Should API gateway be responsible for authorisation?


Problem description

Currently I have a monolith application in Java/Spring Boot with the following endpoints:

  • /login
  • /logout
  • /some-resource

To access some-resource, the flow is as follows:

  1. The user makes a POST request to the /login endpoint. If the credentials are correct, a JWT token is returned in a header, otherwise a 401.
  2. The user sends the JWT token along with the request to /some-resource. If the token is valid, the resource is returned, otherwise a 403.

Now I want to split the monolith into 2 services: "AuthServer" and "SomeResourceServer". There will be an API gateway on top. I am thinking about 2 possible ways to handle authorisation.

Option 1

  1. The user makes a request to the /login endpoint. The API gateway forwards it to the "AuthServer". If the credentials are correct, a JWT token is returned in a header, otherwise a 401. - This step is the same
  2. The user sends the JWT token along with the request to /some-resource. The API gateway calls the "AuthServer" to validate the JWT token. If the token is valid, the API gateway calls "SomeResourceServer" and returns the results. Otherwise a 403.


Option 2

  1. The user makes a request to the /login endpoint. The API gateway forwards it to the "AuthServer". If the credentials are correct, a JWT token is returned in a header, otherwise a 401. - This step is the same
  2. The user sends the JWT token along with the request to /some-resource. The API gateway simply forwards the request to "SomeResourceServer". Then "SomeResourceServer" calls the "AuthServer" to validate the JWT token. If the token is valid, the resource is returned, otherwise a 403.


In Option 1 the API gateway is responsible for handling authorisation (communicating with the "AuthServer"); in Option 2 the communication is done between the servers. So which option is more correct? Are there any good/bad practices? Or maybe another way/option?

Recommended answer

You can strip off the authentication at the gateway and there is nothing wrong in doing so. There is a slight overhead on the gateway and this will not be a problem if

  1. you intend to make all your resources secure.
  2. you make sure that any call that reaches the resource service is from a secure zone, i.e. a request should not come directly to the service as it will not have any means to authenticate.
  3. No authorization. JWT tokens also have vital info about the roles which helps the application decide on the authorization. If it is OK for you to lose that bit of info, then that's fine.

However, you have one place to handle authentication, and if you strip the token from the call, depending on the number of hops this call has to make, this removal of the token may help you.

On the other hand, option II gives you the freedom that all your services are individually secured. If you want some of the resources of some of the services to be available anonymously, you can get that as well. You also have control over the authorization bit.

It's all about trade-offs. But I prefer the second approach as I have more freedom.

Having said that, you really don't need to make a call to the auth server to verify the JWT. JWT tokens can be verified independently if you have the public key of the signing authority.

Also, when requesting the resource, if the token is invalid the response code should be 401, and if the token is valid but the Principal is not authorized to access the resource, the response should be 403.
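The two points above, verifying the JWT locally with the signing authority's public key instead of calling the AuthServer, and answering 401 for an invalid token versus 403 for a valid token whose principal lacks the required role, as an added Go example that is not code from the question or the answer. The `Claims` shape, the `roles` claim and the role names are assumptions, and the RSA key pair is generated in-process to stand in for the AuthServer's signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Claims is the JWT payload; the roles claim is what the resource service authorizes on (assumed shape).
type Claims struct{ Roles []string `json:"roles"` }

var b64 = base64.RawURLEncoding
var jwtHeader = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) // only header accepted: pins alg to RS256

// MintJWT plays the AuthServer: sign header.payload with RS256 (PKCS#1 v1.5 over SHA-256).
func MintJWT(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c) // a struct holding only strings cannot fail to marshal
	input := jwtHeader + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// Authorize plays SomeResourceServer: verify with the AuthServer's public key alone (no network
// call), then check the role. 401 = invalid token, 403 = valid token but lacks the role, 200 = allowed.
func Authorize(pub *rsa.PublicKey, token, requiredRole string) int {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != jwtHeader { // wrong shape, or header/alg is not the pinned one
		return 401
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return 401 // forged, tampered, or signed by a key other than the AuthServer's
	}
	var c Claims // claims are trusted only after the signature check above
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return 401
	}
	for _, r := range c.Roles {
		if r == requiredRole {
			return 200
		}
	}
	return 403
}
```

Because the signature covers the payload, splicing a different payload under a real signature fails verification and is a 401, not a 403; only a token the AuthServer actually signed reaches the role check.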

The API gateway IMO should not have anything to do with Authorization (authentication, maybe), as it is something which is decided by the service and varies from service to service and resource to resource, and should be left for the services to take care of.

