Closed mrlilly closed 6 years ago
@mrlilly the gateway ("vrata") does the authentication based on JWT tokens, then it passes the user ID from the token and the token scopes to all microservices in outgoing requests via HTTP headers (X-User/X-Token-Scopes). So the authentication is already done and all microservices can assume so - they can just trust these headers from the API gateway. If there is a need for advanced authorization (specific permissions), microservices should do it internally, in their own code.
Could I ask about authentication to the microservices? Am I right in thinking that this setup could only be used 'as is' to consume microservices that you control/own due to there being no authentication between the gateway and the microservices?
Would you put a microservice between the API gateway and a third party service, just to handle the authentication and regulate the API of the third party service?
I really like this approach and your Medium article was a great read.
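The reply above says microservices trust the gateway's X-User/X-Token-Scopes headers and do any finer-grained authorization in their own code. The sketch below shows that service-side check; it is an added example, not code from the vrata project or this thread. The route-to-scope map, the function names, the user ID format and the scope delimiter (spaces or commas) are assumptions.

```python
import re

# Hypothetical route -> required scope map for one microservice.
REQUIRED_SCOPE = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}

# Assumed shape of a user ID; tighten to whatever the gateway really emits.
USER_ID_RE = re.compile(r"[A-Za-z0-9_.@-]{1,128}")


def parse_identity(headers):
    """Return (user_id, scopes) from the gateway headers, or None if unusable."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    user = h.get("x-user", "").strip()
    if not USER_ID_RE.fullmatch(user):
        return None
    # Assumption: scopes are separated by spaces and/or commas.
    raw = h.get("x-token-scopes", "")
    scopes = frozenset(s for s in re.split(r"[,\s]+", raw) if s)
    return user, scopes


def authorize(method, path, headers):
    """Return an HTTP status: 401 no identity, 404 unknown route, 403 missing scope, 200 ok."""
    identity = parse_identity(headers)
    if identity is None:
        return 401  # the gateway always sets X-User; its absence is a failure
    needed = REQUIRED_SCOPE.get((method.upper(), path))
    if needed is None:
        return 404  # deny by default: unmapped routes are never served
    _, scopes = identity
    return 200 if needed in scopes else 403
```

This check is only as strong as the network path: it assumes the service accepts requests solely from the gateway, which is the trust assumption the reply describes.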