Authentication and authorisation in microservice architecture
I have multiple services:
- User
- Post
- Comment
- Authentication
- GraphQL endpoint
And let's say they are connected together like this:
All services are communicating through gRPC on a closed nettwork and the Authorization is done using jwt tokens
Approach 1: The graphql service is responsible for user authentication and making sure that the user is authorized to run the specified procedure. There is no user authentication between the services, but there is TLS authentication. There are no authorization checks done by the services.
Approach 2: Each individual service makes sure that the user is authorized to run a specific procedure. An example could be voting on a post where you would need to be signed in and have over 15 in reputation. Here it would be the Post service's responsibility to check whether the user is signed in or not (authenticated) and whether it's authorized to vote. This will result in large overhead since every procedure call needs to check user authentication and authorisation through the Auth service.
Is there a better approach that still preserves the security of approach 2, but creates a small overhead like approach 1?
-----Update-----
Approach 3: Same as approach 2, but user authentication is only done in the GraphQL service using the Auth service. The authorization is done by checking metadata passed around. And there is TLS authentication between the services.
Let's consider a request that travels from the authenticated user to service A and on to service B. The JWT should be passed on each of these calls.
Both services would first authenticate the user which is simply done by validating the JWT. Then each service would extract all information necessary to authorize the user from the user, for example the sub claim. It would use this information to decide if the user is authorized with respect to the operation that the service shall perform on behalf of the user. Only after successful authorization would the service actually do anything.
This would not be overhead but necessary to allow service B to both authenticate and authorize the user. Not passing the JWT from sercice A to service B would make it impossible for service B to know anything about the user.
- hooks.server and page.server authentication infinite loop
- how to use bitbucket access token with JGit instead of user / pass
- Where to store the refresh token on the Client?
- PostgreSQL error: Fatal: role "username" does not exist
- OpenID Connect /Node /React
- AWS Amplify Auth with Cognito User Pool not returning nonce or at_hash claim in JWT id_token
- Best practice for id_token vs. access_token use in AWS Lambda
- Revoking JWT with No Expiration
- How to implement user authentication in Blazor Server with Entra External ID?
- MSAL for non-SPA? Server side authentication?
- Passing authentication from Blazor to API, losing some claims
- How to guard nestjs swagger endpoint
- Google API access without using a private Google account
- How to Validate Current Password Against User Input Using Laravel Validator?
- getPocket API - iOS
- Is it a good idea to add UTC timestamp for API authentication
- Which HTTP response code should I give my application to say that authentication was successful?
- Error:Request failed: bad request (400) login via afnetworking in swift
- What is an API token
- Can you get your Twitter email using the API?
- Keep getting CallbackRouteError fired when trying to use signIn function in (next-)authjs v5
- Navbar not showing the changed value when a state changes
- I tried to change postgresql md5 to scram-sha-256 and I get FATAL password authentication failed
- Google Authenticator on Apple devices, certain secrets are not valid
- Tiktok client key
- REST API Authentication
- robin_stocks Robinhood Authentication Stopped Working
- AppwriteException: User (role: guest) missing scope (account), not able to get account after creating a session
- Jboss 7 custom authenticator
- How do the ASP.NET Core 5 OpenIdConnect authentication cookies work in theory?