 

How should you deal with auth and sharing Users info across microservices?

TL;DR: What is a good way to communicate across services for Auth and User Info, regardless of the location of the server or the technology used?

I'm trying to learn about microservices and I'm a little bit unclear as to how I should approach accessing user information and controlling access with multiple services. Please let me know if I am approaching this completely wrong.

For example, I have a basic service for Blog CRUD operations and a service for uploading and storing images and videos. I haven't done anything with Authorization or Users yet (except that I am accounting for UserIds eventually being present in my Models, e.g. in my blog model ObjectIDs for author, commenters, etc.).

I want to keep this as separated as possible (for learning purposes more than anything) and, while at the moment I am building it all in Node.js, I hope to be able to swap different technologies in and out, such as nginx, a Java/Go/Python service or a different storage (currently Mongo, but I would like to be able to switch to SQL as an option).

How I currently have these structured: both services are built as Express.js apps, and I am using node-http-proxy to proxy to the Express services (this is just to save setting up nginx for now, but I don't want to be dependent on nginx either).

How should I approach:

  • Authenticating the user for some of the routes (e.g. when creating a new post or updating/deleting) and not when getting the post to read (eventually I would like to incorporate roles too)

  • Populating the User information, e.g. taking the user's ID stored in the blog author and replacing it with the user information (in a single app I could just use mongoose populate)

The main aim is that I would like to keep the Auth and Users in separate services that could be called from any other service and stored in another DB, for example if they were located on different physical servers.

Someone had suggested to me that I could do this using HTTP/S, but is there a better way to do this, and can anyone point me to any implementation examples? Node.js would be preferable but not essential.

This likely requires some service registry but I am a bit lost as to how this would be implemented

jonnie asked Jul 09 '15 12:07


1 Answer

An authentication layer as its own application fits pretty well into SOA design. There is an HTTP endpoint with no direct access to the microservice database, which is what SOA best practice prescribes:

For us service orientation means encapsulating the data with the business logic that operates on the data, with the only access through a published service interface. No direct database access is allowed from outside the service, and there’s no data sharing among the services.

-- Werner Vogels, Amazon CTO

Reference to http://martinfowler.com/microservices/

What is an authentication layer or service, and how does one server confirm that authentication has already been established? One kind of client-side persistence is the HTTP cookie, which is tied strictly to a domain name; therefore it is not easy to reuse the same cookie among multiple domains without an explicit authentication step.

If you are able to pass a certain key or header, auth_request can provide unobtrusive authentication; this module has been built into the Nginx core since version 1.5.4: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

location /upload {
    # Every request to /upload is first sent as a subrequest to /auth;
    # only a 2xx reply lets it through, 401/403 are returned to the client.
    auth_request /auth;
    ...
}

location = /auth {
    internal;                          # never reachable directly by clients
    proxy_pass http://auth_service.localhost;
    proxy_pass_request_body off;       # the auth service only needs the headers
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;   # tell it what was requested
}

The endpoint accessible through http://auth_service.localhost (choose your own URL) is isolated, has its own database, and does only one thing: authenticate the user or not. The mechanism can rely on a certain key or header, or even an IP address. To suppress too many subsequent requests you can cache the response.

SOA is hard, but I recommend reading this thoroughly: https://www.nginx.com/blog/introduction-to-microservices/

Anatoly answered Oct 18 '22 14:10