MicroSvcs_Security

Security

Cons:
- Sticky session binds a session to a server. If the server goes down or needs to be maintained.
- Sticky session needs to store session data in load balancer.
Possible solutions:
1. Session synchronization by replicating across web servers
2. Store session data completely inside users' browser
  - Cons: Limited size of cookie
3. Store session data in a shared storage

Pros:
- Encapsulate everything related with token issuing
- Introduce the concept of token, which could be passed around between services
Cons:
- Services need to implement the logic to validate the token.
- All services need to talk to authSvc, which might become a performance bottleneck.
- All requests need to be verified via auth service.

Pros:
- Gateway centralizes the logic of parsing userInfo. Only gateway need to validate the token with auth service.
Cons:
- All requests need to be verified via auth service. Auth service needs to be maintained and scaled in a manageable way.

Pros:
- Compact and lightweight
- Low pressure on Auth server
- Simplify the implementation of auth server
Cons:
- Could not invalidate a JWT token if it has been leaked
- JWT might become big

Identity-aware proxy is a reverse proxy that allows either public endpoints or checks credentials for protected endpoints. If the credential is not presented but required, redirect the user to an identity provider. e.g. k8s ingress controller, nginx, envoy, Pomerium, ory.sh/oathkeeper, etc.
Identity provider and manager is one or a few services that manage the user identity through certain workflows like sign in, forgot password, etc. e.g. ory.sh/kratos, keycloak
OAuth2 and OpenID Connect provider enables 3rd-party developers to integrate with your service.
Authorization service controls who can do what.

https://medium.com/@chamod.14_80003/token-caching-wso2-api-manager-5c5b3d6ddd09
https://www.pingidentity.com/en/company/blog/posts/2021/ultimate-guide-token-based-authentication.html