Authentication and Authorization Concepts for MicroServices

auth with microservices

Authentication and authorization are hard. Having to implement them only once (as you do within a monolith) instead of over and over again makes the developer happy :-), and probably leads to fewer implementation failures.

When you have a bunch of microservices, this is something that has to be considered explicitly:

implement it once, in every microservice, or something in between?

approach 1

do authentication and authorization globally

pros

  • makes developer happy :)
  • fewer implementation errors
  • less risk of forgetting to handle it at all
  • centrally defined and handled
  • smaller microservices
  • less repetition in the code of the microservices

cons

  • a service cannot have fine-grained object permissions
  • all-or-nothing authorization
  • global auth bottleneck

approach 2

do authentication globally, and authorization in every microservice

pros

  • global authentication is easier to manage/control
  • fine-grained object permissions are possible

cons

  • slightly more code in the microservices
  • needs some effort to keep an overview of what you can do with which permission
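As an added illustration of approach 2 (example code written for this page, not part of the original gist): a gateway performs the global authentication step by verifying a JWT, and the service performs its own object-level authorization on the forwarded claims. The HS256 token format, the claim names (sub, roles, exp), the shared key and the order data are all assumptions constructed for the example; the gateway rejecting a token it cannot verify and the service rejecting an authenticated caller on an object it does not own are the two decisions the approach splits.

```python
"""Added example for approach 2, not part of the original gist: authentication is done
once, globally, by a gateway that verifies a JWT; authorization is done in each
microservice, which knows its own objects and can enforce object-level permissions.

Everything below is constructed for this example: the HS256 token format, the claim
names (sub, roles, exp), the shared key and the order data. HS256 keeps the example on
the standard library; a real deployment would sign with an asymmetric key so that the
gateway only ever holds a public key.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed key shared by the token issuer and the gateway (constructed for this example).
GATEWAY_KEY = b"example-shared-secret-do-not-use"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, claims):
    """Mint an HS256 JWT. This is the identity provider's job; included so the example runs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def gateway_authenticate(key, token, now=None):
    """Global authentication step. Returns the verified claims, or None to reject.

    The gateway can decide *who* the caller is. It cannot decide whether the caller may
    touch a particular order, because it knows nothing about orders.
    """
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm instead of trusting the header; this rejects alg=none and
    # key-confusion downgrades.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if not isinstance(claims.get("sub"), str):
        return None
    return claims


# Constructed sample data owned by the orders microservice (not real).
ORDERS = {
    "o-1": {"owner": "alice", "total": 42},
    "o-2": {"owner": "bob", "total": 7},
}


def service_authorize(claims, order_id, action):
    """Per-service authorization: the object-level check only the service can make."""
    order = ORDERS.get(order_id)
    if order is None:
        return False
    roles = claims.get("roles")
    if isinstance(roles, list) and "orders-admin" in roles:
        return True  # coarse, role-based rule: this part could also live in the gateway
    if action in ("read", "cancel"):
        return order["owner"] == claims["sub"]  # fine-grained rule: needs the object itself
    return False


def handle_request(token, order_id, action, now=None):
    """Gateway first, then service. Returns an HTTP-style status for the decision."""
    claims = gateway_authenticate(GATEWAY_KEY, token, now)
    if claims is None:
        return 401  # rejected at the gateway: not authenticated
    # In a real deployment the gateway forwards the verified identity to the service
    # (e.g. as headers the service accepts only over its trusted link to the gateway).
    if not service_authorize(claims, order_id, action):
        return 403  # rejected by the service: authenticated, but not allowed on this object
    return 200


if __name__ == "__main__":
    now = 1_700_000_000
    alice = issue_token(GATEWAY_KEY, {"sub": "alice", "roles": [], "exp": now + 600})
    for order_id, action in (("o-1", "read"), ("o-2", "cancel")):
        print(order_id, action, handle_request(alice, order_id, action, now))
```

Two caveats a practitioner will want: the service must accept the forwarded identity only from the gateway (mTLS or a network policy between the two), otherwise any caller that can reach the service directly can claim to be anyone; and the "is this caller allowed on order o-2" question is exactly what a purely global scheme cannot answer, because the gateway has no idea who owns o-2.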

approach 3

do authentication in every microservice, and authorization globally

is listed only for completeness; it does not make sense -> worst of both worlds.

no fine-grained object permissions, and error-prone, tedious, repetitive authentication

approach 4

do authentication and authorization in every microservice

pros

  • fine-grained object permissions are possible
  • different user authentication mechanisms are possible for different microservices

cons

  • error-prone
  • many repetitions
  • bigger microservices
  • needs some effort to keep an overview of what you can do with which permission
  • no happy developer :-(

links


@memphys memphys commented Apr 7, 2016

Titles of the first and the last approaches are the same. I believe the first one is about doing it all globally. And there are two of "approach 3" :)


@nezygis nezygis commented Sep 3, 2016

approach 3 is mentioned twice...


@vmwinckler vmwinckler commented May 11, 2017

The second "approach 3" is "approach 4"... OK, but it is duplicated too:

approach 1 -> do authentication and authorization in every microservice
approach 3 -> do authentication and authorization in every microservice


@aehlke aehlke commented Oct 13, 2017

I think approach 1 is supposed to be "do authentication and authorization globally"


@nurgasemetey nurgasemetey commented Dec 4, 2018

Approach 5
Istio proxy sidecar with JWT. No security code in microservices


@EtachGu EtachGu commented Jan 12, 2019

So, which one is the best practice?
