Authentication and authorization in a microservices environment is non-trivial to implement correctly. This becomes especially true when identity and authorization controls are distributed across different applications. There has been multiple cases where authorization controls implemented for one application was missed for another application with similar feature and data access resulting in a breach.
We present a solution along with a proof of concept implementation for the problem described above — To be able to perform authentication and authorization for microservices in the API Gateway itself.