
If I have multiple applications and want to use a single auth microservice, how should I handle role-based access control?

Let's assume I send a credential object back to the user that carries the different tokens, userid and the domain(application the user signed into). Something like:

    Credential {
        String userid;
        String domain;    // defines which application the user has signed up for
        String signature;
        .....
    }

A game might not have multiple roles, but an ecommerce application will definitely have roles like owner, salesman, manager, etc.

So how can this be solved if I want to have a centralized auth service?

A bit more explanation:

Let's assume I have 3 applications:

  1. Game
  2. Ecommerce
  3. A blog site like Medium

Each of them is a separate microservice on its own, and I want to implement a central auth microservice for all of these applications.

So a game might not have a lot of roles, but the ecommerce and blog sites may have admin, moderators, shop owners, salesmen, etc.

Since the auth microservice has no way of knowing how many applications I might have in the future, I cannot implement the RBAC part in the auth service, right?

So if my auth service only handles authentication, how can I solve the authorization part?

  • This will mostly vary based on the scenario. It would be nice if you provided some information and were more descriptive about the things you want to achieve. – dotnetstep Apr 01 '22 at 12:06
  • Hi, I have added a scenario for explanation –  Apr 01 '22 at 13:07

3 Answers


Let me try to answer, but in the microservice world it always depends on the use case. Also, you are almost there.

  1. Authentication and authorization are different parts.
     • If you create a separate service for authentication, or use an external provider like Azure B2C, IdentityServer or any other such provider, and integrate it with the application and API, then whenever a token gets issued it will be verified at the API level. Also, OAuth/OpenID is a good way to go.

  2. You are right that you can implement RBAC separately, but you definitely have one microservice that allows configuring RBAC for Game, Ecomm and Blog. Now when any role or permission is assigned or changed inside the authorization service, it publishes a message that can be used by other services like blog and ecomm, and they will store that user/role/permission mapping in their own local DB. This way you have one service that handles the configuration.

  3. Point 2 becomes central, and that module needs to know about all the permissions/roles used in the other services. So either they get the information via messages or an HTTP call; as roles/permissions do not change frequently, this is not much of an issue. If it is an issue, then messaging will also help.

  4. Another solution is to create a separate package that handles RBAC, but that package will sit side by side with the other services. So those services can handle their own roles, but this is not good, as role configuration is now scattered across services.

dotnetstep
  • So for example, if I choose AWS as my cloud service provider, I can let AWS handle all my access control at the API level while my auth service handles authentication only? –  Apr 01 '22 at 15:32
  • If AWS supports RBAC for your microservice then it is good; you can use that. If you have your own auth store then you have to perform RBAC in your API based on the token you received from the user. – dotnetstep Apr 01 '22 at 16:24
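As an added example (not code from the answer above or from any project it mentions), here is a small Python sketch of points 2 and 3: the auth service signs a credential carrying only userid and domain, a central RBAC service publishes role events, and the ecommerce API keeps its own local role store and permission map and checks both the signature and the domain before consulting it. The HMAC secret, the event format and the role/permission names are constructed for the demo.

```python
import hashlib, hmac, json
from typing import Optional

# Constructed shared secret for the demo; a real deployment would use asymmetric
# keys or an OAuth/OIDC provider so that resource APIs never hold the signing key.
AUTH_SECRET = b"demo-secret-not-for-production"

def _sign(userid: str, domain: str) -> str:
    msg = json.dumps({"userid": userid, "domain": domain}, sort_keys=True).encode()
    return hmac.new(AUTH_SECRET, msg, hashlib.sha256).hexdigest()

def issue_credential(userid: str, domain: str) -> dict:
    """Central auth service: authenticates, then signs {userid, domain}. No roles."""
    return {"userid": userid, "domain": domain, "signature": _sign(userid, domain)}

def verify_credential(cred: dict, expected_domain: str) -> Optional[dict]:
    """Each API checks the signature and that the token was issued for *this* app."""
    userid, domain = cred.get("userid", ""), cred.get("domain", "")
    if not hmac.compare_digest(_sign(userid, domain), cred.get("signature", "")):
        return None  # forged or tampered credential
    if domain != expected_domain:
        return None  # a game login must not be accepted by the ecommerce API
    return {"userid": userid, "domain": domain}

class EcommerceService:
    # Role -> permission mapping is owned by this service, not by the auth service.
    PERMISSIONS = {
        "owner": {"product:create", "product:delete", "order:view"},
        "salesman": {"order:view"},
    }

    def __init__(self):
        self.user_roles = {}  # local copy of assignments, fed by RBAC events

    def on_rbac_event(self, event: dict) -> None:
        """Consume role messages published by the central RBAC configuration service."""
        if event.get("domain") != "ecommerce":
            return  # assignment belongs to another application
        roles = self.user_roles.setdefault(event["userid"], set())
        if event["type"] == "role_assigned":
            roles.add(event["role"])
        elif event["type"] == "role_revoked":
            roles.discard(event["role"])

    def authorize(self, cred: dict, permission: str) -> bool:
        # Authentication via the signed token, authorization via the local role store.
        claims = verify_credential(cred, "ecommerce")
        if claims is None:
            return False
        roles = self.user_roles.get(claims["userid"], set())
        return any(permission in self.PERMISSIONS.get(r, set()) for r in roles)
```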

I suggest you look into OAuth; it is an open standard for access delegation that is widely used for this use case.

Johan Nordlinder

I would say this depends on how you deploy this solution, e.g. on a Docker Swarm or Kubernetes orchestration platform. You could use something like Traefik (or nginx) + Authelia. Traefik acts as your centralized ingress, and Authelia takes care of the auth. With an external LDAP, you can have a very flexible RBAC configuration with the added value of features like multi-factor auth. You don't need to build your own RBAC solution.

Traefik can also be configured so that whether your clients access the game service or the ecommerce service, if they are not authenticated it will always query Authelia.

Hope this helps.

kuboraam