Securing Microservices that are serving internal as well as external requests can become tricky. If the services are serving APIs for internal requests only, its easy to place them behind the firewalls and grant access to them from the internal systems/clients only. However, when it comes to microservices that serve external clients security becomes critical and should be given utmost importance. API Gateway pattern is an approach aimed at micro-services management and security.
A few implementations based on the above pattern are AWS API Gateway, and IBM API Manager etc. OAUTH, JWT (Tokens by Reference for External Access & Tokens by value for Internal Access) are well established approaches for securing the micro-services. Commercial Products such as Ping Access also allow for token based API/Micro-services access. The key aspect that these solutions are yet to unravel is to identify a seamless and secure way of allowing browser based clients access without having to authenticate via an Identity service. The aforementioned solutions though can be modified to facilitate such an approach. If you have micro-services that are in the cloud such as AWS or Google Cloud, AWS API Manager with its API access key solution or using a custom Authorizer can provide security for your apis.
