I love you. Finally the architecture I'm looking for. A lot of tutorial are covering authentication for only one microservice and you are probably the only one that approaches the problem keeping in mind the whole microservice architecture.
Could you explain me : Client -> Security Service (GenerateToken) -> API Gateway -> MicroService1 (validate JWT) this flow is fine . What happen we request come directly to Client-> Microservice1 . How to check JWT for each endpoint.
Waited last couple of month to get solution which you explain about validate and filter the request form spring cloud getway. ##you make my weekend Basant Sir. Thank you Sir
This is Gold Boss... Thanks a ton for this video.. I lost most of my interview only because of not answering how to security is implemented in micro services question.... Appreciate your efforts.
Looks really simple, just as I used to implement the JWT service in a monolithic way, but porting everything to a new independent webservice to validate JWT to access any endpoint without compromising the other webservices.
instead of completely using spring cloud stack we can make this more OSS (open source stack) like every micro service is containerised (dockerised) then use KONG as API gateway. this way we can make the configuration more simple and reduce tight coupling.
Grateful for such a wonderful insight on Microservices security. It will definitely help me to improve skills in my projects. Thankyou so much for the efforts. I'm learning a lot from your channel. Awaiting for more interesting videos.
Wow Very Nicely Explained In Easy To Understand Manner. 1 Request can you please show how to implement role based authentication with Spring API Gateway ?
Awesome videos. Hats off to you in explaining it in a very simple and easy manner. One question. May I know if we have a requirement to secure our swiggy and restaurant service endpoint and grant access based on role, then how we can achieve this requirement .
Great Video! Need some more info : How do we avoid scattering secret? it can be stolen from code repo. How will the services be talking to each other? How will they get the token? Also how to enable HTTPS with proper handling of secrets.
Thank you very much for providing such a detailed explanation. Your video is undoubtedly superior to paid courses that tend to overcomplicate things and stretch on for more than 8 hours. I have a question: If I were to call Swiggy or a restaurant service directly, bypassing the gateway or discovery service, how would I handle authentication?
Hi sir! I am grateful for this tutorial. In this tutorial you have two client services, one gate way, one security service and you added security in Api Gate. I like the way you did it. But i need to move forward and add some Authorization. Suppose in swiggy service there are some end points what only admin can access and some end points normal user can access. How to apply this type of Authorization. Would you please make second part of this tutorial please? I am following this tutorial and trying to learn. I tried to implement the security directly in the API GATE-WAY service. But that was not easy because gate-way supports webflux not the web.
I am new to microservices & your videos helped me a lott🙌🙌 also can you please tell me, what should I use for role based authorisation in microservices. I am working on project which is a web portal for sanctioning government applications, It has user & admin as roles. Please guide🙌
Hi Basant , Very useful tutorial however I have one doubt, In production when the token is generated by passing a valid username and password it should automatically pass the token to the gateway right but here I saw that you are manually passing the token to the gateway through Postman for accessing microservices, My question is how we can automatically pass the token to the gateway for accessing microservices when the token is generated
finally someone addressed this scenario with proper explanation. Thanks as always. one question that if auth service also has to pass through api gateway and we didn't add filter param in gateways routes for auth service then why we are checking those urls through validators in authentication filter ? because request will never land on filter in case of /register and /token api
No usually we should do a rest call to identify service from gateway to validate and get token but here to avoid that I have directly used jwt logic in gateway that's why it's confusing for you
@@Javatechie but that rest call we are doing lately when all the checks are true before that. I am talking about that "if" condition in start (validator.isSecured.test(exchange.getRequest())) { because in this condition we are checking /register and /token urls to bypass the token check and according to implementation when we will call register or token it would never land on Authentication Filter. let me know if I am missing something still.
That's correct right. In the filter we had token validation logic right? So when i don't want to authenticate the user for the first time login then why do you want this to be delegated to filter what is the sense here ? Let me know if I understand your concern correctly. If not please drop an email to javatechie4u@gmail.com
@@Javatechie no I dont want to authenticate for the first time. I am just saying that, main if condition is of no use when we will call /register or /token , it does not matter if the condition is there or not. Will email no problem
Wonderful and clearly explained. I want just to know how to access authentication info (principal for example) and how to do authorization if needed in microservices
1:11:00 The rest call from gateway to auth service is not working. It is throwing an error saying cannot call from java.lang.illegalstateexception: block()/blockfirst()/blocklast() are blocking, which is not supported in thread reactor-http-nio-1. Please let me know if someone can help in this
Nice explanation! Only thing I'm concerning is that why did you filter and authenticate user in gateway directly rather than routing to IDENTITY service and authenticate?
