Rails: Microservice architecture with dedicated authorization and application services using Knock (JWT)
Now I am trying to decouple a monolithic application into microservices (dedicated Rails applications) and would like to know: is there a solution to move the authorization service out of each service?
For example, I have 6 different Rails API services with the 'knock' gem, each with a User model for authentication purposes. All of these services share a single user database.
I want to implement a dedicated service with a custom model, but how will the other services validate users with the given tokens?
Also, I want to be able to control which services a user can and cannot use. So, should there be an AccessRole service?
Draft:
- User navigates to "articles" (front-end user interface)
- auth_service validates the token from the client
- access_service somehow gets a message from auth_service and checks the user's role for access to the article resource
- articles_service sends a response to the client with JSON data
Here are some more questions:
- How does access_service link to auth_service? Should they use the same user database to validate user credentials and roles?
- articles_service, etc. - should they become private services without public access and act as black boxes for the user?
I am playing around with this problem and there are no well-formed solutions out there. I would build a service that manages Users and your Access Control List (ACL).
- Identity Service - This is where the client will authorize to access other API services.
  - login [POST]
    - email
    - password
This will return a JWT token, which in the payload section will have the following information:
- User ID
- ACL
The ACL can be an array of allowed roles. So, when a client makes a request to the API, the service responding to the request can extract the user id (Knock - current_user) and then get the ACL from the payload. It is then very easy to add a before_action to check the corresponding role.
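The token layout and role check described in this answer, as an added example (not the answerer's code and not Knock's): an HS256 JWT whose payload carries the user id and an ACL array, verified by a resource service before it checks the role a before_action would require. The shared secret, claim names and role strings are assumptions, and it uses only the Ruby standard library instead of Knock.

```ruby
require "openssl"
require "json"
require "base64"

# Assumption: one secret shared by the identity service and every resource
# service (RS256 would let resource services hold only the public key).
SECRET = "constructed-shared-secret-change-me"

# Compare two byte strings without short-circuiting on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Identity service side: the login endpoint returns this token. The payload
# carries the user id ("sub") and the ACL as an array of allowed roles.
def issue_token(user_id, acl, exp: Time.now.to_i + 900)
  header  = Base64.urlsafe_encode64(JSON.generate({ alg: "HS256", typ: "JWT" }), padding: false)
  payload = Base64.urlsafe_encode64(JSON.generate({ sub: user_id, acl: acl, exp: exp }), padding: false)
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{Base64.urlsafe_encode64(OpenSSL::HMAC.digest("SHA256", SECRET, signing_input), padding: false)}"
end

# Resource service side: accept the token only if the header says HS256, the
# signature verifies and it has not expired; returns the claims hash, or nil
# for anything untrusted (malformed, tampered, wrong algorithm, expired).
def verify_token(token)
  header, payload, sig = token.to_s.split(".")
  return nil unless header && payload && sig
  return nil unless JSON.parse(Base64.urlsafe_decode64(header))["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", SECRET, "#{header}.#{payload}")
  return nil unless secure_equal?(Base64.urlsafe_decode64(sig), expected)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer)
  return nil unless claims["exp"] > Time.now.to_i
  claims
rescue ArgumentError, JSON::ParserError, TypeError, NoMethodError
  nil
end

# What a before_action in articles_service would do: :unauthorized when the
# token is bad, :forbidden when the ACL lacks the role, :ok otherwise.
def authorize!(token, required_role)
  claims = verify_token(token)
  return :unauthorized if claims.nil?
  Array(claims["acl"]).include?(required_role) ? :ok : :forbidden
end
```

Because every resource service checks the signature itself, none of them needs to call back to the identity service or share its user database for the role check; they only need the verification key.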