On web applications, how do you ensure that the APIs/microservices of a multilayered application are protected, so that there are no unwanted (internal) calls coming from a journey that is not intended?
Assume a web-login API/webservice consuming a shared LOGIN service (backed by the IAM DB) that will generate a JWT token. On a normal journey the end user would start a purchase (e.g. buy credits), which triggers a more generic purchasing service (e.g. credits). Due to the nature of the business, LOGIN and WEB-LOGIN are tightly coupled, as are BUY-CREDITS and CREDITS; however, the WEB-LOGIN service should not be allowed to call the CREDITS service.
An option we thought about is that all services on the second layer (LOGIN and CREDITS) should implement a client-id/secret with their authorized caller. In the example this would prevent CREDITS from being called from WEB-LOGIN (red arrow), which is not a valid scenario, as WEB-LOGIN is unable to hijack the 'buy-credits' credentials.
Any thoughts are welcome, as I wasn't able to find a pattern for API security within the same border/application. I'm aware of the B2B pattern but not sure how (or if) it's applicable.
Using some kind of authorization between the layers seems sensible.
If you use API Manager, you could use one of the standard policies, like client-ID enforcement or JWT validation policies, that can be applied on top of your existing APIs without modifying them.
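The check both the question and the answer describe, as an added, stand-alone example that is not code from the original post or from any API manager product: each caller (WEB-LOGIN, BUY-CREDITS) holds its own client secret and mints a short-lived HS256 JWT whose `iss` is its client ID and whose `aud` is the service it is calling; each second-layer service (LOGIN, CREDITS) keeps an allow-list of callers and validates the token before serving the request. The service names, the secrets and the `ALLOWED_CALLERS` table are constructed for this example. Only the standard library is used, so the JWT is built and verified by hand rather than with a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed per-caller credentials (assumption for this example). In practice each
# secret is issued out of band by the IAM/API manager and lives only in that caller's
# secret store and in the verifier; WEB-LOGIN never sees BUY-CREDITS' secret.
CLIENT_SECRETS = {
    "web-login": b"web-login-secret-0123456789abcdef",
    "buy-credits": b"buy-credits-secret-0123456789abcd",
}

# The only legal edges in the post's topology: web-login -> login, buy-credits -> credits.
# The "red arrow" (web-login -> credits) is simply absent from this table.
ALLOWED_CALLERS = {
    "login": {"web-login"},
    "credits": {"buy-credits"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def mint_service_token(client_id: str, audience: str, now=None, ttl: int = 60) -> str:
    """Caller side: a token that names the caller (iss) and the target service (aud)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "aud": audience, "iat": now, "exp": now + ttl}
    return sign_jwt(claims, CLIENT_SECRETS[client_id])


def verify_service_token(token: str, service: str, now=None) -> dict:
    """Callee side: raise PermissionError unless an allowed caller minted this token for us."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise PermissionError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified (alg=none etc.).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    caller = payload.get("iss")
    # 1. Topology: is this caller allowed to reach this service at all?
    if caller not in ALLOWED_CALLERS.get(service, set()):
        raise PermissionError(f"{caller!r} may not call {service!r}")
    # 2. Proof of identity: signature must verify under the *claimed* caller's secret,
    #    so WEB-LOGIN cannot simply write iss=buy-credits into a token it signs itself.
    expected = hmac.new(CLIENT_SECRETS[caller], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    # 3. Audience and expiry: a token minted for LOGIN must not be replayed against CREDITS.
    if payload.get("aud") != service:
        raise PermissionError("wrong audience")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise PermissionError("expired")
    return payload


def call_allowed(token: str, service: str, now=None) -> bool:
    """Boolean wrapper a request middleware would use before dispatching to the handler."""
    try:
        verify_service_token(token, service, now)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    print(call_allowed(mint_service_token("buy-credits", "credits", now=t), "credits", now=t))  # True
    print(call_allowed(mint_service_token("web-login", "credits", now=t), "credits", now=t))    # False (red arrow)
```

Two points a practitioner would want alongside this. The check has to run in the callee (or in a gateway that fronts it), never only in the caller, because the caller is precisely the component you do not trust to stay on its journey. And with HMAC the verifier must hold every caller's secret, so CREDITS ends up holding WEB-LOGIN's secret too; once more services join, asymmetric signing (RS256/ES256, verifier holds only public keys) or mTLS with per-service certificates removes that shared-secret sprawl while keeping the same allow-list logic.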