
It's clear to me how user authorization works in a microservice architecture (API Gateway for handling auth, SSO, an authorization microservice and so on). Now I'm thinking about authorization of requests between microservices. And there is one question: which options do I have in the case when I don't have a user?

For example, an analytics service which requests data from billing and builds complex reports. There is no user, but do I need to authorize the request from the analytics service to billing?

I know that there can be endless tokens, but I think it's not a good idea. What other options are there for authorizing requests between services?


1 Answer


In the OAuth2 specification there is such a thing called a machine-to-machine token, which is different from the password credentials flow, which refers to your user authorization.

To create a machine-to-machine token you should implement a flow called the client credentials flow. In this flow basically all services have a specific client id and client secret, and with those you make a call to your central OAuth server to get a token. As it is also required to configure client details in the central service, you will have authorization between client calls in terms of which client could call which others. There are also configurations for the time to live of each token.

If you already have the OAuth2 setup on your side it might be easy to introduce this new flow. But if you don't, implementing such a thing on your side with your own setup could be tricky. Please check https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2#grant-type-client-credentials
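To make the client credentials flow described in the answer concrete, here is an added, self-contained Python sketch (not part of the original answer or of any OAuth library) showing both halves: the central authorization server authenticating a service by client id/secret and minting a short-lived token whose scope encodes which downstream service it may call, and the resource service (billing) verifying signature, audience, expiry and scope before serving the request. Assumptions: the client registry and secrets are constructed for the example, tokens are signed with an HMAC key shared between the auth server and the resource service (a real deployment would normally use an asymmetric key so resource services only hold a public key), and the token format is a compact `payload.signature` rather than a full JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Central OAuth server side --------------------------------------------

# Signing key. Shared with the resource service in this example (HMAC);
# this is an assumption made to keep the example offline and stdlib-only.
SIGNING_KEY = secrets.token_bytes(32)


def _hash_secret(secret, salt):
    """Salted, slow hash so the registry never stores a raw client secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _register(secret, allowed_scopes):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "secret_hash": _hash_secret(secret, salt),
            "allowed_scopes": set(allowed_scopes)}


# Constructed client registry: every service has its own id and secret, and the
# allowed scopes are the allow-list of which downstream APIs it may call.
# Secrets are literals here only so the example runs offline.
CLIENT_REGISTRY = {
    "analytics-service": _register("analytics-secret-CONSTRUCTED", {"billing:read"}),
    "notification-service": _register("notify-secret-CONSTRUCTED", {"mail:send"}),
}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64):
    return _b64(hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest())


def issue_token(client_id, client_secret, scope, audience, now=None, ttl=300):
    """Client credentials grant: authenticate the calling service and mint a
    short-lived access token. Returns None if the request is refused."""
    now = time.time() if now is None else now
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return None
    candidate = _hash_secret(client_secret, client["salt"])
    if not hmac.compare_digest(candidate, client["secret_hash"]):
        return None
    requested = set(scope.split())
    if not requested <= client["allowed_scopes"]:
        return None  # this client is not allowed to call that service
    claims = {"sub": client_id, "aud": audience,
              "scope": " ".join(sorted(requested)),
              "iat": int(now), "exp": int(now) + ttl}  # ttl = token lifetime
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"


# --- Resource (e.g. billing) service side ---------------------------------

def verify_token(token, required_scope, audience, now=None):
    """Return (client_id, None) when the token is valid for this service and
    scope, otherwise (None, reason). Signature is checked before anything else."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(payload)):
        return None, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims["aud"] != audience:
        return None, "wrong audience"
    if now >= claims["exp"]:
        return None, "expired"
    if required_scope not in claims["scope"].split():
        return None, "insufficient scope"
    return claims["sub"], None


if __name__ == "__main__":
    # The analytics service obtains a token, then billing validates it.
    tok = issue_token("analytics-service", "analytics-secret-CONSTRUCTED",
                      "billing:read", "billing")
    print(verify_token(tok, "billing:read", "billing"))   # ('analytics-service', None)
    print(verify_token(tok, "billing:write", "billing"))  # (None, 'insufficient scope')
```

Two design points worth noting: the per-client allow-list of scopes is what gives the "which client may call which other" authorization the answer mentions, and the `exp` claim plus a short `ttl` is what replaces the "endless tokens" the question worried about, since a stolen token stops working after a few minutes and the service simply requests a fresh one with its credentials.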