I have a general question about the way to do user authentication with many microservices and Express-Gateway.
I have N microservices. One of those microservices (let's call it "User Profiles") will contain all of the user profile related data such as email, username, registration date, birth date, etc. So, here are the questions:
- How to organize user registration and authentication? What about this workflow:
  - EG has API endpoints which are directly exposed to the external world. These endpoints come from this "User Profiles" microservice.
  - If the user wants to register OR log in, he/she sends a POST request to this service. This request contains all the needed data.
  - In order to get a JWT accessToken, which is then used for all other requests, this microservice sends a request to the Admin API of the EG and creates the following things:
    - create user
    - create jwt credentials for this user
  - After receiving the responses from EG, the "User Profiles" microservice forms the JWT access token based on the keyId and keySecret.
  - It sends this token back to the user.
  - The user can now access all of the protected routes when passing a Bearer accessToken.
Here is the workflow diagram.
- My second question is: if the above workflow is OK, then after each user creation there will be a newly created keySecret. What do I need to put for the `secretOrPublicKey` param in `gateway.config.yml`? Maybe when generating a JWT accessToken I need to use some type of private key and not the `keySecret` from the credentials creation step, and then put the very same key in the `gateway.config.yml`?