paint-brush
Securing APIS with JSON Web Tokens and an API Gatewayby@lunchbadger
1,756 reads
1,756 reads

Securing APIS with JSON Web Tokens and an API Gateway

by LunchBadgerMarch 21st, 2018
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

What are JSON Web Tokens? Why do they matter in the context of microservices architectural style?

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Securing APIS with JSON Web Tokens and an API Gateway
LunchBadger HackerNoon profile picture

What are JSON Web Tokens? Why do they matter in the context of microservices architectural style?

Glad you asked. There’s a lot to discuss when it comes to JSON Web Tokens, but let’s start with an overview of an API Gateway and then we’ll dive deep into JSON Web Tokens and how to get started (including a great new video tutorial).

Intro: API Gateways are at the heart of microservices

You’re probably wondering what is an API Gateway and why does it matter.

TLDR: It’s kind of a big deal.

Here’s a little secret on why: it straddles both the business side and technical side of your business. An API Gateway, by definition, is considered “middleware” because it sits between backend services, web and other external clients. The API Gateway executes this via a set of protocols and through a set of RESTful APIs.

So, it moves almost all of the the required logic from the client into the gateway which makes it much simpler to develop, secure, manage, and scale endpoints.

If you’re like Netflix or Google, the move to Microservices may not have been easy, but you can recognize the benefits of breaking down monolithic architecture into smaller, more manageable pieces. Your architecture would look a little something like this:

As you may already notice, it’s already messy and (at least on paper) looks a lot less secure and more difficult to connect to external resources given so many different touchpoints and complicated information routing.

Also, who wants to deal with all of that, when a major benefit of moving over to microservices was to make life easier and more flexible, yet secure at the same time?

This question touches on a very important point about strategies for growth at enterprise scale. Having a mess of microservices connecting at every touchpoint doesn’t meet typical enterprise criteria of building in a secure way. More touchpoints, more to monitor. More to monitor, more resources spent doing duplicative work that should just be straight forward. So what now?

By adding an API gateway, you can reorganize this relationship with external touchpoints, apps and APIs. Essentially, Secure your microservices in a way that allows you to build on your business logic at the same time as making life easier for engineers.

This new relationship is underscored by a single touchpoint, that you can secure, monitor and extend. As a basic industry standard, API Gateways handle authentication and authorization from the external APIs.

Scalable, efficient — what’s not to love about JSON Web Tokens (JWT) and OAuth?

However; there is more than one way to orchestrate this.

Another important aspect to JSON Web Tokens (JWT) is how you plan to initiate them. One side is to support JSON Web Tokens initiated by other identity servers, like Auth0.The other side is to actually initiate and manage the JWTs through our Identity Server. This is just as much about your security strategy as it is about your technical approach.

While there is no silver bullet, there are some advantages to the integration approach. There’s an excellent getting started story in setting up identity with Auth0 and plugging in to Express Gateway.

Why Managing your own identity server blows

This is why we baked one into Express Gateway from the start. So, there’s more opportunity to get started right out of the box without having to sign up for extra services. Additionally, Express Gateway can interface with your existing JWT provider as well.

Let’s just face some cold hard facts. Chiefly, no business requirements doc is going to say “set up an identity server that supports JWT.” The feedback we have gotten from the developer community is that most of the time, we all just imagine it already exists. So, if you’re working on a project and don’t have one…developers have to scramble to make some magic happen.

Also, it’s worth noting that reading the OAuth2 spec is…hard. Which also means that getting all the right details is an amazing feat which is not insurmountable, but takes time. When speed and agility matter, slowing down can make it seem worse.

It’s why there’s an entire product segment around this.

No, seriously. There is an entire set of products and companies that will knock this out of the park for you such as Ping Identity, Okta, and (our favorite) Auth0. Learn more about Auth0 and Express Gateway.

Still not feeling it?

We’ve had those in-between moments of realization where you just need to get it done. That’s where the internal support for JSON Web Tokens (JWT) will can come in handy. To help get you started, we’ve put together a video tutorial on setting up JSON Web Tokens initiated by other identity servers, like Auth0, and when you actually initiate and manage the JWTs through an Identity Server.

Get started with JSON Web Token Support in Express Gateway with this easy-to-follow How-To Video:

OR: You can also check out the more technical getting started guide in the release post detailing the latest updates.

Originally published at www.express-gateway.io, but shared here with extra notes, diagrams and special Medium editorial commentary.