
I am developing a web application and I am trying to design and implement a microservices architecture.
I’ve been reading a lot about authentication and authorization and I would like to know if with my design I am on the right track.

I have an API gateway that manages all the communication flow between the frontend application and the back end services.
Behind the gateway I have two microservices called identity provider and frontend microservice respectively.
The identity provider manages things such as login, registration and delivering access tokens. The frontend microservice contains an Angular app.
So, in a normal flow the user would authenticate with the identity provider, which in turn opens a login session stored in Redis and gives the session id back as a cookie. The identity provider redirects the user to the frontend service, which checks the login status stored in Redis and, only if authenticated, returns the Angular app.

So, I am not using OAuth because I think I don’t really need it at this very moment. Also I am not managing authentication at gateway level.
Is it a good approach to have a microservice for the login and Redis to store the session, so that all the other microservices can authenticate the user when needed? I see a lot of examples that implement authentication at gateway level, so is it a bad approach to delegate authentication to the microservice, in a way that the gateway only works as a router?
What do you think about this?

2 Answers


  1. Storing user sessions in Redis is not bad practice; however, using Redis for authorization/authentication purposes could result in security issues. In an ideal microservice architecture, services need to be as stateless as they can. By giving the authorization job to Redis you are creating an extra layer that you need to manage on every request. What will happen when user info changes? You will need to update Redis too, and when it is out of sync with the Authorization server, problems will start to emerge. It is also not bad practice to use a separate Authorization server behind your gateway.

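Here is the flow the question describes, as an added Python example that is neither the asker's nor the answerer's code. It stands in for Redis with an in-memory class (FakeRedis) exposing the SETEX/GET/DEL/SADD/SMEMBERS calls a real client would make, hashes passwords with PBKDF2, and keeps a per-user index of session ids (the `user_sessions:<id>` key) so that when user info changes, as this answer warns, the identity provider can drop the stale copies in the store instead of letting them drift out of sync with the user record. The class names, key names and sample users are all assumptions.

```python
import hashlib
import json
import os
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"
SESSION_TTL_SECONDS = 30 * 60


class FakeRedis:
    """Constructed in-memory stand-in for the Redis commands used here
    (SETEX / GET / DEL / SADD / SMEMBERS) so the example runs offline."""

    def __init__(self):
        self._kv = {}    # key -> (expires_at, value)
        self._sets = {}  # key -> set of members

    def setex(self, key, ttl, value):
        self._kv[key] = (time.time() + ttl, value)

    def get(self, key):
        item = self._kv.get(key)
        if item is None or item[0] <= time.time():
            self._kv.pop(key, None)  # expired entries vanish, as in Redis
            return None
        return item[1]

    def delete(self, key):
        self._kv.pop(key, None)
        self._sets.pop(key, None)

    def sadd(self, key, member):
        self._sets.setdefault(key, set()).add(member)

    def smembers(self, key):
        return set(self._sets.get(key, ()))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class IdentityProvider:
    """Owns the user table; issues opaque session ids and revokes them."""

    def __init__(self, store):
        self.store = store
        self.users = {}  # username -> record (constructed, kept in memory)

    def register(self, username, password, roles):
        salt = os.urandom(16)
        self.users[username] = {"id": len(self.users) + 1, "salt": salt,
                                "hash": hash_password(password, salt),
                                "roles": list(roles)}

    def login(self, username, password):
        """Return a Set-Cookie header value, or None when credentials fail."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(
                hash_password(password, user["salt"]), user["hash"]):
            return None
        sid = secrets.token_urlsafe(32)  # 256 random bits, no user data inside
        record = json.dumps({"user_id": user["id"], "roles": user["roles"]})
        self.store.setex(f"session:{sid}", SESSION_TTL_SECONDS, record)
        self.store.sadd(f"user_sessions:{user['id']}", sid)  # index for revocation
        return (f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
                f"Max-Age={SESSION_TTL_SECONDS}")

    def change_roles(self, username, roles):
        """Update the record, then drop every stale copy of it in the store."""
        user = self.users[username]
        user["roles"] = list(roles)
        index = f"user_sessions:{user['id']}"
        for sid in self.store.smembers(index):
            self.store.delete(f"session:{sid}")
        self.store.delete(index)


class FrontendService:
    """Second service behind the gateway: serves the app only to a live session."""

    def __init__(self, store):
        self.store = store

    def handle(self, cookie_header):
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        raw = self.store.get(f"session:{morsel.value}") if morsel else None
        if raw is None:  # no cookie, or an unknown, expired or revoked id
            return 302, "redirect to the identity provider login"
        session = json.loads(raw)
        return 200, f"angular app for user {session['user_id']} roles={session['roles']}"


def request_cookie(set_cookie_header):
    """The Cookie header a browser would send back for this Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return f"{COOKIE_NAME}={jar[COOKIE_NAME].value}"


def demo():
    """Walk the flow; returns the status codes the frontend service produced."""
    store = FakeRedis()
    idp, app = IdentityProvider(store), FrontendService(store)
    idp.register("alice", "correct horse battery staple", ["user"])
    statuses = [app.handle("")[0]]                                  # no cookie: 302
    assert idp.login("alice", "wrong password") is None
    cookie = request_cookie(idp.login("alice", "correct horse battery staple"))
    statuses.append(app.handle(cookie)[0])                          # live session: 200
    statuses.append(app.handle(f"{COOKIE_NAME}=not-a-real-id")[0])  # unknown id: 302
    idp.change_roles("alice", ["user", "admin"])                    # revokes sessions
    statuses.append(app.handle(cookie)[0])                          # stale session: 302
    return statuses
```

The frontend service never consults the identity provider on a request; it trusts only what is in the store, which is why the identity provider must be the one to revoke sessions the moment it changes a user record. With a real client the three calls map directly onto `redis.Redis().setex`, `.get`, `.delete`, `.sadd` and `.smembers`.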
  2. When you are using an API gateway, you must keep in mind that in a microservice architecture we have to handle cross-cutting concerns in the API gateway. This means that once you put some functionality like security, logging and user tracking in one place, it applies to the entire application zone, and when you want to change them, you change one place, not every microservice!!!! So, you can use OAuth2 with Spring Cloud Gateway or Zuul as an OAuth2 client and use an OAuth2 provider. After a successful login, the gateway performs TokenRelay (removes the cookie from the request, replaces it with the JWT token and sends it to your microservices). Now you can use Redis for HttpSession management in your gateway. Also, with this approach you can use multiple instances of your services.

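What the token relay described in this answer looks like end to end, as an added Python example rather than Spring Cloud Gateway's own code: the gateway resolves the browser's session cookie, mints a short-lived HS256 JWT carrying the session's identity and roles, strips the cookie and forwards the request with an Authorization header; the downstream service keeps no session state and accepts only a token whose signature, algorithm and expiry check out. The shared HMAC key, the in-memory session table and the OrderService are assumptions; a real TokenRelay forwards the access token the OAuth2 provider issued rather than minting one at the gateway, which is done here only to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

# Constructed values: a deployment would load the key from configuration and
# keep the session table in the gateway's Redis-backed HttpSession.
GATEWAY_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 300


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token, key, now=None):
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header, payload, signature = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None  # tampered header/payload or a token signed with another key
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token pick its own algorithm
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):  # malformed base64/JSON or wrong segment count
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


class Gateway:
    """Routes requests; swaps the browser's session cookie for a short-lived JWT."""

    def __init__(self, sessions, key):
        self.sessions = sessions  # sid -> {"user_id", "roles"}; stand-in for HttpSession
        self.key = key

    def relay(self, request, now=None):
        """Return the request as forwarded downstream, or None when not logged in."""
        jar = SimpleCookie()
        jar.load(request.get("headers", {}).get("Cookie", ""))
        morsel = jar.get("sid")
        session = self.sessions.get(morsel.value) if morsel else None
        if session is None:
            return None  # the gateway answers (401 or redirect); nothing is forwarded
        issued = time.time() if now is None else now
        token = mint_jwt({"sub": session["user_id"], "roles": session["roles"],
                          "iat": issued, "exp": issued + TOKEN_TTL_SECONDS}, self.key)
        headers = {k: v for k, v in request["headers"].items() if k != "Cookie"}
        headers["Authorization"] = f"Bearer {token}"  # cookie out, bearer token in
        return {"path": request["path"], "headers": headers}


class OrderService:
    """Downstream microservice: stateless, trusts only a valid bearer token."""

    def __init__(self, key):
        self.key = key

    def handle(self, request, now=None):
        auth = request.get("headers", {}).get("Authorization", "")
        claims = (verify_jwt(auth[len("Bearer "):], self.key, now)
                  if auth.startswith("Bearer ") else None)
        if claims is None:
            return 401, "missing, invalid or expired token"
        return 200, f"orders for user {claims['sub']} roles={claims['roles']}"
```

Because the service checks a signature instead of looking up a session, it can be scaled to any number of instances without sharing state, which is the point the answer makes; the trade-off is that a token stays valid until `exp`, so the TTL is kept short and any revocation still has to happen at the gateway.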