I'm planning to make a microservices architecture using Laravel as the backend and VueJs or maybe ReactJs as the frontend. The microservices will consist of
User authentication service (For authenticating user)
User management service (To manage organization member database)
Event management service (For creating organization event)
Etc.
All of the services will require user request to be authenticated, but using central user database, which is located on User authentication service. Eventually, on each web application, it will use at least 2 of the services.
How am I able to authenticate the user before making the request to the specified services? Thanks in advance!
Think carefully about your reasoning for developing a distributed system with a microservice architecure. Developing such a system can be complicated and might introduce more problems than it solves for you. You should consider things like code base management, data synchronisation and service availability for example. A standard monolithic architecture with the frontend (Vue/React) and backend (API) as separate projects will be simpler and may provide the flexability you need. Should the need arise in the future to develop a service orientated architecture arise, worry about it then.
That said, typically you wouldn't allow direct access to your services. There would be an API gateway which users access and it proxies requests to the relevant service. So your users would make a request to api.domain.tld/auth/login which would then be forwarded by the gateway to your auth service, process the request and then provide a failure response, or a success response which would include some sort of auth token which would be used to authorise subsequent requests to your other services. Sometimes services are aware of each other and can communicate directly if require, other times they use the API gateway for service communication.
Related
In my project, there is a mobile app, an angular web app, 4 micro services and one api gateway. The users with role 'agent' can enroll customers using the mobile app. The web app is for users with role 'manager' to see the customer data and finalize on the customer enrollment.
Here, if I want to set up Keycloak for authentication, should I add
every micro service as a separate client ?
Should I add mobile app and web app as separate clients in keycloak ?
CLIENTS
The web and mobile app must be registered as separate OAuth clients. They will have a client ID but no client secret since they are public clients. They will use PKCE and have different redirect URIs, eg:
Web: https://www.example.com/callback
Mobile: com.example.app:/callback
APIs
By default APIs do not need to be registered as clients. In most setups related microservices can just forward JWT access tokens to each other, as explained in the scopes article. This is a secure way to maintain the user identity.
APIs sometimes act as clients though, eg if they need to do something like create users in Keycloak programmatically. Identity systems provide User Management Endpoints to enable this.
So one of your APIs, eg a Users Microservice, may need to be registered as a client. It would use the client credentials flow to get an access token with a SCIM related scope.
GATEWAY
It is common, and recommended, for a gateway to act as an introspection client. This enables data in access tokens returned to internet clients to be kept confidential. Read more about this in the phantom token pattern.
Spring Cloud Zuul is most commonly used with JWT to authorize/decide if a user has access or not to a particular service. But this seems to be quite high level.
What I mean is, if there are services to which users can have full or part access, how to go about it. As an example, if there is PhotoAlubum service - which allows
certain users to view photos/albums,
certain users to edit tags/albums etc,
certain users to create new alubums and
certain users to add photos
Now from my understanding, Zuul, will either allow or deny a users access to a service. If the user has no access to the service then denying is fine. But what about above situation, if the user has access to the service but has limited authorisation, the user can still perform any of the above actions. How to handle this situation using ZUUL or Spring Security.
Edit - as a related Q - Does zuul allow url and method based access apart from service based access.
Hello fellow programmers.
I hope there are some keycloak experts out there that can help me to solve my question.
So my situation is that we have microservice platform with ~20 services which in the future should be secured using keycloak jwt tokens.
The idea is that we offer an interface for our clients where they can register themselves with a password/key pair within one realm and they should be able to use that account to access all the
services through a public facade/api.
Now to the question - how to handle the client id - in all examples each service has its own specific client id - should this in our case be the client id of the public api//facade which allows the inner services or is there better approach how to handle this without forcing the user to log in for each service...
Thanks in advance for all help and I hope you are all doing well...
Gerrit
P.s. Maybe to clarify my question further - my current understanding is that for each. service i should add a new client to my realm but my users then would need to get a token for each service/client as each client owns his own secret... and I want my users to be able to use one token for all our services.
So after wrapping my head around this issue and reading the docs:
clients
Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Keycloak.
I think to use one client for my user accounts for the whole platform is the proper way to go.
Would be perfect if one of the keycloak experts can acknowledge this.
Our current API use seesionID for the authentication. We plan to use Azure API management to manage our web api. However Azure web api management has their own authentication. How can we link those two together. Our customer can use the same logon information.
Conversations about authentication and identity in Azure API Management can get tricky because there can be three different identities and then there are the different contexts of runtime requests vs management requests. So, to be sure I'm answering the right question, let me try and get some terms defined.
The three identities:
API Provider: This is the Azure user who has created an API Management instance.
API Consumer: This is a developer who is writing some client software to consume the API.
End User: The user of the application written by the API Consumer and will be the one who actually initiates runtime requests to the API.
I am assuming that you are the API Provider. What I'm not sure about is whether your customers are the API Consumers or the End Users.
Azure API Management provides identity services for API Consumers. Consumers can either manually create a username/password account or use some social identity provider to create an account. They then can get a subscription key that will allow Azure API Management to associate requests to the API Consumer.
I think you are asking if you can connect the sessionID, which I am guessing you use to identify End Users, to a subscription key used to identify API Consumers. If that is correct, then the answer is no (except for the scenario described below), because we need to identify the API Consumer key before any policies are run to ensure we run the correct policies.
You can change our Api Consumer subscription key. So, if you only have a low quantity of customers/End Users you could create an Api Consumer account for each End User. However, you would only be able to map sessionID to API Consumer Subscription Key if sessionID was a constant value. I'm presuming based on the name, that value changes at each login.
Although Azure API Management provides identity services of API Consumers, it does not provide full identity management for End Users. We leave that to external partners like Azure AD, Thinktecture Identity Server and Auth0. I'm assuming that your existing system is already using some kind of identity provider to generate the sessionId. What you can do with Azure API Management is validate that sessionId using policies in the API Management Gateway. To do that we would need to know more about the format of the sessionId.
Sorry for the long post but it is a confusing topic and I wanted to be as clear as possible.
I am setting up an API for a mobile app (and down the line a website). I want to use oAuth 2.0 for authentication of the mobile client. To optimize my server setup, I wanted to setup an oAuth server (Lumen) separate from the API server (Laravel). Also, my db also lives on its own separate server.
My question is, if using separate servers and a package like lucadegasperi/oauth2-server-laravel do I need to have the package running on both server?
I am assuming this would be the case because the oAuth server will handle all of the authentication to get the access token and refresh access token functions. But then the API server will need to check the access token on protected endpoints.
Am I correct with the above assumptions? I have read so many different people recommending the oAuth server be separate from the API server, but I can't find any tutorials about how the multi-server dynamic works.
BONUS: I am migrating my DB from my API server, so I would assume I would need the oAuth packages migrations to be run from the API server also. Correct?