
I am currently working on a project which has a GraphQL service that takes care of handling all client requests and communicates with other microservices as needed. This GraphQL service is the only service exposed to the client, basically kind of like an API gateway.

Taking this into account, I was wondering if all microservices are required to have authentication/authorization handlers, as well as input and data validation. Since these microservices can only be accessed by the GraphQL service and are never exposed to the public, is there any risk in not performing these tasks on them? Can't the main GraphQL service simply take care of all the authentication, authorization and input validation and then proceed to only send requests to the microservices after these steps have completed successfully?

Tiago Silva

  • It should have at least basic authorization middleware in all microservices to only allow specific clients to access them, in this case GraphQL. More [reference](https://stackoverflow.com/questions/29644916/microservice-authentication-strategy) – Taku Sep 03 '19 at 17:02
  • If the only way to the microservices is through the gateway then it's OK, as long as your microservices are in a private subnet that can only be accessed using the API gateway. If you are using some cloud service like AWS/Azure then you can take advantage of out-of-the-box private subnets and only accept traffic from the API gateway. If you are not sure then good practice is to put basic auth like someone mentioned above. – Imran Arshad Sep 03 '19 at 22:13
  • Yeah, my plan is to have it deployed on AWS and only accept traffic in the microservices coming from the GraphQL interface / API gateway. Thank you for the help! – Tiago Silva Sep 03 '19 at 22:52
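One shape of the "basic authorization middleware" the comments recommend, as an added example that is not code from the question or its commenters: the gateway signs every internal call with a per-caller secret, and each microservice verifies the signature (and a timestamp window) before doing any work, so a private subnet is not the only thing standing between a misrouted or compromised internal client and the service. The caller name, header names, secret and request values are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed example: one secret per trusted caller. In practice these
# come from a secrets manager, not from source code.
CALLER_SECRETS = {"graphql-gateway": b"replace-with-a-secret-from-your-vault"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is older than this


def sign_request(caller, secret, method, path, body, ts=None):
    """Gateway side: build the headers that accompany an internal call.

    The signature covers caller, timestamp, method, path and a hash of the
    body, so none of them can be altered in transit without detection.
    """
    ts = str(int(ts if ts is not None else time.time()))
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([caller, ts, method.upper(), path, body_hash]).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Caller": caller, "X-Timestamp": ts, "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Microservice side: returns (ok, reason). Run before any handler."""
    caller = headers.get("X-Caller")
    secret = CALLER_SECRETS.get(caller)
    if secret is None:
        return False, "unknown caller"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    # Recompute the expected signature over what we actually received and
    # compare in constant time so timing does not leak partial matches.
    expected = sign_request(caller, secret, method, path, body, ts)["X-Signature"]
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"
```

Per-request signing is one option; mutual TLS between gateway and services gives the same "only this caller" property at the transport layer, and the input validation the question asks about still belongs in each service regardless of which one you choose.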

0 Answers