Authentication and Authorization with Spring Boot

Hi,

I am new to Apigee. The headquarters of my company directed us to use Apigee for the API gateway and authentication/authorization mechanism.

Right now we are developing our services as microservices with Spring Boot. I could not find any related documents or samples about Spring Boot on Apigee websites. And also, how can I integrate my services with the authentication and authorization mechanism in Apigee? What should I do? I am open to any ideas about this problem. I was using Keycloak for authentication/authorization, but right now I have no idea about Apigee's capabilities.

Solved
1 ACCEPTED SOLUTION

Hi Resat

Apigee Edge acts as an HTTP proxy.

This means that the communication flows from client to API Gateway, and then a separate communication, a separate HTTP request/response, flows from the Apigee Edge API Gateway to the backend (or "upstream") system.

You said that the upstream in your case is a microservices layer, which you implement in Java with Spring Boot. But that doesn't matter to Apigee Edge. If the upstream is an HTTP Server, then Apigee Edge can connect with it.

If you want to use Apigee Edge as the authentication / authorization gateway, you can do so. Essentially the API Gateway will act as a trusted intermediary in your system. To make this happen, the upstream endpoints need to trust the API Gateway. You can implement this in different ways. The most common (and strongly recommended) way is to use a mutual-TLS connection between Apigee Edge and your microservices layer.

This means Apigee Edge - acting as a client - presents a certificate to your microservices endpoint, and the microservices endpoint (acting as a server) presents its certificate to Apigee Edge. Only if both endpoints trust the respective certificates, does the secure HTTPS connection get established. This is transport-layer security.

Normally you would not build TLS negotiation into your microservices layer directly. Those microservices will run in PKS or Kubernetes or some other cluster, and in front of that cluster there is an ingress proxy, or a virtual IP, maybe a hardware device like an F5, which negotiates the TLS connection. In any case, TLS negotiation is typically not implemented directly in code you write in your microservices layer.

OK, so we can rely on the TLS connection between Apigee Edge and the upstream. The next decision you have to make is: What does the authentication and authorization look like, in the API Gateway layer?

There are many options. Among them:

  • OAuthV2 Bearer tokens with client credentials grant, authorization code grant, password grant...? Even an RFC7523 grant (in place of client credentials)
  • JWT issued by some third party. (Using VerifyJWT. Third parties include, for example, Okta, or KeyCloak)
  • API Keys (aka client_id) via VerifyApiKey
  • Application-level signing and security, as with HttpSignature or HAWK
  • Other options

OAuthV2 bearer tokens are the most common, followed by JWT. But there are variations and combinations. For example, verify a JWT and then verify the client_id that is claimed in the JWT. There's a wide variety of technical requirements, and OAuthV2 doesn't always satisfy.

What you choose to do, is up to you, and depends on your requirements for your particular use cases. Apigee Edge can implement any of those options.

Good luck.

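The answer above describes the gateway as a trusted intermediary that the upstream must recognise over mutual TLS. As an added example (not code from this thread, from Apigee, or from Spring), here is the upstream-side half of that relationship: a Spring Boot 3 / Spring Security 6 configuration that only accepts requests arriving over mutual TLS from a client certificate whose subject CN matches the gateway. The CN value `apigee-edge-gateway`, the keystore and truststore file names and passwords, the package name and the `GATEWAY` role are all assumed placeholders.

```java
// Added example, not from the thread: a Spring Boot 3 / Spring Security 6 configuration
// that makes the microservice accept requests only over mutual TLS from the API gateway.
// Assumed names: the gateway's client certificate subject CN "apigee-edge-gateway",
// the keystore/truststore paths and passwords below, and the role name GATEWAY.
//
// application.properties (assumed values). The truststore should hold only the CA that
// issued the gateway's client certificate, so no other client can complete the handshake:
//
//   server.port=8443
//   server.ssl.enabled=true
//   server.ssl.key-store=classpath:service-keystore.p12
//   server.ssl.key-store-password=changeit
//   server.ssl.key-store-type=PKCS12
//   server.ssl.trust-store=classpath:gateway-truststore.p12
//   server.ssl.trust-store-password=changeit
//   server.ssl.trust-store-type=PKCS12
//   server.ssl.client-auth=need

package com.example.upstream.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class GatewayMutualTlsConfig {

    /** Subject CN the gateway's client certificate is expected to carry (assumed value). */
    static final String GATEWAY_CN = "apigee-edge-gateway";

    @Bean
    SecurityFilterChain gatewayOnlyChain(HttpSecurity http) throws Exception {
        http
            // Take the CN out of the subject DN of the client certificate that the
            // TLS layer has already verified against the truststore.
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(gatewayPrincipals()))
            // Every route requires a caller that mapped to the GATEWAY role.
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("GATEWAY"))
            // Gateway-to-upstream calls are stateless: no HTTP session, no CSRF token.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    /**
     * Maps the certificate CN to an application principal. Only the gateway's CN is
     * known; any other subject, even one issued by the trusted CA, completes the TLS
     * handshake but is then rejected at the authorization step.
     */
    @Bean
    UserDetailsService gatewayPrincipals() {
        return cn -> {
            if (GATEWAY_CN.equals(cn)) {
                return User.withUsername(cn)
                        .password("") // never checked: X.509 authentication carries no password
                        .roles("GATEWAY")
                        .build();
            }
            throw new UsernameNotFoundException(
                    "Client certificate subject is not the API gateway: " + cn);
        };
    }
}
```

Two checks are happening here, and both matter: the truststore decides which CAs may issue a client certificate at all, and the `UserDetailsService` decides which subject within that CA is the gateway. When, as the answer notes, TLS is terminated at an ingress or an F5 in front of the cluster, this configuration belongs on that device instead, and the service behind it should then accept connections only from the ingress (for example via network policy) rather than trusting any caller on the cluster network.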

2 REPLIES

Thank you for your help @Dino-at-Google