Philip K. Adetiloye

Reputation: 3270

Microservices OAuth2/OpenID Connect flows

I'm building a new application platform using Microservice Architecture but I've been reading a lot about different kinds of Authentication/Authorization to use.

I'm settling for OAuth2/OpenID Connect but just want to make sure my assumptions are right.

I'd like to know if my flow is right to handle the authentication/authorization of my application. Secondly, for my trusted Apps, how can I prevent OAuth from asking the user for consent?


Upvotes: 2

Views: 1549

Answers (1)

João Angelo

Reputation: 57698

In terms of protocols/standards, going with OAuth 2.0 and OpenID Connect for a system like the one you described is the right decision. They are in active use, have plenty of library and third-party provider support, and they were also designed taking into consideration the heavy reliance on HTTP that present-day systems exhibit.

In terms of choosing the correct flow for each application, the decision is not influenced by the application being perceived as a third-party or trusted application; it's more about the deployment characteristics of the application and also whether the application wants to access resources on behalf of an end-user or on behalf of the application itself.

Check Auth0 - Which OAuth 2.0 flow should I use? for a good illustration of this decision process.

The distinction between third-party application and trusted application is something left to the discretion of the identity provider/authorization server. This is usually supported so that consent is not explicitly asked of an end-user if the application is trusted; in these cases flagging an application to skip end-user consent is seen as an administration step where someone unilaterally and administratively decides that consent was granted to this application and, as such, it's not necessary to ask end-users for it.

If you do indeed decide to support administrative consent for some applications, bear in mind that if the characteristics of these applications don't allow them to be confidential clients (i.e. support a secure mechanism to authenticate the client application itself) or have some other way to ensure the client identity, then a hostile application may try to fake a trusted application in order to skip the user consent step.

Upvotes: 3
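The point made in the answer above about administrative consent and confidential clients, as an added example that is not part of the original answer or of any library: a toy authorization server whose registry refuses to mark a public client as trusted, whose authorization endpoint skips the consent screen only for registered trusted clients and only delivers the code to the exact registered redirect URI, and whose token endpoint requires client authentication from confidential clients. The client ids, redirect URIs and secret are constructed for the demo, each client is simplified to a single registered redirect URI, and PKCE for the public client is left out.

```python
"""Toy OAuth 2.0 authorization server: when is it safe to skip end-user consent?

Added example, not code from the question or from any library. Client ids,
redirect URIs and the client secret are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uri: str        # one registered URI; matched by exact string equality
    confidential: bool       # True if the app can hold a secret (server-side code)
    trusted: bool            # admin granted consent on behalf of every end-user
    secret_hash: bytes = b""  # sha256 of the client secret; empty for public clients


REGISTRY: dict[str, Client] = {}
_ISSUED_CODES: dict[str, tuple[str, str]] = {}   # code -> (client_id, user)


def _h(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def register(client: Client) -> Client:
    """Registry invariant: consent may only be skipped for clients whose identity
    the server can verify later, i.e. confidential clients that authenticate at
    the token endpoint. A public client flagged as trusted is refused, because a
    hostile app could present its client_id and no secret would expose it."""
    if client.trusted and not client.confidential:
        raise ValueError("refusing to mark a public client as trusted")
    if client.confidential and not client.secret_hash:
        raise ValueError("confidential client must have a secret")
    REGISTRY[client.client_id] = client
    return client


WEB_SECRET = "constructed-secret-for-the-first-party-web-app"   # demo value
register(Client("first-party-web", "https://app.example.com/cb", True, True, _h(WEB_SECRET)))
register(Client("mobile-app", "com.example.mobile:/cb", False, False))


def authorize(client_id: str, redirect_uri: str, user: str, user_consented: bool) -> dict:
    """Authorization endpoint. Returns where the code is delivered and whether a
    consent screen was shown; raises PermissionError on a bad request."""
    client = REGISTRY.get(client_id)
    if client is None or redirect_uri != client.redirect_uri:
        # A hostile app reusing a trusted client_id with its own redirect_uri
        # gets nothing: a code is only ever sent to the registered URI.
        raise PermissionError("unknown client or redirect_uri mismatch")
    consent_required = not client.trusted
    if consent_required and not user_consented:
        raise PermissionError("end-user did not consent")
    code = secrets.token_urlsafe(16)
    _ISSUED_CODES[code] = (client_id, user)
    return {"redirect_to": client.redirect_uri, "code": code,
            "consent_screen_shown": consent_required}


def token(client_id: str, code: str, client_secret: Optional[str]) -> dict:
    """Token endpoint. Confidential clients must authenticate (RFC 6749 section
    2.3; client_secret is shown here, mTLS or private_key_jwt serve the same
    purpose). Public clients cannot authenticate, which is exactly why they
    were not allowed to be marked trusted above."""
    client = REGISTRY.get(client_id)
    issued = _ISSUED_CODES.pop(code, None)   # authorization codes are single-use
    if client is None or issued is None or issued[0] != client_id:
        raise PermissionError("invalid code")
    if client.confidential:
        ok = client_secret is not None and hmac.compare_digest(
            client.secret_hash, _h(client_secret))
        if not ok:
            raise PermissionError("client authentication failed")
    return {"access_token": secrets.token_urlsafe(24), "sub": issued[1]}


if __name__ == "__main__":
    r = authorize("first-party-web", "https://app.example.com/cb", "alice", user_consented=False)
    print("trusted client, consent screen shown:", r["consent_screen_shown"])
    print("token for:", token("first-party-web", r["code"], WEB_SECRET)["sub"])
    try:
        authorize("first-party-web", "https://evil.example/cb", "alice", user_consented=False)
    except PermissionError as e:
        print("hostile app with trusted client_id rejected:", e)
```

The three checks together are what make the administrative consent flag safe: the registry ties "trusted" to "confidential", the authorization endpoint never hands a code to an unregistered redirect URI, and the token endpoint will not exchange a code for a confidential client without its credentials. Drop any one of them and an untrusted application can borrow the trusted client's identity to skip the consent step.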
