Microservices Architecture has been gaining a lot of ground as the preferred architecture for implementing solutions as it provides benefits like scalability, logical and physical separation, small teams managing a part of the functionality, flexibility in technology etc. But these benefits come at a cost of simplicity since microservices are distributed the complexity of managing them increases.
One of the key challenges is how to implement authentication and authorization in microservices so that we can manage security and access control.
In this blog, we will try to explore a few approaches that are available and see how we should implement it.
There are three approaches that we can follow
- Local Authentication and Authorization (Microservices are responsible for Authentication and Authorization)
- Different authentication mechanisms can be implemented for each microservice.
- Authorization can be more fine-grained
- The code gets bulkier.
- The probability of each service using different authentication is very low so code gets duplicated.
- The developer needs to know the permission matrix and should understand what each permission will do.
- The probability of making mistakes is quite high.
- Global Authentication and Authorization (It is All or None approach if the authorization for a service is there then it is accessible for all else none)
- Authentication and Authorization are centralized so no repetition of code.
- A future change of authentication mechanism is easy as only one place to change the code
- Microservices code is very light and focuses on Business Logic only.
- Microservices have no control over what user can access or not, finer level permissions cannot be granted.
- Failure is centralized and will cause everything to stop working.
- Global Authentication and Authorization as a part of Microservices
- Fine-grained object permissions are possible as Microservice can decide what user will see or not.
- Global Authentication will be easier to manage as less load.
- Since Authorization is owned by Microservice no network latency and it will be faster.
- No centralized failure for authorization.
- Slight more code for developers as they have to focus on permission control.
- Needs some effort to have an overview of what you can do with which permission
In my opinion, the 3rd Option is the best one as most of the applications have a common authentication mechanism so Global authentication will make perfect sense. Microservices can be accessed from multiple applications and clients and they might have different data needs so global authorization becomes a limiting factor on what each application can see. With Local authorization, microservice can make sure that client application is only authorized to see what it needs to see.
In one of the projects that we were working on we implemented the same approach. We build an Authentication service that was mainly responsible for integration with the LDAP system for verifying the user and then contacting the RBAC (Role Based Access Control) service to populate the permission matrix based on the role user is playing in the context of the application e.g. the same user can be a normal user in one of the applications and an Admin in another. So we need to understand the context from which the user is coming in and RBAC is the place where we decode the context and populate the relevant set of permissions. The permission matrix was then sent to the microservice as a part of claims in the JWT token. Microservices only
Conclusion: The above solution where Authentication is global and microservices control authorizations of it content based on permissions that are passed to it is one of the possible solutions for handling authentication and authorization module in microservices. Also, we can enhance this solution by building a side car in service mesh kind of architecture where we offload the authorization to side car. The best benefit of this approach will be that we will take authorization as a cross cutting concern and our microservice will be kind of pure.