Microservices authentication

Problem description

Context

I have multiple services, for example:

  • Users (LDAP or Active Directory, etc...)
  • Billing
  • Planning
  • etc...
  • Authentication

I need to connect on my microservices using OAuth2.0, for beginning, using the standard login / password (I use my own data, and not getting a third leg server)

Question

Based on these pictures:

Step 1

Step 2

How can I handle access_token control or authorization control in my other services than authmicroservice?

Recommended answer

In order to manage authentication in a microservices architecture, you must have a different point of view.

Remember when you worked on a monolith, you had a single authentication process.

As an example in a PHP app, you find your user in a database with its corresponding credentials, then you created a session and the user is "authenticated".

With microservices, the workflow is kinda the same. The only thing that changes now is that you are not able to open a session in different services. Furthermore, you don't need to get the authenticated user. You only need to be sure that he is authorized to perform the current call on your microservices.

Thanks to oauth2, having a valid access_token gives you this information.

This should answer the frontend part. In the backend part (I mean behind the api gateway), you should not manage access_token because it is not relevant to microservices. You can use a functional key to find any information relevant to the user inside microservices like a uuid for example.

In order to get a uuid while using oauth2 I suggest to use openid connect too. It is used with this protocol to manage specific user information and it gives you access to a specific endpoint "/userinfo".

Hope this schema will make this answer clearer.
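
The pattern described in the answer above, as an added example that is not part of the original answer: the gateway validates the access_token, resolves the user's uuid from /userinfo, and forwards only that uuid to the backend service. The `x-user-id` header name, the scope check, the stub `introspect` and `userinfo` functions and all sample data are assumptions constructed for illustration.

```python
import time

# Constructed sample data standing in for the auth service's responses.
# Field names follow RFC 7662 introspection ("active", "scope", "exp")
# and the OpenID Connect /userinfo "sub" claim; the values are made up.
TOKENS = {
    "tok-alice": {"active": True, "scope": "billing:read", "exp": time.time() + 300,
                  "sub": "3f2b8c1e-0000-4000-8000-000000000001"},
    "tok-old": {"active": True, "scope": "billing:read", "exp": time.time() - 10,
                "sub": "3f2b8c1e-0000-4000-8000-000000000002"},
}

def introspect(token):
    """Stand-in for a call to the auth service's introspection endpoint."""
    info = TOKENS.get(token)
    return {k: info[k] for k in ("active", "scope", "exp")} if info else {"active": False}

def userinfo(token):
    """Stand-in for GET /userinfo with the access token."""
    return {"sub": TOKENS[token]["sub"]}

IDENTITY_HEADER = "x-user-id"  # hypothetical internal header name

def gateway(headers, required_scope):
    """Return (status, headers_to_forward) for one incoming request."""
    headers = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {}
    meta = introspect(token)
    if not meta.get("active") or meta.get("exp", 0) <= time.time():
        return 401, {}
    if required_scope not in meta.get("scope", "").split():
        return 403, {}
    # Drop the token and any identity header the client tried to supply,
    # then attach the uuid resolved from /userinfo.
    forward = {k: v for k, v in headers.items()
               if k not in ("authorization", IDENTITY_HEADER)}
    forward[IDENTITY_HEADER] = userinfo(token)["sub"]
    return 200, forward

INVOICES = {"3f2b8c1e-0000-4000-8000-000000000001": ["INV-1001"]}  # constructed

def billing_service(headers):
    """Backend service: never sees the access_token, keys on the uuid only."""
    return INVOICES.get(headers[IDENTITY_HEADER], [])
```

Because the backend services no longer check the token themselves, they should accept the identity header only from the gateway, for example by being reachable only on an internal network or over mutually authenticated TLS.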
