Should Resource Servers Independently Verify Authentication Claims?
It all depends on what each company considers to be enough security for them.
The stated approach of only verifying at the border may be enough. An security-in-depth approach as you prefer would clearly be better.
In addition of the risk of an evil actor present in the same network, you should consider:
- Unintended proxy: presence of an Unintended proxy in another system in the privileged network (relatively unlikely).
- Header injection: I might be able to inject a new
User-ID: 281745
header through embedding a newline into another header (e.g. a POST parameter copied to a header). - Header homonyms: if the gateway sets and filters exactly
User-ID
, but the processing actually treatsUsEr-Id:
orUser_ID:
as being the same header. This is not as unlikely as it seems, due to how CGI interface worked. See for example this Wikipedia incident. - Confused proxy: if I was able to slip two requests to the backend in what the gateway considered one, I would be in control of the headers for the second one.
Whereas a stronger verification at the final backend would make much harder to perform any of those attacks (at the cost of greater complexity there).
Obviously, none of those may be an issue currently, but get inadvertently introduced later with an update to the gateway or the backend.