
I am looking for an optimal way to create registration, authentication, and authorization for our project based on Spring Boot microservices. The microservices will provide a REST API for an SPA application, and later for mobile applications (Android and iOS). Currently, we have all users in a Postgres database.

As I mentioned, user registration and authentication will be consumed by the SPA and mobile platforms, so I prefer a RESTful API for that.

My idea is to have one auth-service which will resolve auth* actions, and also provide a public key for the other microservices to decode and verify JWTs.

Given that we don't need to provide authorization to external services, does it make sense to use an OIDC provider like Keycloak? Or is custom authentication a better option?

Denis Stephanov
  • Stateless and standards based is always safer imo. `one auth-service which will resolve auth* actions` I'd question whether it's wise to create an inter-service dependency for authorization decisions. Each service should probably own its own authorization logic as this can get quite complex and service-aware. – Taylor Oct 28 '20 at 14:08
  • @Taylor Maybe I just wrote it badly, sorry for my English. I want a Spring resource server configuration which can be configured with minimal custom code. It can consume an endpoint with the public RSA key, and decode and verify the token on its own. So the auth service will provide only this endpoint, not logic for authorization. – Denis Stephanov Oct 28 '20 at 14:14
  • Ah, I assumed when you said `auth*` you meant authentication and authorization. I'd definitely go OIDC internal. It's easy to facade adapt from SAML if you ever need to support that for SSO. I've not used Keycloak myself but have heard good things from people I trust. Only other thing I'd encourage you to consider is a service like Auth0 or AWS Cognito. Depends on your needs, but one less thing to host/operate is always nice. – Taylor Oct 28 '20 at 14:18
  • You don't need auth to external services such as Google or Facebook to use OIDC. While dealing with security, "custom" is never a better option. Use standards and services that have been proven to be secure, e.g. Azure B2C, AWS Cognito, Auth0. You should probably move your users to one of these services and save yourself from dealing with passwords, hashing, salting etc. – Maxime Gélinas Oct 28 '20 at 21:10

1 Answer


You're not forced to use the authorization capabilities provided by Keycloak if you want to use it for OIDC support. You can benefit from its registration, authentication or forgot-password flows as well as its easily configurable OAuth/OIDC features.

Another nice feature of Keycloak is the smooth integration on the client side, which allows your code to work almost without change. I've not evaluated their Spring adapter, but in the projects I was involved in, which were all JEE based and used the standard security APIs provided by all application servers, we really benefited from using the Keycloak adapter for our application server. It handles all the logic you described in your question before the request reaches our code, which means everything is already set up (i.e. the token has been validated/verified, and the principal and roles have already been extracted from it, so we can just access them via request.getPrincipal() or sessionContext.getCallerPrincipal(), request.isUserInRole(), etc.).

zaerymoghaddam
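The setup the question and answer describe (Keycloak as the OIDC provider, each Spring service fetching the realm's public keys and verifying tokens on its own), as an added example that is not code from the question, the answer or the Keycloak project. It assumes Spring Boot 2.3 / Spring Security 5.3 with `spring-boot-starter-oauth2-resource-server`; the realm URL, client id and role name are placeholders.

```java
// Added example, not from the question or answer. Assumed: Spring Boot 2.3 / Spring Security 5.3 with
// spring-boot-starter-oauth2-resource-server; the realm URL, client id and role names are placeholders.
import java.util.*;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {
    private static final String ISSUER = "http://localhost:8080/auth/realms/demo"; // placeholder realm
    private static final String AUDIENCE = "orders-api"; // placeholder: this service's client id
    // Fetch the realm's public RSA keys from the JWKS endpoint and verify every token locally:
    // signature, exp/nbf and iss via the default validator, plus an aud check (not on by default)
    // so a token minted for another client of the same realm is rejected by this service.
    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(ISSUER + "/protocol/openid-connect/certs").build();
        OAuth2TokenValidator<Jwt> audienceCheck = jwt -> jwt.getAudience() != null && jwt.getAudience().contains(AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", "wrong audience", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(JwtValidators.createDefaultWithIssuer(ISSUER), audienceCheck));
        return decoder;
    }
    // Keycloak carries realm roles in realm_access.roles; map them to ROLE_* so hasRole() works.
    // Authorization rules live in this service; the auth service is never called per request.
    private JwtAuthenticationConverter keycloakRolesConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            Object roles = realmAccess == null ? null : realmAccess.get("roles");
            List<GrantedAuthority> authorities = new ArrayList<>();
            if (roles instanceof Collection) for (Object r : (Collection<?>) roles) authorities.add(new SimpleGrantedAuthority("ROLE_" + r));
            return authorities;
        });
        return converter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // bearer-token API: no cookie session for CSRF to ride on
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers("/actuator/health").permitAll()
                .antMatchers("/admin/**").hasRole("admin").anyRequest().authenticated().and()
            .oauth2ResourceServer().jwt().decoder(jwtDecoder()).jwtAuthenticationConverter(keycloakRolesConverter());
    }
}
```

With this in place the auth service only has to publish its keys; a revoked key or a token signed by any other issuer fails verification in the service itself.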