Tags: java, spring-boot, microservices, api-gateway

Microservices - Security Implementation


Is it better to handle security at a microservice level or at api-gateway level in microservice deployments? Are there scenarios where one would be more apt than the other?


Solution

  • From this article:

    A major benefit of using an API Gateway is that it encapsulates the internal structure of the application. Rather than having to invoke specific services, clients simply talk to the gateway.

    This simply means that clients talk to microservices through an API gateway, and that gateway handles all the requests that come in for any of the underlying services.

    So, I think that if you need to do any authorisation for a request, it is beneficial to do it at the API gateway itself, because this way an unauthorised request never reaches your service.

    But that can't be a complete solution either. Let's consider a service which actually authenticates a user. This service will always be accessed by users who haven't been authorised yet, so it makes sense to implement security for this service at the service level instead of at the API gateway.

    Also, consider a service which creates orders. What if any internal service can call this service and create an order, without requiring any token (or any other authentication process)? Now this problem can be solved in many ways, like:

    • Restricted network access to internal services, such that no service other than the API gateway can access this service.
    • Add/Proxy the security token (like a JWT) to all services and validate a request against that token in each of the services.

    Of course, this is a high-level overview; these are my thoughts, and I am willing to see what others have to say.
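As an added illustration (not part of the original question or answer, and written in Python rather than Spring Boot so it runs stand-alone), here is a small model of the two-layer approach the answer describes: the gateway rejects unauthenticated requests before they reach any service, the authentication service is deliberately reachable without a token, and the order service validates the propagated JWT again, so a direct internal call that skips the gateway is still refused. The HS256 secret, user table, paths and request dictionaries are constructed for this example and are not from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared HS256 secret; a real deployment loads it from a secret store,
# and every service that validates tokens needs the same key (or the issuer's public key).
SECRET = b"constructed-example-secret"

# Constructed user table. Plaintext passwords are for the demo only; real code stores hashes.
USERS = {"alice": "correct-horse-battery-staple"}

# The authentication endpoint is the one path the gateway lets through without a token.
PUBLIC_PATHS = {"/auth/login"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int, ttl: int = 300) -> str:
    """Mint a minimal HS256 JWT for `subject`, valid for `ttl` seconds from `now`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, now: int):
    """Return the claims if the token is well-formed, HS256-signed with SECRET and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error and JSONDecodeError are ValueErrors)
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm (e.g. "none")
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def _bearer(request) -> str:
    """Extract the bearer token from a request dict of the form {"path", "headers", "body"}."""
    auth = request.get("headers", {}).get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def auth_service(request, now: int):
    """Service-level security: no token required; it checks credentials itself and issues a token."""
    body = request.get("body", {})
    user = body.get("user")
    if user in USERS and USERS[user] == body.get("password"):
        return 200, {"token": issue_token(user, now)}
    return 401, {"error": "bad credentials"}


def order_service(request, now: int):
    """Validates the propagated token again, so a call that bypasses the gateway is still rejected."""
    claims = verify_token(_bearer(request), now)
    if claims is None:
        return 401, {"error": "order service: missing or invalid token"}
    return 201, {"order_for": claims["sub"]}


SERVICES = {"/auth": auth_service, "/orders": order_service}


def gateway(request, now: int):
    """Reject unauthenticated requests for non-public paths before they reach a service,
    then forward the request unchanged (Authorization header included) to the owning service."""
    path = request["path"]
    if path not in PUBLIC_PATHS and verify_token(_bearer(request), now) is None:
        return 401, {"error": "gateway: missing or invalid token"}
    service = SERVICES.get("/" + path.split("/")[1])
    if service is None:
        return 404, {"error": "no such service"}
    return service(request, now)
```

Calling `gateway({"path": "/orders", "headers": {}}, now)` is refused at the gateway, while calling `order_service` directly with the same request is refused by the service itself, which is the case the answer raises about internal callers. The validation deliberately pins the algorithm to HS256, compares signatures in constant time and checks `exp`, since a service that trusts the token's own `alg` header or skips expiry would undo the benefit of revalidating.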