微服务的身份验证策略 [英] Microservice Authentication strategy

问题描述

我有一个很难选择的微服务架构一个体面/安全认证策略。唯一的SO张贴我的话题发现是这个：<一href=\"http://stackoverflow.com/questions/25595492/single-sign-on-in-micro-service-architecture\">Single登录微服务架构

I'm having a hard time choosing a decent/secure authentication strategy for a microservice architecture. The only SO post I found on the topic is this one: Single Sign-On in Micro Service Architecture

我在这里的想法是，在每个服务（如认证，短信，通知，配置文件等）的唯一引用每个用户（顺理成章那么他的 USER_ID ），并得到了可能性当前用户的 ID 如果loggued英寸

My idea here is to have in each service (eg. authentication, messaging, notification, profile etc.) a unique reference to each user (quite logically then his user_id) and the possibility to get the current user's id if loggued in.

从我的研究，我看到了两种可能的策略：

From my researches, I see the two possible strategies:

在这种策略中，验证程序是相互之间的一个服务。但每个服务必须能够进行转换的session_id => USER_ID 所以它必须是死的简单。这就是为什么我认为Redis的，那将存储的关键是：值 SESSION_ID：USER_ID

In this strategy, the authentication app is one service among other. But each service must be able to make the conversion session_id => user_id so it must be dead simple. That why I thought of Redis, that would store the key:value session_id:user_id.

在此策略，会话存储其实并不重要，因为它是只由认证应用程序处理。那么 USER_ID 可以转发到其他服务。我想的Rails +设计（+ Redis的或memcached的或Cookie存储等），但有吨的可能性。唯一有问题的事情是，X服务将永远不需要用户进行身份验证。

In this strategy, session storage doesn't really matter, as it is only handled by the authenticating app. Then the user_id can be forwarded to other services. I thought of Rails + Devise (+ Redis or memcached, or cookie storage, etc.) but there are tons of possibilities. The only thing that matter is that Service X will never need to authenticate the user.

如何做那些两个解决方案进行比较方面：

How do those two solutions compare it terms of:

• 安全


• 健壮性


• 扩展


• 易用

也许你会建议另一种解决方案在这里我没有mentionned？

Or maybe you would suggest another solution I haven't mentionned here?

我喜欢的解决方案＃1好，但还没有找到太多默认的实现，将保证我的事实，我在正确的方向我要去。

I like the solution #1 better, but haven't found much default implementation that would secure me in the fact that I'm going in the right direction.

我希望我的问题没有得到封闭。我真的不知道还有什么地方问问吧。

I hope my question doesn't get closed. I don't really know where else to ask it.

在此先感谢

推荐答案

根据在我的理解，一个好办法来解决它使用该协议的OAuth 2的（你可以找到关于这一点的详细信息< A HREF =htt​​p://oauth.net/2/相对=nofollow> http://oauth.net/2/ ）的

Based in what i understood, a good way to resolve it is using the protocol OAuth 2 (you can find a little more information about it on http://oauth.net/2/)

当您的用户登录您的应用程序，他们将得到一个令牌，并与此令牌，他们将能够发送到其他服务，以确定他们的要求。

When your user log in your application they will get a token and with this token they will be able to send to other services to identify them in the request.

链式微服务设计实例

Example of Chained Microservice Design

资源：

• HTTP：//$p$psos.dsyer.com/decks/微服务-security.html安全


• https://github.com/intridea/oauth2


• https://spring.io/guides/tutorials/spring - 安全和角-JS /

• http://presos.dsyer.com/decks/microservice-security.html
• https://github.com/intridea/oauth2
• https://spring.io/guides/tutorials/spring-security-and-angular-js/

这篇关于微服务的身份验证策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！