Benefit of API Gateway in terms of application security

API Gateway is a very popular pattern in today's microservice architectures. In this post, I just want to point out some key advantages of the pattern in terms of application or API security.

Reduce the effort in developing security integration

Every back-end service takes part in the OAuth2 flows as a resource server, so it needs to be able to check the authority of the API call. This normally includes verifying that an access token is attached and that it has not expired: the service must check whether the request carries an access token and, if it does, validate the token against the authorization server. Without a gateway, this mechanism has to be implemented or integrated repeatedly in each service. For a highly customizable business this is an especially large benefit, because many back-end APIs are added to the system over time.

Additionally, back-end services can be developed with several different technology stacks: some in Java, others in .NET, and so on. An API Gateway removes the need to find an engineer with the matching skill set just to add authentication to each specific component.

Dynamically support different authentication mechanisms for different clients

By isolating the authentication layer from the back-end services into the API Gateway, we can dynamically change the authentication type for each client.
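As an added example (not code from the original post), here is a compact Python sketch of the gateway-side checks described in both sections above: the token existence, activity and expiry checks are done once at the gateway instead of in every resource server, and the mechanism applied is selected per client type. The introspection data, API-key table and client configuration are constructed sample values, and `introspect` is a stand-in for the authorization server's introspection call.

```python
import time

# Constructed stand-in for the authorization server's token introspection
# response (RFC 7662 fields "active", "exp", "scope"); a real gateway would
# POST the token to the server's introspection endpoint over HTTPS.
INTROSPECTION_DB = {
    "tok-valid": {"active": True, "exp": 2_000_000_000, "scope": "orders:read"},
    "tok-expired": {"active": True, "exp": 1_000_000_000, "scope": "orders:read"},
    "tok-revoked": {"active": False},
}
# Constructed API-key table for a client type that does not use OAuth2.
API_KEYS = {"key-partner-123": "partner-a"}
# Hypothetical gateway configuration: which mechanism each client type uses.
CLIENT_AUTH = {"mobile": "oauth2", "partner": "api_key"}

def introspect(token):
    """Stand-in for the authorization server's introspection call."""
    return INTROSPECTION_DB.get(token, {"active": False})

def check_oauth2(headers, now):
    """Existence, activity and expiry checks every resource server would
    otherwise have to repeat; here they are done once at the gateway."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return (False, 401, "missing bearer token")
    info = introspect(token)
    if not info.get("active"):
        return (False, 401, "token inactive or unknown")
    if info.get("exp", 0) <= now:
        return (False, 401, "token expired")
    return (True, 200, info.get("scope", ""))

def check_api_key(headers):
    client = API_KEYS.get(headers.get("X-API-Key", ""))
    if client is None:
        return (False, 401, "invalid api key")
    return (True, 200, client)

def gateway_authorize(client_kind, headers, now=None):
    """Single enforcement point: select the mechanism configured for this
    client type and decide before forwarding to any back-end service."""
    now = time.time() if now is None else now
    mechanism = CLIENT_AUTH.get(client_kind)
    if mechanism == "oauth2":
        return check_oauth2(headers, now)
    if mechanism == "api_key":
        return check_api_key(headers)
    return (False, 403, "no authentication mechanism configured for client")
```

Switching a client type from `oauth2` to `api_key` (or adding a new mechanism) is a change to `CLIENT_AUTH` and one check function at the gateway; no back-end service is touched.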