In our environment (as in many others), it is common for one microservice to call another to perform a task.
In our environment, authentication is clear enough: we have a signed JWT containing a list of permissions and roles, as well as a user ID, a client ID, and so on.
What we understand less well is authorization – ensuring that the authenticated client can (or cannot) do the right things, but that the underlying services have all the access they need to do their job (even if the client would not be able to do the same things directly).
We examined different options:
- Each service performs its own authorization and, if an elevation of privilege is required, it generates a "God mode" token with an otherwise unchanged payload and a different key pair and makes the call with it. The main concern here is copy/pasted permission code, and the fact that there will be a strong incentive to always enable God mode during inter-service calls (which makes it somewhat redundant).
- Each service performs its own authorization and simply forwards the user's token when it has to make a call. The concern here is code duplication as in Option 1, as well as the fact that it may create a complex interdependent web of permissions that require other permissions that require other permissions that … (ad nauseam), creating a maintenance headache as the number of services increases.
- A lightweight API gateway service that performs "simple" authorization (nothing more advanced than "is this client allowed to use this endpoint?"), attaches a user object to the payload, and leaves more specific behaviour to the underlying services, which treat any call that reaches them as already allowed through the door. Performance and stability are the main problem with this option: the API gateway service creates a single point of failure that can render the entire system inaccessible in the event of a malfunction, in addition to creating a frequently modified dependency for every service.
The question here is twofold:
- Are there any additional pitfalls to the three models described above that we did not take into account?
- Which of them is the most common in the wild?
Note that this question is not about service mesh offerings like Istio, because we consider them somewhat orthogonal to this question.
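The following is an added example, not code from the question or from the environment it describes. It shows Options 1 and 2 side by side on a callee: a forwarded user token (Option 2) is checked against the permissions it carries, while an elevated service token (Option 1) is signed with a separate key and trusted for the call. It departs from the question's "otherwise unchanged payload" in one deliberate way: the elevated token is bound to a single audience and a short lifetime, which is the check a callee wants before it accepts elevation. All keys, claim names (`permissions`, `aud`, `kid`), service names and the sample user are constructed assumptions; HMAC secrets stand in for the key pairs so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for the example. The question's services use key pairs;
# HMAC secrets stand in here so the block runs with the standard library only.
KEYS = {
    "user": b"user-token-key-assumption",        # issued by the auth server to clients
    "service": b"service-token-key-assumption",  # held only by the services themselves
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(payload: dict, kid: str) -> str:
    """HS256-sign payload with the key named by kid; kid travels in the header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, audience: str, now: float) -> dict:
    """Check algorithm, key id, signature, expiry and audience; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # The token must not get to choose its own algorithm or an unknown key.
    if header.get("alg") != "HS256" or header.get("kid") not in KEYS:
        raise ValueError("unexpected alg or kid")
    expected = hmac.new(KEYS[header["kid"]], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    claims["_kid"] = header["kid"]  # which key verified it decides how the callee treats it
    return claims


def mint_service_token(user_claims: dict, caller: str, callee: str, now: float, ttl: int = 30) -> str:
    """Option 1 elevation: keep the user's claims, sign with the service key, but bind the
    token to one callee and a short lifetime so it cannot be replayed elsewhere or later."""
    claims = {k: v for k, v in user_claims.items() if not k.startswith("_")}
    claims.update({"iss": caller, "aud": callee, "iat": now, "exp": now + ttl})
    return sign_jwt(claims, "service")


def authorize(token: str, permission: str, me: str, now: float) -> dict:
    """Callee-side decision. A user token (Option 2) must itself carry the permission;
    a service token (Option 1) is trusted for the call, but the issuing service and the
    user it acts for are recorded so the elevation is visible in logs."""
    try:
        claims = verify_jwt(token, me, now)
    except ValueError as e:
        return {"allowed": False, "reason": str(e)}
    if claims["_kid"] == "service":
        return {"allowed": True, "mode": "service", "sub": claims.get("sub"), "iss": claims.get("iss")}
    allowed = permission in claims.get("permissions", [])
    return {"allowed": allowed, "mode": "user", "sub": claims.get("sub"),
            "reason": None if allowed else f"missing {permission}"}


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk one order placement through both options with constructed data."""
    user_token = sign_jwt({"sub": "u123", "client_id": "web", "permissions": ["orders:create"],
                           "aud": ["orders", "inventory"], "exp": now + 300}, "user")
    at_orders = authorize(user_token, "orders:create", "orders", now)
    # Option 2: orders forwards the user's own token; inventory needs a permission the user lacks.
    forwarded = authorize(user_token, "inventory:reserve", "inventory", now)
    # Option 1: orders mints a service token for inventory on the user's behalf.
    svc = mint_service_token(verify_jwt(user_token, "orders", now), "orders", "inventory", now)
    elevated = authorize(svc, "inventory:reserve", "inventory", now)
    # The same service token replayed at another service, or after its TTL, is refused.
    replayed = authorize(svc, "billing:charge", "billing", now)
    stale = authorize(svc, "inventory:reserve", "inventory", now + 60)
    return {"at_orders": at_orders, "forwarded": forwarded, "elevated": elevated,
            "replayed": replayed, "stale": stale}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `forwarded` result is the Option 2 problem from the question in miniature: a user who may place an order has no reason to hold `inventory:reserve`, so either that permission is added to every user who can order (the interdependent web) or the callee needs a separate trust path. The `replayed` and `stale` results are what the separate key pair buys only if the elevated token is also bound to an audience and a short lifetime; with an unchanged payload, any service that obtained one could reuse it against every other service.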