# help
y
I know the answer is "it depends" but I still want at least some basic advice here: in a microservices architecture with a gateway, should the gateway use Cerbos to authorize requests, or should microservices use Cerbos to authorize requests?
Currently the gateway handles authenticating clients, and it just passes user identity to upstream services (which trust the gateway).
So the logical thing to me sounds like the gateway should also analyze the incoming GraphQL query and somehow authorize it with Cerbos before passing it over,
but then that feels somewhat impossible (?)
Like I'm not sure how Cerbos is typically used.
a
Typically speaking it would be done in the microservices. The gateway has the details of the principal (user) but it likely doesn't have the full details of the resources they are trying to access, and you need both to form the call to Cerbos. In some cases it might be possible to do at least some high-level authorization at the gateway level, and then more fine-grained checks from the microservices, but it's probably simpler to start out with just doing authentication in the gateway and leaving authorization to the microservices.
y
Got it 👍 That's kind of what I was thinking, but wanted to make sure my hunch is correct. Thanks!