brainoverflow98

Reputation: 1278

Authorization in API Gateway vs Microservice Endpoints

I'm trying to build a microservice architecture. I've learned some benefits of an API gateway, like load balancing, invoking multiple microservices and aggregating the results, cache management, etc. So I decided to include it in my system.

My question is whether I should implement authorization in the gateway layer or separately in each microservice endpoint? For example, authenticating the user on the gateway and passing user claims in decrypted form to be used in authorization logic to each service call?

It seems like it makes sense and saves processing time to authorize some aggregates before even calling each service. However, authorization logic is really a concern of the individual service.

What is your advice?

Upvotes: 6

Views: 2484

Answers (2)

madhuka

Reputation: 101

You can use the API Gateway pattern / an API gateway. Then you can also offload the authentication/authorization responsibility of the microservice. It will be easy for the user or developer who is calling the services. An API GW even supports external/internal GWs. It may support role-based permissions, e.g. WSO2 APIM.

You will get the advantages below when you have an API/MS GW:

  • An API Gateway is the single point of entry for any microservice call.
  • It can work as a proxy service to route a request to the concerned microservice.
  • It can aggregate the results to send back to the consumer.
  • This solution can create a fine-grained API for each specific type of client.
  • It can also convert the protocol request and respond.

Upvotes: 2

Abhishek Ranjan

Reputation: 197

Each microservice endpoint. Implementing the authorization in the API gateway will make your system rigid. If at any later stage you have to separate logic for authorization (say, internal user, external user, open API), this will be very difficult to incorporate. Authorization should happen at each API level.

Upvotes: 5
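An added example, not part of either answer above: one way to combine the two positions is for the gateway to authenticate the caller and forward the claims in a signed, short-lived envelope, while each service verifies that envelope and applies its own authorization rule. The shared HMAC key, the function names and the `orders` service are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption); a real deployment provisions its own secret.
INTERNAL_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _tag(body: str) -> str:
    return _b64(hmac.new(INTERNAL_KEY, body.encode(), hashlib.sha256).digest())

def gateway_issue(user_id, roles, audience, ttl=60, now=None):
    """Gateway side: called only after the caller has been authenticated."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "roles": roles, "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_tag(body)}"

def service_verify(token, service_name, now=None):
    """Service side: forwarded claims are trusted only if the tag checks out."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:            # wrong number of parts
        return None
    if not hmac.compare_digest(tag, _tag(body)):
        return None               # claims were altered or not issued by the gateway
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != service_name or claims["exp"] < now:
        return None               # issued for another service, or expired
    return claims

def orders_can_refund(token, order_owner, now=None):
    """Authorization rule owned by the hypothetical orders service."""
    claims = service_verify(token, "orders", now)
    if claims is None:
        return False
    return "support" in claims["roles"] or claims["sub"] == order_owner
```

The gateway can still reject unauthenticated traffic early, but the refund decision stays inside the service that owns the data, so it can change without touching the gateway.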
