Scribd Logo
Upload

Welcome to Scribd!

  • Implementing Security With API Gateway and BFF Patterns Slides

    Uploaded by

    trushen
    51 views27 pages

    Original Title

    Implementing Security With API Gateway and Bff Patterns Slides

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    51 views27 pages

    Implementing Security With API Gateway and BFF Patterns Slides

    Uploaded by

    trushen

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 27

    Implementing Security with API

    Gateway and BFF Patterns

    Kevin Dockx
    ARCHITECT

    @KevinDockx https://www.kevindockx.com
    t
    h
    s

    Exploring the API gateway


    Coming Up - API gateway security pattern

    Using Ocelot and integrating it with our


    identity service

    Passing user information downstream


    The backend-for-frontend pattern
    API gateway
    An API management tool that sits between one or more
    client applications and one or more APIs
    Exploring the API Gateway

    Identity

    A
    P
    I
    Event catalog
    g
    a
    GloboTicket t
    client e
    w Shopping basket Discount
    a
    y
    Common API Gateway Tasks

    Service discovery and aggregation

    Rate limiting

    Monitoring usage, analytics, logging

    Caching

    Handling security
    s
    h
    s

    An API gateway
    Exploring the - Decouples the client from the backend
    implementation
    API Gateway
    - Takes away responsibilities
    A Common API Gateway Security Pattern

    { aud: “globoticketgateway” } Identity private network


    A
    P
    I

    g Event catalog
    a
    t
    GloboTicket
    client e
    w
    Shopping basket Discount
    a
    y
    HTTPS everywhere
    HTTPS isn’t just for the outside world. It’s also for your
    internal, private network, cloud-based or otherwise.
    s
    h
    s

    A very simple ASP.NET Core project that


    passes through requests can be considered
    a bare-bones API gateway
    Introducing
    On Azure, Azure API Gateway is a very
    Ocelot good option
    - https://azure.microsoft.com/
    en-us/services/api-management
    s
    h
    s

    Ocelot is an open source .NET Core based


    API gateway
    - Consists of a set of middleware that
    handles common tasks related to API
    gateways
    - https://ocelot.readthedocs.io
    Identity Service Location

    Identity private network


    A
    P
    I

    g Event catalog
    a
    t
    GloboTicket
    client e
    w
    Shopping basket Discount
    a
    y
    Identity Service Location

    private network

    Identity
    Event catalog
    API
    gateway
    GloboTicket
    client

    Shopping basket Discount


    s
    h
    s

    Identity
    You identity service is used across your
    Service application landscape
    Location
    Identity Service Location

    One gateway Multiple Backend-for- Other


    across all APIs gateways for frontend API approaches
    multiple sets of gateways
    APIs
    s
    h
    s

    Identity You identity service is used across your


    Service application landscape
    - Don’t tie it to one API gateway
    Location
    Introducing Ocelot

    Identity private network


    A
    P
    I

    g Event catalog
    a
    t
    GloboTicket
    client e
    w
    Shopping basket Discount
    a
    y
    t
    h
    s

    Demo

    Adding Ocelot
    t
    h
    s

    Demo
    Integrating Ocelot with our identity
    service
    s
    h
    s

    Currently, the access token is not verified


    downstream as that’s not the responsibility
    of the microservice in our approach
    Passing User
    But…
    Information to
    - We can trust the user at level of the
    a Microservice gateway
    - We can pass that information
    downstream via request headers
    t
    h
    s

    Demo
    Passing user information to a
    microservice
    The Backend-for-frontend Pattern

    One gateway Multiple Backend-for- Other


    across all APIs gateways for frontend API approaches
    multiple sets of gateways
    APIs
    Backend-for-frontend (BFF)
    A layer between the user experience and the resources it
    calls on, catered to each specific user experience
    The Backend-for-frontend Pattern
    private network
    GloboTicket event
    manager client

    B
    F
    F

    Event catalog

    Identity

    B
    F
    GloboTicket
    F Shopping basket Discount
    general client
    s
    h
    s

    A backend-for-frontend is often an API


    The Backend- gateway in its own right
    for-frontend - The BFF becomes the API gateway
    catered to a specific client or user
    Pattern experience
    t
    h
    s

    An API gateway is an API management


    Summary tool that sits between one or more client
    applications and one or more APIs
    - Service discovery and aggregation,
    monitoring, monetization, logging,
    rate limiting, … and security

    Ocelot is an open source API gateway


    based on .NET Core
    t
    h
    s

    Gateway security pattern


    Summary - Check authentication and authorization
    at level of the gateway
    - Microservices are not responsible for
    checking incoming tokens
    - Everything behind the API gateway is
    secured on another level than
    application level
    t
    h
    s

    Ocelot specifics
    - Secure routes to microservices by
    Summary letting Ocelot check the incoming token
    - Pass information to each microservice
    via request headers

    A backend-for-frontend is a backend
    catered to a specific user experience
    - It can be implemented as an API
    gateway

    You might also like