Centralized auth in service oriented architecture

I'm exploring basic service oriented architecture and I'm wondering how to best handle user authentication throughout the services.

As a very simple example, suppose we have a blog app that calls out to two other services:

  1. A user/auth service for storing user data and exchanging credentials for an access token
  2. A posts service for managing post data

Let's say a user of the application is attempting to delete a particular post and that only users with an "admin" role are allowed to do so.

The following requests would need to be made:

  • app -> auth

    Authenticate the current user (via some sort of token). If the token is expired the app could redirect the user to a login form, etc.

  • app -> posts

    Delete the post.

  • posts -> auth

    Before a post is deleted, the post service needs to make sure the requesting user has permission to do so. Authenticate the current user (via token) and make sure they have the "admin" role.

This is an overly simple example but I'm curious how folks are dealing with auth throughout their services. It seems likely that each service would need to make a separate call to the authentication service in order to authorize the request. Is this the case? Are there better ways to handle auth in this kind of SOA?

Thanks!

scttnlsn asked Apr 28 '13 00:04
1 Answer

You can implement an identity provider - once a user authenticates with the authorization/authentication service she should get a token that identifies her. This token can identify her (roles/claims) and is signed by the authentication/authorization service's private key. When a service gets a security token and it is signed by a trusted authority, it doesn't need to go to the authentication/authorization service again.

If your system has higher security requirements (e.g. at the user level) you may need either elaborate claims or to access the authorization system on each request. I worked once on a system where certain types of info required authorization on every access and other types were ok with role based security - your mileage may vary.

Arnon Rotem-Gal-Oz answered Oct 25 '22 02:10