How to implement an authentication service in a SOA project

Viewed 651 times

0

I am developing a project using SOA where I have a web application made in Angular 2 and several microservices in Spring Boot. Among the services there are authentication and notification services that could be shared with other applications. About implementing the authentication service I have the following questions:

  • What is the best authentication method for this scenario, and how does it work?

  • Using token authentication, would it be recommended to check the token with the authentication service on requests made to other services? (For example, create a filter in the other services where, for each request, the token is extracted from the header and then sent to the authentication service; if it is valid, the user information is returned, otherwise status 401.)

  • Must user information be persisted in the authentication service?

1 answer

1

Since you are working with Angular using the SPA (Single Page Application) pattern, your system talks over HTTP directly with the server.

Today the most widely used protocol for this scenario is OAuth 2.0. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web apps, desktop apps, mobile phones, and devices.

For more information on OAuth 2.0:

https://spring.io/guides/tutorials/spring-boot-oauth2/

As for your question, OAuth 2.0 validates the token in order to run the APIs. However, this validation service lives on the OAuth server and can be called by any application. The ideal for this scenario is to have an API gateway at the front playing this role of proxying and security (applying OAuth policies). Since you are using Spring Boot, Spring Cloud's Zuul project works as an API gateway.

As for the OAuth server, you can have the OAuth resource server itself using Spring's own dependencies:

http://www.baeldung.com/rest-api-spring-oauth2-angularjs

If it is possible to outsource authentication, you can use the Facebook or Google OAuth resource providers, as many web/mobile applications do today.

If you are creating your own OAuth server, the standard methods should be implemented, and for this you need to access customer information for authentication/authorization. Therefore, customer information must be persisted in some way. How OAuth accesses this information depends on the structure that exists within your current architecture.
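The per-service filter described in the question's second point, as an added example (not code from the answer, from Spring, or from the asker's project): a plain servlet filter that each Spring Boot microservice registers, which sends the bearer token to the authentication service's token-introspection endpoint and answers 401 unless the service reports the token as active. The endpoint URL, the credentials this resource server presents to the authentication service, and the shape of the reply (an RFC 7662 style `active`/`username` JSON object) are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.*;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

public class TokenIntrospectionFilter implements Filter {
    // Hypothetical introspection endpoint of the authentication service and the hypothetical
    // credentials this resource server presents when calling it (both are assumptions).
    private static final String INTROSPECT_URL = "http://auth-service/oauth/introspect";
    private static final String CLIENT_BASIC_AUTH = "Basic <base64 of client-id:client-secret>";
    private final RestTemplate rest = new RestTemplate();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String auth = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing bearer token");
            return;
        }
        // Ask the authentication service about the token; it answers {"active": true/false, ...}.
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.set(HttpHeaders.AUTHORIZATION, CLIENT_BASIC_AUTH);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", auth.substring("Bearer ".length()).trim());
        Map<?, ?> info;
        try {
            info = rest.postForObject(INTROSPECT_URL, new HttpEntity<>(form, headers), Map.class);
        } catch (RestClientException e) {
            // Fail closed: an unreachable authentication service must not let requests through.
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Auth service unavailable");
            return;
        }
        if (info == null || !Boolean.TRUE.equals(info.get("active"))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid or expired token");
            return;
        }
        request.setAttribute("username", info.get("username")); // user info for downstream handlers
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

With an API gateway in front, as the answer recommends, this same check runs once at the gateway instead of being repeated in every service.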

  • Is there any graphic representation or sequence diagram of this method? This way all requests to other servers would be forced to validate the token with the authentication server?

  • The definition of the authorization flow comes from the OAuth 2.0 protocol itself. Here is an interesting link with the step diagram: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
