Authentication and Authorization in Microservices
Microservices are all about being independent and loosely coupled: there are no hard dependencies between services. Authenticating a monolithic application is comparatively simple, because a monolith is tightly coupled and once a user is authenticated, that is the end of it. When you start to build a microservice architecture for the first time, or without prior experience, you run into new problems. One of the first is where authentication should happen, since the architecture is not tightly coupled but distributed; the second is how it should be done.
When we compare authentication in microservices with a monolith, there are some significant differences, some of which are mentioned below:
- A microservice system consists of a large number of services, so there is a much larger surface to secure than in a monolith, which secures itself as a single unit. In microservices, developers need to take care of every weakness that their individual services may expose.
- Another main point is communication between services. Since the architecture is loosely coupled, the only way for services to communicate is through API calls, which demand more attention to security than in a monolith, where components communicate through in-process method calls.
- It is hard to share resources such as a user session between microservices, so these things must be handled explicitly, whereas in a monolith all internal components can share one user session across the application.
In this article you will find answers to these problems faced by a microservices architecture, and see why microservice authentication should be handled differently from a monolith. Before we dig deeper, we should first understand what authentication and authorization are.
What is Authentication?
Authentication is the process of validating users and granting them access; in simple terms, authentication answers “who you are”, so the user needs to supply login details in order to be authenticated. Giving someone permission to view their profile, or access to download a file, can serve as examples. There are several ways to carry out the authentication process, some of which are:
- Username and password are the most common and well-known authentication factor. If the user enters the correct credentials, the server assumes the user is valid and grants access to the resources.
- Another effective way of granting access to a system is user biometrics, such as a fingerprint or an eye scan.
- We can use a third-party application to generate security codes and let our application authenticate users with them.
- In some scenarios a system requires more than one authentication factor, which is known as multi-factor authentication. Some systems require it in order to increase security.
What is Authorization?
Authorization is the process that follows authentication: deciding whether the authenticated user is allowed to access a given resource or perform certain operations. In simple terms, authorization means “what you can do” in the application. Authorization should always happen after authentication.
Authentication methods in microservices
When moving from a monolith to microservices, the thing to understand is how to manage security and which security methods exist for a microservices architecture. There are several approaches to implementing authentication and authorization in microservices. Each has its pros and cons; no single approach suits every case, and the choice depends on the requirements. The following are the ways to authenticate microservices.
- Authentication and authorization in each service.
In this method each microservice implements its own security and enforces authentication at the access point of that service. This approach gives developers the freedom to choose a different approach per microservice, but it is not recommended and has several downsides, some of which are:
- The authentication and authorization logic needs to be implemented in each and every microservice, and implementing security separately in every service is not practical.
- Microservices are all about building domain-specific services, which means breaking the whole application into pieces and having teams build those small pieces. In this approach the development teams are distracted from their main domain.
- It is hard to monitor and maintain.
- Globalized dedicated microservice.
In this method there is a separate service that handles authentication and authorization. Each and every service must have a request authenticated by the authentication microservice before it serves a secured resource. Even though this looks like a perfect solution, it has some problems too, some of which are:
- Authorization is a business concern, because what authorization does is secure the resources of a specific microservice; therefore authorization should not be handled in a centralized authentication service.
- This method increases the latency of processing a request.
- Authentication in API Gateway
When getting into microservices, one concern is how communication should happen between the user and the microservices. One way is to give direct access to each and every service, but this approach creates tight coupling between the user and the microservices. As a solution, we can use an API gateway: a single entry point to all of the services. The client sends its request to the API gateway, which works as a central point and routes the request to the intended service.
Because the API gateway works as the single entry point, we can use it for the authentication process, ensuring that authentication happens before a request enters the microservices. We enforce authentication in the API gateway, pass the user's identity details along, and route the request to the relevant service.
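The gateway pattern described above, with authorization left to the downstream service as the previous section argued, as an added example that is not part of the original article. The `issue_token`/`verify_token` pair, its HMAC token format, the `X-User-Id`/`X-User-Roles` headers and `profile_service` are all constructed for illustration and stand in for a real JWT issuer and a real service.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"  # constructed; in practice a key held by the issuer
IDENTITY_HEADERS = ("X-User-Id", "X-User-Roles")  # only the gateway may set these

def issue_token(user_id, roles, ttl=300):
    """Constructed minimal signed token: b64(json).b64(hmac). Stands in for a JWT."""
    payload = json.dumps({"sub": user_id, "roles": roles, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token):
    """Return the claims if signature and expiry check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return None if claims["exp"] < time.time() else claims

def gateway(request):
    """Single entry point: authenticate here, then forward identity to the service."""
    auth = request["headers"].get("Authorization", "")
    claims = verify_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if claims is None:
        return {"status": 401, "body": "unauthenticated"}
    # Strip identity headers the client sent, so a caller cannot impersonate another user
    headers = {k: v for k, v in request["headers"].items() if k not in IDENTITY_HEADERS}
    headers["X-User-Id"] = claims["sub"]
    headers["X-User-Roles"] = ",".join(claims["roles"])
    return profile_service({"path": request["path"], "headers": headers})

def profile_service(request):
    """Downstream service: trusts the gateway for *who*, decides *what* itself."""
    user = request["headers"]["X-User-Id"]
    roles = request["headers"]["X-User-Roles"].split(",")
    owner = request["path"].rsplit("/", 1)[-1]  # path shape: /profiles/<owner>
    if user != owner and "admin" not in roles:
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "profile of " + owner}
```

The header stripping only helps if the service is reachable solely through the gateway (network policy or mTLS between the two); a caller that can reach the service directly could set those headers itself.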
- Third-party authentication for the application
In this scenario, instead of the user authenticating with our application, we redirect them to another authentication application to get authenticated. The user is authenticated by that third-party application, which then sends a token to our application. From our side we can then access those details of the user that the user has permitted the third party to share with our application. For example, some applications offer sign-in and sign-up methods such as “sign in with Google” and “sign in with Facebook”. The main advantage of this method is that the user does not need to share their credentials and details with every application they interact with; instead they keep their details in one authentication application and grant permission to other applications. This method is also called OAuth (strictly, OAuth 2.0 is the delegated-authorization protocol, and the sign-in part is its OpenID Connect extension).
There are many ways to implement authentication and authorization in a microservices architecture, but which strategy to use depends on the actual requirements; you should decide what you need and how to implement authentication for your microservice architecture.