When exposing an application, consider an #APIGateway to protect it from attacks. Rate Limiting comes to mind first, but it shouldn’t stop there. We can factor many features in the API Gateway and should be bold in moving them from our apps. In this post, I’ll show how to implement authentication at the Gateway API stage.

https://blog.frankel.ch/authentication-api-gateway/

#authentication #keycloack #SpringSecurity #SystemArchitecture

System architecture: move authentication to the API Gateway

When exposing an application to the outside world, consider a Reverse-Proxy or an API Gateway to protect it from attacks. Rate Limiting comes to mind first, but it shouldn’t stop there. We can factor many features in the API Gateway and should be bold in moving them from our apps. In this post, I’ll show how to implement authentication at the Gateway API stage.

Overall authentication flow

The API Gateway doesn’t authenticate but delegates authentication to an authentication

A Java geek
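The split the post describes, as an added example that is not code from the linked blog post, from APISIX or from Keycloak: an authentication server mints tokens, the API Gateway validates them and forwards only the verified identity, and the upstream app carries no authentication logic of its own. The issuer, audience, header names, shared key and gateway secret are all constructed for this demo, and HS256 with a shared key is used only to keep it self-contained; a real gateway would verify the identity provider's RS256/ES256 signature against its published JWKS.

```python
"""Gateway-side authentication in front of an app that does none itself.

Added example; names, key and secrets below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "https://auth.example.internal/realms/demo"   # hypothetical issuer
AUDIENCE = "api-gateway"                                # hypothetical audience
SIGNING_KEY = b"demo-shared-key-do-not-reuse"           # constructed key
GATEWAY_SECRET = "gw-internal-7f3a"                      # constructed secret
SUBJECT_HEADER = "X-Authenticated-Subject"               # hypothetical header
INTERNAL_HEADER = "X-Gateway-Secret"                     # hypothetical header


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Authentication server side: mint an HS256 JWT for an already verified user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Gateway side: return claims only if alg, signature, iss, aud, sub and exp check out."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:          # wrong segment count, bad base64, bad JSON or UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":   # pin the algorithm: no "none", no key confusion
        return None
    expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("sub"), str):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def upstream(headers: dict) -> Tuple[int, str]:
    """The protected app: no token handling, trusts only identity set by the gateway."""
    if headers.get(INTERNAL_HEADER) != GATEWAY_SECRET:
        return 403, "direct access refused"
    return 200, "hello " + headers.get(SUBJECT_HEADER, "anonymous")


def gateway(headers: dict, now: Optional[int] = None) -> Tuple[int, str]:
    """Gateway: authenticate the bearer token, then forward with the verified subject."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    # Drop anything the client sent that the upstream would otherwise trust.
    forwarded = {k: v for k, v in headers.items()
                 if k not in (SUBJECT_HEADER, INTERNAL_HEADER, "Authorization")}
    forwarded[SUBJECT_HEADER] = claims["sub"]
    forwarded[INTERNAL_HEADER] = GATEWAY_SECRET
    return upstream(forwarded)


if __name__ == "__main__":
    token = issue_token("alice")
    print(gateway({"Authorization": "Bearer " + token}))
    print(gateway({SUBJECT_HEADER: "admin"}))      # spoofed identity, no token
    print(upstream({SUBJECT_HEADER: "admin"}))     # bypassing the gateway
```

The part that makes this safe to move out of the app is the last function pair: the gateway strips any client-supplied identity header before setting its own, and the upstream refuses requests that did not pass through the gateway. In a deployment the internal-secret header stands in for what should really be network isolation or mTLS between gateway and upstream; if the app stays reachable directly, the authentication has not moved, it has been removed.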

@frankel An API gateway seems to be a good component to handle authentication, rate limiting, and similar cross cutting concerns.

But some also suggest to handle e.g. input validation of individual endpoints in API gateway. This feels wrong to me.

So my rule of thumb: Only move stuff to API gateway if it is shared by several endpoints.

Do you agree?

@steinchen That’s a good question, but I’m not sure I’d agree. I’d move authentication and caching anyway for example.

I’m willing to discuss further as it’s gut feeling on my side, but I’d like to express the reasons explicitly and I’m not able at this point 🤔

@frankel I never heard of Apache APISIX before, this article was really helpful. Thank you!
@adilarif Happy to help! Let me know if you have questions