I have a general design question... Is anyone using the API Gateway to support their security needs? If so, could you describe how things are laid out (to the extent that you can)?
I have a set of REST APIs that I want to have secured. These services need to understand user identity and will enforce user roles (RBAC). I don't expect the gateway to handle RBAC. I don't have anything like OAuth set up; however, my "human" users are typically authenticated via a form-based login and then issued an SSO token. I also have "machine" users that will authenticate using different means (basic auth, certificates, etc.).
Ideally, I'd like all of my services to understand a common "token" that represents an authenticated user and their authorizations/claims (JWT comes to mind). I'd rather not bake all of the authentication handling into each policy, for each service. I was considering using the gateway to handle the different types of authentication paths and produce a token that could be used in subsequent requests.
Should I be looking to policy to help me with this? I am curious as to what others have done here.
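The layout the question sketches, as an added example that is not part of the original post and not any particular gateway product's code: the gateway accepts two authentication paths (an SSO session for "human" users, basic auth for "machine" users), mints one common JWT carrying the subject and its roles, and a downstream service verifies that JWT and enforces RBAC itself. Everything here is assumed for illustration: the shared HS256 key, the issuer and audience names, the in-memory credential and session tables, and the `gateway_authenticate` / `service_call` function names. The example uses only the Python standard library so it runs offline.

```python
"""Added example: gateway-issued JWT shared by downstream services.

Assumptions (hypothetical, chosen for the example): HS256 with a key shared
between gateway and services. In production prefer RS256/ES256 so services
hold only the public key and cannot mint tokens themselves.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for the example: signing key, token scope, and sample identities.
SIGNING_KEY = b"replace-me-with-a-32-byte-random-secret"
ISSUER = "api-gateway"
AUDIENCE = "internal-services"
# "Human" users: SSO tokens already issued by the form-based login.
SSO_SESSIONS = {"sso-abc123": {"sub": "alice", "roles": ["reader", "editor"]}}
# "Machine" users: basic-auth credentials (store salted hashes in practice).
BASIC_CREDENTIALS = {"batch-job": ("s3cret", {"sub": "batch-job", "roles": ["reader"]})}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(identity: dict, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Gateway side: encode an authenticated identity and its roles as an HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": identity["sub"],
              "roles": identity["roles"], "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def gateway_authenticate(request: dict, now: Optional[int] = None) -> Optional[str]:
    """Gateway side: try each supported credential type; return one common JWT or None."""
    if "sso_token" in request:                      # human user: form login + SSO token
        identity = SSO_SESSIONS.get(request["sso_token"])
        return mint_token(identity, now=now) if identity else None
    if "basic" in request:                          # machine user: basic auth
        username, password = request["basic"]
        entry = BASIC_CREDENTIALS.get(username)
        if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
            return mint_token(entry[1], now=now)
        return None
    return None                                     # no recognised credential


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Service side: check structure, pinned algorithm, signature, issuer, audience, expiry."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                              # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token choose it (rejects "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


def service_call(token: str, required_role: str, now: Optional[int] = None) -> Tuple[int, str]:
    """Service side: the gateway proved identity; RBAC stays in the service."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    roles = claims.get("roles")
    if not isinstance(roles, list) or required_role not in roles:
        return 403, f"{claims['sub']} lacks role {required_role}"
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    jwt = gateway_authenticate({"sso_token": "sso-abc123"})
    print(service_call(jwt, "editor"))              # (200, 'hello alice')
    print(service_call(jwt, "admin"))               # (403, 'alice lacks role admin')
```

Two points worth keeping from the design: the services never see the original credentials (SSO token, basic-auth password, client certificate), only the gateway's signed assertion, so adding a new authentication path touches one place; and the services still own the authorization decision, so the gateway stays a thin identity broker rather than a policy engine.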