Ask HN: How do you handle authentication and authorization between microservices

43 pointssomtum7y ago15 comments

15 comments

Take a look at the Microprofile JWT specifications. It provides a standard set of jwt claims: https://www.eclipse.org/community/eclipse_newsletter/2017/se...

jwhitlark7y ago

https://istio.io

codegladiator7y ago

A central server which maintain all authorization information. The client can request token to access a particular service. The service verifies the token by calling the central server and gets in response the permissions available for that token. Also, a TTLed cache on the servers.

hkarthik7y ago

I assume the "central server" is actually an HA cluster of servers with consistency checking of the token data. Otherwise it sounds like a pretty bad SPOF. Any lessons you learned along the way with setting this up?

codegladiator7y ago

You are correct, single would be disaster. One of the lesson learnt, every network call is going add at least 10ms.

nickserv7y ago

System user permissions with public/private keys for lower level APIs (SSH tunnels, basically).

Centralized token services for ReST APIs

exabrial7y ago

I used to work for a company that has a solution for this exact problem: http://www.tribestream.io Great product and the people couldn't be a more diverse and all around good group of people.

jhoh7y ago

Your www link doesn't work for me.

https://tribestream.io

Rjevski7y ago

Client certs for service to service communication.

Auth tokens validated by a central entity (a bunch of servers really) for user (mobile apps, etc) to service communication.

borncrusader7y ago

JWTs are a good approach. I've also seen folks using mTLS with gRPC.

carlosdp7y ago

JWT tokens are a decent approach

toomuchtodo7y ago

Vaulted API keys with lifecycle management.

steve_taylor7y ago

Docker secrets.

matchmike13137y ago

API keys typically

segmondy7y ago

keycloak

j / k navigate · click thread line to collapse

15 comments

exabrial7y ago

Take a look at the Microprofile JWT specifications. It provides a standard set of jwt claims: https://www.eclipse.org/community/eclipse_newsletter/2017/se...

jwhitlark7y ago

https://istio.io

codegladiator7y ago

hkarthik7y ago

codegladiator7y ago

You are correct, single would be disaster. One of the lesson learnt, every network call is going add at least 10ms.

nickserv7y ago

System user permissions with public/private keys for lower level APIs (SSH tunnels, basically).

Centralized token services for ReST APIs

exabrial7y ago

I used to work for a company that has a solution for this exact problem: http://www.tribestream.io Great product and the people couldn't be a more diverse and all around good group of people.

jhoh7y ago

Your www link doesn't work for me.

https://tribestream.io

Rjevski7y ago

Client certs for service to service communication.

Auth tokens validated by a central entity (a bunch of servers really) for user (mobile apps, etc) to service communication.

borncrusader7y ago

JWTs are a good approach. I've also seen folks using mTLS with gRPC.

carlosdp7y ago

JWT tokens are a decent approach

toomuchtodo7y ago

Vaulted API keys with lifecycle management.