Challenge

As enterprises migrate to and adopt modern cloud technology, they shift from a monolithic application architecture to a cloud-native one. Hundreds of microservices interact with each other through numerous API calls every millisecond of the day. The sheer number and complexity of calls between microservices (East-West traffic) can make authorization a security challenge.

The PlainID Authorization Platform

The key for microservices authorization is to adopt a model of central management with distributed enforcement, where the logic and policies are centrally defined outside of the service, and the enforcement is done at the service level using a sidecar.

PlainID Authorizers for Microservices

PlainID Authorizers are ready-to-use integrations for specific service-mesh technologies, delivered as a sidecar, to control authorization on service-to-service traffic. Such Authorizers include the Istio Authorizer, Kuma Authorizer, and Linkerd Authorizer.

Architecture flow

  • The client sends its access/ID token in the request header.
  • The request is intercepted by the Envoy proxy and passed to the PlainID Authorizer sidecar, another container that is automatically injected into the pods.
  • The PlainID sidecar makes a permit/deny decision based on the defined policies. The decision is based on the request URL, request headers and request body. Optionally, a permit decision can provide the transaction with a new token or enrich it with functional authorizations.
  • If the authorization decision is permit, the Envoy proxy passes the request to the service container; if the decision is deny, the request never reaches the service container and a 403 response is returned immediately.
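The flow above, reduced to a runnable toy: a deny-by-default decision function of the kind a proxy's external-authorization hook would call, evaluating centrally defined policy data against the request URL, headers and body, and returning either a permit with enrichment headers or a 403. This is an added illustration, not PlainID's code; the policy shape, claim names, paths and the `sample_token` helper are constructed for the example.

```python
import base64
import json
from dataclasses import dataclass, field

# Policies are data defined centrally and evaluated in the sidecar. Constructed
# sample: allowed roles per method and URL prefix, required body fields, and
# headers to add on permit (the "enrichment" step).
POLICIES = [
    {"prefix": "/orders", "methods": {"GET"}, "roles": {"reader", "admin"},
     "enrich": {"x-authz-scope": "orders:read"}},
    {"prefix": "/orders", "methods": {"POST"}, "roles": {"admin"},
     "body_requires": {"region": "eu"}, "enrich": {"x-authz-scope": "orders:write"}},
]

@dataclass
class Decision:
    allowed: bool
    status: int                                  # 200 on permit, 403 on deny
    headers: dict = field(default_factory=dict)  # enrichment passed downstream
    reason: str = ""

def decode_claims(headers):
    """Decode claims from the bearer token. NOT verified here: a real sidecar
    must check signature, issuer and expiry before trusting any claim."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None

def authorize(method, path, headers, body):
    """Sidecar decision over URL, headers and body. Deny by default."""
    claims = decode_claims({k.lower(): v for k, v in headers.items()})
    if claims is None:
        return Decision(False, 403, reason="missing or malformed token")
    roles = set(claims.get("roles", []))
    for p in POLICIES:
        if (path.startswith(p["prefix"]) and method in p["methods"]
                and roles & p["roles"]
                and all(body.get(k) == v for k, v in p.get("body_requires", {}).items())):
            return Decision(True, 200, dict(p.get("enrich", {})), "policy matched")
    return Decision(False, 403, reason="no permitting policy")

def sample_token(claims):
    """Constructed, unverified token for the sample: header.payload.signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return "Bearer " + enc({"alg": "RS256"}) + "." + enc(claims) + ".placeholder-sig"
```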