Identity in our microservices application
- As of now we have built two microservices:
  - catalog service
  - basket service
- We need to add some more services:
  - order service
  - payment service
- We need to build a web application which will internally access these microservices; later we can extend this to a mobile app.
- We need a service that authenticates users. There is also inter-service communication (order service calling payment service, for example), which needs to be authenticated as well.
- For this we need an identity service that handles authentication and authorization for users, and also lets services establish secure, authenticated communication with each other.
- Let's try to understand the OAuth 2.0 and OIDC (OpenID Connect) specifications.
- OAuth 2.0 spec (RFC 6749): Refer Here
- OIDC spec (OpenID Connect Core 1.0): Refer Here
- OAuth 2.0 is an authorization framework: it lets a client obtain limited, delegated access to a protected resource, either on behalf of a user or (between services) on its own behalf. On its own it does not tell the client who the user is; that is the job of OIDC.
- To understand OAuth better, refer to the classroom video, where we have used the resume-building website as an example.
- OAuth terminology
  - Resource -> Protected Resource (the data or API being guarded)
  - Resource Owner -> the entity, usually the end user, that owns the protected resource and can grant access to it
  - Resource Server -> the server that is hosting protected resources (in our case the catalog, basket, order and payment services)
  - Client -> an application trying to access the protected resource (the web application, or another service)
  - Authorization Server -> the server issuing access tokens to the client (our identity service)
- Refer Here for the different flows (grant types) and how difficult each one is to implement.
Authorization Code Flow
- In the flow diagram, step 5 returns an authorization code to the client (via the browser redirect). The client then exchanges that code with the authorization server on the back channel, proving it is the same client with its client secret and/or a PKCE code verifier, and only then receives the access token. In the implicit flow the access token is returned directly in the redirect, with no exchange step.
- The client then uses the access token to access the protected resource.
- This access token has to be short-lived. The implicit flow is no longer recommended: the access token is exposed in the browser URL and cannot be bound to the client, so for browser and mobile clients use the authorization code flow with PKCE (RFC 7636).
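The authorization code flow with PKCE, end to end, as an added example (this is not code from the course material or from any identity product). Both the client and a toy authorization server live in one file so that the browser redirects become plain function calls; the client id `webapp`, the redirect URI, the `basket.read` scope and the token lifetimes are assumptions for the illustration. It also shows the two properties the text calls for: the code is single use, and the access token stops working after its short lifetime.

```python
"""Authorization code flow with PKCE (RFC 7636), simulated offline.

Added example, not part of the course notes: client, toy authorization server
and basket resource server all live here, so redirects are function calls.
Client ids, redirect URIs, scope names and lifetimes are assumptions.
"""
import hashlib
import secrets
import time
from base64 import urlsafe_b64encode

TOKEN_TTL = 600   # access token lifetime in seconds (assumed: short-lived)
CODE_TTL = 60     # authorization code lifetime in seconds (assumed)


def b64url(data):
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """The client keeps the verifier and sends only its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    def __init__(self):
        # registered clients (assumed); redirect_uri must match exactly
        self.clients = {"webapp": {"redirect_uri": "https://shop.example/callback"}}
        self._codes = {}    # one-time code -> pending grant
        self._tokens = {}   # opaque access token -> grant

    def authorize(self, client_id, redirect_uri, code_challenge, scope, user, now):
        """Front channel: user has logged in and consented; hand back a code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge,
                             "scope": scope, "sub": user, "expires": now + CODE_TTL}
        return code

    def token(self, client_id, code, code_verifier, now):
        """Back channel: exchange the code for an access token; code is single use."""
        grant = self._codes.pop(code, None)   # pop: a replayed code is gone
        if grant is None or grant["client_id"] != client_id or now > grant["expires"]:
            raise PermissionError("invalid_grant")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, grant["challenge"]):
            raise PermissionError("invalid_grant: PKCE verifier does not match")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = {"scope": grant["scope"], "sub": grant["sub"],
                                      "expires": now + TOKEN_TTL}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def introspect(self, access_token, now):
        """Resource servers ask whether an opaque token is still active (RFC 7662)."""
        grant = self._tokens.get(access_token)
        if grant is None or now > grant["expires"]:
            return {"active": False}
        return {"active": True, **grant}


def basket_service(auth, access_token, now):
    """Resource server: 401 unless the token is active and carries basket.read."""
    info = auth.introspect(access_token, now)
    if not info["active"] or "basket.read" not in info["scope"].split():
        return 401, None
    return 200, {"owner": info["sub"], "items": ["catalog-item-1"]}


def token_rejected(auth, code, verifier, now):
    """True if the token endpoint refuses this code/verifier pair."""
    try:
        auth.token("webapp", code, verifier, now)
        return False
    except PermissionError:
        return True


def run_flow(now):
    auth = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    # 1. client redirects the user to /authorize carrying the challenge
    code = auth.authorize("webapp", "https://shop.example/callback", challenge,
                          "basket.read", "alice", now)
    # 2. the code comes back on the redirect; client exchanges it with the verifier
    tok = auth.token("webapp", code, verifier, now)
    # 3. client calls the basket service with the bearer token
    status, body = basket_service(auth, tok["access_token"], now)
    # 4. replaying the code fails, and the token stops working once it expires
    expired_status, _ = basket_service(auth, tok["access_token"], now + TOKEN_TTL + 1)
    return {"status": status, "owner": body["owner"] if body else None,
            "replay_rejected": token_rejected(auth, code, verifier, now),
            "expired_status": expired_status}


def intercepted_code_is_useless(now):
    """Stealing the code from the redirect is not enough without the verifier."""
    auth = AuthorizationServer()
    _, challenge = make_pkce_pair()
    code = auth.authorize("webapp", "https://shop.example/callback", challenge,
                          "basket.read", "alice", now)
    return token_rejected(auth, code, "attacker-guess", now)


if __name__ == "__main__":
    print(run_flow(int(time.time())), intercepted_code_is_useless(int(time.time())))
```

The access token here is opaque and checked by introspection; the alternative is a self-contained signed JWT that the resource server validates locally. Either way the resource server must check expiry and scope, not just that a token is present.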
Client Credentials Flow
- This is used when the client is a confidential client (it can keep a client secret safely) and is acting on its own behalf, with no end user involved: the client authenticates with its client_id and client_secret and is issued an access token directly, limited to the scopes registered for that client.
- In microservices each service is a confidential client and is well trusted, so service-to-service calls (for example the order service calling the payment service) use this flow. Refer Here
Open ID Connect (OIDC)
- This is built on top of OAuth 2.0: it adds an ID token (a signed JWT with claims such as iss, sub, aud, exp and nonce) and a userinfo endpoint, so the client learns who the user is and when they authenticated. OAuth 2.0 on its own issues access tokens for authorization; OIDC is what gives us authentication. The ID token is meant for the client that requested the login (its aud is the client id), and should not be sent to resource servers as if it were an access token.
- Refer Here
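One file covering both the client credentials flow above and the OIDC ID token, as an added example (not the course's code and not any identity product's implementation). Tokens are HS256 JWTs signed with a shared secret purely so the example runs stand-alone; a real identity service signs with an asymmetric key that resource servers fetch from its JWKS endpoint. The issuer URL, the `order-service`/`payment-service`/`webapp` client ids, the secret, scopes and lifetimes are all assumptions. It shows a service obtaining a token with its client secret, the payment service checking signature, issuer, audience, expiry and scope, and a relying party validating an ID token including the nonce; the failure cases (wrong secret, extra scope, tampered token, ID token used as an access token) are what a practitioner should confirm their own validation rejects.

```python
"""Client credentials flow plus an OIDC ID token, simulated offline.

Added example, not the course's code. HS256 with a shared secret is used only
to stay self-contained; production uses asymmetric keys and a JWKS endpoint.
Issuer URL, client ids, secrets, scopes and lifetimes are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://identity.example"             # assumed identity service URL
SIGNING_KEY = b"demo-signing-key-do-not-reuse"  # assumed shared secret


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key=SIGNING_KEY):
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key, expected_iss, expected_aud, now):
    """Signature first, then iss/aud/exp; anything wrong is a PermissionError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    if json.loads(_unb64url(header)).get("alg") != "HS256":  # pin the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(payload))
    aud = claims.get("aud")
    if claims.get("iss") != expected_iss:
        raise PermissionError("wrong issuer")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("expired")
    return claims


class IdentityServer:
    # confidential clients registered with the identity service (assumed data)
    CLIENTS = {"order-service": {"secret": "order-secret", "scopes": {"payment.charge"}}}

    def client_credentials_token(self, client_id, client_secret, scope, now):
        """grant_type=client_credentials: no user; the token represents the service."""
        client = self.CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            raise PermissionError("invalid_client")
        if not set(scope.split()) <= client["scopes"]:
            raise PermissionError("invalid_scope")  # a client cannot mint extra scopes
        return sign_jwt({"iss": ISSUER, "sub": client_id, "aud": "payment-service",
                         "scope": scope, "iat": now, "exp": now + 300})

    def id_token(self, user, client_id, nonce, now):
        """OIDC ID token: who authenticated, for which client, bound to the nonce."""
        return sign_jwt({"iss": ISSUER, "sub": user, "aud": client_id, "nonce": nonce,
                         "auth_time": now, "iat": now, "exp": now + 3600})


def payment_service_charge(token, now):
    """Resource server: token must be for *this* audience and carry payment.charge."""
    claims = verify_jwt(token, SIGNING_KEY, ISSUER, "payment-service", now)
    if "payment.charge" not in claims.get("scope", "").split():
        raise PermissionError("insufficient_scope")
    return {"charged_by": claims["sub"]}


def webapp_login(idp, user, now):
    """Relying party: send a fresh nonce, accept the ID token only if it echoes it."""
    nonce = secrets.token_urlsafe(16)
    token = idp.id_token(user, "webapp", nonce, now)
    claims = verify_jwt(token, SIGNING_KEY, ISSUER, "webapp", now)
    if claims.get("nonce") != nonce:
        raise PermissionError("nonce mismatch: replayed ID token")
    return claims["sub"]


def rejects(fn, *args):
    """True if the call is refused with PermissionError (shows the failure cases)."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    idp = IdentityServer()
    svc = idp.client_credentials_token("order-service", "order-secret", "payment.charge", 1000)
    print(payment_service_charge(svc, 1000), webapp_login(idp, "alice", 1000))
```

Note the order of checks in `verify_jwt`: the signature is verified before any claim is trusted, the algorithm is pinned rather than read from the token, and audience is checked so a token minted for the payment service cannot be replayed against the basket service (or an ID token against either).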