I'm investigating microservices architecture and now focusing on the api gateway along with security.
I found out that there are two different approaches:
1- Where authentication is outside of the gateway, meaning, the user
2- Another way is to have everything behind the gateway, which means, user
And while some might speak about the 2nd approach, I can't seem to find any actual implementation or detailed description. Which makes me wanna ask ... why?
If I'm following a microservices design, I would naturally have the 2nd implementation, but no ... everyone appeared to be using the 1st one.
According to what I've read, yes, it takes more efforts since you'd have to reroute the necessary authentication and authorization endpoint, but is that it? Aren't there any other reasons which would make us favor the 1st one rather the 2nd one?
Any insights?
The second option is the most common. And you're right. If you don't need to redirect the user, don't.
Before microservices, all of the 'services' were different routes within a single application. The application routed user traffic to the right place.
Putting a gateway in the middle is abstracting that first level router from the single application to its own application.
People who talk about authentication flows that use different user-visible targets (urls) are solving common problems. 3 reasons I can think of:
Example, take a service like Google Oauth or Okta SAML - you need to login on their domain, and you need a way to get the token
back to your domain. Since you can't see google.com or okta.com cookies on yoursite.com, the external flows are necessary. This is often the case as companies add products that have different domains.
Google products redirect a few times every time you login. They are doing cookie management from accounts.google.com to gmail.google.com and keeping google.com cookies isolated the whole time. However, you're hitting the same google load balancer every time (or you theoretically you could).