Secure Service-to-Service Spring Microservices with HTTPS and OAuth 2.0

oktadev-blog · March 7, 2019, 2:13pm

You’ve built a microservices architecture, but have you secured your service-to-service communication? This post shows you how.

oktadev-blog · March 20, 2019, 10:14pm

Alex Saunin

Hi Matt, what could be the reason to make an additional basic security between microservices? I mean private-layer API calls.

oktadev-blog · March 25, 2019, 9:57pm

WonHee Jung

Your client calls microservice A, microservice A implementation might need to call microservice B internally to complete the original request and microservice B has oauth2 scope annotated on the API?

oktadev-blog · March 26, 2019, 3:16pm

Matt Raible

I’m not sure I understand your question. Are you asking why you should use HTTPS between your microservices?

oktadev-blog · March 26, 2019, 3:24pm

Alex Saunin

Probably I misunderstood your point here: https://developer.okta.com/…
What is the reason to implement basic auth for communication between microservices? I think HTTPS is enough for that.

oktadev-blog · March 26, 2019, 3:25pm

Alex Saunin

For that case JWT is required for sure

oktadev-blog · March 26, 2019, 3:53pm

Matt Raible

The configuration you mentioned is to secure communication between the Eureka server and microservices. Without this, any microservice can register with your Eureka server. You’re right, HTTPS is probably enough, but you can never be too secure IMO.

oktadev-blog · March 27, 2019, 10:59pm

Alex Saunin

Sure, but the KISS design principle is always in my mind )

oktadev-blog · November 15, 2020, 6:47pm

Christof Tinnes

Is the implementation above thread safe? There is a singelton rest template but injecting a request specific interceptor. Does this really work?

oktadev-blog · November 20, 2020, 9:55pm

Matt Raible

Worked for me!

oktadev-blog · January 8, 2021, 11:52pm

Christof Tinnes

Hi Matt,

I “works”. But the question is if it works in a productive setting under load as it is supposed to work.
IMHO the code is a severe security breach.
When to request from different users are handled at the same time, one gets the Bearer token of the other.
I don’t think that you want someone else to see your bank account by accident?
Can you please check again your code under load with different users to verify that no racing conditions will cause a swap of Bearer tokens? We don’t want that the code is copied by someone and goes into production unless it is secure.

I don’t know if RestTemplate handles these issues under the hood but I highly doubt it.