Security Patterns for Microservice Architectures

Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it.

Govner

What about token exchange?

https://tools.ietf.org/html…

Matt Raible

I wasn’t aware of this, so thanks for pointing it out.

This specification defines a protocol extending OAuth 2.0 that enables clients to request and obtain security tokens from authorization servers acting in the role of an STS. Similar to OAuth 2.0, this specification focuses on client developer simplicity and requires only an HTTP client and JSON parser, which are nearly universally available in modern development environments. The STS protocol defined in this specification is not itself RESTful (an STS doesn’t lend itself particularly well to a REST approach) but does utilize communication patterns and data formats that should be familiar to developers accustomed to working with RESTful systems.

Definitely looks useful, but it looks like it was just finalized in January. Do you know of any identity providers that support it?
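For readers unfamiliar with the protocol described in the abstract above, here is an added example of an RFC 8693 token exchange round trip, written for this page and not taken from the post, the comment thread, or any of the identity providers mentioned. It assumes a toy in-process STS whose token store is a plain dict (stand-in for signed JWTs), the constructed token value `tok-gateway-123`, and hypothetical service names `api-gateway` and `orders-service`. The point a microservice architect cares about is in the STS half: an edge token is exchanged for one scoped only to the downstream service, and the STS refuses any request that would widen scope.

```python
"""RFC 8693 OAuth 2.0 Token Exchange as a toy client/STS pair.

Added example, not part of the blog post or its comment thread. The STS and
the tokens are constructed stand-ins (a dict of claims instead of signed JWTs)
so the exchange runs offline; production deployments use a real identity
provider's token endpoint.
"""
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Token-type and grant-type URIs defined by RFC 8693.
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed token store: the STS "knows" this incoming token. A real STS
# would verify a signed JWT rather than look up an opaque value.
KNOWN_TOKENS = {
    "tok-gateway-123": {
        "sub": "alice",
        "aud": "api-gateway",
        "scope": "orders:read orders:write profile:read",
        "exp": time.time() + 600,
    }
}


def build_exchange_request(subject_token, audience, scope):
    """Client side: the form-encoded body POSTed to the STS token endpoint."""
    return urlencode({
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": TOKEN_TYPE_ACCESS,
        "requested_token_type": TOKEN_TYPE_ACCESS,
        "audience": audience,
        "scope": scope,
    })


def sts_token_endpoint(body):
    """STS side: validate the request and mint a down-scoped token.

    Returns (http_status, json_body). Error codes are the OAuth 2.0 ones
    RFC 8693 reuses for its error response.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != GRANT_TYPE_TOKEN_EXCHANGE:
        return 400, json.dumps({"error": "unsupported_grant_type"})
    if "subject_token" not in form or "subject_token_type" not in form:
        return 400, json.dumps({"error": "invalid_request"})
    claims = KNOWN_TOKENS.get(form["subject_token"])
    if claims is None or claims["exp"] < time.time():
        return 400, json.dumps({"error": "invalid_grant"})
    # Never widen privilege: the requested scope must be a subset of what
    # the subject token already carries.
    granted = set(claims["scope"].split())
    requested = set(form.get("scope", claims["scope"]).split())
    if not requested <= granted:
        return 400, json.dumps({"error": "invalid_scope"})
    new_token = "tok-" + secrets.token_hex(8)
    KNOWN_TOKENS[new_token] = {
        "sub": claims["sub"],
        "aud": form.get("audience", claims["aud"]),  # bound to one service
        "scope": " ".join(sorted(requested)),
        "exp": time.time() + 300,  # shorter lifetime than the edge token
    }
    return 200, json.dumps({
        "access_token": new_token,
        "issued_token_type": TOKEN_TYPE_ACCESS,
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": " ".join(sorted(requested)),
    })


def exchange_for_downstream(subject_token, audience, scope):
    """Client side: run the exchange and return the parsed success response.

    Raises PermissionError with the STS error code on any refusal.
    """
    request_body = build_exchange_request(subject_token, audience, scope)
    status, body = sts_token_endpoint(request_body)
    resp = json.loads(body)
    if status != 200:
        raise PermissionError(resp.get("error", "unknown_error"))
    if resp.get("issued_token_type") != TOKEN_TYPE_ACCESS:
        raise ValueError("STS returned an unexpected token type")
    return resp


if __name__ == "__main__":
    print(exchange_for_downstream("tok-gateway-123", "orders-service", "orders:read"))
```

The client code mirrors what a gateway does before calling a downstream service: present the token it received, name the downstream audience, and ask for only the scope that call needs. The check worth copying is the subset test in the STS: an exchange endpoint that lets a caller ask for more scope than the incoming token carries turns a delegation mechanism into a privilege escalation path.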

Govner

The spec is already implemented by Keycloak, Auth0, Ping, Azure AD …

Do you think you can push for this internally with Product Owner?

Matt Raible

Yes. I’ll do my best!

Mamta Sharma

What, Why and How of Container Security?

Cloud computing and agility on local machines have been evolving over the years with respect to the operating systems for running applications. Earlier, applications could only be run on the host operating system of a computer, but later virtual machines enabled us to run a guest OS on the host OS. Now we have containers, where all the required dependencies can be packed with the application, which enables us to run these applications without depending on the OS. In other words, developers can run an application configured on macOS on Windows just by running the container on Windows, and save their time by avoiding reconfigurations.