
Spring Security as a micro service


My Application design is something like below:

Browser---calls----> Web MicroService ----calls---> REST micro service

REST Client --calls--> REST micro service.

I wanted to use Spring Security as an entry point for the application to authenticate the user/session/client and reuse the information about the user in the underlying microservices. I was thinking of having a security service for it.

Browser-->Security Service ----> Web MicroService ----> REST microService

REST Client ---->Security Service ----> REST Service.

Questions:

  1. How would the security service pass the required information about the user to other services?

  2. If Spring Security needs to be integrated within the Web service and REST service, how would token validation work when the REST microservice is called by the web service or directly by a REST client?

  3. What should be the client id and secret key while generating JWT tokens for question 2?

NOTE: All services would have access to the same database.


Solution

  • If I understand this correctly, you view the security service as a proxy that handles auth and calls through to the REST service? Why not restrict network access to the REST service to make sure all requests go through the security service? You can then make the username and other info regular parameters being sent by the security service to the REST service, because you can trust the values you are getting. Otherwise you could have another REST service that handles auth and sends back JWT tokens that are used to call other services.
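
The second option in the answer above (an auth service that issues JWTs which every other service validates for itself), as an added sketch that is not part of the original post and is not Spring Security code. It uses only the Python standard library; the function names, the claim layout, the HS256 shared key and the `rest-service` audience value are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption): shared by the auth service and every service that validates.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user, roles, audience, ttl=300, now=None):
    """Auth service: after login, sign the identity the other services will reuse."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "roles": roles, "aud": audience, "exp": int(now) + ttl}
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + b64url_encode(sign(signing_input))

def validate_token(token, audience, now=None):
    """REST service: identical check for calls from the web service or a REST client."""
    now = time.time() if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise PermissionError("unexpected algorithm")
    if not hmac.compare_digest(signature, sign(head_b64 + "." + claims_b64)):
        raise PermissionError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("token expired")
    if claims.get("aud") != audience:  # a token minted for another service is rejected
        raise PermissionError("wrong audience")
    return claims
```

The web service forwards the token it received from the browser session unchanged, so the REST service never has to distinguish between its two kinds of caller.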