ozman

Reputation: 256

Micro Services OAuth2.0 Scope implementation

What is the best way of implementing such a scenario for OAuth 2.0 implementations?

My backend is designed in micro services architecture.

I have client “Mobile” which will make call to ServiceA.

I can add “ScopeA” scope to “Mobile” client which is fine.

Then let's assume tomorrow ServiceA will call ServiceB's authorized endpoint to complete the request.

My question is:

Which option is right?

  1. When ServiceA starts calling ServiceB, I should add the ServiceB scope to the Mobile client.
    • I mean propagate the 'Mobile' client's access token to all micro services, with all required scopes in the token.
  2. Instead of using the Mobile client's access token to call ServiceB, ServiceA should get its own access token to call ServiceB.

For the second option we will lose information like the subject information.

Upvotes: 0

Views: 56

Answers (1)

Tore Nestenius

Reputation: 19961

You have several options here. One option is to use the client credentials flow between ServiceA and ServiceB. In the requests you can pass the user details as normal request parameters.

The advantage of this approach is that ServiceA can contact ServiceB independently of whether the user is logged in or not. For example, ServiceA might need to do some background requests to ServiceB.

Another, more advanced option is delegated authentication, which you can read about in this article.

Upvotes: 2
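The client-credentials option from the answer above, worked through as an added example that is not part of the original question or answer. It simulates all three parties in one process: a tiny authorization server that issues HS256-signed JWTs from a client registry, ServiceA obtaining its own token (not the Mobile user's) and passing the end user as a plain request field, and ServiceB validating signature, expiry, audience and scope before trusting that field. Everything here is assumed: the client IDs and secrets, the scope names `serviceA.read`/`serviceB.read`, the audience values, the shared HMAC key standing in for the authorization server's signing key, and the `on_behalf_of` field name. Only the standard library is used.

```python
"""Added example (not from the original post): client-credentials flow between
ServiceA and ServiceB, with the end user passed as an ordinary request field.

Assumptions (all hypothetical, none from the question or answer): one HMAC key
stands in for the authorization server's signing key, tokens are compact HS256
JWTs, and ServiceA reports the user in a JSON body field named "on_behalf_of".
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-authorization-server-key"  # constructed for the example only

# Client registry of the authorization server: which client may obtain which scopes.
CLIENTS = {
    "mobile":   {"secret": "mobile-secret",   "scopes": {"serviceA.read"}},
    "serviceA": {"secret": "serviceA-secret", "scopes": {"serviceB.read"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())


def issue_token(claims: dict) -> str:
    """Authorization server: encode and sign a compact JWT (HS256)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"


def client_credentials_grant(client_id, client_secret, scope, audience, now=None):
    """Authorization server: RFC 6749 section 4.4 client credentials grant.
    The client authenticates with its own secret; no user is involved, so
    ServiceA can call this even when no user session exists."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    requested = set(scope.split())
    if not requested <= client["scopes"]:          # only registered scopes are granted
        raise PermissionError("invalid_scope")
    now = now or int(time.time())
    return issue_token({"iss": "https://as.example", "sub": client_id, "aud": audience,
                        "scope": " ".join(sorted(requested)), "iat": now, "exp": now + 300})


def verify_token(token, audience, required_scope, now=None):
    """Resource-server side: signature, expiry, audience and scope checks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed_token")
    header, payload, signature = parts
    if not hmac.compare_digest(_sign(header + "." + payload), signature):
        raise PermissionError("bad_signature")
    claims = json.loads(_unb64(payload))
    now = now or int(time.time())
    if claims["exp"] <= now:
        raise PermissionError("expired")
    if claims["aud"] != audience:                  # a token minted for ServiceA is not valid at ServiceB
        raise PermissionError("wrong_audience")
    if required_scope not in claims["scope"].split():
        raise PermissionError("insufficient_scope")
    return claims


def service_b_handler(authorization_header: str, body: dict) -> dict:
    """ServiceB endpoint. The authenticated caller is the token's "sub" (a client);
    the end user is whatever the caller wrote into the body."""
    token = authorization_header[len("Bearer "):]
    claims = verify_token(token, audience="serviceB", required_scope="serviceB.read")
    # Caveat: "on_behalf_of" is not signed by the authorization server. ServiceB can
    # only accept it because the token proves the request came from a client that
    # ServiceB trusts to assert user identity, so that trust is limited explicitly.
    if claims["sub"] not in {"serviceA"}:
        raise PermissionError("client_not_allowed_to_assert_user")
    return {"caller": claims["sub"], "user": body.get("on_behalf_of"), "data": "..."}


def service_a_calls_service_b(user_sub: str) -> dict:
    """ServiceA: obtain its own token with client credentials, then call ServiceB
    passing the user as a normal request field (the answer's suggestion)."""
    token = client_credentials_grant("serviceA", "serviceA-secret", "serviceB.read", "serviceB")
    return service_b_handler("Bearer " + token, {"on_behalf_of": user_sub})


def rejection_reason(call) -> str:
    """Run a call and return the PermissionError reason, or "" if it succeeded."""
    try:
        call()
    except PermissionError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    print(service_a_calls_service_b("user-42"))
    mobile_token = client_credentials_grant("mobile", "mobile-secret", "serviceA.read", "serviceA")
    # Replaying the Mobile client's token at ServiceB fails: wrong audience (and scope).
    print(rejection_reason(lambda: service_b_handler("Bearer " + mobile_token, {"on_behalf_of": "user-42"})))
```

The `__main__` section also shows why option 1 in the question is not free: a token issued to the Mobile client for ServiceA is rejected by ServiceB on audience (and would be rejected on scope) until the authorization server is configured to issue it for both, which is exactly the propagation of scopes the question describes. With the client-credentials approach the user identity is only as trustworthy as ServiceA, which is why the handler restricts which clients may assert it; the delegated-authentication option the answer mentions addresses that by having the authorization server itself vouch for the user in the token.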
