Gateway and Services Architecture Overview
•
3 likes•808 views
- Jordan Valdma from TransferWise gave a talk about gateways, services, and APIs at TransferWise. - The talk covered the history of microservices, designing RESTful APIs, and security considerations for microservices including OAuth 2.0 flows, JSON Web Tokens, and combining JWT with OAuth tokens. - Tips were provided for designing RESTful APIs, gateways, services, and security including focusing on interfaces, getting early feedback, and decoupling from data sources.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (8)
Similar to Gateway and Services Architecture Overview
Similar to Gateway and Services Architecture Overview (20)
Recently uploaded
Recently uploaded (20)
Gateway and Services Architecture Overview
- 1. Gateway and Services Jordan Valdma, TransferWise Partnerships Tech
- 2. Hi, I’m Jordan TransferWise Global Partnerships Engineering Estonian (too few words) MSc Data Sciences and Machine Learning Like to organize events, hackathons, ..
- 3. This talk ● Intro TransferWise MSs ● RESTful API design ● MicroService Security
- 4. Dark Ages - Separation of Monolith Separate In-house and pub web applications. Modular thinking. First Micro Services Beginning of life .. Age of Enlightenment - DevOps People wake “Hey, I have a right to release!” Good night sleep Don’t have to worry about people hacking Baby Boom of Services “It’s so easy to make a...Service!” Modern ages State of the art tech, separate codebases Brief history of What We Have Done
- 6. TransferWise RESTFful API 1. Starting point: internal API a. People were not satisfied with b. Out of standard (rpc, errorhandling,..) couldn’t give it out 2. Formin focus group (strong stakeholders) 3. Designing resourse model: a. Base layer is flexible b. Orcestration layers on top 4. Design Interfaces-Collaborate-REPEAT 5. Implementation and tweaking
- 7. Tips For Designing RESTful API ● “Interfaces over meetings” ● Get the teams talking!! ● Get alpha partners to give fedbax on interfaces ● Implement against it ● SWAGGER or similar ● Start thinking about dev support early.
- 9. Gateway ● Single entry point ● Protocol translation ● Transformations ● (Auth)
- 10. oAuth 2 flows ● Code ● Implicit ● Username and Password ● Client credentials
- 11. MicroService auth - starting point ie. TransferService curl /transfers/?createdByUserId={userId} Gateway curl /transfers -h "Authorization: Bearer $TOKEN" TransferService Is token OK? Who is the user?
- 13. MicroService auth - JWT ie. TransferService curl /transfers/ -h "Authorization: Bearer $JWT_TOKEN" Gateway curl /transfers -h "Authorization: Bearer $TOKEN" TransferService Is token OK? Who is the user? Decode & Validate JWT JWT Secret JWT Secret
- 14. Problems with JWT ● Can not be revoked ● Intercepting ● Secret may get compromised
- 15. Json Web Token + oAuth Token jwt.io
- 16. MicroService auth - JWT + oAuth Token ie. TransferService curl /transfers/ -h "Authorization: Bearer $JWT_TOKEN" Gateway curl /transfers -h "Authorization: Bearer $TOKEN" TransferService AuthorizationServer Is token OK? Who is the user? curl /check_token?token=”$JWT_TOKEN” Decode JWT& Validate oAuthToken
- 17. Tips ● Anonymous JWTs ● Pain with Authentication types ● Code grant for legacy token swapFor Micro Service security
- 18. Tips ● Domain driven design ● Move on from testing infrastructure into staging asap ● Proxy swagger upstream ● Decouple from datasource early! ● Keep your gateway lean ● Plan ahead for multi-node setup For Gateways and Services