I would like to use mTLS to protect microservices instead of Open ID Connect.
As I understand it, mTLS encrypts the communication between two services via an SSL handshake.
However, can I use mTLS as an authentication mechanism instead of protecting services through OpenID Connect?
CodePudding user response:
You can use mTLS as an infrastructure security solution between microservices, but it will have limitations, and will not be able to manage user level security. So it depends on who the clients of your microservices are, and how you need to authorize API requests.
USER LEVEL SECURITY
This is where OAuth and OIDC are used, and often there is a web or mobile app as a client:
- The client runs a code flow and gets tokens
- The client sends an access token to microservices
- Microservices receive a JWT access token that identifies the user
- Microservices can forward this to other microservices when required
Because of the user identity in the access token, the API can perform user level authorization, e.g. to ensure that a user can only view their own purchase history.
COMBINING mTLS AND OAUTH
It is common to combine these two building blocks, and security standards / regulations sometimes require this. See this financial-grade security overview for some example scenarios.
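The following is an added example, not code from the answer above or from any product it references. It shows the microservice side of the flow the answer describes: validate the JWT access token (algorithm pinned, signature, iss, aud, exp), then apply user level authorization from the sub claim so a caller can only read their own purchase history, and, for the "combining mTLS and OAuth" case, check a certificate-bound access token (the RFC 8705 cnf.x5t#S256 claim) against the client certificate presented on the mTLS connection. Assumptions: a constructed HS256 shared key, issuer, audience, purchase data and "certificate" bytes stand in for a real authorization server, JWKS endpoint and DER certificate.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not a real deployment): a shared HS256 key
# known to the authorization server and this microservice, plus the issuer and
# audience the microservice expects. Production setups normally use RS256/ES256
# with public keys fetched from the authorization server's JWKS endpoint.
AS_SIGNING_KEY = b"constructed-example-key-do-not-use"
ISSUER = "https://as.example.com"
AUDIENCE = "purchases-api"

# Constructed sample data: purchase history keyed by user id (the JWT 'sub' claim).
PURCHASES = {"alice": ["order-1001", "order-1007"], "bob": ["order-2002"]}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = AS_SIGNING_KEY) -> str:
    """Stand-in for the authorization server: mint an HS256 JWT access token."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, now: int, key: bytes = AS_SIGNING_KEY) -> dict:
    """Microservice side: validate signature and standard claims before trusting
    anything in the token. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token must never choose it (rejects alg=none and
    # algorithm-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        raise ValueError("token not intended for this API")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a DER certificate, base64url encoded (RFC 8705)."""
    return b64url(hashlib.sha256(cert_der).digest())


def cert_binding_ok(claims: dict, presented_cert_der) -> bool:
    """Certificate-bound access token check: if the token carries cnf.x5t#S256,
    the mTLS client certificate on this connection must have that thumbprint."""
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return True  # token is not certificate-bound; nothing to compare
    return presented_cert_der is not None and hmac.compare_digest(
        cert_thumbprint(presented_cert_der), bound)


def handle_purchase_history(token: str, requested_user: str,
                            client_cert_der: bytes = None, now: int = None):
    """GET /users/{requested_user}/purchases. Returns (http_status, body)."""
    now = int(time.time()) if now is None else now
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return 401, {"error": "invalid_token", "detail": str(err)}
    if not cert_binding_ok(claims, client_cert_der):
        return 401, {"error": "invalid_token", "detail": "certificate binding mismatch"}
    if "purchases:read" not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}
    # User level authorization: the identity in the token decides what is
    # visible, regardless of which client or upstream service sent the request.
    if claims.get("sub") != requested_user:
        return 403, {"error": "forbidden"}
    return 200, {"user": requested_user, "purchases": PURCHASES.get(requested_user, [])}


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                       "scope": "purchases:read", "exp": now + 300})
    print(handle_purchase_history(tok, "alice"))  # alice's own history
    print(handle_purchase_history(tok, "bob"))    # 403: not her data
```

Note that mTLS on its own tells the service which client certificate was presented, which is why it authenticates the calling workload but not the end user; the sub and scope checks above are only possible because the OAuth access token carries that user context, and the cnf check is what ties that token to the mTLS identity when both building blocks are combined.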