Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Should the Auth Server be combined with the User Service in a microservices architecture?

Tags:

authentication

spring

oauth-2.0

microservices

I am currently building a microservices based application in spring boot with the following services

  • Auth server (Distributes access tokens)
  • User service (User info like username, password, email, etc.)
  • Various other unrelated services

When a user sends their credentials to the auth server, the auth server should verify that they are correct and then return an access token.

My question is, should I combine the auth server with the user service so looking up credentials is a simple database call, or should I keep them as separate applications and have them both point to the same shared database? Is there a better alternative?

like image 627
StackOverflower Avatar asked Jul 03 '17 13:07

StackOverflower

People also ask

Should authentication be a separate microservice?

Central dependency—authentication and authorization logic must be handled separately by each microservice. You could use the same code in all microservices, but this requires that all microservices support a specific language or framework.

How do you integrate oauth authentication in microservices?

User login into the system using basic authorization and login credentials. User will got token if user basic auth and login credentials is matched. Next, user send request to access data from service. the API gateway recive the request and check with authorization server.

Why have a separate auth server?

By building the authorization server as a standalone component, you can avoid sharing a database with the API servers, making it easier to scale API servers independently of the authorization server since they don't need to share a common data store.

2 Answers

What I usually do is keep them separate. Account information (first name, last name, contact data, affiliation, sex etc) is not related to authentication/authorization. Also, an account can have multiple authentication methods (i.e. OAuth, uname-pass, private key), which isn't really related to account data. So, I take them as separate entities. I know auth and account data seem the same, but they represent two very different things, with very different responsibilities, so I keep them separate. If one user should have to see some other user's first and last name, I wouldn't like to get other user's credentials out of the database (a lot can go wrong).

If you are thinking of UserService from Spring Security, it goes with Auth server.

From security stand point, having a single point of truth (auth server) and be able to fix an issue in one place is a huge advantage.

Anyhow, IMHO, account and auth can share some properties, but they are two different things - hence I keep them separate.

Hope this helps.

like image 176
Stefa Avatar answered Sep 17 '22 08:09

Stefa

You should keep them separated, oauth is not related to identity management but to authorization delegation.

In oauth2 there are 4 roles (resource server, resource owner, client and authorization server) you are currently asking if the authorization server must be part of one microservice of the resource server which has absolutely no sense.

If I correctly got your case what you name a user corresponds to the resource owner role in oauth2 terminology, some oauth2 flows (e.g. client_credentials) directly allow a client to get an access to the resource server and there will be no users implied in any way.

like image 23
Gab Avatar answered Sep 17 '22 08:09

Gab
Sign in to Comment

Related questions

How to get/set the principal and session attributes from Spring 4 stomp websocket methods
Spring boot: how to set a common path for multiple RestControllers
Searching An object from @ElementCollection
Basic spring boot app not working, showing: Failed to refresh live data from process xxxx
Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout
Dependency injection, Scala and Spring
How do I get Spring to print out the bean definitions it is picking up via component scanning?
Spring request mapping wildcard exceptions
Eclipse, Spring, Wildfly log4j logging
HibernateException: Couldn't obtain transaction-synchronized Session for current thread
How to setup spring-boot to allow access to the webserver from outside IP addresses
spring-boot redis : How to invalidate all sessions of a user?
Spring Specification and Pageable
Primary/Secondary failover DataSource in Spring Boot
Swagger+Spring: is it possible to preserve the fields order in the payload?
Waiting for all threads to finish in Spring Integration
How can localized messages in Thymeleaf be processed using SpEL
Conditional Spring configuration
no matching editors or conversion strategy found
Spring Boot package web application to .jar

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!