How to do authorization in an authentication microservice?

I am developing an auth service (NodeJS) that handles authentication and authorization.

I have two endpoints:

/auth-token

Client apps can fetch auth tokens (JSON web tokens) via POST. The auth service stores each generated JSON web token in its database.

/authorize

Other services within the SOA will verify auth tokens (from Authorization headers) at this endpoint.

Implementation of /authorize

I am not sure about the logic behind the /authorize endpoint.

Method I

  • Get the auth token from the Authorization header.
  • Do a DB lookup of the token and see if it exists and has not expired.

Method II

  • Have a user database within the auth service and store all user info coming to the /auth-token endpoint.
  • During authorization via /authorize, if the token has not expired, decode the token.
  • Get the user info and do a DB lookup to see if they exist in the user DB.

Or some other way. Please let me know.
