Microservice to Microservice calls, authorization from a queue message

终归单人心 2021-02-08 05:48

Context: I'm creating a cloud platform to support multiple applications with SSO. I'm using Keycloak for authentication and Netflix Z

3 answers
  •  再見小時候
    2021-02-08 05:55

    One common setup is to have an API gateway that verifies all incoming requests by their JWT. The API Gateway validates the signature of the JWT (or decrypts it for encrypted JWTs), checks the expiry time etc., and extracts the scopes and the User ID (sub) from it.

    It then compares the scopes with a set of defined scopes for each micro service, and if the scope provides the user (subject) access, the request is forwarded to the micro service. The User ID (sub in the JWT), along with other needed information stored in the JWT, is placed in custom request headers like X-IGNACIO-SUBJECT.
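
The gateway flow described in the answer above, as an added example that is not part of the original answer: verify the token, check expiry, compare scopes per service, and forward the subject in `X-IGNACIO-SUBJECT` after dropping any copy of that header the client sent. Assumptions: an HS256 token with a constructed shared key (a Keycloak deployment would normally verify RS256 tokens against the realm's public key), a space-separated `scope` claim, and hypothetical service names and scopes.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # assumption: HS256 shared secret, constructed
REQUIRED_SCOPES = {"orders": {"orders:read"}, "billing": {"billing:write"}}  # hypothetical
SUBJECT_HEADER = "X-IGNACIO-SUBJECT"  # header name used in the answer

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims, key=KEY, alg="HS256"):
    """Stand-in for the identity provider: builds a signed demo token."""
    signing_input = ".".join(b64e(json.dumps(p).encode()) for p in ({"alg": alg}, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64e(mac)}"

def verify(token, key=KEY, now=None):
    """Return the claims of a valid token, raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            raise ValueError("unexpected alg")
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64d(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64d(body))
        if not claims.get("sub") or float(claims.get("exp", 0)) <= now:
            raise ValueError("expired or missing sub")
    except (AttributeError, TypeError, ValueError) as exc:
        raise ValueError(f"token rejected: {exc}") from None
    return claims

def route(service, headers, now=None):
    """Gateway decision: (HTTP status, headers forwarded to the micro service)."""
    auth = headers.get("Authorization", "")
    try:
        claims = verify(auth[7:] if auth.startswith("Bearer ") else "", now=now)
    except ValueError:
        return 401, {}
    granted = set(str(claims.get("scope", "")).split())
    required = REQUIRED_SCOPES.get(service)  # unknown service: deny by default
    if required is None or not required <= granted:
        return 403, {}
    # Drop any client-supplied copy of the identity header, then set the verified one.
    forwarded = {k: v for k, v in headers.items() if k.lower() != SUBJECT_HEADER.lower()}
    return 200, {**forwarded, SUBJECT_HEADER: claims["sub"]}
```

The micro services can trust the forwarded header only if they are reachable solely through the gateway.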
