320
CHAPTER 8 | Make secure .NET Microservices and Web Applications
CHAPTER 8
Make secure .NET Microservices and Web Applications
There are so many aspects of security in microservices and web applications that the topic could easily fill several books like this one. So, in this section, we'll focus on authentication, authorization, and application secrets.
Implement authentication in .NET microservices and web applications
It's often necessary for resources and APIs published by a service to be limited to certain trusted users or clients. The first step to making these sorts of API-level trust decisions is authentication. Authentication is the process of reliably verifying a user's identity.

In microservice scenarios, authentication is typically handled centrally. If you're using an API Gateway, the gateway is a good place to authenticate, as shown in Figure 9-1. If you use this approach, make sure that the individual microservices cannot be reached directly (without the API Gateway) unless additional security is in place to authenticate messages whether they come from the gateway or not.

Figure 9-1. Centralized authentication with an API Gateway
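The "additional security" the paragraph above calls for is simplest when each microservice validates the security token itself. The following is an added example, not code from the book: the Program.cs of an ASP.NET Core microservice that validates JWT bearer tokens issued by a security token service, so that a request which skips the API Gateway still has to present a valid token. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package; the STS address, the audience name and the endpoint paths are placeholders.

```csharp
// Added example, not from the book: Program.cs of a microservice that validates
// JWT bearer tokens itself. A request that reaches the service directly, without
// passing through the API Gateway, still has to carry a token the STS issued.
// Assumes the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The STS (Azure AD or a dedicated identity microservice). The handler fetches
        // the issuer's OpenID Connect metadata and signing keys from this address,
        // so tokens are verified cryptographically rather than trusted by origin.
        options.Authority = "https://sts.example.test"; // placeholder, not a real STS

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidAudience = "catalog-api",            // placeholder audience name
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),     // tighter than the 5-minute default
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: authentication must run before authorization and before the endpoints.
app.UseAuthentication();
app.UseAuthorization();

// Only the health probe is anonymous.
app.MapGet("/health", () => Results.Ok("healthy"));

// Business endpoints require an authenticated principal. Without a valid token the
// pipeline returns 401 before the handler runs, whichever network path the call took.
app.MapGet("/api/items", (ClaimsPrincipal user) =>
        Results.Ok(new
        {
            // The JWT handler maps the token's "sub" claim to this claim type by default.
            caller = user.FindFirstValue(ClaimTypes.NameIdentifier),
            items = new[] { "item-1", "item-2" }
        }))
   .RequireAuthorization();

app.Run();
```

With this in place the gateway can still be the single place where users log in, but the gateway is no longer the only thing standing between the network and the service: a token that is missing, expired, signed by the wrong issuer or minted for a different audience is rejected by the service itself.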
When the API Gateway centralizes authentication, it adds user information when forwarding requests to the microservices. If services can be accessed directly, an authentication service like Azure Active Directory or a dedicated authentication microservice acting as a security token service (STS) can be used to authenticate users. Trust decisions are shared between services with security tokens or cookies. (These tokens can be shared between ASP.NET Core applications, if needed, by implementing cookie sharing.) This pattern is illustrated in Figure 9-2.

Figure 9-2. Authentication by identity microservice; trust is shared using an authorization token

When microservices are accessed directly, trust (which covers both authentication and authorization) is carried by a security token issued by a dedicated microservice and shared between the microservices.
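Sharing trust between services with a security token, as Figure 9-2 describes, means the token the caller presented travels with each service-to-service call so that the downstream service can validate it against the same STS. The following is an added example, not code from the book, of an ASP.NET Core service that does this with a DelegatingHandler attached to a named HttpClient. It assumes JWT bearer authentication with its default SaveToken = true (which is what lets GetTokenAsync return the raw token); the STS address, audience and downstream service address are placeholders.

```csharp
// Added example, not from the book: propagating the caller's bearer token to a
// downstream microservice. The downstream service validates the same token against
// the STS, so neither service has to trust the other by network location alone.
// Assumes JWT bearer authentication with the default SaveToken = true, which makes
// the raw token retrievable via HttpContext.GetTokenAsync("access_token").
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Minimal inbound token validation for this service (placeholder STS and audience).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://sts.example.test"; // placeholder
        options.Audience = "ordering-api";              // placeholder
    });
builder.Services.AddAuthorization();

builder.Services.AddHttpContextAccessor();
builder.Services.AddTransient<BearerTokenPropagationHandler>();

// Named client for the downstream service; the propagation handler sits in its pipeline.
builder.Services
    .AddHttpClient("basket", client =>
        client.BaseAddress = new Uri("https://basket.internal.example.test")) // placeholder
    .AddHttpMessageHandler<BearerTokenPropagationHandler>();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/api/orders/basket", async (IHttpClientFactory factory) =>
{
    var client = factory.CreateClient("basket");
    // The outbound call carries the same Authorization header the caller presented,
    // so the basket service authenticates the original user, not the ordering service.
    using var response = await client.GetAsync("/api/basket");
    return Results.StatusCode((int)response.StatusCode);
}).RequireAuthorization();

app.Run();

// Copies the incoming request's bearer token onto every outbound request.
public sealed class BearerTokenPropagationHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;

    public BearerTokenPropagationHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var httpContext = _accessor.HttpContext;
        if (httpContext is not null)
        {
            // "access_token" is the name under which the JWT bearer handler saves the token.
            var token = await httpContext.GetTokenAsync("access_token");
            if (!string.IsNullOrEmpty(token))
            {
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            }
        }

        return await base.SendAsync(request, cancellationToken);
    }
}
```

Because the downstream service validates the propagated token's signature, issuer, audience and lifetime exactly as it would for a call arriving through the gateway, the authorization decision is bound to the user's identity rather than to which service happened to make the call.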