一个有效的选择是拥有2个级别的API:

One option that works well is to have 2 levels of API:

• 入口点API暴露于外界，并通过OAuth进行保护
• 微服务不受OAuth保护，无法在只有入口点API可以调用的锁定虚拟私有云中运行

例如: * Online Sales UI调用Online Sales API *在线销售API调用订单和客户微服务

Eg: * Online Sales UI calls Online Sales API * Online Sales API calls Orders and Customers microservices

OAuth访问令牌中的用户上下文可以从入口点API传递到微服务-或令牌本身可以转发

User context from the OAuth access token can be passed from entry point APIs to microservices - or the token itself can be forwarded

这也表现不错，避免了太多的Cognito呼叫.

This also performs well and avoids too many calls to Cognito.