auth server and gateway.md
# Auth server
As the name implies, this is the authentication server. You can use a third-party auth server (Azure Active Directory or Auth0 (https://auth0.com)) or build your own. Building your own is not recommended practice: you have to manage everything yourself, from tokens to security to maintaining the user database, and it becomes yet another microservice. All the auth server does is provide an access token that validates the user's identity. You may still need to store a small set of user information in your own database to run your business logic. For example, if your shopping application offers Basic/Standard/Premium services, you can only tell which service a particular user is subscribed to if you have the user ID saved in your database. So the auth server is only responsible for giving you the token; from there, you are responsible for running the show.
# API Gateway
The API gateway is the entry to your microservices. It is used as a single point of entry and offloads user authentication, TLS, etc. Generally, the API gateway is responsible for talking to the auth server and bringing back the access token, which can then be verified in the API gateway.
Whether you use that token in the other microservices depends on how you deploy them. The API gateway generally has a public IP, which is used to enter your system. However, if the other microservices you deployed are also public-facing (have public IPs), you have to secure them too: anyone who has a public IP can reach those microservices without going through the gateway. In this case you have to verify the token on every request entering any public-facing microservice. But if you deploy your microservices inside a cluster (Kubernetes etc.) with private IPs accessible only within the cluster, then you don't have to worry about authentication. Only your API gateway has access to the cluster, and the cluster sits behind virtual networks/a firewall, so the gateway is the only way for traffic to come and go.
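
The per-request token check for a public-facing microservice, followed by the local user-ID-to-tier lookup from the Auth server section, as an added example (not part of the original gist). It assumes an HS256-signed JWT whose key is shared with the auth server; the secret, the `orders-service` audience, the `TIERS` table and all function names are constructed for illustration, and `issue` only stands in for the auth server.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key shared with the auth server
AUDIENCE = "orders-service"          # hypothetical name of this microservice
TIERS = {"user-42": "Premium"}       # constructed local table: user ID -> subscribed tier

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims, key=SECRET):
    """Stand-in for the auth server so the demo has a token to check."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body, key))}"

def verify(token, now=None):
    """Return the claims if the token is valid for this service, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(b64d(head)), b64d(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # alg is pinned, not taken from the header
    if not hmac.compare_digest(sign(head, body, SECRET), given):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token issued for another service")
    return claims

def handle_request(headers):
    """Runs on every request to a public-facing service, before business logic."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return 401, "missing bearer token"
    try:
        claims = verify(token)
    except ValueError as err:
        return 401, str(err)
    tier = TIERS.get(claims.get("sub"))  # the token proves identity; the tier is our own data
    return (200, tier) if tier else (403, "unknown user")
```

Third-party auth servers commonly sign tokens with an asymmetric key instead, in which case each service verifies against the server's published public key rather than a shared secret.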