Your explanation is amazing. Learned lot of concepts with this practical example. I have a request hope you would look into it. I need to integrate same service and gateway with AWS cognito as auth service. Possible to do one video on this. ?
It was the best tutorial I found on this concept... Thank you sir... And one doubt for authorization we have to call the security service other wise we have to write the security code in Api Gate way itself these are the two possibilities otherwise is there any other best practice is there sir? ..... Open question question for all java developers out there thanks in advance
@@Javatechie i get that, but if this was the goal all along, then why did we implement this in the id-service to begin with? I want to avoid duplicate code.
In Gateway service, can you please show us role based authentication. You just showed authentication part but not authorisation. Please show us. It’s very important
Thanks for sharing ❤ But how can we authenticate based on role. Here we can access the whole microservice but how can we access some end points of one microservice and other endpoint for another role.
Explained very well. My doubt is if there are 100s of microservices all the call will go through API gate way and the auth Service, how to handle API gateway or auth service failure ?
Excellent work , but the website u use for getting the secret is not working any more . so people are suffering to get the secret and cant able to use the full potential of the work you have done here . pls give an alternative way to get secret from else where . i was suffering for a week for validating JWT and routing . this came as a life saver . Thanks much for a fablous work . i would like to do a donation . if u have any payment portal pls let me know .
Hi @@Javatechie , Appreciate you're reading the comments . if you make shorts for generating the secret please share the link here and the spring security video description .
Thanks for sharing this video. I have one question. Do we need of validator.isSecure for endpoints /token, /register, /validateToken? I think no because we are not applying filter for IdentityService then obviously API Gateway will not use the filter. Please correct me I am wrong.
Yes it's required otherwise wise how can we bipass the request. Currently I am not calling identity service api but as per best practices it's good to do rest API call to validate the token hence above URL required to bypass
Thank you Basant ❤, this is like rock I really appreciate your time and efforts. Could you please also make a video for swagger in microservices services?
My English is poor. Maybe you talked about this. I understood correctly that in a real project we do not need to create a method for validating tokens in the identity service, because validation needs to be implemented only in Spring Gateway?
We can keep it in the gateway that's what I did in this video but it's a bad practice because the key thumb rules of microservice is to segregate functionality to different modules so if I keep security and routing in the same application then it violates the principle isn't it?
Hey Basant, Once again you delivered nice content which we were looking since long time. I locally setup up and tried it working fine. I have a concern here If user directly request to 'Swiggy App' or 'Restaurent Service' then he able to get all details without providing JWT token. How secure these 2 apps if user directly send request?
Hi Rahim think practically why you will expose swiggy and restaurant microservice endpoints directly to the end user. If that is the case API gateway itself is no use right . So we should only expose api gateway endpoints that is how we can force everyone to use gateway with token
@@Javatechie Hi that was a great explanation, but I have a question. Is there any way we can secure swiggy and restaurant microservice and use it in gateway as well?
@@Javatechie We can make secure swiggy and restuarent apps too. Currently I am on similar kind of project where we secure each microservices app. I will update here later.
Thanks so much, it is the Best tutorial ive seen. I have one question. Hoy can I get the current loged user and roles from the servíces to make autorizations
Your tutorial very good. I need some information on how to implement role/permission based access control in microservices. Would you please help on this?
Loved the explanations!! But, how can i do a role based authentication, like admin and user for example? I've faced with this question and got stucked. I wonder if you can help me.
I feel like your explanations are even better than people who have english as their first language lol. You really do have a gift for this!
Finally found an understandable tutorial about securing a Spring Cloud Gateway microservices architecture! A thousand times thank you sir!
I love you. Finally the architecture I'm looking for. A lot of tutorial are covering authentication for only one microservice and you are probably the only one that approaches the problem keeping in mind the whole microservice architecture.
Thank you so much Lukasz for appreciating my work 🥰🥰
you worth millions of like
Could you explain me : Client -> Security Service (GenerateToken) -> API Gateway -> MicroService1 (validate JWT) this flow is fine . What happen we request come directly to Client-> Microservice1 . How to check JWT for each endpoint.
How to block each microservice endpoint to access??
Bro, thank you!!! God bless you!!!
This video is very useful for me . Thank you for your time and explanation
Waited last couple of month to get solution which you explain about validate and filter the request form spring cloud getway. ##you make my weekend Basant Sir.
Thank you Sir
Thanks buddy 😊. Keep learning 👍
Best course available in youtube. Thankfully it is free. Keep up the good work
Actually without your tutorial I couldn't learn easily new things implementation in spring app...
