How do I secure a Go microservice endpoint? What's best practice?

agolangf · · 517 views
This is a shared resource; the information in it may have developed or changed since it was posted.
I'm building a React-native application. The authentication is handled by Google Firebase. I'm slowly adding microservices hosted on Google App Engine to the stack, and it all works well as of now :)

However - how would you secure a microservice? I imagine it could be done by the JWT generated by Firebase, but how does that work when the microservices are distributed? (naturally!)

I obviously only want authenticated, valid users of my react-native application to be able to call the endpoint. But short of storing the JWT in a database on Firebase, and calling/validating it from each microservice for each call, I'm not sure of how to solve it.

This solution seems horribly inefficient as well, so I'm pretty sure it's not a good approach.

Any advice? Thanks a lot in advance :)

---

**Comments:**

beknowly:

https://firebase.google.com/docs/auth/admin/verify-id-tokens

The idea with JWT is that the token contains everything you need to validate it. It should be cryptographically signed, which means you can verify them & extract information without calling out to an external server. I've done exactly this before (go microservice w/ jwt), feel free to ping me if you have any questions.

https://github.com/dgrijalva/jwt-go contains pretty much everything you'll need, pop in some of your own code for getting public keys and you should be set.

cbll:

So let me get this straight:

1. The user logs in, Firebase returns a JWT
2. This JWT is stored in localStorage (or the equivalent, now that it's a mobile app) on the client
3. Upon calling the microservice endpoint, the user passes on the JWT from localStorage when doing the call
4. This is where I'm in doubt. What does the microservice do in this case? It receives the JWT, how does it know whether or not to return an HTTP 200 + data, or an HTTP 403 forbidden? Not sure how to handle this case?

On the Firebase docs, should I use the Go example, then? Is that it?

Sorry if I'm repeating myself. It's an interesting subject :)

jaekim:

For #4, your microservice needs to validate the signature that was used to sign the JWT (you can't just trust it since it came from the front end; by validating the signature, you can feel comfortable that it was in fact generated by your login api).

You will have to use some sort of secrets management to pass the key to your service on the backend.

cbll:

I was thinking something along those lines.. So I need the Firebase JWT to create some sort of secret key that I then validate on the microservice? How would that be done in practice?

JustinCampbell:

The JWT is signed with a key. Your microservice needs that same key in order to verify the payload has not been changed.

https://godoc.org/github.com/dgrijalva/jwt-go#Parser.Parse

cbll:

From the client how should the JWT be appended? In the header?

JustinCampbell:

Yes, you could put it in the Authorization header prefixed with Bearer (eg `Authorization: Bearer TOKEN`), a custom header, or as a URL query parameter.

cbll:

Excellent, thank you so much. Gonna start cracking away at this :)

bjwschaap:

Here's an article that explains it better than I can: https://auth0.com/docs/api-auth/tutorials/verify-access-token HTH!
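What the thread converges on (beknowly's offline verification against the issuer's public keys, jaekim's "validate the signature" answer to step 4, and JustinCampbell's `Authorization: Bearer` header), as an added Go example that is not code from the thread, from Firebase or from jwt-go. It uses only the standard library: the service keeps the issuer's RS256 public keys, checks the signature before reading a single claim, and wraps a handler so a missing or bad token yields 401 instead of data. The issuer and audience strings, the key id `k1`, and `demoSetup` (which generates the issuer key locally so the example runs end to end) are assumptions for the demo; a real service fetches Google's public certificates as the verify-id-tokens doc describes and never holds the private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims is the subset of Firebase ID-token claims this service checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Verifier is all the service needs to validate tokens offline (a real deployment fills Keys from Google's published certificates).
type Verifier struct {
	Issuer   string                    // Firebase: "https://securetoken.google.com/<project-id>"
	Audience string                    // Firebase: the project id
	Keys     map[string]*rsa.PublicKey // RS256 public keys indexed by the header's "kid"
}

// Verify parses the JWT, pins the algorithm, checks the signature, then the claims.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".") // JWT segments are unpadded base64url
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches names case-insensitively
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // pinned server-side: trusting the token's "alg" admits "none" or HS256 key confusion
		return nil, errors.New("unexpected alg")
	}
	key := v.Keys[hdr.Kid]                                 // nil for an unknown kid
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a malformed signature simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key == nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims // decoded only after the signature proved the bytes came from the issuer
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if time.Now().Unix() >= c.Exp || c.Iss != v.Issuer || c.Aud != v.Audience {
		return nil, errors.New("token expired or issued for another project")
	}
	return &c, nil
}

// RequireAuth wraps a handler that needs a verified user: no valid "Authorization: Bearer <token>" means 401.
func (v *Verifier) RequireAuth(next func(http.ResponseWriter, *http.Request, *Claims)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		c, err := v.Verify(strings.TrimSpace(strings.TrimPrefix(h, "Bearer ")))
		if err != nil { // log err server-side; the client only learns that it failed
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next(w, r, c)
	})
}

// SignRS256 plays the issuer's part so the verifier can be exercised end to end.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// demoSetup returns a verifier trusting one fresh issuer key (demo only: a real service never holds the private key).
func demoSetup() (*Verifier, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	v := &Verifier{Issuer: "https://securetoken.google.com/demo", Audience: "demo", Keys: map[string]*rsa.PublicKey{"k1": &priv.PublicKey}}
	return v, priv
}

func main() {
	v, priv := demoSetup()
	tok := SignRS256(priv, "k1", Claims{Iss: v.Issuer, Aud: v.Audience, Sub: "uid-1", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(v.Verify(tok))
}
```

The order matters: the server fixes the algorithm and the signature is checked before any claim is read, which is why the microservice never has to call Firebase or keep tokens in a database; the only state it holds is the cached public keys. The middleware answers both "no token" and "bad token" with 401; 403 is for a valid user who lacks permission for that resource, a decision the handler makes once it has the claims.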
