Ideally all microservices would delegate their security concerns so that the two-pizza team can concentrate on the functional requirements of the service rather get distracted by the ancillary non-functional requirements. Being able to offload the security burden from each and every microservice implementation is a big deal.
IBM API Management
At first glance I was hoping that using a service like IBM API Management (APIM) would provide the API security gateway capabilities to secure Bluemix hosted microservices.
As parts 1 and 2 have illustrated, when a RESTful microservice is hosted in Bluemix it will be publicly exposed. Even if using APIM to secure this API, the App implementing the REST services still has a public route. Therefore requests could easily circumvent APIMs enforcement and monitoring by simply calling the service directly rather than using the APIM URL. Unfortunately this means embedding security within each CF App is unavoidable.
APIM has no means to discover Worker or Service processes in Bluemix. APIM cannot participate in pub-sub messaging behind the firewall. In short APIM can only send HTTP/S requests to routable endpoints.
The initial approach has the App implementing the microservice mandate SSL mutual authentication as a simple way to ensure that the service would only accept requests from APIM, effectively shutting the door on the alternate route directly to the service. Unfortunately, since these services sit behind an SSL terminator, the App never sees HTTPS traffic.
The value of IBM API Management as an API gateway to microservices hosted within Bluemix is diminished by these limitations.
Ironically APIM is better suited for securing APIs hosted outside of Bluemix conveniently hidden behind a firewall and reachable only via VPN or Secure Gateway.
Forcing Requests through API Management
The IBM API Management service isn’t limited to just securing APIs. Monitoring, throttling, developer discovery, versioning and request/response transformation are other use cases.
In this first scenario I’ve had to add basic authentication to all my service operations to ensure they can only be invoked via APIM. However, let’s say I don’t actually want to require authentication in order to use the API. In APIM I make sure that the APIM path does not require authentication,
while providing the basic auth credentials to the request that APIM makes to the secured microservice.
So users attempting to invoke the service directly via
will be unauthorized whereas users calling the operation via APIM
will succeed because APIM knows the functional ID and password protecting the service.
The APIM endpoint consists of:
- <organization> and <space> is where you bound the service in Bluemix
- <environment> is the API deployment environment (default is sandbox or ‘sb’)
- <API basepath> and <operation> is specified as part of the the API definition
Basic Auth Users and Functional IDs
It is possible to have APIM require from the user one set of credentials while supplying the service provider with a different set. Ensure the API operation requires authentication (checked) and that the authentication endpoint is defined (in APIM API section).
The authentication endpoint will be provided the basic auth credentials supplied by the user. The only purpose of this endpoint is to handle authentication for ALL operations marked as requiring authentication. It should not access, add or modify any resources whatsoever. Unfortunately this authentication endpoint will have no insight as to the requested operation, neither the verb (GET, PUT, DELETE, etc) nor the resource. It is strictly about authentication. Authorization plays no part here. It will be called exclusively by APIM to determine if the requesting user is authenticated. If so, APIM will invoke the operation using a functional ID and password not known to the end user.
Basic Authentication Pass-through
Of course you are not forced to implement a separate Basic Auth endpoint. You could simply pass the user supplied credentials directly onto the service provider. Make sure that Authentication is unchecked for the API operation. This will avoid having APIM check with the special basic auth endpoint as in scenario 2. Next have APIM simply proxy the request to the service provider. This way the user credentials will be passed along to the endpoint for authentication.
In the continuation of this series I will delve into the OAuth authentication options provided by the IBM API Management service.