You are Guru. Thanks lot.
Thank you Siva . Keep learning 😃
This is Gold Boss... Thanks a ton for this video.. I lost most of my interview only because of not answering how to security is implemented in micro services question.... Appreciate your efforts.
Thank you buddy 🙂
THIS IS THE VIDEO I WAS LOOKING FOR, THANKS SO MUCH FROM COLOMBIA
Great Video sir, completely Awesome...Add the role based security through api gateway.
Thanks a lot.
I am looking for security in Microservices architecture. It is one of the best way, you have explained.
Glad to hear that😊
This is the best channel about Spring and stuffs of all RUclips. Thank you Java Techie.
Its a very best content which i ever seen in across youtube .. thanks basant keep it up..
me too
Thanks aTon Sir ❤, No one can match your Explanation level 👍
Thank you so much for clear explain no one will explain like you.
it's awsome,,
I was trying to solve this kind of problem and this tutorial helps me a lot.
Thank You so much for the video tutorial.
Quite informative, thanks!
I've been waiting this long, thanks java techie greetings from peru😎
I had been waiting for this topic for long time. Finally wait is over.
Best video you can find for JWT auth ❤
Looks really simple, just as I used to implement the JWT service in a monolithic way, but porting everything to a new independent webservice to validate JWT to access any endpoint without compromising the other webservices.
instead of completely using spring cloud stack we can make this more OSS (open source stack) like every micro service is containerised (dockerised) then use KONG as API gateway. this way we can make the configuration more simple and reduce tight coupling.
Could you please explain more about how that works?
can you please come with your hands on similar like this using KONG.
bro you helped me a lot, thank you very much and greetings from Argentina
This Video is really helpful, Pls. Can you cover Role base authentication and Authorization on the individual microservices?
No words Mind Blowing
Grateful for such a wonderful insight on Microservices security. It will definitely help me to improve skills in my projects. Thankyou so much for the efforts. I'm learning a lot from your channel. Awaiting for more interesting videos.
Thanks buddy keep learning 😃
Searching every where finally got it thanks sir 😀
Wow Very Nicely Explained In Easy To Understand Manner.
1 Request can you please show how to implement role based authentication with Spring API Gateway ?
Yes buddy it's in queue i will upload soon
Thanks Sir , Good explanation, your course was clear and understandable.
Much waited ❤ Thank you sir for your wonderful teaching and the knowledge your sharing .
Excellent Explanation. this is the Video i was looking for. thanks
Nice video we learn couple of thing related to microservices and spring security ❤❤❤
This is what, I was waiting for ,Very Helpful for me
Hey Basant Anna, this is awesome 👌thanks for such a smooth flow..its really a very complex topic & nightmare for interview candidates.
Thank you for such an awesome lecture. We many of us benefit from such work. Continue teaching brother
Awesome explanation !!! Really i feel that you are one of the most amazing solution architect !!!
Thank you for appreciating buddy. I am just a senior software Engineer not an architect 🤪🤪
Good explanation, your course was clear and understandable.
Awesome videos. Hats off to you in explaining it in a very simple and easy manner. One question.
May I know if we have a requirement to secure our swiggy and restaurant service endpoint and grant access based on role, then how we can achieve this requirement .
Awesome video Bhai.. much needed.. thanks a lot for the content shared. 🎉
Great Video! Need some more info : How do we avoid scattering secret? it can be stolen from code repo. How will the services be talking to each other? How will they get the token? Also how to enable HTTPS with proper handling of secrets.
Thanks!! Helpful for basic understanding.
Awesome video.
Thank you very much for providing such a detailed explanation. Your video is undoubtedly superior to paid courses that tend to overcomplicate things and stretch on for more than 8 hours.
I have a question: If I were to call Swiggy or a restaurant service directly, bypassing the gateway or discovery service, how would I handle authentication?
you can't but you can make that api endpoint in api gateway itself
Hi sir! I am grateful for this tutorial. In this tutorial you have two client services, one gate way, one security service and you added security in Api Gate. I like the way you did it. But i need to move forward and add some Authorization. Suppose in swiggy service there are some end points what only admin can access and some end points normal user can access. How to apply this type of Authorization. Would you please make second part of this tutorial please? I am following this tutorial and trying to learn. I tried to implement the security directly in the API GATE-WAY service. But that was not easy because gate-way supports webflux not the web.
make use of method level authorization and roles
Yes I am still not finding any solution for this approach. Will check and update you
@@Javatechie Thanks
@@Javatechie I saw others using OAuth2 to solve this problem. KeyCloak is one of them.
