I'm having a hard time choosing a decent/secure authentication strategy for a microservice architecture. The only SO post I found on the topic is this one: Single Sign-On in Microservice Architecture
My idea here is to have in each service (e.g. authentication, messaging, notification, profile etc.) a unique reference to each user (quite logically then his `user_id`) and the possibility to get the current user's `id` if logged in.
From my research, I see there are two possible strategies:
In this strategy, the authentication app is one service among others. But each service must be able to make the conversion `session_id` => `user_id`, so it must be dead simple. That's why I thought of Redis, which would store the key:value pair `session_id:user_id`.
In this strategy, session storage doesn't really matter, as it is only handled by the authenticating app. Then the `user_id` can be forwarded to other services. I thought of Rails + Devise (+ Redis or memcached, or cookie storage, etc.) but there are tons of possibilities. The only thing that matters is that Service X will never need to authenticate the user.
How do those two solutions compare in terms of:
Or maybe you would suggest another solution I haven't mentioned in here?
I like solution #1 better but haven't found many default implementations that would reassure me that I'm going in the right direction.
I hope my question doesn't get closed. I don't really know where else to ask it.
Thanks in advance
Based on what I understand, a good way to resolve it is by using the OAuth 2 protocol (you can find a little more information about it on http://oauth.net/2/).
When your user logs into your application, they will get a token, and with this token they will be able to identify themselves to the other services in each request.
[Image: Example of Chained Microservice Design]
Resources:
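An added example (not code from the question or the answer) putting the two ideas side by side: the `session_id:user_id` lookup from strategy #1 (an in-memory dict stands in for Redis here) and a signed, expiring bearer token of the kind the answer points to, which the authenticating service issues at login and any other service can verify without re-authenticating the user or trusting a caller-supplied `user_id`. The shared secret, the token layout and the sample session data are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: one secret distributed out of band to every service (constructed value).
SECRET = b"constructed-shared-secret-do-not-use"

# Strategy #1 stand-in: the session_id -> user_id map the question would keep in Redis.
SESSION_STORE = {"sess-abc123": "42"}  # constructed sample data


def lookup_user_by_session(session_id):
    # Any service resolves the session cookie to a user_id with one key lookup.
    return SESSION_STORE.get(session_id)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl=900, now=None):
    # Strategy #2 / OAuth2-style: the authenticating service signs a claim carrying the
    # user_id plus an expiry, so the claim cannot be forged or replayed forever.
    now = int(time.time()) if now is None else now
    claims = {"sub": str(user_id), "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    # Service X checks signature and expiry only; it never handles passwords or sessions.
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time compare against tampering
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims["sub"]
```

A plain forwarded `X-User-Id` header would be the unsafe form of strategy #2, since any caller that can reach Service X directly could set it; the signed token is what makes the forwarded identity trustworthy.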