Episode 144 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Updating OWASP’s Microservice Security Cheat Sheet
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Dimitrij Drus, Senior Consultant at INNOQ
Description
Join us live as we dive into authentication architecture for microservices, exploring OWASP’s updated cheat sheet on authentication patterns—from service-embedded to edge-level, proxy-mediated, and kernel-based strategies. We’ll compare trade-offs in scalability, security, and complexity, and show how correctly choosing where and how identity is established affects authorization, observability, and operational risk. Whether you’re building internal services or external APIs, this session will give you clearer guidance on establishing strong trust boundaries in distributed systems.
Blogs
- Updating OWASP’s Microservice Security Cheat Sheet: Authentication Patterns
- Updating OWASP’s Microservice Security Cheat Sheet: Authorization Patterns
Takeaways
- ⚡ OWASP Authn/Authz design patterns are canonical once they are published. There is an opportunity for Identerati to engage, but they generally don't (crickets chirping...). Identerati need to help if we want these patterns to represent the current best practices and help application developers understand prior art.
- ⚡ OpenID Connect is not seen as a solution for microservices authn/authz. This makes sense to a certain extent, because microservices are not directly connected to the human, and OIDC is after all an identity layer, especially for humans using third party applications. But why isn't OAuth seen as more foundational and useful? The OAuth community needs to do more outreach or their solutions will remain esoteric.
- ⚡ The old OWASP architecture was really dated. Dimitrij spent three months working to update it. But more work is needed. I think there could be more patterns that address different ways to convey trust. I also wonder if there should be room for new patterns, which are as yet unproven--we have new challenges and thus need to catalyze invention.
- ⚡ Relying on a proxy for security is still really popular for microservices, but it violates "Zero Trust" architectural patterns. If a hacker gets on a trusted network, they can bypass the proxy and call the microservice directly. A Zero Trust solution would favor policy enforcement embedded in the microservice--in case the proxy approach fails. Proxy security is good--why pass a bad request to the microservice? But it's not enough today.
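As an added example that is not from the episode, OWASP, or Gluu: a minimal Python service handler contrasting the proxy-mediated pattern (trusting a header the edge is expected to set) with the service-embedded pattern the last takeaway favors (the service verifies the bearer token and scope itself, so a request that reaches it from inside the network without a valid token is still rejected). The token format, header names, and shared secret are constructed for the demo and stand in for a real OAuth access token such as a JWT.

```python
"""Added example (not from the episode or OWASP): proxy-mediated trust vs.
service-embedded enforcement. Token format and secret are constructed."""
import base64, hashlib, hmac, json, time

SHARED_SECRET = b"demo-secret-not-for-production"  # constructed demo value

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, scopes: list, ttl: int = 300, now=None) -> str:
    """Constructed HMAC token: base64(payload).base64(hmac); stands in for a JWT."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "scp": scopes, "exp": now + ttl}).encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_token(token: str, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    return claims if claims.get("exp", 0) > now else None

def handle_proxy_trusting(headers: dict) -> int:
    """Edge-only pattern: trusts a header the proxy is supposed to set.
    Anyone who can reach the service on the network can forge it."""
    return 200 if headers.get("X-Authenticated-User") else 401

def handle_embedded(headers: dict, required_scope: str, now=None) -> int:
    """Service-embedded pattern: verify the bearer token and scope locally,
    regardless of what any upstream proxy claims about the caller."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401
    return 200 if required_scope in claims.get("scp", []) else 403
```

The proxy can still sit in front and reject junk early; the point is that the service's decision no longer depends on the proxy having been in the path.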