@@Javatechie Hey, I found your video helpful, however I wanted to inquire, did you find any solution for this approach?
Thank you for this wonderful video❤️❤️
I am new to microservices & your videos helped me a lott🙌🙌 also can you please tell me, what should I use for role based authorisation in microservices.
I am working on project which is a web portal for sanctioning government applications, It has user & admin as roles.
Please guide🙌
I am working on jwt token microservices.
How to logout user or expire token imediate?
Wonderful. Thank you very much for sharing
thanks for giving us this much excellent content and awesome video
Excellent Work....Thank you
Hi Basant ,
Very useful tutorial however I have one doubt, In production when the token is generated by passing a valid username and password it should automatically pass the token to the gateway right but here I saw that you are manually passing the token to the gateway through Postman for accessing microservices, My question is how we can automatically pass the token to the gateway for accessing microservices when the token is generated
Your question is genuine but this automatically stuff needs to handle from UI not from the backend
@@Javatechie ok thank you!
Fantastic video and an outstanding explanation ❤🔥. Thank you so much!!!
finally someone addressed this scenario with proper explanation. Thanks as always.
one question that if auth service also has to pass through api gateway and we didn't add filter param in gateways routes for auth service then why we are checking those urls through validators in authentication filter ? because request will never land on filter in case of /register and /token api
No usually we should do a rest call to identify service from gateway to validate and get token but here to avoid that I have directly used jwt logic in gateway that's why it's confusing for you
@@Javatechie but that rest call we are doing lately when all the checks are true before that. I am talking about that "if" condition in start (validator.isSecured.test(exchange.getRequest())) {
because in this condition we are checking /register and /token urls to bypass the token check and according to implementation when we will call register or token it would never land on Authentication Filter.
let me know if I am missing something still.
That's correct right. In the filter we had token validation logic right? So when i don't want to authenticate the user for the first time login then why do you want this to be delegated to filter what is the sense here ?
Let me know if I understand your concern correctly. If not please drop an email to javatechie4u@gmail.com
@@Javatechie no I dont want to authenticate for the first time.
I am just saying that, main if condition is of no use when we will call /register or /token , it does not matter if the condition is there or not.
Will email no problem
@@faixan13 okay simple things buddy remove those 2 url from validator don't bypass it and run your app then test . Hope you will get your point.
You are super talented man.clear explanation .Thank you
Wonderful and clearly explained. I want just to know how to access authentication info (principal for example) and how to do authorization if needed in microservices
Please check the video below 👇 you will get an idea ruclips.net/video/qODoDq5_hAM/видео.html
@@Javatechie Thanks a lot
Thank you so much. Can you do a video share how to config authorization with JWT in microservices ?
Thank you for this tutorial... Kudos
Nice work man, please implement the swegger this application which is used for api documentation, thanks in advance
keep it up good work.
Loved your explaination ❤❤❤❤
1:11:00 The rest call from gateway to auth service is not working. It is throwing an error saying cannot call from java.lang.illegalstateexception: block()/blockfirst()/blocklast() are blocking, which is not supported in thread reactor-http-nio-1. Please let me know if someone can help in this
superb clear video
13:44 Comienza a crear el proyecto identity-service (lo hace desde el Spring initializer de su IDE IntelliJ)
The best explanation
Thanks a lot. Jai jagarnath
love you bro you are helping so much
Thank you bro 🎉
Thank you so much !!
But how can we restrict direct access to individual microservices
Only one way to avoid exposing them
Nice explanation! Only thing I'm concerning is that why did you filter and authenticate user in gateway directly rather than routing to IDENTITY service and authenticate?
Your explanation is amazing. Learned lot of concepts with this practical example.
I have a request hope you would look into it. I need to integrate same service and gateway with AWS cognito as auth service. Possible to do one video on this. ?
Yes I will try that
It was the best tutorial I found on this concept... Thank you sir... And one doubt for authorization we have to call the security service other wise we have to write the security code in Api Gate way itself these are the two possibilities otherwise is there any other best practice is there sir? ..... Open question question for all java developers out there thanks in advance
No these are the only 2 options if you are using your own security impl if you are using any third party like keyclok then it's not required
@@Javatechiethanks for responding ❤
why did you copy the code of "/validate" to gateway? It's useless now in the identity-service if you run this piece of code from the gateway
Rather than doing another rest call to identity service i have used it in gateway itself
@@Javatechie i get that, but if this was the goal all along, then why did we implement this in the id-service to begin with? I want to avoid duplicate code.
great job Sr. does it come with new spring boot verison
Just what I needed. 👍
In Gateway service, can you please show us role based authentication. You just showed authentication part but not authorisation. Please show us. It’s very important
Great explanation, but you only cover authentication part dosnt cover authorization , can explain that
Great job
You're a life saver!
