Hey, I'm currently thinking about a good way to authenticate a user between my microservices. My current solution is that I generate a JWT token, and when somebody makes an API access he has to add the token into the header. Now the API makes a request to another service and asks if the token from the header is valid. The authentication service then gives back whether the token is valid or invalid. I don't think that this is a good solution, so I want to ask if you know a better solution.
To complement @labsvisua's answer, I think a really important point is to have only a single auth endpoint that handles the JWT signature generation/check and returns 200/401, but to avoid calling the auth from every single other service. That second point is critical from my point of view. All the auth validation should be handled at the API gateway level, and once forwarded to a (micro)service, that service can trust the request. All your auth tests/updates belong to your API gateway; therefore, if you have anything to update/fix/improve/add regarding auth, it's done in a single place (and therefore it's much easier to test).
We're not using Kong, but we usually refer to their doc to explain this: getkong.org All the user-facing common 'boilerplate stuff' (auth, versions, ...) is centralized in an API gateway so that all your other services can focus on their real purpose, and you don't have the risk of having multiple (and possibly outdated) versions of your auth lib all over the place.
So, if I get it correctly, you want a way to authenticate a user when passing information between microservices? Or do you want a way to authenticate the microservice itself?
Terminology
You don't want to confuse authentication and authorization. Let me quickly define them:
The AuthBearer does both. First, it creates a token when the user asks it to; and, when the microservices give it a token, it checks for authorization.
Auth a User Between Microservices
For this, I'd recommend you create an AuthBearer microservice. Now, let this service handle everything (Authentication + Authorization); create REST routes like:
/services/auth/token (POST)
When a user requires authentication, send his/her data to this service, and it'll return a token; JWT, if you prefer. Now, if he uses some other service, ask him to pass that token as a Header, and then from within that service, ask the Bearer if it's valid.
A quick example; say you have the following microservices:
The first microservice would be /services/product, the second one will be /services/checkout and the third one will be /services/auth. Now, to authenticate, the user sends his/her details to /services/auth, and this microservice returns a JWT. Perfect.
He then creates a product by POSTing it to the /services/product route, with his header Auth <TOKEN> Bearer. Upon getting this header, the Product microservice asks the Auth microservice if the token provided is valid; if it is, it gives the permission, otherwise a 401.
If you need help with anything else, be sure to comment! I hope this helps! :)
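Added example, not code from either answer above: the flow both answers describe, put together in one runnable Python script. The auth service part (the /services/auth route that issues an HS256 JWT) follows the second answer; the validation is done once at the API gateway, as the first answer recommends, and the product service then only checks authorization against an identity the gateway attached, instead of calling the auth service on every request. Everything here is stdlib-only and hypothetical: the shared secret, the X-Authenticated-User and X-Scopes header names, the request dicts standing in for real HTTP requests, and the "product:write" scope are all constructed for the demo. The token is carried in the standard Authorization: Bearer <token> header (RFC 6750) rather than the "Auth <TOKEN> Bearer" wording used in the answer.

```python
"""Issue an HS256 JWT, verify it once at the gateway, forward a trusted identity.

Added example with constructed inputs; header names, secret and scopes are
hypothetical. Only the Python standard library is used.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-use"   # shared between auth service and gateway
TRUSTED_IDENTITY_HEADER = "X-Authenticated-User" # hypothetical header set only by the gateway
SCOPES_HEADER = "X-Scopes"                       # hypothetical header set only by the gateway


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, key: bytes, now: int = None, ttl: int = 900) -> str:
    """What /services/auth/token (POST) returns after checking the user's credentials."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": scopes, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, key: bytes, now: int = None):
    """Return the payload if the token is valid, else None.

    Pins alg to HS256 (rejects "none"), compares the MAC in constant time and
    enforces exp, so a tampered, forged or expired token never reaches a service.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:          # bad base64, bad JSON or wrong number of segments
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def gateway_forward(request: dict, key: bytes, now: int = None):
    """API gateway: the single place that validates the JWT.

    Returns (401, None) on failure, or (200, forwarded_request) with the bearer
    token removed and the verified identity attached for downstream services.
    """
    headers_in = request.get("headers", {})
    auth = headers_in.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    payload = verify_token(auth[len("Bearer "):], key, now)
    if payload is None:
        return 401, None
    # Strip any client-supplied identity headers so a caller cannot spoof them.
    headers = {k: v for k, v in headers_in.items()
               if k not in ("Authorization", TRUSTED_IDENTITY_HEADER, SCOPES_HEADER)}
    headers[TRUSTED_IDENTITY_HEADER] = payload["sub"]
    headers[SCOPES_HEADER] = " ".join(payload["scope"])
    return 200, {**request, "headers": headers}


def product_service(forwarded: dict) -> int:
    """/services/product: trusts the gateway's identity header, checks authorization only."""
    user = forwarded["headers"].get(TRUSTED_IDENTITY_HEADER)
    scopes = forwarded["headers"].get(SCOPES_HEADER, "").split()
    if user is None:
        return 401
    if forwarded["method"] == "POST" and "product:write" not in scopes:
        return 403
    return 201 if forwarded["method"] == "POST" else 200


if __name__ == "__main__":
    token = issue_token("alice", ["product:write"], SECRET)
    req = {"method": "POST", "path": "/services/product",
           "headers": {"Authorization": "Bearer " + token}}
    status, fwd = gateway_forward(req, SECRET)
    print("gateway:", status, "product:", product_service(fwd) if fwd else None)
```

The design only holds if /services/product is reachable exclusively through the gateway (network policy, mTLS or a service mesh between gateway and services); otherwise anyone who can reach the service directly can set X-Authenticated-User themselves. The gateway strips that header from incoming requests for the same reason.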