How to implement an authentication service in an SOA project

0

I'm developing a project using SOA where I have a web application made in Angular 2 and several microservices in Spring Boot; among the services are the authentication and notification services, which could be shared with other applications. On implementing the authentication service I have the following questions:

  • What is the best authentication method for this scenario? How does it work?

  • Using token authentication, would it be recommended to check the token with the authentication service on requests made to other services? (e.g. create a filter in the other services in which the token is extracted from the header on each request and sent to the authentication service; if it is valid, the user information is returned, otherwise status 401)

  • Should user information be persisted in the authentication service?

asked by anonymous 28.03.2017 / 21:46

1 answer

1

As you are working with Angular using the SPA (Single Page Application) pattern, your system talks over HTTP directly with the server.

Today the most used protocol for this scenario is OAuth 2.0. OAuth 2.0 focuses on the simplicity of the client developer while providing authorization flows specific to web applications, desktop applications, mobile phones and devices.

For more information on OAuth 2.0:

link

As for your question, with OAuth 2.0 the APIs are protected by token validation. However, this validation service lives on the OAuth server and can be used by any application. The ideal for this scenario is to have an API gateway up front doing this proxying and security role (by applying OAuth policies). Since you are using Spring Boot, the Spring Zuul project works as an API gateway.

Regarding the OAuth server, you can run the OAuth server itself using Spring's own dependencies:

link

If you can outsource authentication, you can use the OAuth providers of Facebook or Google, as many web/mobile applications do today.

If you are going to create your own OAuth server, you must implement the standard methods and access the client information for authentication/authorization. Therefore the client information must be persisted in some way. How OAuth accesses this information depends on the structure that exists within your current architecture.

29.03.2017 / 19:39
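An added example, not from the question or the answer, of the filter the asker describes in the second bullet: a Spring Boot OncePerRequestFilter that sends the Bearer token to the authentication service for validation and answers 401 otherwise. It assumes the authentication service exposes an RFC 7662 token introspection endpoint (the URL and the service's client credentials are placeholders), Spring 5.1+ for setBasicAuth, and the jakarta.servlet API of Spring Boot 3.

```java
import java.io.IOException;
import java.util.Map;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.http.*;
import org.springframework.util.*;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;
// Validates each incoming request's Bearer token against the authentication
// service's RFC 7662 introspection endpoint (assumed URL and credentials below).
public class TokenIntrospectionFilter extends OncePerRequestFilter {
    private static final String INTROSPECT_URL = "https://auth.example.internal/oauth/introspect";
    private static final String CLIENT_ID = "orders-service";      // this service's own client id
    private static final String CLIENT_SECRET = "<client-secret>"; // placeholder: load from config
    private final RestTemplate rest = new RestTemplate();
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            reject(res, "invalid_request");
            return;
        }
        String token = header.substring("Bearer ".length()).trim();
        // The resource service authenticates itself to the auth service, so only
        // registered services (not arbitrary callers) can ask whether a token is valid.
        HttpHeaders h = new HttpHeaders();
        h.setBasicAuth(CLIENT_ID, CLIENT_SECRET);
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", token);
        Map<?, ?> body;
        try {
            body = rest.postForObject(INTROSPECT_URL, new HttpEntity<>(form, h), Map.class);
        } catch (RuntimeException e) { // auth service unreachable: fail closed, never pass the request
            res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        if (body == null || !Boolean.TRUE.equals(body.get("active"))) {
            reject(res, "invalid_token");
            return;
        }
        req.setAttribute("principal", body.get("sub")); // user identity returned by the auth service
        chain.doFilter(req, res);
    }
    private static void reject(HttpServletResponse res, String error) throws IOException {
        res.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"" + error + "\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Register it with a FilterRegistrationBean in each service, or once in the Zuul gateway as the answer suggests, so that downstream services never act on an unvalidated token. Every request costs one round trip to the authentication service, which is the trade-off the asker's second bullet is about; a short-lived local cache of introspection results keyed by token hash is the usual mitigation.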