How to implement a single secure RESTful API layer for both web client and micro-services

Time:08-03

I am currently implementing an API project using express-js. There are multiple clients for the API. This includes a front-end web app and some backend services.

I am looking at using normal session-based management for authentication using express-session. I am preferring this over JWT since session-based secure cookies are easier for many use cases which I would need:

  1. Ability to revoke user access from server side
  2. Allow only single active web session for a user

I am sure I can maintain a separate persistence table with userid, refresh_token and access_token to achieve the above. It's just that session-based gives me these straightforwardly.

Now when it comes to my daemon services, I would still like them to go via API route. This will be more like Client Credentials Flow. Since these are non-http clients, cookies will not be supported.

I am not sure how my app's APIs can continue to support both of them?

The only option I have now, based on readings from various blog sources, is to use JWT in the cookies for the web front end and JWT as a bearer token in the header.

This means that

  1. I will need to implement all the security mechanisms like token black-listing, regenerating refresh_token etc.
  2. I will potentially lose out on main benefit of JWT of statelessness.

What are the options I have to ensure that my API layer can support both front-end web apps like React/Angular and other micro-services?

CodePudding user response:

The standard solution here is to use an API gateway:

  • APIs receive JWT access tokens regardless of the client, and validate them on every request

  • Browser clients have their own routes to APIs, and send cookies that contain or reference tokens

  • Mobile clients call APIs directly, but with opaque access tokens

  • APIs call each other inside the cluster using JWTs, typically by forwarding the original token from the web or mobile client

The API gateway can perform translation where required. Here are a couple of related articles:

Done well, all of this should provide a good separation of concerns and keep application code simple.
