Should the Auth Server be combined with the User Service in a microservices architecture?


Question

I am currently building a microservices-based application in Spring Boot with the following services:

  • Authentication server (distributes access tokens)
  • User service (user info such as username, password, email, etc.)
  • Various other unrelated services

When a user sends their credentials to the auth server, the auth server should verify that they are correct and then return an access token.

My question is, should I combine the auth server with the user service so looking up credentials is a simple database call, or should I keep them as separate applications and have them both point to the same shared database? Is there a better alternative?

Recommended answer

What I usually do is keep them separate. Account information (first name, last name, contact data, affiliation, sex, etc.) is not related to authentication/authorization. Also, an account can have multiple authentication methods (i.e. OAuth, uname-pass, private key), which isn't really related to account data. So, I take them as separate entities. I know auth and account data seem the same, but they represent two very different things, with very different responsibilities, so I keep them separate. If one user should have to see some other user's first and last name, I wouldn't like to get the other user's credentials out of the database (a lot can go wrong).

If you are thinking of UserService from Spring Security, it goes with Auth server.

From a security standpoint, having a single point of truth (auth server) and being able to fix an issue in one place is a huge advantage.

Anyhow, IMHO, account and auth can share some properties, but they are two different things - hence I keep them separate.

Hope this helps.
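
A sketch of the separation the answer describes, added here as an illustration and not code from the original answer: profile data and credentials live in separate stores linked only by an account id, so a profile lookup never loads secrets. All class and method names are hypothetical, the in-memory maps stand in for the two services' databases, and the PBKDF2 parameters are an assumption.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SeparateAuthAndAccounts {
    // User service data: profile only, no secrets.
    record Account(UUID id, String firstName, String lastName, String email) {}
    // Auth server data: one entry per authentication method, linked by account id only.
    record Credential(UUID accountId, String method, byte[] salt, byte[] hash) {}

    static final Map<UUID, Account> accountStore = new HashMap<>();         // user service DB
    static final Map<String, Credential> credentialStore = new HashMap<>(); // auth server DB
    static final SecureRandom rng = new SecureRandom();
    static final byte[] DUMMY_SALT = new byte[16]; // used when the login name is unknown

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Auth server: attach a password credential to an existing account id.
    static void addPassword(String loginName, UUID accountId, char[] password) throws Exception {
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        credentialStore.put(loginName, new Credential(accountId, "password", salt, pbkdf2(password, salt)));
    }

    // Auth server: verify credentials; returns a random opaque token or empty on failure.
    // The hash is always computed so unknown login names do not return measurably faster.
    static Optional<String> login(String loginName, char[] password) throws Exception {
        Credential c = credentialStore.get(loginName);
        byte[] got = pbkdf2(password, c == null ? DUMMY_SALT : c.salt());
        if (c == null || !MessageDigest.isEqual(c.hash(), got)) return Optional.empty();
        byte[] token = new byte[32];
        rng.nextBytes(token);
        return Optional.of(Base64.getUrlEncoder().withoutPadding().encodeToString(token));
    }

    // User service: showing another user's name reads only the account store.
    static String displayName(UUID accountId) {
        Account a = accountStore.get(accountId);
        return a == null ? null : a.firstName() + " " + a.lastName();
    }

    public static void main(String[] args) throws Exception {
        UUID id = UUID.randomUUID();
        accountStore.put(id, new Account(id, "Ada", "Example", "ada@example.test")); // constructed sample
        addPassword("ada", id, "correct horse".toCharArray());
        System.out.println(login("ada", "correct horse".toCharArray()).isPresent());
        System.out.println(login("ada", "wrong".toCharArray()).isPresent() + " " + displayName(id));
    }
}
```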
