Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Passing user identity and authorization between microservices

Tags:

oauth

authorization

jwt

microservices

I am confused - what is best way to pass user identity (authorization information) between microservices in asynchronous way?

Lets say I already have entry point (api gateway) that handes authentication and issues JWT tokens. Then user calls some API endpoint with this token. Up to this point everything is clear. Now - this endpoint needs to communicate with another microservice. That microservice must get authorization information (roles, etc). Also - this channel is asynchronous (JMS/Kafka), which means processing might be dalayed...

I was also thinking about other case: we have two services A and B. both expose API that might be accessed by external user (JWT token auth), but they also need to cooperate asynchronously (by JMS). They both need user identity context. Again - how to pass it?

I can:

  1. pass JWT token along with queue message - is it safe? what if tokens expires before target service starts processing?
  2. convert information from JWT token and pass it as HTTP headers - what if target service returns information - I need to regain authorization context from that response (it must be still processed in context of specific user), but this makes me handle two types of authorization: JWT and the one returned from asynch process...
  3. ...?

all of them have cons for me and I cannot find universal solution...

--Edit

Consider case: there is product catalog service and ordering service. Both expose public API. User places order, it is queued for processing. First step is to verify if products are ok and user was allowed to order them. Processing may call product catalog service but has to pass user context. This is the part that I am talking about.

like image 373
redguy Avatar asked Feb 15 '19 15:02

redguy

People also ask

How do you authenticate between two microservices?

To perform authentication based on entity context, you must receive information about the end-user and propagate it to downstream microservices. A simple way to achieve this is to take an Access Token received at the edge and transfer it to individual microservices.

How do you communicate between two services in microservices?

The synchronous call is the simplest way to communicate two services. It also bonds them together, since the calling microservice needs to wait for a response from remote. This kind of coupling can sometimes be prevented by using asynchronous communication.

What is the best way to communicate between microservices?

The most common type is single-receiver communication with a synchronous protocol like HTTP/HTTPS when invoking a regular Web API HTTP service. Microservices also typically use messaging protocols for asynchronous communication between microservices.

1 Answers

You have

  1. Gateway -> MS1 -> Kafka -> Kafka Consumer -> MS2
  2. Gateway -> MS2

In the second case, MS2 is acting on behalf of the user and therefore JWT of the user makes sense here.

In the first case, Kafka Consumer is just syncing the actions that has already taken place in MS1. It is not acting on behalf of the external user. The external user doesn't have any control here. The user cannot read or write anything wrong at this stage. User interaction ends in MS1 itself.

Therefore, the external user JWT is not required in the Kafka Consumer for authorization purpose. However, in the message you may pass the user context like username and other relevant details for processing. Based on these information, you need to decide whether you would go ahead with the order or not.

Kafka consumer will, however, need it's own access tokens that will be used across all different user orders. The OAuth 2.0 grant type you need to use here for the communications between the Kafka consumer and MS2 is called "Client Credential" grant type.

Here, the Consumer will directly contact with the Authorization server with appropriate credentials and client id to get an access token

like image 64
Saptarshi Basu Avatar answered Oct 19 '22 05:10

Saptarshi Basu
Sign in to Comment

Related questions

Login with Linkedin
Facebook - OAuth Token - redirect_uri isn't an absolute URL
Oauth provider behind reverse proxy
OSX OAuth redirect_uri in WebView
Omniauth-twitter in rails: OAuth::Unauthorized 401
OAuthWebSecurity Facebook ominous message: app "would like to access your public profile, friend list and email address"
OAuth Secrets and Desktop Application
Google oauth2.0 405 error
Web Api 2 with OWIN OAuth Bearer tokens
User info using OAuth with Google App Engine
LTI Launch Authentication with Node.js
Firebase $onAuth has wrong authData after $authWithOAuthRedirect from Facebook
403 Response From Adobe Experience Manager OAuth 2 Token Endpoint
Invalid signature. Expected signature base string, JAVA
Override Flask-Security's /login endpoint
Is there a way to generate an access token from within Identity Server without using the endpoints?
Google OAuth 2.0 invalid_request, Missing Scheme
OAuth2 Password Grant vs OpenID Connect
Netlify CMS, Gatsby and GitHub authentication without Netlify
Why does download captions return Login Required?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!