Best Practice Microservice Authorization
Hi, I was hoping for some clarification on the proper way to handle microservice authorization. I have been trying to research the structure but haven't found a lot of great resources. From my understanding there are 2 possible flows.
Flow 1 - Authorization server provides a token to the user on login. All other API services requested then check for a token. Once it sees a token, it would ask the authorization server to check that it is valid and, if it is valid, which user it is.
Flow 2 - Authorization server provides a token. All API requests for other services go to the authorization server, which then hits the other API service and returns the needed data.
My questions on this are:
Which flow is best standard practice?
What is the best way to structure user data in the other API services? Should they just have the standard user_id on a table and, once the token is proven good, ask for a user_id from the authorization server?
(Flow 1) - Is there any way to skip going back and forth between the APIs and the authorization server on every request, such as storing an id or a marker for that user in a session, or is this bad practice and unsafe?
I know this is a lot of questions but I want to make sure I have a firm handle on the structure and flow. Thanks for any help.
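As an added example (not part of the original question), here is the locally verifiable token that answers the Flow 1 round-trip question: the authorization server signs a short-lived token carrying the user id, and each API service checks the signature and expiry itself instead of calling back for every request. It assumes a shared HMAC secret for brevity; all names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret shared by the authorization server and the API
# services. In production prefer an asymmetric key pair so services hold
# only the public (verify) key and cannot mint tokens themselves.
SECRET = b"constructed-example-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Authorization server side: mint a signed token with user id and expiry."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """API service side: validate locally, return the user id or None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison, so a forged signature leaks no timing info.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        # Reject anything past its expiry; short lifetimes bound the
        # window in which a revoked user can still present a valid token.
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims["sub"]
    except (ValueError, KeyError, AttributeError, TypeError):
        # Malformed base64, JSON, or token shape: treat as invalid.
        return None
```

The trade-off is revocation: a locally verified token stays valid until it expires, so keep the lifetime short, or keep the round trip (Flow 1 as described) for sensitive operations.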