Microservice Authentication strategy

Question

I'm having a hard time choosing a decent/secure authentication strategy for a microservice architecture. The only SO post I found on the topic is this one: Single Sign-On in Microservice Architecture

My idea here is to have in each service (eg. authentication, messaging, notification, profile etc.) a unique reference to each user (quite logically then his user_id) and the possibility to get the current user's id if logged in.

From my researches, I see there are two possible strategies:

1. Shared architecture

In this strategy, the authentication app is one service among other. But each service must be able to make the conversion session_id => user_id so it must be dead simple. That's why I thought of Redis, that would store the key:value session_id:user_id.

2. Firewall architecture

In this strategy, session storage doesn't really matter, as it is only handled by the authenticating app. Then the user_id can be forwarded to other services. I thought of Rails + Devise (+ Redis or mem-cached, or cookie storage, etc.) but there are tons of possibilities. The only thing that matter is that Service X will never need to authenticate the user.

---

How do those two solutions compare in terms of:

• security
• robustness
• scalability
• ease of use

Or maybe you would suggest another solution I haven't mentioned in here?

I like the solution #1 better but haven't found much default implementation that would secure me in the fact that I'm going in the right direction.

I hope my question doesn't get closed. I don't really know where else to ask it.

Thanks in advance

Answer 1

Based on what I understand, a good way to resolve it is by using the OAuth 2 protocol (you can find a little more information about it on http://oauth.net/2/)

When your user logs into your application they will get a token and with this token they will be able to send to other services to identify them in the request.

Example of Chained Microservice Design

Resources:

• http://presos.dsyer.com/decks/microservice-security.html
• https://github.com/intridea/oauth2
• https://spring.io/guides/tutorials/spring-security-and-angular-js/

Answer 2

Short answer : Use Oauth2.0 kind token based authentication, which can be used in any type of applications like a webapp or mobile app. The sequence of steps involved for a web application would be then to

1. authenticate against ID provider
2. keep the access token in cookie
3. access the pages in webapp
4. call the services

Diagram below depicts the components which would be needed. Such an architecture separating the web and data apis will give a good scalability, resilience and stability

Answer 3

you can use idenitty server 4 for authentication and authorisation purpose

you must use Firewall Architecture hence you have more control over secutiry , robustness ,scalability and ease of use

Answer 4

API gateway pattern should be used to implement this using OpenID Connect. User will be authenticated by IDP and will get the JWT token from authorization server. Now API gateway system can store this token in Redis database and set the cookie on the browser. API gateway will use the cookie to validate the user request and will send the token to the Microservices.

API Gateway acts as a single entry point for all types of clients apps like public java script client app, traditional web app, native mobile app and third party client apps in the Microservice architecture.

You can find more details about it on http://proficientblog.com/microservices-security/