Verifying the source of a request in a microservice architecture

Hi guys, I have a quick question about verifying where a request comes from.
Let's say I have a User X, a Microservice A and a Microservice B.
The normal flow of the request is to pass from User X (after authenticating himself, of course) to Microservice A to Microservice B; in this case the token will be passed to Microservice B through the Authorization header.
The thing is, I want to forbid the user from directly calling Microservice B. In other words, I want Microservice B to only accept requests that are coming through Microservice A.
So is there a way to do this with a Keycloak flow?

If you are using OIDC (and OAuth 2.0) then REST API’s typically use scopes to protect resources.

For example: Flowable OAuth2 Resource Server

Have you thought about using a service mesh for service-to-service communications?

See: Service Mesh Ultimate Guide: Managing Service-to-Service Communications in the Era of Microservices

Also, try Googling “Spring Boot service mesh”

1 Like

Thanks for your response Robinyo,

I'm already using Consul as a service mesh, and I don't have a problem configuring the OIDC to protect my resources. But I couldn't figure out a way to block the calls to a certain endpoint on Microservice B.
I already figured out how to configure my project so that User X can get an access token and send it to Microservice A, and then Microservice A propagates it to Microservice B so that Microservice B can identify User X. But this scenario gives User X the possibility to directly call Microservice B with his access token, which is unwanted behaviour in my case. So my question is: is there a way to add another layer of identification between the two microservices (A–B) so that Microservice B knows that the call comes from Microservice A, all without losing the ability to propagate User X's access token to Microservice B?

I hope it's clearer now. Thanks in advance.
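To make the "second layer of identification" concrete, here is an added example (not code from the thread, Keycloak or Consul) of what Microservice B's check could look like: B validates the propagated user token from the Authorization header as before, and additionally requires a service token that only Microservice A can present (for example one A obtained from Keycloak with its own client credentials), checking that its `azp` (authorized party) is A's client id. Assumptions: the header name `X-Service-Token`, the client id `microservice-a`, the scope names `orders:read` and `call-b`, and HS256 with a constructed shared secret so the example runs offline; a real Keycloak realm signs with RS256 and B would verify against the realm's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this offline example only (HS256).
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT (stands in for a Keycloak-issued token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Verify signature and expiry; return the claims or raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


class Unauthorized(Exception):
    pass


def authorize_b_request(headers: dict, required_scope="orders:read",
                        trusted_caller="microservice-a", now=None) -> dict:
    """Microservice B's gate: user token AND a service token from A are required."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("missing user token")
    try:
        user = verify_jwt(auth[len("Bearer "):], now=now)
    except ValueError as e:
        raise Unauthorized(f"invalid user token: {e}")
    if required_scope not in user.get("scope", "").split():
        raise Unauthorized("user token lacks required scope")

    # Second layer: the caller must prove it is Microservice A. The user's own
    # access token never carries azp=microservice-a, so a direct call by User X fails here.
    svc_token = headers.get("X-Service-Token")
    if not svc_token:
        raise Unauthorized("missing service token: direct calls to B are not allowed")
    try:
        svc = verify_jwt(svc_token, now=now)
    except ValueError as e:
        raise Unauthorized(f"invalid service token: {e}")
    if svc.get("azp") != trusted_caller or "call-b" not in svc.get("scope", "").split():
        raise Unauthorized("service token was not issued to microservice A")
    return {"user": user["sub"], "caller": svc["azp"]}


# Constructed sample tokens, fixed clock so the example is deterministic.
NOW = 1_700_000_000


def make_user_token() -> str:
    return sign_jwt({"sub": "user-x", "azp": "frontend", "scope": "openid orders:read", "exp": NOW + 300})


def make_service_token(client: str = "microservice-a", secret: bytes = SECRET) -> str:
    return sign_jwt({"sub": f"service-account-{client}", "azp": client, "scope": "call-b", "exp": NOW + 300}, secret)


if __name__ == "__main__":
    via_a = {"Authorization": "Bearer " + make_user_token(), "X-Service-Token": make_service_token()}
    print("via A:", authorize_b_request(via_a, now=NOW))
    try:
        authorize_b_request({"Authorization": "Bearer " + make_user_token()}, now=NOW)
    except Unauthorized as e:
        print("direct call by User X rejected:", e)
```

Note that this only proves *which client* presented the request, not *which network path* it took; pairing it with the mesh or gateway restrictions suggested in the replies (so B is not reachable from outside at all) closes the remaining gap.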

One approach would be to expose a public service via an API gateway. The application can call the public service, and the public service can invoke private microservices. However, the application cannot invoke the private microservices.

1 Like

I guess there's no way to do it the Keycloak way then.