I have a microservice architecture that uses GraphQL. It has a GraphQL gateway, which uses schema stitching to combine all GraphQL schemas.
I'm planning to implement Authentication and Authorization as follows:
- Authentication - Tokens are validated by a third party (AWS Cognito)
- Decoding - I want to do this at the gateway level. This is a huge benefit: it will eliminate a lot of logic across multiple microservices. This also makes it easy to migrate in case we need to change the provider (Auth0?). Plus
- Authorization in services - All the services have to manage is authorization and business logic
Are there any pitfalls that I'm missing here? Could this be a bad idea?