Microservices are one possible architectural choice when building scalable systems. With microservices we build many small components, focused on business use-cases, with clear interfaces between services. Components are designed to work in orchestration, each one being a part of the team, with most commonly used interface being REST API. With this in mind, we are faced with a challenge of implementing a security system that can follow this chosen architecture, without becoming a bottleneck. Also, the choice of REST API, as a specialization of HTTP protocol narrows down possible solutions to the problem.
In this talk we will first cover some theoretical aspects of security architectures. With security systems mostly focused on Identification, Authentication and Authorization, we will look into different implementations of security systems regarding these aspects.
Authentication systems will be roughly divided into three categories:
*Local (local user store)
*Distributed (NAS, LDAP, SQL-based)
*Delegated (Kerberos, OAuth2, SAML2)
Authorization is a process of deciding whether some action upon some target, by some entity, should be allowed. Authorization systems can roughly be divided into two groups:
*Target based (UNIX DAC, ACL,...)
*Subject based (RBAC, entitlements)
With this in mind and having microservices as platform to apply security to, we are faced with a challenge of choosing the right architecture, so that we harnes and not hinder the power of our chosen platform. We will argue that the best choice for the microservices architecture is delegated or token-based authentication. Given the most prevalent inter-service interface is REST API, we will look into OAuth2, SAML2 and OAuth2/JWT as authentication-authorization mechanism. With that in mind, we will show differences in authorization when using these three mechanisms. We will show some examples of using OAuth2 + JWT as token-based mechanism and see pros and cons of each approach. SAML2 being similar in some aspects to JWT will be briefly mentioned.