
I am working on a microservices application where the client application sends the access token to the orders microservice with the POST call. When saving the order, the inventory microservice should be called to update the inventory. The inventory microservice's updateInventory method should also be protected.

In this use case, should I propagate the same access token to the inventory microservice and restrict the API access to update inventory, or should I make use of the client-credentials grant flow to allow the saveOrder method in the order microservice to invoke the updateInventory method in the inventory microservice?

Note: Both the order and inventory microservices are acting as resource servers. What is the right approach?

zilcuanu
  • I think what you're describing is that the `orders` and `inventory` services are acting as a [resource server](https://docs.spring.io/spring-security/servlet/oauth2/oauth2-resourceserver.html). If the `orders` service calls `inventory`, you can implement the token-relay pattern or use `client_credentials` with a separate `client_id`, depending on whether the two services share the same authorization scheme or not. – Steve Riesenberg Oct 19 '21 at 16:32
  • @SteveRiesenberg Both the order and inventory microservices are acting as resource servers. How to implement the `token-relay` pattern? Also, what is the `authorization scheme`? – zilcuanu Oct 19 '21 at 18:15
  • Please google before asking new questions in comments. – Toerktumlare Oct 19 '21 at 18:25
  • @SteveRiesenberg I did not find any practical guide and hence asked in the comment. – zilcuanu Oct 19 '21 at 18:36
  • By "authorization scheme" I simply mean your application's requirements for authorization. For example, if both services require `ROLE_USER` to execute the desired operation, vs. one requiring a completely different level of access from the other; another example would be whether you determine what the user has access to in the same way between the two services, vs. very different ways. – Steve Riesenberg Oct 19 '21 at 19:38

1 Answer


Good question:

BOUNDARIES

If you were calling an external API belonging to someone else you would definitely use client credentials to get a token that entitles you to call that API.

MICROSERVICES

If the data owner is the same then you should simply forward the access token. This is how OAuth is meant to work: a scalable architecture that only requires simple code:

  • Client gets an access token with scopes for multiple APIs
  • Each API validates the JWT
  • Each API verifies its own scopes
  • Each API trusts the claims in the JWT and uses them for authorization

The Scope Best Practices article explains this for a real world system.

HIGH PRIVILEGE OPERATIONS

It is common to get a fresh token for high security operations, such as redirecting the user with a payment scope. This should be the exception rather than the rule though.

Gary Archer
  • How to propagate the token from one microservice to another? Is there a standard way, since `OAuth2RestTemplate` is deprecated in Spring Boot? – zilcuanu Oct 19 '21 at 18:40
  • Just by a simple HTTP request - e.g. use the Apache HTTP client. All you have to do is send the bearer token in the HTTP Authorization header - avoid Spring Security for simple API calls. See [this guide](https://howtodoinjava.com/java/library/jaxrs-client-httpclient-get-post/) – Gary Archer Oct 19 '21 at 18:51