Gateway and secure microservices
![Page 1: Gateway and secure micro services](https://reader031.vdocuments.net/reader031/viewer/2022020314/58836d911a28ab536b8b692b/html5/thumbnails/1.jpg)
Gateway and Services
Jordan Valdma, TransferWise Partnerships Tech
Hi, I'm Jordan
● TransferWise Global Partnerships Engineering
● Estonian (too few words)
● MSc Data Sciences and Machine Learning
● Likes to organize events, hackathons, ...
This talk
● Intro to TransferWise microservices
● RESTful API design
● Microservice security
Brief history of what we have done
● Dark Ages - separation of the monolith: separate in-house and public web applications. Modular thinking.
● First microservices: beginning of life ...
● Age of Enlightenment - DevOps: people wake up: "Hey, I have a right to release!"
● Good night's sleep: don't have to worry about people hacking
● Baby boom of services: "It's so easy to make a ... service!"
● Modern ages: state-of-the-art tech, separate codebases
Designing RESTful API
TransferWise RESTful API
1. Starting point: internal API
   a. People were not satisfied with
   b. Non-standard (RPC, error handling, ...), couldn't give it out
2. Forming a focus group (strong stakeholders)
3. Designing the resource model:
   a. Base layer is flexible
   b. Orchestration layers on top
4. Design interfaces - collaborate - REPEAT
5. Implementation and tweaking
Tips for designing a RESTful API
● "Interfaces over meetings"
● Get the teams talking!!
● Get alpha partners to give feedback on interfaces
● Implement against it
● Swagger or similar
● Start thinking about dev support early.
Service Security
Gateway
● Single entry point
● Protocol translation
● Transformations
● (Auth)
OAuth 2 flows
● Authorization code
● Implicit
● Username and password (resource owner password credentials)
● Client credentials
Microservice auth - starting point (e.g. TransferService)

Client → Gateway:
curl /transfers -H "Authorization: Bearer $TOKEN"

Gateway → TransferService:
curl "/transfers/?createdByUserId={userId}"

Is token OK? Who is the user?
JSON Web Token (jwt.io)
Microservice auth - JWT (e.g. TransferService)

Client → Gateway:
curl /transfers -H "Authorization: Bearer $TOKEN"

Gateway (holds the JWT secret) → TransferService:
curl /transfers/ -H "Authorization: Bearer $JWT_TOKEN"

TransferService (holds the JWT secret): Is token OK? Who is the user?
→ Decode & validate JWT
Problems with JWT
● Cannot be revoked before it expires
● Can be intercepted and replayed
● Shared signing secret may get compromised
JSON Web Token + OAuth token (jwt.io)
Microservice auth - JWT + OAuth token (e.g. TransferService)

Client → Gateway:
curl /transfers -H "Authorization: Bearer $TOKEN"

Gateway → TransferService:
curl /transfers/ -H "Authorization: Bearer $JWT_TOKEN"

TransferService: Is token OK? Who is the user?
→ Decode JWT & validate OAuth token

TransferService → Authorization server:
curl "/check_token?token=$JWT_TOKEN"
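The three designs above (gateway passes a user id, gateway passes a shared-secret JWT, JWT carrying an OAuth token that the service re-checks with the authorization server) and the "cannot be revoked" problem, as an added example that is not code from the talk or from TransferWise. It assumes HS256 with one shared secret (the "JWT Secret" boxes), an in-memory stand-in for the authorization server's /check_token, and that the service re-checks the opaque OAuth token embedded in the JWT (the slide's curl passes the whole JWT; which token /check_token expects is an assumption here). All names (`mint_jwt`, `gateway_forward`, `AuthorizationServer`, the `oauth_token` claim) and the secret value are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret standing in for the "JWT Secret" held by gateway and TransferService.
JWT_SECRET = b"example-shared-secret-do-not-use"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(claims, secret):
    """Gateway side: sign the claims as a compact HS256 JWT (header.payload.signature)."""
    signing_input = f"{_json_b64({'alg': 'HS256', 'typ': 'JWT'})}.{_json_b64(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token, secret, now=None):
    """Service side: pin the alg, check the HMAC and expiry; return claims or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not three segments
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm (e.g. "none")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def is_valid(token, secret=JWT_SECRET, now=None):
    try:
        return bool(verify_jwt(token, secret, now))
    except ValueError:
        return False


def forge_payload(token, **changes):
    """Attacker model: rewrite claims but reuse the original signature; must fail verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = dict(json.loads(_b64url_decode(payload_b64)), **changes)
    return f"{header_b64}.{_json_b64(claims)}.{sig_b64}"


class AuthorizationServer:
    """In-memory stand-in (constructed) for the authorization server behind /check_token."""

    def __init__(self):
        self._tokens = {}  # opaque OAuth token -> user id

    def issue(self, user_id):
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = user_id
        return tok

    def revoke(self, tok):
        self._tokens.pop(tok, None)

    def check_token(self, tok):
        return self._tokens.get(tok)  # None when unknown or revoked


def gateway_forward(auth_server, opaque_token, ttl=300, now=None):
    """Gateway: validate the client's opaque token, mint the JWT for TransferService (token rides inside)."""
    user = auth_server.check_token(opaque_token)
    if user is None:
        raise PermissionError("gateway: invalid token")
    now = int(time.time() if now is None else now)
    return mint_jwt({"sub": user, "oauth_token": opaque_token, "iat": now, "exp": now + ttl}, JWT_SECRET)


def transfer_service_jwt_only(jwt_token, now=None):
    """JWT-only design: trust signature and expiry; revocation at the auth server is invisible."""
    return verify_jwt(jwt_token, JWT_SECRET, now)["sub"]


def transfer_service_jwt_plus_oauth(jwt_token, auth_server, now=None):
    """JWT + OAuth token design: decode the JWT, then validate the embedded token via check_token."""
    claims = verify_jwt(jwt_token, JWT_SECRET, now)
    user = auth_server.check_token(claims["oauth_token"])
    if user is None or user != claims["sub"]:
        raise PermissionError("service: OAuth token revoked or does not match JWT subject")
    return user


def run_scenario(now=1_700_000_000):
    auth = AuthorizationServer()
    opaque = auth.issue("user-42")
    jwt_token = gateway_forward(auth, opaque, ttl=300, now=now)
    before = (transfer_service_jwt_only(jwt_token, now), transfer_service_jwt_plus_oauth(jwt_token, auth, now))
    auth.revoke(opaque)  # logout: the JWT itself is unchanged and still unexpired
    after_jwt_only = transfer_service_jwt_only(jwt_token, now)  # still "user-42": JWT alone cannot be revoked
    try:
        after_combined = transfer_service_jwt_plus_oauth(jwt_token, auth, now)
    except PermissionError:
        after_combined = None  # rejected: the authorization server no longer knows the token
    return before, after_jwt_only, after_combined
```

`run_scenario()` returns `(("user-42", "user-42"), "user-42", None)`: after revocation the JWT-only service still accepts the token, while the combined design rejects it because /check_token no longer recognises the embedded OAuth token. The price is one authorization-server call per request, which is the trade-off the slides' third design makes.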
Tips for microservice security
● Anonymous JWTs
● Pain with authentication types
● Code grant for legacy token swap
Tips for gateways and services
● Domain-driven design
● Move on from testing infrastructure into staging as soon as possible
● Proxy Swagger upstream
● Decouple from the data source early!
● Keep your gateway lean
● Plan ahead for a multi-node setup