Gateway and ServicesJordan Valdma, TransferWise Partnerships Tech

Hi, I’m Jordan

TransferWise Global Partnerships Engineering

Estonian

(too few words)

MSc Data Sciences and Machine Learning

Like to organize events, hackathons, ..

This talk● Intro TransferWise MSs● RESTful API design● MicroService Security

Dark Ages - Separation of MonolithSeparate In-house and pub web applications. Modular thinking.

First Micro ServicesBeginning of life ..

Age of Enlightenment -DevOpsPeople wake “Hey, I have a right to release!”

Good night sleepDon’t have to worryabout people hacking

Baby Boom of Services“It’s so easy to make a...Service!”

Modern agesState of the art tech, separate codebases

Brief history of What We Have Done

Designing RESTful API

TransferWise RESTFful API

1. Starting point: internal APIa. People were not satisfied withb. Out of standard (rpc, errorhandling,..) couldn’t give it out

2. Formin focus group (strong stakeholders)3. Designing resourse model:

a. Base layer is flexibleb. Orcestration layers on top

4. Design Interfaces-Collaborate-REPEAT5. Implementation and tweaking

TipsFor Designing RESTful API

● “Interfaces over meetings”● Get the teams talking!!● Get alpha partners to give

fedbax on interfaces● Implement against it ● SWAGGER or similar● Start thinking about dev

support early.

Service Security

Gateway

● Single entry point● Protocol translation● Transformations● (Auth)

oAuth 2 flows

● Code● Implicit● Username and Password● Client credentials

MicroService auth -starting pointie. TransferService

curl /transfers/?createdByUserId={userId}

Gateway

curl /transfers -h "Authorization: Bearer $TOKEN"

TransferService

Is token OK?Who is the user?

Json Web Token

jwt.io

MicroService auth -JWTie. TransferService

curl /transfers/ -h "Authorization: Bearer $JWT_TOKEN"

Gateway

curl /transfers -h "Authorization: Bearer $TOKEN"

TransferService

Is token OK?Who is the user?

Decode & Validate JWT

JWT Secret

JWT Secret

Problems with JWT

● Can not be revoked● Intercepting● Secret may get compromised

Json Web Token + oAuth Token

jwt.io

MicroService auth -JWT + oAuth Token

ie. TransferService

curl /transfers/ -h "Authorization: Bearer $JWT_TOKEN"

Gateway

curl /transfers -h "Authorization: Bearer $TOKEN"

TransferService

AuthorizationServer Is token OK?Who is the user?

curl /check_token?token=”$JWT_TOKEN”

Decode JWT& Validate oAuthToken

Tips● Anonymous JWTs● Pain with Authentication types● Code grant for legacy token

swapFor Micro Service security

Tips

● Domain driven design● Move on from testing

infrastructure into staging asap● Proxy swagger upstream● Decouple from datasource

early!● Keep your gateway lean● Plan ahead for multi-node

setup

For Gateways and Services

Contact

Jordan Valdmajordan@transferwise.com

Twitter: @JordanValdma