Will this Authentication/Authorization Architecture for Microservices work?

Time:12-25

I'm designing a microservices-based architecture. The architecture should support multiple devices accessing the API.

In order to secure the internal Resource APIs, I wanted to implement authentication and authorization based on JWTs and Refresh Tokens.

My requirements are:

  1. Preventing an attacker from using XSS to steal the user's token
  2. Preventing CSRF attacks
  3. In-bounds security: even if the attacker can send requests to the internal Resource APIs, he can't do anything without a signed JWT
  4. Managing users (Authentication and Permissions) via a single internal Users API
  5. The tokens can be revoked at any time
  6. Support Multi-Factor Authentication via TOTP

This is what I came up with:

(architecture diagram)

A few details:

  1. The JWTs are really short-lived (30 seconds)
  2. The Internal API Gateway will include an endpoint (login) for converting username, password, and TOTP passcode to a new refresh token via the Users API.

Will this architecture actually work? Will it be secure? Thank you very much!
