Microservice Authentication strategy
Problem description
I'm having a hard time choosing a decent/secure authentication strategy for a microservice architecture. The only SO post I found on the topic is this one: Single Sign-On in Microservice Architecture
My idea here is to have in each service (e.g. authentication, messaging, notification, profile etc.) a unique reference to each user (quite logically then his user_id) and the possibility to get the current user's id if logged in.
From my research, I see there are two possible strategies:
1. Shared architecture
In this strategy, the authentication app is one service among others. But each service must be able to make the conversion session_id => user_id, so it must be dead simple. That's why I thought of Redis, which would store the key:value session_id:user_id.
2. Firewall architecture
In this strategy, session storage doesn't really matter, as it is only handled by the authenticating app. Then the user_id can be forwarded to other services. I thought of Rails + Devise (+ Redis or memcached, or cookie storage, etc.) but there are tons of possibilities. The only thing that matters is that Service X will never need to authenticate the user.
How do those two solutions compare in terms of:
- security
- robustness
- scalability
- ease of use
Or maybe you would suggest another solution I haven't mentioned in here?
I like solution #1 better but haven't found many default implementations that would secure me in the fact that I'm going in the right direction.
Answer
Based on what I understand, a good way to resolve it is by using the OAuth 2 protocol (you can find a little more information about it on http://oauth.net/2/).
When your user logs into your application, they will get a token, and they will be able to send this token to other services to identify them in the request.
Example of Chained Microservice Design
Resources:
- http://presos.dsyer.com/decks/microservice-security.html
- https://github.com/intridea/oauth2
- https://spring.io/guides/tutorials/spring-security-and-angular-js/
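The token flow the answer describes, as an added example that is not part of the original post: the authentication service issues a bearer token carrying the user_id and an expiry, signed with an HMAC key, and any other service verifies the signature and expiry locally to recover the user_id, which removes the session_id => user_id lookup of the shared architecture. This shows the core mechanism of a signed bearer token rather than a full OAuth 2 implementation, and it assumes a symmetric key shared with every verifying service (a placeholder constant here); because any holder of that key can also mint tokens, asymmetric signatures are the better choice once services are not all equally trusted.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Key shared by the authentication service and every service that verifies tokens.
# Constructed placeholder for this example; load it from a secret store in practice.
SIGNING_KEY = 'example-signing-key-replace-me'.freeze

def b64_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# HMAC-SHA256 over the encoded payload, so the token cannot be altered without the key.
def sign(payload_b64)
  b64_encode(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), SIGNING_KEY, payload_b64))
end

# Authentication service: after login, issue "<payload>.<signature>" carrying the
# user_id ("sub") and an expiry ("exp") so no session lookup is needed downstream.
def issue_token(user_id, ttl_seconds: 900, now: Time.now.to_i)
  payload = b64_encode(JSON.generate('sub' => user_id, 'exp' => now + ttl_seconds))
  "#{payload}.#{sign(payload)}"
end

# Length check plus XOR fold: comparison time does not depend on where strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Any service X: the user_id if the token is authentic and unexpired, otherwise nil.
# The signature is checked before the payload is parsed, so untrusted JSON is never read.
def current_user_id(token, now: Time.now.to_i)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sign(payload), sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims['sub']
rescue JSON::ParserError, ArgumentError
  nil
end

if $PROGRAM_NAME == __FILE__
  token = issue_token(42)
  puts "service X sees user #{current_user_id(token).inspect}"        # 42
  puts "tampered token: #{current_user_id(token.sub(/\A./, 'Z')).inspect}" # nil
end
```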