Microservice Authentication

Question

Microservice Authentication

Context

I have several services like:

User (LDAP or active directory, etc.)
Billing
Planning
etc...
Authentication

I need to connect to my microservices. Using OAuth2.0, first use a standard username / password (I use my own data and do not get the third leg server).

Problem

According to these pictures:

Step 1

enter image description here

Step 2

How can I handle access control or access_token authorization in my services other than authmicroservice?

+7

rest microservices

mfrachet Jun 25 '15 at 7:53

source share

4 answers

David level · Answer 1 · 2017-03-11T10:34:23+0000

To manage authentication in a microservice architecture, you must have a different perspective.

Remember, when you were working on a monolith, you had one authentication process.

As an example, in a PHP application, you will find your user in a database with the appropriate credentials, then you create a session, the user is "authenticated".

With microservices, the workflow is the same. The only thing that has changed now is that you cannot open a session in different services. In addition, you do not need to receive an authenticated user. You only need to make sure that he is authorized to make the current call on your microservices.

Thanks to oauth2, having a valid access_token, you get this information.

This should answer the outside. In the backend part (I mean, behind the api gateway) you should not control access_token, because this does not apply to microservices. You can use the function key to search for any information related to the user inside microservices, for example, uuid.

To get uuid when using oauth2, I suggest using openid connect. A user with this protocol manages specific user information and gives you access to a specific "/ userinfo" endpoint.

We hope that this outline will make this answer clearer.

Jacek głodek · Answer 2 · 2015-06-28T18:50:48+0000

our activator has a tutorial and description of the authentication flow in microservices, in Scala - http://www.typesafe.com/activator/template/reactive-microservices (source: https://github.com/theiterators/reactive-microservices )

The basic idea: you need to verify the authenticity of the authentication token for each request. You can:

- do it in a proxy (gateway)

- do it inside a billing microservice

We strive to verify Auth-Token authentication in every microservice that accesses the client.

- We save Auth-Token for user information inside the Redis instance.

- the service accessing the client requests a redis instance if this token is valid.

- Redis returns some JSON string, which we can use as user data for further authorization.

So, the server side stream looks like this:

get("projects/" / Segment) { projectName => getHeader("Auth-Token") { authToken => Redis.get("auth:token:#{authToken}").map { userJson => if(userJson("projects").include(projectName)) { ...processSth... Ok } else { Unauthorized } } } }

Ahashmi · Answer 3 · 2016-03-13T11:30:57+0000

It is possible to create a separate Auth service to provide access_token, as shown in step 1. But in the API gateway, each service needs to call this auth service to check the token. It’s best to use the oauth process in the Gateway API that I use for my product, and this approach is also explained in many articles. let's look at the image below.

From a technical perspective, it can simply be part of the code (function) that processes the request header to verify the token provided as oauth authentication, which can be processed inside the code or by accessing its own database before it forwards endpoint service requests .

You can use one method to provide authentication, security, and send requests to the endpoint, or by the Advanced Gateway API service. A question has already been asked in stackoverflow here , but what I found easy to follow are 3 or 4 series of tutorials that you will find here

Get a clear idea of using your API gateway before focusing on microservices to work.

Nima gardideh · Answer 4 · 2017-03-06T18:43:21+0000

Depending on how you structure your microservices, you can also use the composition.

Since you already have an auth service, you can use it in your billing service to verify the authenticity of the request before processing it.

For example, if you use a platform like StdLib (we use this ourselves):

 // Billing const lib = require('lib'); module.exports = function(params, callback) { lib.user.isAuthenticated(params, function(err, user) { if (err) return callback(err); // Do stuff with user, process billing }); };

This may be a great idea for you if you always use HTTP to exchange data between functions (as this will probably add a good 200-300 ms to your request). But StdLib loads several services within the same area, and you can access them as functions that solve this problem (at least so far we have seen).

Microservice Authentication

More articles: