Microservices Service-to-Service-Communication Need-to-Know principle

Question

Are there any best practices to minimize the exchanged data between (internal) microservices when calling the API of a service (aka Need-to-Know)?

How to achive something like this:

There are three services:

• User
• Notification (let's assume just email)
• Shipping

When the notification service needs the email address of a user it queries the API of the user service and should get the email (and NOT the full data set).

When the shipping service needs the shipping address of a user it queries the API of the user service and should get the shipping address (and NOT the full data set).

Question:

Should this be handled inside the user service with kind of an ACL (what service "XYZ" is allowed to see)?

Using JWT for authentication, there is a need to exchange keys at all, so during the setup-phase these ACLs could be discussed between the teams.

Answer 1

Should this be handled inside the user service with kind of an ACL

I think this is the best option. You could delegate the actual authorization to a separate service which the User service can call with the identity of the caller and the "claim" the caller is making (eg "I am allowed to see Email Address for User"). The claims can be evaluated on a per call basis.

However, is is arguable whether you actually need to query the user service at all. It would mean a change to your design but imagine for a minute that the Notifications service already knew about the user, for example the user ID and email address, then the notifications service would not need to query anything to be able to do it's job.

In order for the notifications service to have the user data already, it is necessary for that data to have been sent to the notifications service at some point in the past. A good time to do this would be when the user is first created, or any time a user details are changed. The best way to distribute this kind of information is in the form of an event message, although you could have the distribution based on an http POST to the notifications service.