I'm currently working on a project building a new product. I am struggling with identity propagation and authentication. The system is built in Azure and uses AAD and app registration.
The client application is multi-tenanted, and tenant data is stored in the databases local to each microservice.
Let's say the basic architecture is:
- A multi-tenant client app.
- An API gateway fronting the microservices, probably Ocelot. This would also need to be a multi-tenant app registration.
- Microservice APIs, let's call them A/B/C.
So I understand that the client app and API gateway apps are multi-tenanted, so these will appear in each tenant's Enterprise Applications area.
My thinking is that the microservices are internal only and should only be accessible by my tenant for security. Also, surely you wouldn't want to clutter up another tenant's Enterprise Applications area with potentially hundreds of microservices.
Therefore, I think I should make the microservices single-tenant app registrations, and do application authentication between the API gateway and the microservice APIs. User authentication is done in the client app and the API gateway.
This will all most likely be built in AKS.
However, this is where I'm struggling. How do I propagate the user's identity, such as the oid etc., to the microservices?
I could pass them as params to the microservice APIs, assuming everything behind the API gateway is not open to public access. Is this secure or the correct way to do this? Or am I misunderstanding how to architect this?
CodePudding user response:
It looks like you have a good understanding of the overall architecture and the security considerations involved in building a multi-tenant system in Azure with AAD.
One approach to propagating the user's identity to the microservices would be to use JWT tokens issued by AAD and passed through the API gateway to the microservices.
The microservices can then use the token to authenticate the user's identity and authorize access to the appropriate resources.
When the client application authenticates with AAD, it can request an access token for the API gateway and an access token for each microservice. The client can pass these tokens as headers in the requests to the API gateway and microservices.
The API gateway can use the access token for the microservice to authenticate the request and forward it to the appropriate microservice. Then the microservice can use the token to authenticate the user and authorize access to the appropriate resources.
To secure this communication, you should use HTTPS to encrypt the traffic between the client, API gateway, and microservices. You should configure AAD to only accept tokens issued by the tenant’s AAD instance to ensure that only authorized clients can access the microservices.
In addition, you can look into using the managed identity feature of Azure, which allows you to authenticate Azure services without having to pass credentials in your code.
It's also important to test your security implementation thoroughly to ensure that it is working as expected.