9

In our microservices we will have a custom authentication/authorization service, a.k.a. UAA, right? It makes sense to me to have a user controller for login, token verification or creating a user.

But there is a second use case. We also want to have some user administration for adding favorite contacts to a user, filling the profile with some additional information, user addresses and so on. For the second use case I would like to have a second microservice for that purpose. What do you recommend, or what is the best practice for that?

  1. have one microservice for user management like his profile, his contacts, credentials and also login / token providing

  2. have two microservices - one for managing user credentials and token providing (UAA) and a second for additional user info

  3. have two microservices - one for completely separate user management, and a second for authentication and token providing, which will consume the REST API of the user service if it needs some user data or has to verify user credentials

For me, option 3 is fine for that, but I would like to hear your opinions.

3 Answers

13

My recommendation is to have two microservices:

  1. One for user management like his profile, his contacts, credentials. On this microservice users will create accounts, send password reset requests and so on.

  2. One for authorization (e.g. OAuth2 with JWT tokens). This microservice will be used only for authorization (in the case of OAuth2 and JWT, to generate JWT tokens based on username/mail and password).

When a user creates an account, a request with the user's credentials and permissions will be made to the authorization microservice to notify it that a new user was created. The same goes for a user password reset or a user deletion.

The authorization microservice will receive that request and save the user's credentials and permissions in its own database, for example Redis or PostgreSQL. Every user that logs in to your service/application will first call the authorization microservice, will receive a JWT token that contains user metadata (name, role and other information), and using that token will send requests to the other microservices of your application/service, for example user management, the orders service or others.
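The token flow this answer describes, as an added example that is not part of the original answer: the authorization service signs a JWT carrying the user's name and role, and any other microservice validates it locally without calling back. The function names, the constructed HS256 shared key and the 300-second lifetime are assumptions chosen so the example runs on the Python standard library alone; with an asymmetric signature the other services would hold only the public key and could not mint tokens themselves.

```python
import base64, hashlib, hmac, json, time

# Assumption: constructed demo key; HS256 keeps the example stdlib-only.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> str:
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue_token(username, role, key=SIGNING_KEY, ttl=300, now=None):
    """Authorization service: called only after the credentials were checked."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "role": role, "iat": now, "exp": now + ttl}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return f"{signing_input}.{sign(signing_input, key)}"

def verify_token(token, key=SIGNING_KEY, now=None):
    """Any other microservice: validate locally, no call to the auth service."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token") from None
    expected = sign(f"{header_b64}.{claims_b64}", key)
    # Check the signature before parsing anything the caller controls.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise PermissionError("bad signature")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    if header.get("alg") != "HS256":  # pin the algorithm, ignore the header's wish
        raise PermissionError("unexpected algorithm")
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims

def authorize(token, required_role, now=None):
    """Per-request check in a resource service (e.g. the orders service)."""
    claims = verify_token(token, now=now)
    if claims["role"] != required_role:
        raise PermissionError("insufficient role")
    return claims
```

Because verification needs only the key, a request carrying an unexpired token is still accepted while the authorization service is unreachable; the short lifetime bounds how long a revoked user's token keeps working.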


3

All three are valid approaches. If the application has simple user management, the first approach is best. If the application has additional complex user features, the third approach is best. My opinion is a little different on the implementation of the third approach. Credentials and user profile should be maintained in the auth service, like in any standard OAuth2 authorization server. Once the user completes his/her registration with the auth server, his/her profile should be replicated to the user service. This replication should be async. Additional profile completion should be done in the user service. For authentication/authorization, an OAuth2 grant should be used with JWT.


1

In the microservice world it is not a good method to have a separate auth service for authentication, because if the auth service is down, how are you going to authenticate the user? Your entire app will crash.

Choose option 1. Make the user service handle the authentication as well. Imagine you build many microservices: each service should authenticate the user itself without depending on other services.

3 Comments

If you refrain from introducing a user microservice and let each service handle the whole AuthN + AuthZ directly with the corresponding endpoints, then you eliminate all downtimes of the user microservice from the availability equation. But either way, your AuthN (IdP) and AuthZ server endpoints remain single points of failure.
You could make the same argument against this approach. Now if your user service goes down so does your auth service. This could potentially also kill all machine-to-machine interactions as well as preventing new logins to your website and accessing resources that don't require user data.
If the entire app relies on the auth service and the auth service is down, the entire app will crash. But if each service has its own auth and the user service is down, the other parts of your app might still work. In microservices, there is not a standard design principle,
