Should API gateway be responsible for authorisation?


Question

Currently I have a monolith application with Java/Spring Boot with the following endpoints:

  • /login
  • /logout
  • /some-resource

To access some-resource, the flow is as follows:

  1. The user makes a POST request to the /login endpoint. If the credentials are correct, a JWT token is returned in a header, otherwise a 401.
  2. The user sends the JWT token along with the request to /some-resource. If the token is valid, the resource is returned, otherwise a 403.

Now I want to split the monolith into 2 services: "AuthServer" and "SomeResourceServer". There will be an API gateway on top. I am thinking about 2 possible ways to handle authorisation.

Option 1

  1. The user makes a request to the /login endpoint. The API gateway forwards it to the "AuthServer". If the credentials are correct, a JWT token is returned in a header, otherwise a 401. - This step is the same
  2. The user sends the JWT token along with the request to /some-resource. The API gateway calls the "AuthServer" to validate the JWT token. If the token is valid, the API gateway calls "SomeResourceServer" and returns the results. Otherwise a 403.


Option 2

  1. The user makes a request to the /login endpoint. The API gateway forwards it to the "AuthServer". If the credentials are correct, a JWT token is returned in a header, otherwise a 401. - This step is the same
  2. The user sends the JWT token along with the request to /some-resource. The API gateway simply forwards the request to "SomeResourceServer". Then "SomeResourceServer" calls "AuthServer" to validate the JWT token. If the token is valid, the resource is returned, otherwise a 403.


In Option 1 the API gateway is responsible for handling authorisation (communicating with "AuthServer"); in Option 2 the communication is done between the servers. So which option is more correct? Are there any good/bad practices? Or maybe another way/option?

Recommended answer

You can strip off the authentication at the gateway and there is nothing wrong in doing so. There is a slight overhead on the gateway and this will not be a problem if

  1. You intend to secure all the resources.
  2. You ensure that any call reaching the resource service comes from a secure zone, i.e. a request should not be able to go directly to the service, because the service has no way to authenticate it.
  3. There is no authorization. The JWT token also carries important information about roles that helps the application decide on authorization. If you can afford to lose that part of the information, that is fine.

However, you have one place to handle authentication, and if you strip the token from the call, then depending on the number of hops this call has to make, this removal of the token may help you.

On the other hand, option II gives you the freedom that all your services are individually secured. If you want some of the resources of some of the services to be available anonymously, you can get that as well. You also have control over the authorization bit.

It's all about trade-offs. But I prefer the second approach as I have more freedom.

Having said that, you really don't need to make a call to the auth server to verify the JWT. JWT tokens can be verified independently if you have the public key of the signing authority.

Also, when requesting the resource, if the token is invalid the response code should be 401, and if the token is valid but the Principal is not authorized to access the resource, the response should be 403.

The API gateway IMO should not have anything to do with Authorization (authentication maybe), as it is something which is decided by the service and varies from service to service and resource to resource, and should be left for the services to take care of.
