You’ve built a microservices architecture, but have you secured your service-to-service communication? This post shows you how.
Hi Matt, what could be the reason to make an additional basic security between microservices? I mean private-layer API calls.
Your client calls microservice A, microservice A's implementation might need to call microservice B internally to complete the original request, and microservice B has an OAuth2 scope annotated on the API?
I’m not sure I understand your question. Are you asking why you should use HTTPS between your microservices?
Probably I misunderstood your point here: https://developer.okta.com/…
What is the reason to implement basic auth for communication between microservices? I think HTTPS is enough for that.
For that case JWT is required for sure.
The configuration you mentioned is to secure communication between the Eureka server and microservices. Without this, any microservice can register with your Eureka server. You’re right, HTTPS is probably enough, but you can never be too secure IMO.
Sure, but the KISS design principle is always in my mind )
Is the implementation above thread safe? There is a singleton rest template but injecting a request-specific interceptor. Does this really work?
Worked for me!
It “works”. But the question is if it works in a production setting under load as it is supposed to work.
IMHO the code is a severe security breach.
When two requests from different users are handled at the same time, one gets the Bearer token of the other.
I don’t think that you want someone else to see your bank account by accident?
Can you please check your code again under load with different users to verify that no race conditions will cause a swap of Bearer tokens? We don’t want the code to be copied by someone and go into production unless it is secure.
I don’t know if RestTemplate handles these issues under the hood but I highly doubt it.
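The race the last commenters describe, as an added example that is not code from the original post or from Okta: a shared RestTemplate whose single interceptor resolves the caller's Bearer token at execution time from the thread-local SecurityContext, instead of appending a per-request interceptor with a captured token to the singleton. It assumes Spring Security's SecurityContextHolder and JwtAuthenticationToken; the unsafe pattern is only sketched in comments because the original post's exact code is not on this page.

```java
// Added example, not from the original post. Assumes Spring Security's
// SecurityContextHolder (thread-local per request thread) and the
// JwtAuthenticationToken from its OAuth2 resource server support.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.client.RestTemplate;

@Configuration
public class RestTemplateConfig {

    // UNSAFE pattern the commenters are worried about (sketch, not runnable):
    // on every call, an interceptor that has already captured *this* request's
    // token is appended to the singleton's shared interceptor list.
    //
    //   String capturedToken = ...;                       // token of request A
    //   restTemplate.getInterceptors().add((req, body, exec) -> {
    //       req.getHeaders().setBearerAuth(capturedToken); // replayed for request B
    //       return exec.execute(req, body);
    //   });
    //
    // Two concurrent requests race on that list, a later caller can send an
    // earlier caller's token, and the list grows with every call.

    // SAFE pattern: register ONE interceptor when the bean is created. It
    // captures nothing; the token is looked up at execution time from the
    // SecurityContext of the thread making the outbound call.
    @Bean
    public RestTemplate restTemplate() {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.getInterceptors().add(bearerTokenRelay());
        return restTemplate;
    }

    private ClientHttpRequestInterceptor bearerTokenRelay() {
        return (request, body, execution) -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth instanceof JwtAuthenticationToken) {
                String token = ((JwtAuthenticationToken) auth).getToken().getTokenValue();
                request.getHeaders().set(HttpHeaders.AUTHORIZATION, "Bearer " + token);
            }
            // No Authentication on this thread: send no credential rather than a stale one.
            return execution.execute(request, body);
        };
    }
}
```

The thread-local lookup only holds when the outbound call runs on the request's own thread; if the call is moved to another thread (e.g. @Async or a reactive scheduler) the SecurityContext must be propagated explicitly or the interceptor will find no token.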