Should the Auth Server be combined with the User Service in a microservices architecture?

I am currently building a microservices based application in spring boot with the following services

  • Auth server (Distributes access tokens)
  • User service (User info like username, password, email, etc.)
  • Various other unrelated services

When a user sends their credentials to the auth server, the auth server should verify that they are correct and then return an access token.

My question is, should I combine the auth server with the user service so looking up credentials is a simple database call, or should I keep them as separate applications and have them both point to the same shared database? Is there a better alternative?

Asked by StackOverflower, Jul 03 '17



2 Answers

What I usually do is keep them separate. Account information (first name, last name, contact data, affiliation, sex etc.) is not related to authentication/authorization. Also, an account can have multiple authentication methods (i.e. OAuth, uname-pass, private key), which isn't really related to account data. So, I take them as separate entities. I know auth and account data seem the same, but they represent two very different things, with very different responsibilities, so I keep them separate. If one user should have to see some other user's first and last name, I wouldn't like to get the other user's credentials out of the database (a lot can go wrong).

If you are thinking of UserService from Spring Security, it goes with the Auth server.

From a security standpoint, having a single point of truth (auth server) and being able to fix an issue in one place is a huge advantage.

Anyhow, IMHO, account and auth can share some properties, but they are two different things - hence I keep them separate.

Hope this helps.

Stefa, answered Sep 17 '22
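The split the answer above argues for, as an added example that is not part of the question, the answers, or Spring Boot itself: a Python stand-in in which the auth server owns the credential store (salted PBKDF2 hashes, one entry per login and auth method) and the signing key, while the user service holds only profile data and serves it against a validated token. The shared HMAC key and the in-memory dictionaries are simplifications for this example; a real resource server would validate tokens via a public key or introspection.

```python
import base64, hashlib, hmac, json, os, secrets, time

TOKEN_KEY = secrets.token_bytes(32)  # held by the auth server (constructed)

# User service store: profile data only, never secrets (constructed sample).
ACCOUNTS = {"acc-1": {"username": "alice", "email": "alice@example.test"}}

# Auth server store: (login, method) -> credential record. One account can
# have several auth methods here without the profile store knowing about it.
CREDENTIALS = {}


def register_password(account_id, login, password):
    """Auth server: store a salted PBKDF2 hash linked to the account id."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    CREDENTIALS[(login, "password")] = {"sub": account_id, "salt": salt, "hash": digest}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(login, password, ttl=300):
    """Auth server: verify the password, return a signed token or None."""
    rec = CREDENTIALS.get((login, "password"))
    if rec is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(digest, rec["hash"]):
        return None
    payload = _b64(json.dumps({"sub": rec["sub"], "exp": int(time.time()) + ttl}).encode())
    sig = _b64(hmac.new(TOKEN_KEY, payload.encode(), "sha256").digest())
    return f"{payload}.{sig}"


def verify_token(token):
    """Resource side: check signature and expiry, return the subject or None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(TOKEN_KEY, payload.encode(), "sha256").digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["sub"] if claims["exp"] > time.time() else None


def get_profile(token):
    """User service: serve profile data for a valid token; no credentials live here."""
    sub = verify_token(token)
    return None if sub is None else ACCOUNTS.get(sub)
```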


You should keep them separated; OAuth is not related to identity management but to authorization delegation.

In OAuth2 there are 4 roles (resource server, resource owner, client and authorization server). You are currently asking if the authorization server must be part of one microservice of the resource server, which makes absolutely no sense.

If I correctly got your case, what you name a user corresponds to the resource owner role in OAuth2 terminology. Some OAuth2 flows (e.g. client_credentials) directly allow a client to get access to the resource server, and there will be no users implied in any way.

Gab, answered Sep 17 '22