
How can one enforce authorization/authentication for microservice apps? And also, how does one achieve SSO (single sign-on) from an end user's perspective?

E.g.: Assume a shopping site which has many microservices. Once a user is authenticated in one microservice app, that user should be able to access the other microservice apps on that site seamlessly.
Like the cart app, suggestion/recommendation app, search app, etc.

  1. How to implement this kind of authorization/authentication?
  2. Will OAuth or SAML fit into this scenario?
S.L. Barth
  • What research have you done already? Why doesn't a cookie-based session work? – Neil Smithline Jul 20 '15 at 01:51
  • @NeilSmithline cookie-based authentication is most vulnerable to attacks; even if you do encryption, it will still be vulnerable to replay attack. – user1222729 Jul 20 '15 at 17:25
  • OK. But it is used by most web sites as it is well understood and well supported by browsers. Even sites that use OAUTH, 2FA, or something else to authenticate, frequently fall back to cookie-based identity for non-authentication operations. – Neil Smithline Jul 20 '15 at 18:17

1 Answer

This sounds different from what I've heard about previously. My understanding of a typical microservice architecture is that you'd have a variety of fine-grained microservices, composited together into one or more coarse-grained applications.

In that view, you would probably have a single E-Commerce Web App, which utilizes a variety of microservices in the backend (the cart service, suggestion service, search service, etc.).

If that's the case, then there's only one "App" that the user interacts with: the Web App. The user would sign into the Web App, and then the user's ID would be delivered to the various back-end microservices.

If the Web App talks to the backend services using a private interface, then you can just pass the user ID directly - it's not really any different from passing, e.g., a user ID into a database query. If you've got a public interface that you're using, then you might need to pass something like a session key around - although, that would depend on exactly what sort of public interface you have.

Note: all of this assumes that you're talking about a server-side microservice architecture, since you list "rails" as a related technology, but not anything specifically client-side. Using web APIs over Ajax is something that I'd consider to be a separate topic.

Soron
  • Your assumption about microservices is partially correct. When I say microservices, there are 2 different fine-grained microservices: 1) microservices without UI, which just use an API to exchange data, e.g. maybe a suggestion service; 2) with UI, maybe a product catalogue displayer. I am talking about the 2nd case, where the user needs to interact with different apps with a UI. – user1222729 Jul 19 '15 at 13:56
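The answer's distinction between a private interface (pass the user ID directly) and a public one (pass something the backend can verify) in code, as an added example that is not part of the question or answer: after login, the web app mints an HMAC-signed, expiring identity token, and a backend cart service acts only on a user ID it has verified from that token. The shared secret, the token format and the function names are assumptions for illustration, not anything from the thread.

```ruby
require 'openssl'
require 'json'

# Constructed demo secret shared by the web app and its backend services;
# in a real deployment it comes from a secrets store, never from source.
SHARED_SECRET = 'constructed-demo-secret-do-not-use'.freeze

# Constant-time byte comparison so a forged signature cannot be guessed
# one byte at a time from response timing.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign(payload_hex, secret)
  OpenSSL::HMAC.digest('SHA256', secret, payload_hex).unpack1('H*')
end

# Web-app side: called once the user has authenticated. The token carries
# the user ID and an expiry; the HMAC proves the web app (the only other
# holder of the secret) produced it, so a caller cannot just claim an ID.
def mint_identity_token(user_id, secret: SHARED_SECRET, now: Time.now.to_i, ttl: 300)
  payload = JSON.generate('sub' => user_id, 'exp' => now + ttl).unpack1('H*')
  "#{payload}.#{sign(payload, secret)}"
end

# Backend side: returns the user ID for an authentic, unexpired token,
# nil for anything tampered with, malformed or expired.
def verify_identity_token(token, secret: SHARED_SECRET, now: Time.now.to_i)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless constant_time_eq?(sig, sign(payload, secret))
  claims = JSON.parse([payload].pack('H*'))
  return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims['sub']
rescue JSON::ParserError
  nil
end

# A backend service handler: the verified identity, not the caller's
# claim, decides whose cart is returned.
def cart_service(token, now: Time.now.to_i)
  user = verify_identity_token(token, now: now)
  return { status: 401, body: 'unauthenticated' } if user.nil?
  { status: 200, body: "cart for #{user}" }
end
```

A bare user ID is fine only on the private interface the answer describes; on a public one, the signature and expiry are what stop a caller from substituting another user's ID or reusing an old token indefinitely.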