it to Service2 in its request and somehow Service2 verifies this with the Gateway? Is it possible? If yes, is it a good idea?

  2. In some cases, Service1 communicates with Service2 without a request from the frontend/app (cronjob). In this case the communication doesn't go through API Gateway, hence there will be no token generated. How should I deal with this case?

I do not want to introduce OAuth authentication to authenticate between two internal microservices. I feel it's a bit of an overkill. Is there a better approach?

Answer

One option that works well is to have 2 levels of API:

  • Entry point APIs are exposed to the outside world and are protected by OAuth
  • Microservices are not OAuth protected and run in a locked-down virtual private cloud that only the entry point APIs can call

Eg:

  • Online Sales UI calls Online Sales API
  • Online Sales API calls Orders and Customers microservices

User context from the OAuth access token can be passed from entry point APIs to microservices - or the token itself can be forwarded

This also performs well and avoids too many calls to Cognito.
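As an added example, not code from the question or the answer (and plain Python rather than Spring Boot, to keep it self-contained): one way to pass the user context from the entry point API to an internal microservice is a signed context header. Assumptions: a shared secret (constructed here) known only to services inside the locked-down VPC, and that the entry point API has already validated the Cognito access token. The same header carries a service identity for the cronjob case where no user token exists, so the internal service never has to call Cognito itself.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (constructed for this example): a secret shared only between the
# entry-point API and the internal services inside the locked-down VPC.
SHARED_SECRET = b"constructed-shared-secret-do-not-use"
HEADER_TTL_SECONDS = 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_context_header(user_claims, caller, secret=SHARED_SECRET, now=None):
    """Entry-point API side. Called after the OAuth access token has already been
    validated at the edge; packages the user context (or a service identity for a
    cron job that has no user token) and signs it with HMAC-SHA256."""
    issued = int(time.time() if now is None else now)
    payload = {"caller": caller, "user": user_claims,
               "iat": issued, "exp": issued + HEADER_TTL_SECONDS}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_context_header(header, secret=SHARED_SECRET, now=None):
    """Internal microservice side. Returns the context dict if the signature is
    valid and the header has not expired, otherwise None. No call to Cognito is
    needed: trust comes from the shared secret and the locked-down network."""
    if "." not in header:
        return None
    body, sig = header.split(".", 1)
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    payload = json.loads(_unb64(body))
    if int(time.time() if now is None else now) >= payload["exp"]:
        return None
    return payload
```

The short TTL limits replay of a captured header, and the `caller` field lets the internal service log or restrict which entry point API made the call.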
