I have an application which is implemented using microservice architecture. There is an authentication service (A) which uses jwt standard, and there are other services in the application like S1, S2, S3 and so on. Now for example S1 receives a request, it should validate the token to see if the user is authorized or not. The validation can be achieved by:
I'm not asking about how these approaches work exactly. The questions is, which one of them is better? Or what is the best practice in this situation?
I would recommend keeping your authentication service packaged up in another microservice and communicating with it to authenticate. (Basically your first option.)
In a microservices ecosystem, you're likely to have 10s if not hundreds of applications running (ideally) pretty independent of one another. With the second option, you have added boilerplate every time you spin up a new service. But perhaps more importantly, you've coupled all of your microservices to your current authentication scheme. Best to put all of your auth behind an interface and hide all your auth logic in one, separated place.
I think you need to consider both solutions and think what are the tradeoffs.
Having a single service handling authorization:
Implementing authorization on each service:
Gives more independency to each service (which is the nature of "microservices")
Gives flexibility on how you want to secured each of your services. Could vary depending on the intend of each of them.
At the end, you need to find what's your need and take a decicion based on what gives you more benefits. I just listed a few of pros and cons, but I think the idea is to invest time on this topics and then take the decision based on what you consider is best for your team.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With