Thanks for sharing ❤
But how can we authenticate based on role.
Here we can access the whole microservice but how can we access some end points of one microservice and other endpoint for another role.
Explained very well. My doubt is if there are 100s of microservices all the call will go through API gate way and the auth Service, how to handle API gateway or auth service failure ?
You need to handle it through DR . In microservice world 🌎 no guarantee of 0 downtime
@@Javatechie thanks
Excellent work , but the website u use for getting the secret is not working any more . so people are suffering to get the secret and cant able to use the full potential of the work you have done here . pls give an alternative way to get secret from else where . i was suffering for a week for validating JWT and routing . this came as a life saver . Thanks much for a fablous work . i would like to do a donation . if u have any payment portal pls let me know .
Ohh is it , the last time I tried it works since these are open-source we can't predict from any website will check alternative and update in thread
Hi @@Javatechie , Appreciate you're reading the comments . if you make shorts for generating the secret please share the link here and the spring security video description .
well explained concepts, thank you
Nice detailed video..
really helpful, but I have a doubt, what if someone directly access the microservice url by bypassing the api gateway. how to handle that?
How does someone know your URL, if you are sharing then it strictly breaks the microservice contract
Thanks for sharing this video.
I have one question. Do we need of validator.isSecure for endpoints /token, /register, /validateToken? I think no because we are not applying filter for IdentityService then obviously API Gateway will not use the filter. Please correct me I am wrong.
Yes it's required otherwise wise how can we bipass the request. Currently I am not calling identity service api but as per best practices it's good to do rest API call to validate the token hence above URL required to bypass
since springboot 3.0 you dont have to do @EnableDiscoveryClient annotation. It is enough that dependency is defined in pom.xml
I haven't tried , will check and update you
Thank you again.
Thank you Basant ❤, this is like rock I really appreciate your time and efforts. Could you please also make a video for swagger in microservices services?
Swagger i have already implemented please check in my microservice playlist
@@Javatechie Thanks
52:00 Auth service integrate with Gateway
56:00 Validate token
My English is poor. Maybe you talked about this. I understood correctly that in a real project we do not need to create a method for validating tokens in the identity service, because validation needs to be implemented only in Spring Gateway?
We can keep it in the gateway that's what I did in this video but it's a bad practice because the key thumb rules of microservice is to segregate functionality to different modules so if I keep security and routing in the same application then it violates the principle isn't it?
Great thanks, can you please continue this and implement role based Authorization as well ?
Okay i will
@@Javatechie can you suggest what to add more to achieve role based acess to endpoints
@@danishali2519 Hey Danish. Have you found any source about role based acess to endpoints?
Hey Basant, Once again you delivered nice content which we were looking since long time. I locally setup up and tried it working fine. I have a concern here
If user directly request to 'Swiggy App' or 'Restaurent Service' then he able to get all details without providing JWT token.
How secure these 2 apps if user directly send request?
Hi Rahim think practically why you will expose swiggy and restaurant microservice endpoints directly to the end user. If that is the case API gateway itself is no use right .
So we should only expose api gateway endpoints that is how we can force everyone to use gateway with token
@@Javatechie Hi that was a great explanation, but I have a question. Is there any way we can secure swiggy and restaurant microservice and use it in gateway as well?
Again we landed in the same context . If this is your requirement then you should avoid using gateway
@@Javatechie We can make secure swiggy and restuarent apps too.
Currently I am on similar kind of project where we secure each microservices app.
I will update here later.
@@rahimkhan-fh9dd Can you provide more details. It would be helpful. Thanks.
👍 very nice 🙂
Thanks so much, it is the Best tutorial ive seen. I have one question. Hoy can I get the current loged user and roles from the servíces to make autorizations
Please check the next video you will get logged in user info but regarding Authorization i am working on it
Thank you! how is it going if i have the UserData in an other service, is there any video with this case ?
In our case also user data available in other services right
Your tutorial very good. I need some information on how to implement role/permission based access control in microservices. Would you please help on this?
Okay i will cover that part
Loved the explanations!! But, how can i do a role based authentication, like admin and user for example? I've faced with this question and got stucked. I wonder if you can help me.
Thanks for the tutorial. I was waiting for this. How to handle token expired case.
Thanks a lot 🙏