This seems to be a hard answer to find: with the API gateway approach to microservices, does the JWT (or whatever token you're working with) that's sent to the gateway need to be passed to and from the other services it's acting on? Or are the services supposed to be behind a secure network that only the public gateway has access to? I'm trying to map out my first real take on this architectural approach and have had trouble finding support around this topic.

  • 0
    No. Internal network, or different, internal tokens.
  • 0
    @bagfox so you're saying either or, but keep it entirely within an internal network?
  • 2
    From what I understand:
    The browser or app sends a request to the gateway. The gateway sends it to the containers, and they process it and use the JWT to ensure that the user is authorized for the request.
  • 2
    Services should be internal and should not need to know about authentication. (You don't want to update all your services if you need to update your authentication scheme or add support for additional ones.)
  • 1
    @ItsNotMyFault damn that’s a great point.
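As an added example (not code from this thread), the pattern the replies describe: the gateway verifies the user's JWT once, then calls an internal service with a short-lived token signed by a key that only the gateway and the services hold, so the service never sees the external token and rejects anything that did not come through the gateway. HS256, the secrets, the `idp`/`gateway` issuer names and the `orders_service` are all constructed for the example.

```python
import base64, hashlib, hmac, json, time
EXTERNAL_SECRET = b"idp-shared-secret"    # constructed; shared by the identity provider and the gateway
INTERNAL_SECRET = b"gateway-only-secret"  # constructed; known only to the gateway and internal services

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT (used for the sample user token and the internal token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, issuer: str):
    """Return the claims if alg, signature, issuer and expiry all check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims.get("iss") != issuer or claims.get("exp", 0) <= time.time():
            return None  # wrong issuer or already expired
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    return claims

def orders_service(internal_token: str) -> str:
    """Internal service: accepts only short-lived tokens minted by the gateway."""
    claims = verify_jwt(internal_token, INTERNAL_SECRET, issuer="gateway")
    return f"200 orders for {claims['sub']}" if claims else "403 orders: not issued by the gateway"

def gateway_handle(external_jwt: str) -> str:
    """Edge: validate the user's JWT once, then call the service with an internal token."""
    claims = verify_jwt(external_jwt, EXTERNAL_SECRET, issuer="idp")
    if claims is None:
        return "401 gateway: invalid or expired user token"
    internal = sign_jwt({"iss": "gateway", "sub": claims["sub"], "exp": int(time.time()) + 30}, INTERNAL_SECRET)
    return orders_service(internal)

def demo() -> dict:
    good = sign_jwt({"iss": "idp", "sub": "alice", "exp": int(time.time()) + 60}, EXTERNAL_SECRET)  # constructed
    forged = sign_jwt({"iss": "idp", "sub": "alice", "exp": int(time.time()) + 60}, b"guessed-key")  # wrong key
    return {"valid": gateway_handle(good), "forged": gateway_handle(forged), "bypass": orders_service(good)}
```

The `bypass` case shows why the external token should not be forwarded as-is: a service that only trusts gateway-minted tokens refuses it even though it is a perfectly valid user JWT.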