I feel like your explanations are even better than people who have english as their first language lol. You really do have a gift for this!
I love you. Finally the architecture I'm looking for. A lot of tutorials cover authentication for only one microservice, and you are probably the only one who approaches the problem keeping the whole microservice architecture in mind.
Thank you so much Lukasz for appreciating my work 🥰🥰
You are worth millions of likes
Is it still applicable in 2024, in the latest version of spring?
Finally found an understandable tutorial about securing a Spring Cloud Gateway microservices architecture! A thousand times thank you sir!
THIS IS THE VIDEO I WAS LOOKING FOR, THANKS SO MUCH FROM COLOMBIA
You saved my day. God bless you. Thanks so much from Mozambique.
Wow, thank you so much! You’re literally my savior 🙏 This video was a lifesaver and exactly what I needed. Keep up the amazing work! 🎉👏 It would be awesome if you could make a video on implementing microservices with role-based authorization . That would be so helpful!
Great Video sir, completely Awesome...Add the role based security through api gateway.
Amazing🤩, really like the way you explain and handle everything in a very simple way.
thank you!! it helped me a lot.🙏
This is the best channel about Spring and stuffs of all RUclips. Thank you Java Techie.
Best course available in youtube. Thankfully it is free. Keep up the good work
Nobody explains like you do..Thank you very much for the video.
This is Gold Boss... Thanks a ton for this video. I lost most of my interviews only because of not answering the question of how security is implemented in microservices. Appreciate your efforts.
Thank you buddy 🙂
Thank you so much for clear explain no one will explain like you.
Waited the last couple of months to get the solution you explain for validating and filtering the request from Spring Cloud Gateway. You made my weekend, Basant Sir.
Thank you Sir
Thanks buddy 😊. Keep learning 👍
Actually without your tutorial I couldn't learn easily new things implementation in spring app...
You are Guru. Thanks lot.
Thank you Siva . Keep learning 😃
Thanks a lot.
I am looking for security in Microservices architecture. It is one of the best way, you have explained.
Glad to hear that😊
We need this kind of videos. It is an end to end tutorial for microservices with security + JWT. Plz make videos on real time deployments with microservice architecture.
Hi , Boss, Thanks for the video , i am following you since 2018, your videos help me to get move forward .
I've been waiting this long, thanks java techie greetings from peru😎
This is what, I was waiting for ,Very Helpful for me
Best video you can find for JWT auth ❤
It's awesome.
I was trying to solve this kind of problem and this tutorial helps me a lot.
Thank You so much for the video tutorial.
Searching every where finally got it thanks sir 😀
i love you brother, you are the best teacher for learners in this field.
I had been waiting for this topic for long time. Finally wait is over.
Excellent Explanation. this is the Video i was looking for. thanks
This video is very useful for me . Thank you for your time and explanation
Thanks aTon Sir ❤, No one can match your Explanation level 👍
Nice video we learn couple of thing related to microservices and spring security ❤❤❤
It's the very best content I have ever seen across YouTube. Thanks Basant, keep it up.
me too
Is it still applicable in spring 3 (2024) ?
Yes
Awesome video Bhai.. much needed.. thanks a lot for the content shared. 🎉
No words Mind Blowing
Thanks Sir , Good explanation, your course was clear and understandable.
Grateful for such a wonderful insight on Microservices security. It will definitely help me to improve skills in my projects. Thankyou so much for the efforts. I'm learning a lot from your channel. Awaiting for more interesting videos.
Thanks buddy keep learning 😃
Thank you so much sir for wonderful explanation ❤
Bro, thank you!!! God bless you!!!
Awesome explanation !!! Really i feel that you are one of the most amazing solution architect !!!
Thank you for appreciating buddy. I am just a senior software Engineer not an architect 🤪🤪
bro you helped me a lot, thank you very much and greetings from Argentina
Good explanation, your course was clear and understandable.
Looks really simple, just as I used to implement the JWT service in a monolithic way, but porting everything to a new independent webservice to validate JWT to access any endpoint without compromising the other webservices.
Awesome videos. Hats off to you in explaining it in a very simple and easy manner. One question.
May I know if we have a requirement to secure our swiggy and restaurant service endpoint and grant access based on role, then how we can achieve this requirement .
Hi Basant sir, Jwt in microservices explanation is so good. Thank you so much...
Thank you for such an awesome lecture. We many of us benefit from such work. Continue teaching brother
thanks for giving us this much excellent content and awesome video
Thanks so much Basant. Appreciate your efforts. I am learning lot from your videos. Waiting for more videos.
Wooooow.... I searched a lot for this kind of scenario but did not find it, and in so many interviews I faced this question and got stuck. A million thanks Basanth.... it helps us a looooot......👏👏👏🤝🤝🤝🙏🙏🙏 Thank you so much
Next Please do videos on TESTING(mockito) microservices end to end and GLOBAL EXCEPTIONAL HANDLING (please think about it)
I will share the link with what you mentioned which i already uploaded. Even if you can search in the channel it's already there buddy
Exception handling : ruclips.net/video/gPnd-hzM_6A/видео.html
Mockito testing: ruclips.net/video/Hh17JDpsKqc/видео.html
Wonderful. Thank you very much for sharing
Thanks!! Helpful for basic understanding.
Thank you, Basant Bhai...
Much waited ❤ Thank you sir for your wonderful teaching and the knowledge your sharing .
You are super talented man.clear explanation .Thank you
Thank you for this wonderful video❤️❤️
You have one of the best educational channels out there. I would love to give you a constructive opinion: It would be great if you could change your microphone into something clearer, like what the java brain and Navin have. Trust me, it makes a huge difference.
Thanks Filz , i noted it and going forward i will come with better audio quality. Need to look into rode configuration
@@Javatechie 🎉d o 😢😢😢😮😊😂😅😅😅😅😮😮😮😮😮😅😮fq😢😢😢😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮😮
Archana not getting you
@@Javatechie I think, that's a bot.
Even not getting you buddy. What do you mean by bot
Thank you for this tutorial... Kudos
Hey Basant Anna, this is awesome 👌thanks for such a smooth flow..its really a very complex topic & nightmare for interview candidates.
Excellent Work....Thank you
52:00 Auth service integrate with Gateway
56:00 Validate token
Thanks for sharing the knowledge ❤
Loved your explanation ❤❤❤❤
This Video is really helpful, Pls. Can you cover Role base authentication and Authorization on the individual microservices?
My approach for this is to apply filters to each individual microservice, in which I set up the SecurityContextHolder, which would look something like below:
UsernamePasswordAuthenticationToken authenticationToken =
new UsernamePasswordAuthenticationToken(username, null, authorities);
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
This is working for me.
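The per-service filter approach described in the comment above, written out in full as an added example (not the commenter's or the video's code). It assumes Spring Boot 3, Spring Security 6 and the jjwt 0.11.x API; the `roles` claim, the `jwt.secret` property and the `/swiggy/admin/**` path are hypothetical names.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.crypto.SecretKey;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

/** Runs inside each downstream service, so a call that skips the gateway is still checked. */
class JwtContextFilter extends OncePerRequestFilter {

    private final SecretKey key;

    JwtContextFilter(String secret) {
        // Keys.hmacShaKeyFor rejects secrets shorter than 256 bits.
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith("Bearer ")) {
            try {
                // Verifies signature and expiry; throws JwtException on any failure.
                Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
                        .parseClaimsJws(header.substring(7)).getBody();
                // "roles" is an assumed claim name, e.g. ["USER", "ADMIN"].
                List<?> roles = claims.get("roles", List.class);
                List<SimpleGrantedAuthority> authorities = roles == null ? List.of()
                        : roles.stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)).toList();
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities));
            } catch (JwtException | IllegalArgumentException e) {
                // Fail closed: a bad token never reaches the controller.
                SecurityContextHolder.clearContext();
                res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        // No token: the context stays empty and the rules below reject the request.
        chain.doFilter(req, res);
    }
}

@Configuration
class ServiceSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, @Value("${jwt.secret}") String secret) throws Exception {
        return http
                .csrf(csrf -> csrf.disable())
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(a -> a
                        .requestMatchers("/swiggy/admin/**").hasRole("ADMIN") // hypothetical admin-only path
                        .anyRequest().authenticated())
                .addFilterBefore(new JwtContextFilter(secret), UsernamePasswordAuthenticationFilter.class)
                .build();
    }
}
```

The secret should come from the environment or a secret store rather than the code repository, and the gateway has to forward the `Authorization` header unchanged for this filter to see the token.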
Quite informative, thanks!
Wow Very Nicely Explained In Easy To Understand Manner.
1 Request can you please show how to implement role based authentication with Spring API Gateway ?
Yes buddy it's in queue i will upload soon
superb clear video
you're really amazing, thank you so much
00:05 Implementing JWT-based security in microservices with Spring Cloud Gateway
07:12 Two microservices, Swiggi Service and the restaurant service, communicate with each other through the API Gateway.
21:19 Need to write methods to register users, generate tokens and validate tokens
28:07 Implemented the authentication and token validation endpoints.
41:40 Define your own UserDetailsService to authenticate users
48:42 Identity service implementation completed
1:02:00 Validating the token in the API Gateway
1:09:10 Implementing the JWT token validation logic in the Gateway
1:22:07 Implementing microservice security with JWT authentication
Crafted by Merlin AI.
Fantastic video and an outstanding explanation ❤🔥. Thank you so much!!!
Thank you very much for providing such a detailed explanation. Your video is undoubtedly superior to paid courses that tend to overcomplicate things and stretch on for more than 8 hours.
I have a question: If I were to call Swiggy or a restaurant service directly, bypassing the gateway or discovery service, how would I handle authentication?
you can't but you can make that api endpoint in api gateway itself
instead of completely using spring cloud stack we can make this more OSS (open source stack) like every micro service is containerised (dockerised) then use KONG as API gateway. this way we can make the configuration more simple and reduce tight coupling.
Could you please explain more about how that works?
can you please come with your hands on similar like this using KONG.
The best explanation
finally someone addressed this scenario with proper explanation. Thanks as always.
one question that if auth service also has to pass through api gateway and we didn't add filter param in gateways routes for auth service then why we are checking those urls through validators in authentication filter ? because request will never land on filter in case of /register and /token api
No usually we should do a rest call to identify service from gateway to validate and get token but here to avoid that I have directly used jwt logic in gateway that's why it's confusing for you
@@Javatechie but that rest call we are doing lately when all the checks are true before that. I am talking about that "if" condition in start (validator.isSecured.test(exchange.getRequest())) {
because in this condition we are checking /register and /token urls to bypass the token check and according to implementation when we will call register or token it would never land on Authentication Filter.
let me know if I am missing something still.
That's correct right. In the filter we had token validation logic right? So when i don't want to authenticate the user for the first time login then why do you want this to be delegated to filter what is the sense here ?
Let me know if I understand your concern correctly. If not please drop an email to javatechie4u@gmail.com
@@Javatechie no I dont want to authenticate for the first time.
I am just saying that, main if condition is of no use when we will call /register or /token , it does not matter if the condition is there or not.
Will email no problem
@@faixan13 okay simple things buddy remove those 2 url from validator don't bypass it and run your app then test . Hope you will get your point.
Hi Basant ,
Very useful tutorial however I have one doubt, In production when the token is generated by passing a valid username and password it should automatically pass the token to the gateway right but here I saw that you are manually passing the token to the gateway through Postman for accessing microservices, My question is how we can automatically pass the token to the gateway for accessing microservices when the token is generated
Your question is genuine but this automatically stuff needs to handle from UI not from the backend
@@Javatechie ok thank you!
Awesome video.
Thank you so much great video. Just wanted to mention that oauth 2.1 removed the password grant type so a generated client_credentials would be a better option, and would like to see an updated video on that implementation.
Wonderful and clearly explained. I want just to know how to access authentication info (principal for example) and how to do authorization if needed in microservices
Please check the video below 👇 you will get an idea ruclips.net/video/qODoDq5_hAM/видео.html
@@Javatechie Thanks a lot
love you bro you are helping so much
Nice detailed video..
well explained concepts, thank you
keep it up good work.
1:11:00 The rest call from gateway to auth service is not working. It is throwing an error saying cannot call from java.lang.illegalstateexception: block()/blockfirst()/blocklast() are blocking, which is not supported in thread reactor-http-nio-1. Please let me know if someone can help in this
Hi sir! I am grateful for this tutorial. In this tutorial you have two client services, one gateway, one security service, and you added security in the API Gateway. I like the way you did it. But I need to move forward and add some authorization. Suppose in the Swiggy service there are some endpoints that only an admin can access and some endpoints a normal user can access. How do I apply this type of authorization? Would you please make a second part of this tutorial? I am following this tutorial and trying to learn. I tried to implement the security directly in the API Gateway service, but that was not easy because the gateway supports WebFlux, not the web.
make use of method level authorization and roles
Yes I am still not finding any solution for this approach. Will check and update you
@@Javatechie Thanks
@@Javatechie I saw others using OAuth2 to solve this problem. KeyCloak is one of them.
@@Javatechie Hey, I found your video helpful, however I wanted to inquire, did you find any solution for this approach?
Thank you bro 🎉
Thanks so much, it is the best tutorial I've seen. I have one question. How can I get the current logged-in user and roles from the services to make authorizations?
Please check the next video you will get logged in user info but regarding Authorization i am working on it
Thank you so much. Can you do a video share how to config authorization with JWT in microservices ?
Great job
Thank you so much !!
But how can we restrict direct access to individual microservices
Only one way to avoid exposing them
Just what I needed. 👍
I am new to microservices & your videos helped me a lot🙌🙌 Also, can you please tell me what I should use for role-based authorisation in microservices?
I am working on project which is a web portal for sanctioning government applications, It has user & admin as roles.
Please guide🙌
I am working on jwt token microservices.
How to log out a user or expire a token immediately?
Nice work man, please implement Swagger, which is used for API documentation, in this application. Thanks in advance
Thanks for you awesome videos which helped me to have good idea about micro services and I also have a doubt how to implement role based authorization at spring cloud gateway level?
I am also doing R&D but not getting a proper solution on the Authorization part. I will update once i find the solution
@@Javatechie Thank you
👍 very nice 🙂
Great Video! Need some more info : How do we avoid scattering secret? it can be stolen from code repo. How will the services be talking to each other? How will they get the token? Also how to enable HTTPS with proper handling of secrets.
Thank you! how is it going if i have the UserData in an other service, is there any video with this case ?
In our case also user data available in other services right
Great job, Sir. Does it work with the new Spring Boot version?
Hello sir. The API is still open for each microservice. For example, when calling the order API on its own microservice with its port, like localhost:8082, the API is open. If anyone can call that API without the gateway and security, then what is the use of JWT?
Simple question can you please answer me how the user will know about the endpoints of your microservice ?
@@Javatechie using url or somehow user know the endpoint or hacker know the endpoint. so the endpoints are not secured for each MS. you have to reconsider your code and try to figure out how to secure all the endpoints separately also
@@hkkabir2024 no buddy it will be known by user only if you exposed it . If we are doing that then it's the wrong approach then what is the need for a gateway?
Could you explain this to me: Client -> Security Service (GenerateToken) -> API Gateway -> MicroService1 (validate JWT), this flow is fine. What happens when a request comes directly from Client -> Microservice1? How to check the JWT for each endpoint?
How to block each microservice endpoint to access??
The API Gateway is like the front door to your entire microservices setup. Every request coming in or going out passes through it. Think of it as a super-secure, load-balanced gatekeeper that makes sure only the right people and requests get in.
Once you’ve validated requests at the gateway, there’s no need to worry about extra authentication for internal services since they aren’t directly accessible from the outside world. This setup keeps everything neat, secure, and centralized, so your microservices can focus on what they do best, without worrying about who’s knocking on the door.
Thanks a lot. Jai jagarnath
Thank you! but i have a question! is this enough in term of security in my application and how can i add more security layers
This is the way to implement it in microservices, but if you want it more secure then better use 3rd-party identity providers like Okta or Keycloak. I already uploaded a video on Keycloak using microservices
hi, i have two questions.
1- what if we already have a user (or customer ) microservice?
lets say we have a user microservice. i saved some user.
if i want to do the process in the video what should i do? i need to create an entity like you did and save it to the auth service ? or can i rest call from user?
2- how can we block the request which are not coming from gateway?
As we can see in the video, if we send a request through the gateway or directly to the service (swiggy, auth ..) we get the result. I guess we need to add a prefilter, but how?
thanks for video btw. you are really good person
Explained very well. My doubt is if there are 100s of microservices all the call will go through API gate way and the auth Service, how to handle API gateway or auth service failure ?
You need to handle it through DR . In microservice world 🌎 no guarantee of 0 downtime
@@Javatechie thanks
Thanks a lot 🙏