
US-12621286-B2 - Microservice applications with decentralized authorization enforcement in cloud platforms with multiple authentication ingress modes

US 12621286 B2

Abstract

A device includes one or more processors configured to receive an authentication request from a requestor. The one or more processors are also configured to determine, based on content of the authentication request, an ingress mode of the authentication request. The one or more processors are further configured to select, based on the ingress mode, a particular authentication mode from a plurality of authentication modes. The one or more processors are also configured to generate an authentication token based on the particular authentication mode.

Inventors

  • David R. Bowman
  • Preston R. Barbare

Assignees

  • THE BOEING COMPANY

Dates

Publication Date
2026-05-05
Application Date
2023-05-09

Claims (20)

  1. A device comprising: one or more processors configured to: receive an authentication request from a requestor; determine, based on content of the authentication request, an ingress mode of the authentication request, wherein the ingress mode indicates a generative source of the authentication request, whether content of the authentication request is non user-specific, or a combination thereof; select, based on the ingress mode, a particular authentication mode from among a plurality of authentication modes, wherein the plurality of authentication modes includes at least two of a first authentication mode based on a first certificate and an access portal identity token, a second authentication mode based on a second certificate, a web service gateway identifier, and a web service gateway user identifier, and a third authentication mode based on a third certificate and a proxy authentication token for a user; and generate an authentication token based on the particular authentication mode.
  2. The device of claim 1, wherein the ingress mode corresponds to a first ingress mode when the generative source of the authentication request is an internal network, and wherein the ingress mode corresponds to a second ingress mode when the generative source of the authentication request is an external network.
  3. The device of claim 2, wherein: the ingress mode corresponds to a third ingress mode when the authentication request is user-specific, and the ingress mode corresponds to a fourth ingress mode when the authentication request is non user-specific.
  4. The device of claim 1, wherein the plurality of authentication modes includes at least two of a first authentication mode based on a user identifier and a password, a second authentication mode based on a first certificate, a third authentication mode based on a second certificate and an access portal identity token, a fourth authentication mode based on a third certificate, a web service gateway identifier, and a web service gateway user identifier, or a fifth authentication mode based on a fourth certificate and a proxy authentication token for a user.
  5. The device of claim 1, wherein: the plurality of authentication modes includes at least a first authentication mode based on a user identifier and a password and a second authentication mode based on a certificate; the first authentication mode is selected based on a determination that the ingress mode corresponds to a user-specific ingress mode; and the second authentication mode is selected based on a determination that the ingress mode corresponds to a non-user specific ingress mode.
  6. The device of claim 1, wherein, to select the particular authentication mode, the one or more processors are configured to access mode mapping data that includes mappings between a plurality of ingress modes and the plurality of authentication modes.
  7. The device of claim 1, wherein, to select the particular authentication mode, the one or more processors are configured to: access mode mapping data that includes mappings between a plurality of ingress modes and the plurality of authentication modes; determine, based on the mode mapping data, whether the ingress mode matches any of the plurality of ingress modes; and select the particular authentication mode based on a determination that the ingress mode matches a particular ingress mode of the plurality of ingress modes and that the particular ingress mode maps to the particular authentication mode.
  8. A method comprising: receiving, at a device, an authentication request from a requestor; determining, based on content of the authentication request, an ingress mode of the authentication request, wherein the ingress mode indicates a generative source of the authentication request, whether content of the authentication request is non user-specific, or a combination thereof; selecting, based on the ingress mode, a particular authentication mode from among a plurality of authentication modes, wherein the plurality of authentication modes includes at least two of a first authentication mode based on a first certificate and an access portal identity token, a second authentication mode based on a second certificate, a web service gateway identifier, and a web service gateway user identifier, and a third authentication mode based on a third certificate and a proxy authentication token for a user; and generating, at the device, an authentication token based on the particular authentication mode.
  9. The method of claim 8, wherein the ingress mode corresponds to a first ingress mode when the generative source of the authentication request is an internal network, and wherein the ingress mode corresponds to a second ingress mode when the generative source of the authentication request is an external network.
  10. The method of claim 9, wherein: the ingress mode corresponds to a third ingress mode when the authentication request is user-specific, and the ingress mode corresponds to a fourth ingress mode when the authentication request is non user-specific.
  11. The method of claim 8, wherein the plurality of authentication modes includes at least two of a first authentication mode based on a user identifier and a password, a second authentication mode based on a first certificate, a third authentication mode based on a second certificate and an access portal identity token, a fourth authentication mode based on a third certificate, a web service gateway identifier, and a web service gateway user identifier, or a fifth authentication mode based on a fourth certificate and a proxy authentication token for a user.
  12. The method of claim 8, wherein the plurality of authentication modes includes at least a first authentication mode based on a user identifier and a password, and a second authentication mode based on a certificate.
  13. The method of claim 8, wherein said selecting the particular authentication mode includes accessing mode mapping data that includes mappings between a plurality of ingress modes and the plurality of authentication modes.
  14. The method of claim 8, wherein the particular authentication mode is selected based on determining that mode mapping data indicates that the ingress mode maps to the particular authentication mode, the method further comprising: sending a data request from the device to a service, the data request including the authentication token; receiving, at the device, data responsive to the data request; and sending the data from the device to the requestor.
  15. A non-transitory computer-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to: receive an authentication request from a requestor; determine, based on content of the authentication request, an ingress mode of the authentication request, wherein the ingress mode indicates a generative source of the authentication request, whether content of the authentication request is non user-specific, or a combination thereof; select, based on the ingress mode, a particular authentication mode from among a plurality of authentication modes, wherein the plurality of authentication modes includes at least two of a first authentication mode based on a first certificate and an access portal identity token, a second authentication mode based on a second certificate, a web service gateway identifier, and a web service gateway user identifier, and a third authentication mode based on a third certificate and a proxy authentication token for a user; and generate an authentication token based on the particular authentication mode.
  16. The non-transitory computer-readable medium of claim 15, wherein the ingress mode corresponds to a first ingress mode when the generative source of the authentication request is an internal network, and wherein the ingress mode corresponds to a second ingress mode when the generative source of the authentication request is an external network.
  17. The non-transitory computer-readable medium of claim 16, wherein: the ingress mode corresponds to a third ingress mode when the authentication request is user-specific, and the ingress mode corresponds to a fourth ingress mode when the authentication request is non user-specific.
  18. The non-transitory computer-readable medium of claim 15, wherein the plurality of authentication modes includes at least two of a first authentication mode based on a user identifier and a password, a second authentication mode based on a first certificate, a third authentication mode based on a second certificate and an access portal identity token, a fourth authentication mode based on a third certificate, a web service gateway identifier, and a web service gateway user identifier, or a fifth authentication mode based on a fourth certificate and a proxy authentication token for a user.
  19. The non-transitory computer-readable medium of claim 15, wherein: the plurality of authentication modes includes at least a first authentication mode based on a user identifier and a password and a second authentication mode based on a certificate; the first authentication mode is selected based on a determination that the ingress mode corresponds to a user-specific ingress mode; and the second authentication mode is selected based on a determination that the ingress mode corresponds to a non-user specific ingress mode.
  20. The non-transitory computer-readable medium of claim 15, wherein, to select the particular authentication mode, the instructions, when executed by the one or more processors, further cause the one or more processors to access mode mapping data that includes mappings between a plurality of ingress modes and the plurality of authentication modes.
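The following is an added worked example of the selection logic in claims 1 through 7; it is not code from the patent or from the assignee. It classifies a request by generative source (internal versus external network) and by whether its content is user-specific, looks the resulting ingress mode up in mode mapping data, refuses any ingress mode that has no mapping (claim 7) rather than falling back to a default, verifies the factors the selected mode requires, and only then mints a token. The address ranges, request fields, mapping table, password store, certificate allowlist and HMAC token format are all constructed assumptions; the certificate subject stands in for a client certificate that the transport layer has already validated.

```python
"""Ingress-mode based selection of an authentication mode (claims 1-7).

Added example, not the patent's own code. Address ranges, request fields,
the mode-mapping table, credential data and the token format are assumptions.
"""
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Assumed internal address space; any other source is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

class Ingress(Enum):
    INTERNAL_USER = "internal-user"        # internal network, user-specific content
    INTERNAL_SERVICE = "internal-service"  # internal network, non user-specific content
    EXTERNAL_USER = "external-user"
    EXTERNAL_SERVICE = "external-service"

class AuthMode(Enum):
    USER_PASSWORD = "user-password"
    CERTIFICATE = "certificate"
    CERT_PORTAL_TOKEN = "certificate+portal-identity-token"
    CERT_GATEWAY_IDS = "certificate+gateway-id+gateway-user-id"
    CERT_PROXY_TOKEN = "certificate+proxy-token"

# Mode mapping data (claims 6-7): ingress mode -> authentication mode. Constructed.
MODE_MAPPING = {
    Ingress.INTERNAL_USER: AuthMode.USER_PASSWORD,
    Ingress.INTERNAL_SERVICE: AuthMode.CERTIFICATE,
    Ingress.EXTERNAL_USER: AuthMode.CERT_PORTAL_TOKEN,
    Ingress.EXTERNAL_SERVICE: AuthMode.CERT_GATEWAY_IDS,
}
# Request fields each mode must carry before a token is minted.
REQUIRED_FIELDS = {
    AuthMode.USER_PASSWORD: ("user_id", "password"),
    AuthMode.CERTIFICATE: ("cert_subject",),
    AuthMode.CERT_PORTAL_TOKEN: ("cert_subject", "portal_id_token"),
    AuthMode.CERT_GATEWAY_IDS: ("cert_subject", "gateway_id", "gateway_user_id"),
    AuthMode.CERT_PROXY_TOKEN: ("cert_subject", "proxy_token"),
}

@dataclass
class AuthRequest:
    source_ip: str
    user_id: Optional[str] = None
    password: Optional[str] = None
    cert_subject: Optional[str] = None  # subject of an already-validated client certificate
    portal_id_token: Optional[str] = None
    gateway_id: Optional[str] = None
    gateway_user_id: Optional[str] = None
    proxy_token: Optional[str] = None

# Constructed credential data: a salted PBKDF2 password store and a certificate allowlist.
def _pbkdf2(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
PASSWORDS = {"alice": (b"salt-a", _pbkdf2("correct horse", b"salt-a"))}
TRUSTED_CERT_SUBJECTS = {"CN=billing-svc", "CN=edge-gateway"}
SIGNING_KEY = b"example-key-not-for-production"  # constructed

def determine_ingress_mode(req: AuthRequest) -> Ingress:
    """Claims 2-3: classify by generative source and by user-specificity of the content."""
    addr = ipaddress.ip_address(req.source_ip)
    internal = any(addr in net for net in INTERNAL_NETS)
    user_specific = any([req.user_id, req.portal_id_token, req.proxy_token])
    if internal:
        return Ingress.INTERNAL_USER if user_specific else Ingress.INTERNAL_SERVICE
    return Ingress.EXTERNAL_USER if user_specific else Ingress.EXTERNAL_SERVICE

def select_auth_mode(ingress: Ingress, mapping=MODE_MAPPING) -> AuthMode:
    """Claim 7: select only when the ingress mode matches a mapped entry; never default."""
    if ingress not in mapping:
        raise PermissionError(f"no authentication mode mapped for {ingress.value}")
    return mapping[ingress]

def verify(req: AuthRequest, mode: AuthMode) -> bool:
    """Check that the request carries, and can prove, the factors the selected mode needs."""
    if any(getattr(req, f) is None for f in REQUIRED_FIELDS[mode]):
        return False
    if mode is AuthMode.USER_PASSWORD:
        entry = PASSWORDS.get(req.user_id)
        return entry is not None and hmac.compare_digest(_pbkdf2(req.password, entry[0]), entry[1])
    return req.cert_subject in TRUSTED_CERT_SUBJECTS  # portal/proxy/gateway factors would be checked here too

def generate_token(req: AuthRequest, mode: AuthMode, now: int) -> str:
    subject = req.user_id or req.gateway_user_id or req.cert_subject
    body = {"sub": subject, "mode": mode.value, "iat": now, "exp": now + 300}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload.hex() + "." + hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def decode(token: str) -> dict:
    payload_hex, sig = token.split(".")
    payload = bytes.fromhex(payload_hex)
    if not hmac.compare_digest(hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest(), sig):
        raise PermissionError("bad token signature")
    return json.loads(payload)

def authenticate(req: AuthRequest, now: int) -> Tuple[Ingress, AuthMode, str]:
    """Claim 1 end to end: ingress mode -> authentication mode -> verified factors -> token."""
    ingress = determine_ingress_mode(req)
    mode = select_auth_mode(ingress)
    if not verify(req, mode):
        raise PermissionError(f"{mode.value} verification failed for ingress {ingress.value}")
    return ingress, mode, generate_token(req, mode, now)
```

The point worth noticing is in `select_auth_mode` and `verify`: an external user request that arrives with only a user id and password is refused, because the mapped mode for that ingress demands a certificate and a portal identity token, and the request is never silently downgraded to the weaker internal mode.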

Description

FIELD OF THE DISCLOSURE

The present disclosure is generally related to system architecture for secure highly available microservice applications with decentralized authorization enforcement in cloud platforms with multiple authentication ingress modes.

BACKGROUND

An application programming interface (API) gateway facilitates requests that are to be processed by various services. The API gateway can act as a unified entry point to access the services, and can also be used to implement various capabilities such as authentication, traffic management, etc. If permissions change after a user has been authenticated by the API gateway such that the user is no longer permitted to access a service, a security lapse can occur if the API gateway continues to enable the user to access the service based on the previous authentication. Services can have varying authentication criteria. It can be inconvenient for the user if the API gateway requests different credentials when a user requests access to a different service, or when one service has to access another service on behalf of the user. In some examples, various ingress modes can be used to access the services. Having different gateways for each ingress mode can lead to inconsistent user experience and duplication of resources.

SUMMARY

In a particular implementation, a device includes one or more processors configured to receive an authentication request indicating credentials of a requestor. The one or more processors are also configured to determine, based on the credentials, whether the requestor is authorized. The one or more processors are further configured to, responsive to determining that the requestor is authorized, generate a first authentication token. The one or more processors are also configured to, responsive to determining that the first authentication token has expired, determine whether the requestor remains authorized based on the credentials. The one or more processors are further configured to, responsive to determining that the requestor remains authorized, generate a second authentication token.

In another particular implementation, a method includes receiving, at a device, an authentication request indicating credentials of a requestor. The method also includes determining, based on the credentials, whether the requestor is authorized. The method further includes, responsive to determining that the requestor is authorized, generating a first authentication token. The method also includes, responsive to determining that the first authentication token has expired, determining whether the requestor remains authorized based on the credentials. The method further includes, responsive to determining that the requestor remains authorized, generating a second authentication token.

In another particular implementation, a non-transitory computer readable medium stores instructions that, when executed by one or more processors, cause the one or more processors to receive an authentication request indicating credentials of a requestor. The instructions, when executed by the one or more processors, also cause the one or more processors to determine, based on the credentials, whether the requestor is authorized. The instructions, when executed by the one or more processors, further cause the one or more processors to, responsive to determining that the requestor is authorized, generate a first authentication token. The instructions, when executed by the one or more processors, also cause the one or more processors to, responsive to determining that the first authentication token has expired, determine whether the requestor remains authorized based on the credentials. The instructions, when executed by the one or more processors, further cause the one or more processors to, responsive to determining that the requestor remains authorized, generate a second authentication token.

In another particular implementation, a device includes one or more processors configured to receive, from a user device, an authentication request including credentials of a user. The one or more processors are also configured to obtain user attributes of the user from one or more user data records associated with one or more identity systems. The one or more processors are further configured to obtain one or more roles of the user based on one or more membership lists. The one or more processors are also configured to generate an authentication token indicating the user attributes and the one or more roles.

In another particular implementation, a method includes receiving, from a user device, an authentication request including credentials of a user. The method also includes obtaining user attributes of the user from one or more user data records associated with one or more identity systems. The method further includes obtaining one or more roles of the user based on one or more membership lists. The method also includes generating an authentication token indicating the user attri
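The two implementations in the Summary, re-checking authorization when the first token expires and carrying user attributes and roles in the token, are shown together in the added example below. It is not the patent's or the assignee's code. Authorization is evaluated fresh every time a token is issued, so a permission change made after the first token was granted (the security lapse the Background describes) is caught at the next expiry instead of persisting for the life of a session. The certificate bindings, the two identity-system record sets, the membership lists and the HMAC-signed token format are constructed assumptions.

```python
"""Expiry-driven re-authorization, with user attributes and roles in the token.

Added example, not the patent's code. Certificate bindings, identity
records, membership lists and the token format are constructed assumptions.
"""
import hashlib
import hmac
import json
from typing import Optional

SIGNING_KEY = b"example-key-not-for-production"  # constructed
TOKEN_TTL_SECONDS = 300

# Constructed credentials: the client-certificate subject each user is bound to.
CERT_BINDINGS = {"alice": "CN=alice,O=example", "bob": "CN=bob,O=example"}
# Constructed user data records from two identity systems.
IDENTITY_RECORDS = {
    "hr-directory": {"alice": {"email": "alice@example.test", "org": "flight-ops"}},
    "badge-system": {"alice": {"site": "plant-7"}, "bob": {"site": "remote"}},
}
# Constructed membership lists; membership in any of them grants access.
MEMBERSHIP_LISTS = {"ops-readers": {"alice", "bob"}, "ops-admins": {"alice"}}

def is_authorized(user: str, cert_subject: str, lists=MEMBERSHIP_LISTS) -> bool:
    """Evaluated fresh on every call, never cached from an earlier token."""
    bound = CERT_BINDINGS.get(user)
    if bound is None or not hmac.compare_digest(bound, cert_subject):
        return False
    return any(user in members for members in lists.values())

def user_attributes(user: str) -> dict:
    """Merge the user's attributes across all identity systems."""
    attrs = {}
    for record in IDENTITY_RECORDS.values():
        attrs.update(record.get(user, {}))
    return attrs

def user_roles(user: str, lists=MEMBERSHIP_LISTS) -> list:
    return sorted(name for name, members in lists.items() if user in members)

def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return payload.hex() + "." + hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def parse_token(token: str) -> Optional[dict]:
    """Return the token body, or None if the token is malformed or its signature is wrong."""
    try:
        payload_hex, sig = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)

def issue_token(user: str, cert_subject: str, now: int, lists=MEMBERSHIP_LISTS) -> Optional[str]:
    """Authorize, then mint a token carrying the user's attributes and roles."""
    if not is_authorized(user, cert_subject, lists):
        return None
    body = {"sub": user, "attrs": user_attributes(user), "roles": user_roles(user, lists),
            "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    return _sign(body)

def check_or_renew(token: str, user: str, cert_subject: str, now: int,
                   lists=MEMBERSHIP_LISTS) -> Optional[str]:
    """Return the presented token while it is valid. Once it has expired,
    re-check authorization and issue a second token, or return None when the
    requestor is no longer authorized or the token was not issued here."""
    body = parse_token(token)
    if body is None or body["sub"] != user:
        return None
    if now < body["exp"]:
        return token
    return issue_token(user, cert_subject, now, lists)
```

Roles are recomputed from the membership lists at every issuance, so the second token reflects the lists as they stand at expiry; a token's `roles` claim is therefore at most `TOKEN_TTL_SECONDS` stale, which is the bound a service relying on it should assume.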