Chapter 2. Access Control for Microservices

APIs make application integration simple. A web browser or a curl command is all you should need to try out an endpoint. No complex libraries, no code-generated SDKs, not even a compile—just the basic architecture and infrastructure of the web. This elimination of barriers and friction, more than any other reason, is why developers love APIs.

But you can take the web model too far, and this is especially true for security. APIs bring some complex challenges in trust and identity that demand a more sophisticated approach than the conventional web has to offer. Protocols like OAuth and OpenID Connect, practices such as service throttling—these were all responses to the unique challenge of API security.

Microservices add another layer of complexity with unique security demands. Containers, ephemeral instances, runtime service discovery, the focus on re-use across many apps—these factors conspire to make microservices security hard. Until now, there have been few guides describing how to secure modern microservices.

The goal of this chapter is to help architects and developers better understand where they are investing their trust. This chapter does not go into the details of how to set up each technology, as this is beyond the scope of this book and better dealt with using the most up-to-date materials for your implementation. Instead, it illustrates why a technology exists so that you apply it correctly in your own microservices architecture. ...
