Microservices Security

  1. Identity and Access Management (IAM)
    1. Authentication Patterns
      1. User-to-Service Authentication
        1. API Gateway as Authentication Point
          1. Centralized Authentication Flow
          2. Token Validation at the Edge
          3. Authentication Offloading
        2. Identity and Access Proxies
          1. Delegated Authentication
          2. Integration with Identity Providers
          3. Proxy Configuration
      2. Service-to-Service Authentication
        1. Mutual TLS (mTLS)
          1. Certificate-Based Authentication
          2. Certificate Issuance and Renewal
          3. Certificate Authority Management
        2. API Keys
          1. Key Generation and Distribution
          2. Limitations and Risks
          3. Key Rotation Strategies
        3. JSON Web Tokens (JWTs)
          1. Token Issuance and Validation
          2. Token Expiry and Revocation
          3. Token Propagation
    2. Authorization Strategies
      1. Role-Based Access Control (RBAC)
        1. Role Definition and Assignment
        2. Role Hierarchies
        3. Permission Mapping
      2. Attribute-Based Access Control (ABAC)
        1. Policy Definition
        2. Attribute Sources
        3. Dynamic Authorization
      3. Policy-Based Access Control
        1. Centralized Policy Engines
        2. Policy Enforcement Points
        3. Policy Distribution
      4. Centralized vs. Decentralized Authorization
        1. Trade-offs and Use Cases
        2. Hybrid Approaches
        3. Performance Considerations
    3. Key Protocols and Standards
      1. OAuth 2.0
        1. Roles
          1. Resource Owner
          2. Client
          3. Authorization Server
          4. Resource Server
        2. Grant Types
          1. Authorization Code
          2. Client Credentials
          3. Implicit (Legacy)
          4. Resource Owner Password Credentials (Legacy)
        3. Token Types
          1. Access Tokens
          2. Refresh Tokens
        4. Security Considerations
      2. OpenID Connect (OIDC)
        1. ID Token
        2. UserInfo Endpoint
        3. OIDC Flows
        4. Claims and Scopes
      3. JSON Web Tokens (JWT)
        1. Structure
          1. Header
          2. Payload
          3. Signature
        2. Claims
          1. Registered Claims
          2. Public Claims
          3. Private Claims
        3. JWT Signing Algorithms
          1. Symmetric Algorithms
          2. Asymmetric Algorithms
        4. JWT Validation
          1. Signature Verification
          2. Expiry and Audience Checks
          3. Issuer Validation