I want to build a microservices architecture. It's supposed to have 13 microservices and 3 clients (2 web and 1 mobile).
In our scenario we have:
- Employees: Access to specific and shared services and their credentials are stored in Active Directory;
- Administrators: They are employees with full access. They have specific and shared services and their credentials are stored in Active Directory;
- Customers: Access to specific and shared services and their credentials are stored in the Identity microservice.
We're going to have an API Gateway.
Every request is handled by the API Gateway, which should (or should invoke the component responsible for it to) check whether the token of the request is valid, identify whether it is a customer, employee or admin, and check whether this user has permission to access the requested API/microservice.
I have some misconceptions about this solution, so I'd appreciate some help with:
- What are API Gateway responsibilities?
- What are Identity microservice responsibilities?
- How to define which APIs/microservices an employee, a customer and an admin can or cannot access?
- How to identify whether a given user is a customer, an employee or an admin?
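An added example (not part of the question above) of the gateway check the question describes: validate the token, classify the caller as customer, employee or admin, and enforce a per-route policy. It assumes two token issuers, an AD-backed identity provider for employees/admins and the Identity microservice for customers, each identified by its `iss` claim, and uses HS256 shared secrets and a constructed route policy purely for illustration; the issuer URLs, key material, the `groups` claim and the `ROUTE_POLICY` table are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed example: one signing key per token issuer (assumption: HS256 shared secrets;
# a production gateway would verify RS256/ES256 signatures against the issuer's JWKS).
AD_ISSUER = "https://ad-idp.example.internal"          # employees and administrators (AD-backed)
IDENTITY_ISSUER = "https://identity.example.internal"  # customers (Identity microservice)
ISSUER_KEYS = {
    AD_ISSUER: b"constructed-ad-idp-secret",
    IDENTITY_ISSUER: b"constructed-identity-ms-secret",
}

# Constructed route policy: which user class may reach which downstream service prefix.
ROUTE_POLICY = {
    "/orders": {"customer", "employee", "admin"},
    "/payroll": {"employee", "admin"},
    "/admin": {"admin"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; used here only to build sample tokens for the example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Check structure, algorithm, issuer, signature and expiry; return claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed token")
    # Pin the algorithm: the token must not choose it (rejects alg=none / algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported algorithm")
    # Select the verification key from the issuer claim, never from a header supplied by the caller.
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def classify(claims: dict) -> str:
    """Map verified claims to customer / employee / admin using the issuer and group membership."""
    if claims["iss"] == IDENTITY_ISSUER:
        return "customer"
    # Assumption: the AD-backed IdP copies the user's AD group membership into a "groups" claim.
    groups = claims.get("groups", [])
    if isinstance(groups, list) and "Administrators" in groups:
        return "admin"
    return "employee"


def authorize(token: str, path: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Gateway decision for one request: (allowed, reason). Unknown routes are denied by default."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    role = classify(claims)
    prefix = "/" + path.lstrip("/").split("/", 1)[0]
    allowed_roles = ROUTE_POLICY.get(prefix)
    if allowed_roles is None:
        return False, f"no policy for {prefix}"
    if role not in allowed_roles:
        return False, f"{role} may not access {prefix}"
    return True, f"{role} {claims.get('sub')} -> {prefix}"


if __name__ == "__main__":
    now = 1_700_000_000
    employee = sign_token({"iss": AD_ISSUER, "sub": "alice", "groups": ["Staff"], "exp": now + 600},
                          ISSUER_KEYS[AD_ISSUER])
    print(authorize(employee, "/payroll/2023", now))
    print(authorize(employee, "/admin/users", now))
```

The split of responsibilities the code implies is the usual one: the issuers (AD-backed IdP and Identity microservice) authenticate users and mint tokens, while the gateway only verifies tokens and applies coarse, per-route policy; anything finer than "which class of user may reach which service" is better decided inside the service that owns the data.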