Platform engineering is the discipline of designing and building toolchains and workflows that enable self-service capabilities for software engineering organizations in the cloud-native era.

Platform Engineering

That’s the direction that we’re headed in, by moving authn/authz (gradually) to a centralised service that hooks into our API Gateway <https://www.getambassador.io/docs/emissary/latest/howtos/basic-auth/>

Centralized place is how AWS IAM works and pretty typical for large scale platform, this is also how we built the internal platform here in Tencent 

Is there any reason why you decided against `ngx_http_auth_jwt_module` and built a custom service instead?

it looks to me like Ambassador would fill exactly the same set of functionality

Ambassador/Emissary Ingress doesn’t provide central authentication, but the mechanism to handle it. Our service (built out of existing authn/authz code from the monolith) handles allow/deny and (re)builds headers to downstream services

(note that we’re not building net-new centralised authn/authz, but moving existing code from 2-3 services to a single service that will sit in-front of n services in the future)

What would you do in event of failure? Even iff unlikely, if your authentication service fails, the entire platform comes to a halt

Where JWT tokens are decentralised. You need the secret for the checksums, and thats it

High-availability for the service where possible, similar to the API Gateway itself and other potential single-point-of-failures. Certainly not saying it’s the best/optimal solution, just 1 of many :slightly_smiling_face:

+1 for looking at API Gateways. I work for <http://tyk.io|tyk.io>, if you are interested to explore this option, you might want to take a look our open source gateway: <https://github.com/TykTechnologies/tyk>

<@U03509KMEAJ> we also looked at Emissary. Wondering if youre on AWS and compared AWS API Gateway. 

Were going down this route now of figuring out our API gateway solution. <@U03SYS3KLHW> might be able to chime in he was heavily involved there.

We’re on GCP so we never investigated, although we looked at Tyk, Kong and Traefik also. Am unsure with AWS API Gateway if you can manage users outside of Cognito? (our Auth service is fully standalone with domain-specific logic)

Would be curious of the performance/limitations of the Lambda authorizers if anyone has experience? <https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html>

PM me <@U03509KMEAJ>, there are many options for solving this problem. Happy to help

What about using a sidecar approach , and route all traffic to this sidecar( that could be a docker container running with the auth part, in any language  ) and this sidecar calls to your api on localhost at other port ?