I hope this post fits in this community :)
I’m trying to wrap my head around how authentication works with micro services.
Say we have a system, with a frontend, that communicates with an API gateway, which in turn communicates with all the micro services.
As I understand it, we authenticate the client in the API gateway, and if we trust the client, the request are forwarded to the micro services.
However, what is stopping a malicious actor from bypassing the API gateway and communicating directly to the micro services ?
Do we solve this problem using a firewall, so only trusted traffic reaches the micro services ?
Or do we still have API keys between the API gateway and the micro services ?
Or is there a third way ? :)
All the articles I’ve read seem to assume, that we can trust all traffic entering the micro services
You hand out a token, often a json web token, to an authenticated user, which is then validated for each request. A token is basically a hall pass which is signed by your central authority. Depending on how “instant” removal of users needs to be, you sync with a central identity provider each time or you rely on short lived tokens.