Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Microservices at API Gateway using Cloud Native Solutions

Securing Microservices at API Gateway using Cloud Native Solutions

Authentication and authorization in a microservices environment is non-trivial to implement correctly. This becomes especially true when identity and authorization controls are distributed across different applications. There has been multiple cases where authorization controls implemented for one application was missed for another application with similar feature and data access resulting in a breach.

We present a solution along with a proof of concept implementation for the problem described above — To be able to perform authentication and authorization for microservices in the API Gateway itself.

Abhisek Datta

June 06, 2020

More Decks by Abhisek Datta

Other Decks in Technology


  1. About Me – Abhisek Datta • Head, Security Products (appsecco.com)

    • Application & Cloud Security • Kubernetes Cluster Security Assessments • TechWing @ null0x00 (null.co.in) • An Open Security Community • Security Researcher • Discovered vulnerabilities in enterprise software and credited with CVE • Open Source Contributor • https://github.com/abhisek @abh1sek
  2. 1. The need for centralized Authentication and Authorization 2. Understand

    the role of API Gateway as a Security Gate 3. Proof of Concept Implementation using Traefik as API Gateway and Open Policy Agent (OPA) for policy management and evaluation Key Take Away
  3. This is not an introduction to Microservices We will look

    at an approach for securing Microservices using API Gateway as a Security Gate Learn more about Microservices https://microservices.io/
  4. AuthN & AuthZ in Microservices Identity Provider Client Oauth2 +

    OIDC Reverse Proxy Identity (JWT) Services Authentication & Authorization Established Trust
  5. API Gateway How do the clients of a Microservices- based

    application access the individual services?
  6. 1. Authenticate a request 2. Authorize a request 3. Route

    the request to backend microservice AuthN and AuthZ in API Gateway
  7. • API Gateway • Traefik https://containo.us/traefik/ • Policy Management and

    Enforcement • Open Policy Agent https://www.openpolicyagent.org/ Our Choice of Technology
  8. Demo • This is a minimal proof of concept implementation

    for demonstration • It should not be considered for production use as is.
  9. • Use as a reverse proxy • Use dynamic configuration

    discovery • Routing and Load Balancing • Middlewares • https://docs.traefik.io/ Learning Traefik API Gateway
  10. • Introduction to Open Policy Agent • https://www.openpolicyagent.org/docs/latest/ • Rego

    Playground • https://play.openpolicyagent.org/ • Running Open Policy Agent (Lib/Server/Interactive) • https://www.openpolicyagent.org/docs/latest/#running-opa • Open Policy Agent for Kubernetes Admission Control • https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/ Learning Open Policy Agent
  11. • Proof of Concept Implementation • https://github.com/appsecco/opa-traefik-microservice-authz • Microservices Authorization

    using Open Policy Agent and Traefik (API Gateway) • https://blog.appsecco.com/microservices-authorization-using- open-policy-agent-and-traefik-api-gateway-ae30f3bf2846 Resources