I am fairly new to the concept of microservices and api gateways in general. I am trying to understand the role that an api gateway plays in a modern web application using many microservices. I have been reading the documentation and tutorials of express-gateway but am a bit confused on how a web application would perform authentication with an api gateway set up like express-gateway.
My web app would have multiple microservices that it would talk to. I thought that putting an API gateway in front of all my microservices would make it so that each microservice would not need to worry about whether a user/request is authenticated or not, because if the microservice was being talked to it meant that the api gateway had verified the request was a valid user. Is my understanding of this correct?
Assuming that my thought of the api gateway serving as a gatekeeper to other microservices is correct, my follow up question is with the specifics of how it is performed.
Does this mean that all user creation and authentication is performed by the api gateway? Meaning that I would have no custom user creation/login microservices? Or would I have a publically reachable through the api gateway custom user creation microservice which upon creation would itself create the user accounts within the api gateway? Is user information now duplicated by my microservice in a database somewhere and the express-gateway's own storage? I guess my general confusion is around does an api gateway take the role of authentication/user creation entirely away from a web app's own microservices, or do you still need both parts?
I thought that my own authentication microservice would first validate a user then work with the api gateway to generate a valid short lived token, but reading about creating user or app accounts for authentication in express-gateway has made me confused on the roles each play.
to have an overview of the role of an API Gateway in a microservice based solution, I suggest you to have a look to this presentation I did couple of months ago. That should clarify the things a little bit.
Is my understanding of this correct?
Yes, you got it. If you have a look to the video, you can actually see that concept in practice as well.
For the storage, that kind of depends.
Express Gateway offers a subset of identity services such as users, applications and credentials. They're good enough for most application usages but you might find yourself with the needs of using an external service, such as Auth0.
Now, features aside — where you store the data, it's up to you. You can keep some of the data in Express Gateway and some of it in your own database — or entirely in Express Gateway. There's not a good or bad strategy here.