
Microservice Authentication/Authorisation architecture


[Figure: architecture diagram]

Need to know how to authorise a user for each microservice in the given architecture. I.e. deny requests to each microservice if they are not authorised to have that module as per user data in the main db.

I also need to share the user from the main db between each microservice db to maintain data integrity.

Is there a way to do this? Or do I need to re-create a user table in each microservice? Basically meaning that every time a user wants access to a microservice I have to create a new user (POST from main api) in the microservice (at the loss of data integrity).

I haven't tried anything yet; I'm looking for suggestions/a solid and SECURE architecture. Each microservice will be hosted on a subdomain on the same PaaS so as to avoid transfer attacks and reduce delay.


Solution

  • deny requests to each microservice if they are not authorised to have that module as per user data in the main db.

    Assuming you are using OAuth2.0 with JWT access and refresh tokens, you could use the "aud" claim of JWT token to carry the authorizations or entitlements or permissions to access individual microservices. In the "aud" claim, you could provide the individual service URL, or service id that the user is authorized to access. At the individual microservice (or resource server in OAuth terminology) you need to check if the JWT carries the particular microservice URL or id in its "aud" claim. If not, access will be denied.

    I also need to share the user from the main db between each microservice db to maintain data integrity.

    That's not usually how this is done.

    You usually have an authorization server. That is the master of all the user information. Any unauthenticated user trying to access any service will be redirected to the authorization server and asked to provide their authorizations after authenticating themselves. Once the authentication is done and authorizations are given, the user will be redirected to the service page with appropriate access and refresh tokens which will thereafter accompany all user requests. Even when the request goes from User A -> Service B -> Service C. Service B and C would then need to check:

    1. Is the JWT valid (not tampered by anybody)? (using the digital signature in the JWT - usually HMACSHA256)
    2. Is the access token (usually a JWT) still valid as per the expiry date and time set in the "exp" claim of the JWT by the authorization server?
    3. Is the service URL or id present in the "aud" claim?

    If all the 3 questions are answered as "yes", access is granted and each service can find out the user name from the "sub" claim of the JWT. The user name can then be logged for audit.

    I also recommend you read this answer.