-
Sub-task
-
Resolution: Done
-
Normal
-
None
-
None
-
None
-
False
-
None
-
False
-
SECFLOWOTL-30 - s2i Security Review
-
-
Security strategies for access management (MS-SS-2)
- Define and provision access policies for all APIs and their resources through an access server. Coarse-grained policies such as "permit calls to a given set of addressable functionalities" are usually defined and enforced at the initial API gateway, while finer-grained authorization specific to a particular microservice's business logic is defined and enforced closer to the microservice (e.g. at the microgateway or in the microservice itself).
- Allow microservices to cache access policies locally so that requests can still be authorized when the access server becomes unavailable. These cached policies must expire after a set period of time, chosen according to environment and infrastructure parameters, and a microservice whose cached policy has expired should deny requests rather than fall back to permitting them.
- Use standardized tokens in a platform-independent format (e.g. an OAuth 2.0 token encoded as JSON) to communicate access decisions from the access server to microservices. These tokens should be either handle-based (an opaque reference that the microservice resolves against the access server) or assertion-bearing (a self-contained, signed token that carries the decision itself). For more information on OAuth 2.0, please see [T1887: Decide on the right OAuth 2.0 flow for your application|/library/tasks/T1887/].
- Carefully control the scope of the internal authorization token that the microgateway appends to each request. For example, for a transaction request the internal token's scope should be limited to the API endpoints that must be accessed to complete that transaction, so that a token leaked or misused downstream cannot be replayed against unrelated endpoints.
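The following is an added example, not code from the original task or from the s2i project, showing how the last three points fit together on the microservice side: a minimal assertion-bearing token (an HS256-signed JWT built with the standard library only, no JWT library) whose scope lists exactly the endpoints a transaction needs, an authorization check that matches the requested method and path against that scope, and a local policy cache with a hard TTL that fails closed once the access server is unreachable and the cached copy is stale. The shared secret, the endpoint patterns and the `AccessServerUnavailable` exception are all assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical secret shared by the microgateway and the microservice (constructed for this example).
GATEWAY_SECRET = b"example-gateway-secret-do-not-use-in-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_internal_token(secret, subject, scope, ttl_seconds, now=None):
    """Assertion-bearing token (minimal HS256 JWT). 'scope' lists only the
    endpoints this transaction needs, e.g. ["GET /accounts/{id}", "POST /transfers"]."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": scope, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_internal_token(secret, token, now=None):
    """Return the payload if signature, algorithm and expiry check out; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":      # never trust 'alg' from the token
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def endpoint_in_scope(scope, method, path):
    """'GET /accounts/{id}' matches 'GET /accounts/42'; segment counts must match exactly."""
    want = path.strip("/").split("/")
    for entry in scope:
        m, pattern = entry.split(" ", 1)
        have = pattern.strip("/").split("/")
        if m == method and len(have) == len(want) and all(
                a == b or (a.startswith("{") and a.endswith("}")) for a, b in zip(have, want)):
            return True
    return False


def authorize_request(secret, token, method, path, now=None):
    """Microservice-side check: valid token AND requested endpoint inside the token's scope."""
    try:
        payload = verify_internal_token(secret, token, now)
    except ValueError:
        return False
    return endpoint_in_scope(payload.get("scope", []), method, path)


class AccessServerUnavailable(Exception):
    """Raised by the (hypothetical) policy fetch when the access server cannot be reached."""


class PolicyCache:
    """Local copy of access policies with a hard TTL; returns None (deny) once the copy is stale."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._entries = {}  # service name -> (policy, fetched_at)

    def get(self, service, fetch, now=None):
        now = time.time() if now is None else now
        try:
            policy = fetch(service)           # fresh copy from the access server
            self._entries[service] = (policy, now)
            return policy
        except AccessServerUnavailable:
            cached = self._entries.get(service)
            if cached is not None and now - cached[1] < self.ttl:
                return cached[0]              # server down, cache still within TTL
            return None                       # server down and cache stale: fail closed


if __name__ == "__main__":
    tok = mint_internal_token(GATEWAY_SECRET, "user-1", ["GET /accounts/{id}", "POST /transfers"], 60, now=1000)
    print(authorize_request(GATEWAY_SECRET, tok, "GET", "/accounts/42", now=1010))      # True
    print(authorize_request(GATEWAY_SECRET, tok, "DELETE", "/accounts/42", now=1010))   # False
```

The scope match deliberately refuses paths with extra segments, so a token minted for `GET /accounts/{id}` does not also grant `GET /accounts/42/statements`; in a real deployment the TTL on both the token and the policy cache should be short enough that a revoked policy stops being honoured within an acceptable window.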
Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/openshift-source-to-image-s2i-builder-image/tasks/phase/architecture-design/106-T2129/