I'm currently working on a project using microservices for the first time. Here is the architecture I came up with:
- A Laravel Web Application Server
- An Api Gateway
- An Authentication server
- Protected Micro Services
First I thought about using Oauth 2.0 and OpenID Connect Protocoles, with the Laravel Web App Server being the Oauth 2.0 Client ( OpenID Connect Relying Party ), and the protected microservices being the resource servers.
Oauth 2.0 is for authorizing access to protected resources, using an access token ( and a refresh token optionally ) and the OpenID Connect is an authentication protocole built on top of Oauth2 in order to provide third-party clients with access to basic user data ( through the user-endpoint ) and allow them to verify the user identity, and it uses ID Tokens, which contains claims about the user, unlike the access token who does not have any information about the user.
That is clear and understandable for the case where clients are third-party applications, but when the client is a first-party application, like a Laravel web application that I am developing for example, I am a bit confused about how I should approach the authentication procedure. I have two options, so please let me know if I am misunderstanding something.
Option 1: Implementing the Resource Owner Password Grant Flow ( Following the Oauth 2.0 and OpenID Connect )
I can use this flow since the client ( The Laravel Server ) is not a third-party application and can be trusted with the users credentials, so basically, the flow is like the following:
- The user enters his email and password, which are sent from the Laravel Server to the Auth Server through the API Gateway.
- Auth Server returns an Access Token and an ID Token.
- When the user tries to access resources available in the protected resource servers ( micro service 1, 2 and 3 ), the request is sent from the Laravel Client to the API Gateway and before it's sent to the micro service, the API Gateway forwards the request to the Auth Server to validate the token.
- If it's valid, the request is sent to the target micro service, with the ID Token and the micro service can identiy the user.
Option 2: Using only one JWT Token.
This one seems easier to me and makes much more sence than implementing OpenID Protocole and Oauth 2.0 by using the Resource Owner Flow.
The user tries to log in, the request is sent to the Auth Server. The Auth Server returns a JWT Token containing informations about the user. Then requests are sent directly through the API Gateway to the micro services.
Maybe I am misunderstanding something but if I am not and the two options are possible, my question is why bother following the resource owner password credentials flow if you trust the OpenID Connect Relying Party ( Oauth 2.0 Client ) with the user credentials. Why not just provide it with a token that has user informations instead of an access token and an id token ? Maybe it's a more secure approach ?
I look forward to some clarifications.