So I've looked into microservices a lot and I'm starting to get a bit confused. I'm working on building a full stack microservice setup webapp. Also, I will be using Nginx to act as a reverse proxy.

Microservices (all are internal):

1) User Auth Service (simple login, get a JWT, and users are assigned roles for authorization)
2) Service A
3) Service B

NOTE1: Service B will have a functionality where it will need to refer to the database Service A is connected to in order to assign stuff (ex: Service A: /GET all). HOWEVER, the USER with the JWT is NOT allowed to access Service A's /GET all, BUT Service B is ALLOWED to, since it needs to do so in order to fulfill the assignment feature.

NOTE2: I do plan in the near future to incorporate API token access so 3rd parties (such as my users wanting to create their own Client) can access our "webapp" so they don't have to use our own Client's UI Webapp. Basically integrating our features into their site.

2 Options:

1) No API Gateway

(sub-option 2a) Authorize in each service when called upon. (Let each service handle authorization)

Questions: Referring back to "NOTE1", because Service B is going to talk to Service A (unless I directly call their database without going through Service A), and in this setup authorization is handled per service, how would I bypass or allow Service B to access Service A's /GET all route? When the user creates a new /POST to Service B, Service B processes the data and requests from Service A's /GET all to assign some data from A to B, but the User will never see the /GET all data, only the end result from the assignment. Because again, if the service is handling authorization, how does it know Service B is authorized? ...or should I just have Service B skip accessing /GET all from Service A, and directly access Service A's database? I'm very hesitant on this route because that would basically ruin the "database per service" architecture I have going.

(sub-option 2b) Each service calls the User Auth to verify when the service is called upon. (Let's annoy the User Auth service about Authentication AND Authorization every time we, the services, get called upon)

Questions: I guess it's the same situation as 2a, so refer to 2a's questions.

2) API Gateway

NOTE: I'm using an SPA client, and I don't have any complicated pages where I would have to access multiple services to populate a single data page, so an API Gateway would serve more as an unnecessary bottleneck to me. Yes, it would mean the backend structure would be more exposed to the public, but hmm.

In the API Gateway scenario, everything authorization-wise I think would be handled here, or maybe I would convert my User Auth into an API gateway of some sort behind the Nginx Reverse Proxy. In this scenario, I wouldn't have any authorization logic in each of my Services (e.g. Service A and Service B), which would make intercommunication amongst the services super simple since they're internal. Unwanted intruders wouldn't be able to see A and B in the first place since the Authorization manager would kick 'em out.

Confused? I'm mainly concerned about the intercommunication of microservices regarding Authorization internally if each were to handle Authorization checks.

Thank you for your time and wisdom. They are greatly appreciated.

Status of Post: [Still Open for Some Answers]
Submitted October 08, 2019 at 06:16PM by nathangonz17
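One way to handle the 2a question (how Service A can tell that the caller is Service B rather than an end user holding a JWT), as an added Python example that is not part of the original post: the User Auth service issues Service B its own short-lived service token under its own identity, and Service A keeps a per-route policy that lists which user roles and which services may call each route. The claim names (typ, sub, aud, roles), the route names, the shared HMAC key and the minimal hand-rolled HS256 JWT (standing in for a real JWT library) are all assumptions of this example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo key shared by User Auth (issuer) and Service A (verifier); not for production.
AUTH_KEY = b"constructed-demo-key-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes = AUTH_KEY) -> str:
    """HS256 JWT as the User Auth service would issue it (minimal stand-in for a JWT library)."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes = AUTH_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry hold, else None. The alg is pinned, never read from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

# Service A's own route policy. "GET /all" lists no user roles at all, so no end-user token can
# reach it; only a service token whose subject is Service B and whose audience is Service A can.
SERVICE_A_POLICY = {
    "GET /all":  {"roles": set(),             "services": {"service-b"}},
    "GET /item": {"roles": {"user", "admin"}, "services": {"service-b"}},
}

def service_a_authorize(route: str, token: str, now: Optional[float] = None) -> bool:
    """Authorization check run inside Service A for every incoming call, user or service."""
    rule = SERVICE_A_POLICY.get(route)
    claims = verify_jwt(token, now=now)
    if rule is None or claims is None:
        return False
    if claims.get("typ") == "service":
        return claims.get("aud") == "service-a" and claims.get("sub") in rule["services"]
    if claims.get("typ") == "user":
        return bool(set(claims.get("roles", [])) & rule["roles"])
    return False
```

With this, Service B never needs to forward the user's JWT to reach /GET all, and Service A's decision is made from the token it verifies itself rather than from trusting the network path.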