Implementing Security With API Gateway and BFF Patterns Slides

Implementing Security with API Gateway and BFF Patterns discusses API gateways, security patterns, and backend-for-frontend (BFF) patterns. An API gateway sits between clients and backends, providing services like authentication, monitoring, and routing requests. It decouples clients from backends. A common pattern is to authenticate at the gateway level and pass user information downstream via headers. Ocelot is an open source .NET API gateway that can implement this pattern. A BFF acts as an API gateway tailored for a specific client, becoming the backend for that frontend.

Uploaded by trushen

Implementing Security with API Gateway and BFF Patterns

Kevin Dockx
ARCHITECT

@KevinDockx https://www.kevindockx.com


Coming Up
- Exploring the API gateway
- API gateway security pattern
- Using Ocelot and integrating it with our identity service
- Passing user information downstream
- The backend-for-frontend pattern

API gateway
An API management tool that sits between one or more client applications and one or more APIs

Exploring the API Gateway
[Diagram: GloboTicket client -> API gateway -> Identity, Event catalog, Shopping basket, Discount]

Common API Gateway Tasks
- Service discovery and aggregation
- Rate limiting
- Monitoring usage, analytics, logging
- Caching
- Handling security

Exploring the API Gateway
An API gateway
- Decouples the client from the backend implementation
- Takes away responsibilities

A Common API Gateway Security Pattern
[Diagram: GloboTicket client presents a token with { aud: "globoticketgateway" } to the API gateway; Identity, Event catalog, Shopping basket and Discount sit on the private network behind it]

HTTPS everywhere
HTTPS isn't just for the outside world. It's also for your internal, private network, cloud-based or otherwise.


Introducing Ocelot
- A very simple ASP.NET Core project that passes through requests can be considered a bare-bones API gateway
- On Azure, Azure API Gateway is a very good option
  - https://azure.microsoft.com/en-us/services/api-management


Ocelot is an open source .NET Core based API gateway
- Consists of a set of middleware that handles common tasks related to API gateways
- https://ocelot.readthedocs.io

Identity Service Location
[Diagram: GloboTicket client -> API gateway -> Identity, Event catalog, Shopping basket, Discount on the private network; the Identity service sits behind the gateway]

Identity Service Location
[Diagram: same landscape, with the Identity service shown alongside the API gateway rather than behind it; Event catalog, Shopping basket and Discount remain on the private network]


Identity Service Location
Your identity service is used across your application landscape

Identity Service Location
[Diagram: four approaches side by side]
- One gateway across all APIs
- Multiple gateways for multiple sets of APIs
- Backend-for-frontend API gateways
- Other approaches


Identity Service Location
Your identity service is used across your application landscape
- Don't tie it to one API gateway

Introducing Ocelot
[Diagram: GloboTicket client -> API gateway -> Event catalog, Shopping basket, Discount on the private network; Identity service alongside]


Demo
Adding Ocelot


Demo
Integrating Ocelot with our identity service


Passing User Information to a Microservice
Currently, the access token is not verified downstream, as that's not the responsibility of the microservice in our approach
But…
- We can trust the user at the level of the gateway
- We can pass that information downstream via request headers


Demo
Passing user information to a microservice
The Backend-for-frontend Pattern
[Diagram: four approaches side by side]
- One gateway across all APIs
- Multiple gateways for multiple sets of APIs
- Backend-for-frontend API gateways
- Other approaches

Backend-for-frontend (BFF)
A layer between the user experience and the resources it calls on, catered to each specific user experience

The Backend-for-frontend Pattern
[Diagram: GloboTicket event manager client -> its own BFF; GloboTicket general client -> its own BFF; the BFFs call Event catalog, Identity, Shopping basket and Discount on the private network]


The Backend-for-frontend Pattern
A backend-for-frontend is often an API gateway in its own right
- The BFF becomes the API gateway catered to a specific client or user experience


Summary
An API gateway is an API management tool that sits between one or more client applications and one or more APIs
- Service discovery and aggregation, monitoring, monetization, logging, rate limiting, … and security

Ocelot is an open source API gateway based on .NET Core


Summary
Gateway security pattern
- Check authentication and authorization at the level of the gateway
- Microservices are not responsible for checking incoming tokens
- Everything behind the API gateway is secured on another level than the application level


Summary
Ocelot specifics
- Secure routes to microservices by letting Ocelot check the incoming token
- Pass information to each microservice via request headers

A backend-for-frontend is a backend catered to a specific user experience
- It can be implemented as an API gateway