Design an API Gateway with OAuth2 Multi-tenancy JWT validation and a Rate Limiter in PCF.

Ravi C
4 min read · Jul 29, 2021

Every organization maintains a DR (disaster recovery) setup for problems that disrupt day-to-day business. It is critical for every enterprise to have a separate DR site to ensure business continuity. We will discuss how to set up Active-Active applications across both the main and DR sites.

**This may not work with other implementations; it is by design. But I will discuss the problems we faced and how we overcame them.**

Background: We have two PCF cloud foundations, one on the US East Coast and the other on the US West Coast, and our apps run in US East for normal day-to-day operations. Our apps consume data from other commercial vendors, and we also call other vendors' APIs. Since we are on PCF, all our apps are built with the Spring framework.

Problem Statement/Risks: We have APIs that are secured through OAuth2, for inbound and outbound traffic alike. In this setup, if we want to switch traffic from the US East to the US West systems, we have to invalidate the tokens and wait until they expire. This costs associates a great deal of effort, and we also lose some transactions during the window while we switch to the West Coast system. Losing transactions means lost business revenue.

So we had to overcome this situation, because a DR switch can happen at any time; we cannot anticipate external risks.

During a long weekend, due to network-level maintenance work (Infra), our PCF Cloud East was shut down. Our external vendors had obtained their OAuth JWT tokens 15 minutes earlier, and the token validity is 30 minutes. External vendors will not refresh a token until it expires, so we had to ignore, and therefore lose, their requests for the next 15 minutes. Why? Because the OAuth token is issued by PCF, and token generation happens inside the PCF foundation: the West Coast system cannot validate a token issued by the East Coast system.

Secondly, there was an issue with one of the external vendors: due to system-level changes on their side, that vendor was posting 5000 duplicate requests per second, which was not expected.

Now we will talk about how we solved these two problems with a single application.

We developed a Spring Gateway API, secured it with Spring Security OAuth, and implemented a request rate limiter.

Typical Setup

Now, we all know that OAuth JWT tokens issued by PCF are always scoped to the foundation that issued them. East has its own foundation, separate from West, with no resource sharing between them. So if I want to switch between the data centers, we cannot allow the vendor API calls to proceed with tokens that the receiving foundation treats as invalid.

For this, we have to implement multi-tenancy JWT token validation in the Spring Security module. You just need to supply the trusted token issuers in the configuration, and the JWT token will be validated against them. Only when the token carries one of those issuers will Spring Security allow the request to proceed to further processing.

See the Security Filter Chain bean in the repository below.

Now we will talk about the rate limiter. A rate limiter is logic that restricts the number of requests to the gateway to a predefined limit. If you define the transactions per second (TPS) as 100, the rate limiter will allow at most 100 web requests per second. In this way we restrict clients from sending more than what we agreed. In this module, the rate limiter is implemented with the token bucket algorithm.

It is worth knowing about the algorithm and its real-world applications.

If you want to add new TPS plans, you can define and configure them. In this application we use a Redis cache to perform the rate limiting, and we connect to the Redis server the reactive way. As we know, Redis can serve up to 1M ops per second, and it is single-threaded.

To configure the Redis cache for our app, we first have to connect to the Redis server, assuming you have a Redis cache in your PCF env. Then we have to create a config for performing the rate limiting.

So, once you supply the configuration for your environment, the gateway is ready to serve the data.
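The two pieces described above, multi-issuer JWT validation and a per-client key for the Redis token-bucket limiter, in one Spring WebFlux security configuration. This is an added example, not the code from the post's repository; it assumes Spring Security 5.3+ and Spring Cloud Gateway, and the package name, property name `gateway.trusted-issuers` and issuer URLs are placeholders.

```java
package com.example.gateway; // hypothetical package

import java.security.Principal;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.gateway.filter.ratelimit.KeyResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    // Multi-tenant JWT validation: accept tokens minted by either foundation's issuer
    // and nothing else. Configured as a comma-separated list, e.g. (placeholder URLs)
    //   gateway.trusted-issuers=https://uaa.east.example/oauth/token,https://uaa.west.example/oauth/token
    // The values must match the "iss" claim each foundation puts in its tokens.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            @Value("${gateway.trusted-issuers}") List<String> trustedIssuers) {
        // Selects a JwtDecoder per request from the token's "iss" claim; a token whose
        // issuer is not in the list is rejected before any route is evaluated.
        // Caveat: each issuer's JWK set is fetched lazily via its discovery document, so
        // after a switch to West the gateway must still reach (or already have cached)
        // East's signing keys for East-issued tokens to keep validating.
        JwtIssuerReactiveAuthenticationManagerResolver resolver =
                new JwtIssuerReactiveAuthenticationManagerResolver(trustedIssuers);
        return http
                // bearer-token API, no browser session to protect
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .authorizeExchange(ex -> ex
                        .pathMatchers("/actuator/health").permitAll()
                        .anyExchange().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver))
                .build();
    }

    // Key for Spring Cloud Gateway's RequestRateLimiter filter (Redis token bucket):
    // one bucket per authenticated client (the JWT subject), so a single vendor that
    // floods the gateway with duplicates only drains its own bucket, not everyone's.
    @Bean
    public KeyResolver vendorKeyResolver() {
        return exchange -> exchange.<Principal>getPrincipal().map(Principal::getName);
    }
}
```

Wire the limiter on each route with the `RequestRateLimiter` filter, setting `redis-rate-limiter.replenishRate` and `redis-rate-limiter.burstCapacity` to the agreed TPS (for example 100) and `key-resolver` to `#{@vendorKeyResolver}`. Requests beyond the bucket's capacity receive HTTP 429 from the gateway without ever reaching the backend.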

Use this repo as a sample of how to do multi-tenancy JWT validation, implement the gateway, and restrict incoming requests from external sources.

Hope this helps someone :)
