TIMBERings

Reputation: 768

Microservice Authentication Architecture

I'm starting to write a few microservices that will have independent web clients, a centralized authentication and authorization service, and an organization service. The organization service will keep track of who belongs to what organization and what that organization has paid for. This will tell me who can access which web client and what parts of each individual microservice. I've only developed authentication using Devise in a single Rails monolith, so I'm exploring how to do it in a multi microservice and web client ecosystem. I've come up with this:

Flow Diagram

  1. Web Client makes a request to a microservice and is denied because of a lack of session information sent in the request.
  2. Web Client makes a login request to the Authentication service. The Authentication service makes a request to the Organization service to see what organizations the user is a part of, as well as the services paid for. The session info is stored in the Web Client for future use in requests.
  3. Web Client makes a request to the Microservice. The Microservice validates the session information (from 2) against the Authentication service, which in turn reaches out to the Organization service for the user's organizations and the organizations' services. The response from Authentication is stored in the Microservice. The response back to the Web Client is granted if the two sets of session information match.
  4. Web Client makes a request to the Microservice, including the session info (from 2). The Microservice validates the session info against the stored session info (from 3). The response back to the Web Client is granted if the two sets of session information match.

Is this the proper way to authenticate? Is there a better way to do it? Are there small tweaks I should make?

Additionally, should I treat Authentication from the Web Client to the Microservices differently than Authentication between Microservices?

Upvotes: 2

Views: 948

Answers (2)

Aydin Homay

Reputation: 325

Here you are, ready out of the box: Identity Server, based on OpenID and OAuth 2.0, is all you need.

welcome-to-identityserver4

If you are interested in the topic of Microservices Architecture, the following links are a set of articles published about microservices on CodeProject; you can read them and comment with your questions if you like.

https://www.codeproject.com/Articles/1264113/Dive-into-Microservices-Architecture-Part-I

https://www.codeproject.com/Articles/1264113/Dive-into-Microservices-Architecture-Part-II

https://www.codeproject.com/Articles/1264113/Dive-into-Microservices-Architecture-Part-III

Upvotes: 1

Rob Conklin

Reputation: 9446

Do yourself a huge favor, and don't try to invent this yourself. Many, many people have written a fully functional auth & auth system, and a few of them have done it right. Unless you are a security specialist (which you likely aren't if you are asking this question), use a framework.

Start by looking at OAuth 2.0 and OpenID Connect providers; they are the de-facto standard in distributed authentication. Whichever language/platform you are using likely has an implementation that you can leverage out-of-the-box. This will dramatically speed you up, and will likely avoid all the things that you would be doing wrong in your own implementation.

Upvotes: 1
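As an added example (not code from the question or either answer), here is the pattern an OAuth 2.0 / OpenID Connect provider gives you, sketched in plain Ruby since the asker comes from Rails: the Authentication service embeds the organization memberships and paid services gathered in step 2 in a signed, expiring token, and each microservice checks signature, expiry and entitlement locally, which removes the per-request call back to Authentication in step 3 and the stored-session comparison in step 4. The names (AUTH_KEY, issue_token, verify_token, authorized?) and the HMAC token format are assumptions for illustration, not IdentityServer's API or a standard JWT library.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed demo secret shared by the Authentication service and the
# microservices. A real deployment would use the provider's asymmetric key
# pair so that only the issuer can sign and every service can only verify.
AUTH_KEY = 'constructed-demo-secret-not-for-real-use'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time equality so signature checks do not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authentication service (asker's step 2): after login it asks the Organization
# service for memberships and paid services, then embeds them in a signed,
# short-lived token returned to the Web Client.
def issue_token(user_id, orgs, now: Time.now.to_i, ttl: 900)
  claims = { 'sub' => user_id, 'orgs' => orgs, 'iat' => now, 'exp' => now + ttl }
  payload = b64url(JSON.generate(claims))
  "#{payload}.#{b64url(OpenSSL::HMAC.digest('SHA256', AUTH_KEY, payload))}"
end

# Microservice (replaces steps 3 and 4): verifies signature and expiry locally
# on every request, with no call back to Authentication or Organization.
# Returns the claims hash, or nil if the token is malformed, forged or expired.
def verify_token(token, now: Time.now.to_i)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil?
  expected = b64url(OpenSSL::HMAC.digest('SHA256', AUTH_KEY, payload))
  return nil unless secure_equal?(expected, sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

# Authorization inside the microservice: the organization named in the request
# must be one the user belongs to and must have paid for this service.
def authorized?(claims, org_id, service)
  org = claims['orgs'].find { |o| o['id'] == org_id }
  !org.nil? && Array(org['services']).include?(service)
end
```

For the asker's last question, a service calling another service would carry a token issued to the calling service in the same way and verified by the same function, so the receiving side treats both kinds of caller uniformly.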
