We use IAG as the API gateway inside the Kubernetes cluster, and ISVA (OIDC) as the identity provider, to secure north-south traffic from the end user.
IAG forwards the identity of the end user to the application as a JWT. Each application validates this JWT in code.
Our Kubernetes environment is set up with Linkerd as a zero-trust service mesh, with mTLS between components.
This ensures that only authorized applications are able to communicate with each other.
What is the recommended pattern for identity propagation between microservices, and for authorizing east-west traffic?
We have around 300 microservices, so traffic out of the cluster for each request will be expensive.
As I see it there are multiple options:
1) App1 authenticates to IAG in front of app2 using the JWT bearer token (from the IAG header)?
2) Same as above, but with a session cookie, with the session shared in Redis
3) App1 bypasses IAG and lets app2 do the JWT validation/authorization
4) Some other best practice
------------------------------
Øyvind Bergerud
------------------------------