Ask HN: How do you handle authentication and authorization between microservices
Take a look at the Microprofile JWT specifications. It provides a standard set of jwt claims: https://www.eclipse.org/community/eclipse_newsletter/2017/se...
A central server which maintain all authorization information. The client can request token to access a particular service. The service verifies the token by calling the central server and gets in response the permissions available for that token. Also, a TTLed cache on the servers.
I assume the "central server" is actually an HA cluster of servers with consistency checking of the token data. Otherwise it sounds like a pretty bad SPOF. Any lessons you learned along the way with setting this up?
You are correct, single would be disaster. One of the lesson learnt, every network call is going add at least 10ms.
System user permissions with public/private keys for lower level APIs (SSH tunnels, basically).
Centralized token services for ReST APIs
I used to work for a company that has a solution for this exact problem: http://www.tribestream.io Great product and the people couldn't be a more diverse and all around good group of people.
Your www link doesn't work for me.
Client certs for service to service communication.
Auth tokens validated by a central entity (a bunch of servers really) for user (mobile apps, etc) to service communication.
JWTs are a good approach. I've also seen folks using mTLS with gRPC.
JWT tokens are a decent approach
Vaulted API keys with lifecycle management.
Docker secrets.
API keys typically
keycloak