API gateway role in micro services security

Question

I'm new to microservices and system design, and I'm trying to understand the role of the API Gateway in authentication and authorization.

I've come across two different approaches, each with its pros and cons:

1. API Gateway Handles Authorization

In this approach, the API Gateway:

• Validates JWT tokens.
• Checks user permissions before forwarding requests to downstream services.

Pros:

• Centralized logic simplifies maintenance.
• Reduces duplicate code across services.

Cons:

• The gateway becomes a single point of failure.
• A security breach at the gateway could compromise all downstream services.

2. Each Microservice Handles Authorization

Here, each microservice:

• Independently validates JWT tokens.
• Checks permissions for every request it handles.

Pros:

• Aligns with a zero-trust security model.

• Each service enforces its own security, reducing reliance on the
  gateway.

Cons:

• Leads to duplicated code across services.
• Harder to maintain, as changes must be replicated in all services.

Question

Which approach is more widely adopted in the industry, and what factors should be considered when choosing between these models?

Answer 1

This is more robustly answered here: Microservice authorization pattern with api gateway, but in general you really want to couple your authorization in your service-layer, otherwise you will quickly create a "god-object" anti-pattern in your gateway. It will very quickly violate Single Responsibility Principal when your gateway has deep knowledge of the inner workings of all the services that it fronts.