Single Sign-On in Microservice Architecture

security cloud single-sign-on microservices paas

Solution 1:

While implementing a microservice architecture at my previous job we decided the best approach was in alignment with #1, Add identity service and authorize service access through it. In our case this was done with tokens. If a request came with an authorization token then we could verify that token with the identity service if it was the first call in the user's session with the service. Once the token had been validated then it was saved in the session so subsequent calls in the user's session did not have to make the additional call. You can also create a scheduled job if tokens need to be refreshed in that session.

In this situation we were authenticating with an OAuth 2.0 endpoint and the token was added to the HTTP header for calls to our domain. All of the services were routed from that domain so we could get the token from the HTTP header. Since we were all part of the same application ecosystem, the initial OAuth 2.0 authorization would list the application services that the user would be giving permission to for their account.

An addition to this approach was that the identity service would provide the proxy client library which would be added to the HTTP request filter chain and handle the authorization process to the service. The service would be configured to consume the proxy client library from the identity service. Since we were using Dropwizard this proxy would become a Dropwizard Module bootstrapping the filter into the running service process. This allowed for updates to the identity service that also had a complimentary client side update to be easily consumed by dependent services as long as the interface did not change significantly.

Our deployment architecture was spread across AWS Virtual Private Cloud (VPC) and our own company's data centers. The OAuth 2.0 authentication service was located in the company's data center while all of our application services were deployed to AWS VPC.

I hope the approach we took is helpful to your decision. Let me know if you have any other questions.

Solution 2:

Chris Sterling explained standard authentication practice above and it makes absolute sense. I just want to put another thought here for some practical reasons.

We implemented authentication services and multiple other micro services relying on auth server in order to authorize resources. At some point we ran in to performance issues due to too many round trips to authentication server, we also had scalability issues for auth server as number of micro services increased. We changed the architecture little bit to avoid too many round trips.

Auth server will be contacted only once with credentials and it will generate the token based on a private key. Corresponding public key will be installed in each client (micro service server) which will be able to validate the authentication key with out contacting auth server. Key contain time generated and a client utility installed in micro service will validity as well. Even though it was not standard implementation we have pretty good success with this model especially when all the micro services are internally hosted.

Related

How to change default directory in Bash for Windows 10? [closed]
Difference between console.log and sys.puts in node.js?
Why declare a function argument to be final?
Why should return parameters be named?
How can I send a GET request from my flask app to another site?
End of Central Directory record could not be found
How to extract HTTP status code from the RestTemplate call to a URL?
antlr4-Can't load Hello as lexer or parser
cannot catch SQLAlchemy IntegrityError
ReferenceError: module is not defined - Karma/Jasmine configuration with Angular/Laravel app
Equivalent to LINQ's Enumerable.First(predicate)
How to add jQuery to JSfiddle