Secure Service-to-Service Spring Microservices with HTTPS and OAuth 2.0

You’ve built a microservices architecture, but have you secured your service-to-service communication? This post shows you how.

Alex Saunin

Hi Matt, what could be the reason to make an additional basic security between microservices? I mean private-layer API calls.

WonHee Jung

Your client calls microservice A, microservice A implementation might need to call microservice B internally to complete the original request and microservice B has oauth2 scope annotated on the API?

Matt Raible

I’m not sure I understand your question. Are you asking why you should use HTTPS between your microservices?

Alex Saunin

Probably I misunderstood your point here: https://developer.okta.com/…
What is the reason to implement basic auth for communication between microservices? I think HTTPS is enough for that.

Alex Saunin

For that case JWT is required for sure

Matt Raible

The configuration you mentioned is to secure communication between the Eureka server and microservices. Without this, any microservice can register with your Eureka server. You’re right, HTTPS is probably enough, but you can never be too secure IMO.

Alex Saunin

Sure, but the KISS design principle is always in my mind )

Christof Tinnes

Is the implementation above thread safe? There is a singleton rest template but injecting a request specific interceptor. Does this really work?

Matt Raible

Worked for me! :slightly_smiling_face:

Christof Tinnes

Hi Matt,

It “works”. But the question is if it works in a productive setting under load as it is supposed to work.
IMHO the code is a severe security breach.
When two requests from different users are handled at the same time, one gets the Bearer token of the other.
I don’t think that you want someone else to see your bank account by accident?
Can you please check again your code under load with different users to verify that no race conditions will cause a swap of Bearer tokens? We don’t want the code to be copied by someone and go into production unless it is secure.

I don’t know if RestTemplate handles these issues under the hood but I highly doubt it.
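As an added illustration of the hazard Christof describes (example code written for this thread, not code from the original post, and not a claim about what that post's code does): a reconstruction of the unsafe "mutate the shared RestTemplate per request" pattern next to a thread-safe variant that resolves the caller's token at call time. It assumes Spring Web 5.1 or later and that the outbound call runs on the servlet request thread; the class and method names are hypothetical.

```java
// Added illustration (not the original post's code). Assumes Spring Web 5.1+.
import java.io.IOException;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

public class TokenRelayExample {

    // UNSAFE: the interceptor captures one caller's token and is installed on a
    // singleton shared by every request thread. Two concurrent callers race on the
    // interceptor list, so a call made on behalf of user B can be sent with A's token.
    static void unsafeRelay(RestTemplate shared, String callerToken) {
        shared.getInterceptors().clear();
        shared.getInterceptors().add((req, body, exec) -> {
            req.getHeaders().setBearerAuth(callerToken);
            return exec.execute(req, body);
        });
    }

    // SAFE: one stateless interceptor, registered once at startup. It reads the
    // Authorization header of the *current thread's* inbound request when the
    // outbound call is made, so no token is ever stored in shared state.
    static class RelayCurrentBearer implements ClientHttpRequestInterceptor {
        @Override
        public ClientHttpResponse intercept(HttpRequest req, byte[] body,
                                            ClientHttpRequestExecution exec) throws IOException {
            // Only populated on the servlet request thread; in @Async or reactive
            // code this is null and the call goes out without a token (fail closed).
            ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
            if (attrs != null) {
                String auth = attrs.getRequest().getHeader(HttpHeaders.AUTHORIZATION);
                if (auth != null && auth.startsWith("Bearer ")) {
                    req.getHeaders().set(HttpHeaders.AUTHORIZATION, auth);
                }
            }
            return exec.execute(req, body);
        }
    }

    // Build the shared bean once; it is safe to reuse across threads.
    static RestTemplate safeRestTemplate() {
        RestTemplate rt = new RestTemplate();
        rt.getInterceptors().add(new RelayCurrentBearer());
        return rt;
    }
}
```

A load test that fires concurrent requests as two distinct users and checks which token each downstream call received is the check Christof asks for; the unsafe variant will show cross-user tokens, the safe one will not.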