Introduction
JASMIN (Jwt Authentication Server & Microservice INterceptor) is a JWT Resource Server designed for authenticating communication between microservices.
Tech Used
- MariaDB - for API Key and its scope lookup.
- Spring Boot - the Java library used to develop the Authentication Server and the Interceptor Library.
JASMIN Sequence Diagram

Problem Description
A microservice ecosystem might not need to secure the APIs within it at first, but once the ecosystem grows to the point where multiple teams take part in development across domains, the project may not want certain features to be exposed to another team.
Imagine a scenario where the following teams exist within your project:
- Critical Data Management Team - handling sensitive information of users, such as identifications.
- Content Management Team - handling content that might be readily available to the public, such as user posts.
Reasonably, the Content Management Team might not need full access to some critical data to perform its function.
As such, JASMIN is created to meet the following criteria:
- Microservices should follow the principle of least privilege.
- Microservice access should be audited.
- Microservice authentication must happen upon startup; a microservice must fail to start if it cannot authenticate itself.
- Microservice authentication can be disabled within the service itself for testing (testing downstream APIs may require mocking the request/response).
Solution
JASMIN solves the following:
| Problem | Solution | Status |
|---|---|---|
| Microservices should follow the principle of least privilege. | APIs are onboarded without scopes. | APIs are added to a scope as a whole. A better implementation might be to onboard a specific set of API endpoints, providing further security while retaining flexibility. |
| Microservice access should be audited. | JASMIN will log the scope update, along with the evidence that such APIs are approved by the providing team. | Auditing is not yet implemented. |
| Microservice authentication must happen upon startup; a microservice must fail to start if it cannot authenticate itself. | An Interceptor Library is created for each microservice. | Already implemented via Interceptors. |
| Microservice authentication can be disabled within the service itself for testing (testing downstream APIs may require mocking the request/response). | JASMIN can be disabled via its configurations.* | Implementation dictates that if JASMIN is disabled, the downstream API must also have JASMIN disabled (or no integration with JASMIN at all). This applies especially to integration test cases. |
* JASMIN configurations can be found in the sidebar.
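The startup authentication and the configuration switch from the table, as an added Spring Boot illustration that is not JASMIN's own code. It assumes a JASMIN token endpoint `POST {jasmin.url}/auth/token` taking `{"apiKey": ...}` and returning `{"token": "<jwt>"}`, and the property names `jasmin.enabled`, `jasmin.url` and `jasmin.api-key`; all of these are assumptions for the example.

```java
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

// Added example, not JASMIN's own code. The endpoint /auth/token, its
// {"apiKey"} request and {"token"} response, and the jasmin.* property
// names are assumptions made for this illustration.
@Component
public class JasminStartupAuthenticator implements ApplicationRunner {
    private static final Logger log = LoggerFactory.getLogger(JasminStartupAuthenticator.class);
    @Value("${jasmin.enabled:true}") private boolean enabled; // assumed property
    @Value("${jasmin.url:}") private String jasminUrl;        // assumed property
    @Value("${jasmin.api-key:}") private String apiKey;       // assumed property
    private final RestTemplate rest = new RestTemplate();
    private volatile String token; // JWT proving this service's identity and scope
    @Override
    public void run(ApplicationArguments args) {
        if (!enabled) {
            // Test-only switch: downstream services must then run with JASMIN disabled too.
            log.warn("JASMIN disabled by configuration; outbound calls will carry no token");
            return;
        }
        try {
            ResponseEntity<Map> resp = rest.postForEntity(
                    jasminUrl + "/auth/token", Map.of("apiKey", apiKey), Map.class);
            Object jwt = resp.getBody() == null ? null : resp.getBody().get("token");
            if (jwt == null) {
                throw new IllegalStateException("JASMIN returned no token");
            }
            token = jwt.toString();
        } catch (RuntimeException e) {
            // Fail fast: throwing here aborts Spring Boot startup, so a service that
            // cannot prove its identity never serves traffic.
            throw new IllegalStateException("JASMIN authentication failed; refusing to start", e);
        }
    }
    // Token to send as a Bearer header on calls to other JASMIN-protected services.
    public String token() { return token; }
}
```

An exception thrown from an `ApplicationRunner` makes `SpringApplication.run` fail, which is what gives the fail-to-start behaviour the criteria require.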
Notes to consider
- Use JASMIN in conjunction with your Authentication Server of choice. This will ensure that:
  - JASMIN is a security layer among your microservice ecosystem.
  - The chosen Auth Server is a security layer between your ecosystem and the outside world.
- JASMIN does not support endpoint-based scopes as of writing. The author will research this at some time.
Using a Gateway (Spring Cloud Gateway) is also a recommended approach to expose the microservice ecosystem integrated with JASMIN.
The next steps will show you how to integrate JASMIN with your microservice ecosystem.