Gateway and secure micro services

Post on 21-Jan-2017


Transcript of Gateway and secure micro services

Gateway and Services
Jordan Valdma, TransferWise Partnerships Tech

Hi, I’m Jordan

TransferWise Global Partnerships Engineering

Estonian


MSc Data Sciences and Machine Learning

Like to organize events, hackathons, ...

This talk
● Intro to TransferWise microservices
● RESTful API design
● Microservice security

Brief history of What We Have Done

Dark Ages - Separation of Monolith
Separate in-house and public web applications. Modular thinking.

First Micro Services
Beginning of life ...

Age of Enlightenment - DevOps
People wake up: “Hey, I have a right to release!”

Good night sleep
Don’t have to worry about people hacking

Baby Boom of Services
“It’s so easy to make a ... Service!”

Modern ages
State of the art tech, separate codebases

Designing RESTful API

TransferWise RESTful API

1. Starting point: internal API
   a. People were not satisfied with it
   b. Out of standard (RPC, error handling, ...); couldn’t give it out
2. Forming a focus group (strong stakeholders)
3. Designing the resource model:
   a. Base layer is flexible
   b. Orchestration layers on top
4. Design interfaces - collaborate - REPEAT
5. Implementation and tweaking

Tips for Designing RESTful API

● “Interfaces over meetings”
● Get the teams talking!!
● Get alpha partners to give feedback on interfaces
● Implement against it
● SWAGGER or similar
● Start thinking about dev support early.

Service Security

Gateway

● Single entry point
● Protocol translation
● Transformations
● (Auth)

oAuth 2 flows

● Code
● Implicit
● Username and Password
● Client credentials

MicroService auth - starting point
i.e. TransferService

    curl /transfers/?createdByUserId={userId}

Gateway

    curl /transfers -H "Authorization: Bearer $TOKEN"

TransferService

Is token OK? Who is the user?

Json Web Token

jwt.io

MicroService auth - JWT
i.e. TransferService

    curl /transfers/ -H "Authorization: Bearer $JWT_TOKEN"

Gateway

    curl /transfers -H "Authorization: Bearer $TOKEN"

TransferService

Is token OK? Who is the user?

Decode & Validate JWT

JWT Secret

JWT Secret

Problems with JWT

● Can not be revoked
● Intercepting
● Secret may get compromised

Json Web Token + oAuth Token

jwt.io

MicroService auth - JWT + oAuth Token

i.e. TransferService

    curl /transfers/ -H "Authorization: Bearer $JWT_TOKEN"

Gateway

    curl /transfers -H "Authorization: Bearer $TOKEN"

TransferService

AuthorizationServer

Is token OK? Who is the user?

    curl /check_token?token="$JWT_TOKEN"

Decode JWT & Validate oAuth Token

Tips for Micro Service security

● Anonymous JWTs
● Pain with authentication types
● Code grant for legacy token swap

Tips for Gateways and Services

● Domain driven design
● Move on from testing infrastructure into staging ASAP
● Proxy swagger upstream
● Decouple from datasource early!
● Keep your gateway lean
● Plan ahead for multi-node setup

Contact

Jordan Valdma
jordan@transferwise.com

Twitter: @JordanValdma