Denis Stephanov

Reputation: 5271

Organize user and authentication in microservice architecture

In our microservices we will have a custom authentication / authorization service, a.k.a. UAA, right? It makes sense to me to have a user controller for login, token verification or creating users.

But there is a second use case. We also want to have some user administration for adding favorite contacts to a user, filling the profile with some additional information, user addresses and so on. In the second use case I would like to have a second microservice for that purpose. What do you recommend, or what is the best practice for that?

  1. have one microservice for user management (profile, contacts, credentials) and also login / token providing

  2. have two microservices - one for managing user credentials and token providing (UAA) and a second for additional user info

  3. have two microservices - one for completely separate user management, and a second for authentication and token providing, which will consume the REST API of the user service if it needs some user data or to verify user credentials

For me option 3 is fine for that, but I would like to hear your opinions.

Upvotes: 9

Views: 12720

Answers (3)

Manish Kumar

Reputation: 133

All three are valid approaches. If the application has simple user management, the first approach is best. If the application has additional complex user features, the third approach is best. My opinion is a little different on the implementation of the third approach. Credentials and user profile should be maintained in the auth service like any standard OAuth2 authorization server. Once a user completes his registration with the auth server, his/her profile should be replicated to the user service. This replication should be async. Additional profile completion should be done in the user service. For authentication/authorization an OAuth2 grant should be used with JWT.

Upvotes: 3

MihaiGhita

Reputation: 167

My recommendation is to have two microservices:

  1. One for user management like profile, contacts, credentials. On this microservice users will create accounts, send password resets and so on.

  2. One for authorization (e.g. OAuth2 with JWT tokens). This microservice will be used only for authorization (in the case of OAuth2 and JWT, for generating JWT tokens based on username/mail and password).

When a user creates an account, a request with the user's credentials and permissions will be made to the authorization microservice to notify it that a new user was created. The same goes for user password reset or user deletion.

The authorization microservice will receive that request and save the user's credentials and permissions in its own database, for example Redis or PostgreSQL. Every user that logs in to your service/application will first call the authorization microservice, will receive a JWT token that contains user metadata (name, role and other information), and using that token will send requests to the other microservices of your application/service, for example user management, an orders service or others.

Upvotes: 13

Yilmaz

Reputation: 49571

In the microservice world it is not a good method to have a separate auth service for authentication, because if the auth service is down, how are you going to authenticate the user? Your entire app will crash.

Choose option 1. Make the user service handle the authentication as well. Imagine you build many microservices: each service should authenticate the user itself without depending on other services.

Upvotes: 1
