
We're trying to figure out a best practice for IPC authentication and authorization. I'll explain. We have a microservices-based SaaS architecture with a dedicated service for authentication. This service is responsible for doing the authentication and managing auth tokens (JWTs).

Everything works perfectly well with users who log in and start to consume resources from the different services.

The question now is how to authenticate and authorize requests that are initiated by other services (without the context of a specific user)?

  1. Should we generate a dedicated user per service and treat it like any other user in the system (with appropriate permissions)?
  2. Should we have a "hard coded"/dynamic token deployed among the services?
  3. Any other ideas?

Our biggest concern is that such tokens/passwords will be compromised at some point, since requests from one service to another are treated with a high level of permissions.

Cheers,

Lior Ohana

2 Answers


I'm not a microservices expert, just started to get my feet wet in the microservices world. From what I've read until now, this could be handled in many ways, one of which, as you mentioned, is hard coding api-keys so that services recognise one another. But I never liked this idea personally - nor using a user per service like you mentioned. A solution I really liked is using OAuth2 for handling these scenarios - an interesting implementation I found is Gluu Server, and I think the client credentials grant type is what you're looking for - refer to https://gluu.org/docs/integrate/oauth2grants/.

Have fun :)
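To make the client credentials grant mentioned above concrete, here is an added example (not from the answer, and not Gluu's code): the auth service authenticates a calling service by client id and secret and issues a short-lived JWT whose scope is limited to what that service is allowed, and the resource service verifies signature, audience, expiry and scope before serving. Service names, secrets, scopes and the signing key are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed sample client registry: the auth service's view of each service.
CLIENTS = {
    "billing-svc": {"secret": "billing-secret-example", "scopes": {"invoices:read"}},
    "report-svc":  {"secret": "report-secret-example",  "scopes": {"reports:write"}},
}
SIGNING_KEY = b"auth-service-hs256-key-example"  # constructed HMAC key held by the auth service
AUDIENCE = "invoice-api"                           # constructed name of the resource service

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(client_id, client_secret, requested_scope, now=None):
    """Auth service, client credentials grant: authenticate the calling service by
    id+secret and return a short-lived HS256 JWT scoped to what it may request."""
    now = int(time.time()) if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None  # unknown client or wrong secret
    granted = client["scopes"] & set(requested_scope.split())
    if not granted:
        return None  # only asked for scopes this client is not allowed to hold
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "auth-svc", "sub": client_id, "aud": AUDIENCE, "iat": now,
              "exp": now + 300, "scope": " ".join(sorted(granted))}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(token, required_scope, now=None):
    """Resource service: check signature first, then alg, audience, expiry and scope.
    Returns the calling service's id on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None  # tampered or forged token
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(c))
    except (ValueError, AttributeError):
        return None  # malformed token
    if header.get("alg") != "HS256" or claims.get("aud") != AUDIENCE:
        return None  # wrong algorithm or token meant for another service
    if claims.get("exp", 0) <= now or required_scope not in claims.get("scope", "").split():
        return None  # expired, or lacks the permission this endpoint requires
    return claims["sub"]
```

With HS256 every resource service must hold the shared key, so a compromised service could mint tokens; in production the auth service would sign with an asymmetric key (e.g. RS256) and resource services would hold only the public key, which keeps the asker's compromise concern confined to the auth service.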


Normally, an API Gateway is an integral part of any MS system. All the services are encapsulated and should not be accessible without the API Gateway.

Such encapsulation allows direct communication between the services without providing the requester payload, which should be required if the request comes straight from the API Gateway.

In that case the request is treated as something different and follows a different logic/middleware pipeline. No additional special users are needed.

BlackStork