The best approach to manage centralized authentication/authorization to in-house mutiple API?

Question

I'm trying to create multiple API for different purposes, I mean a microservice pattern. I have in mind 2 API but in the future, it will increase.

I found that Oauth is recommended to this kind of microservice pattern. But is my own APIs and maybe I'm overengineering this.

(Image below as an example) I'm thinking in create my APIs, centralize the authentication/authorization stuff in another one and just access it from my APIs (thought CORS policies).

If I'm in the SPA 1 and I want to pass to the SPA 2, I will detect maybe a cookie to ask for the user info, send a verification code to the email and auto-login. (The last part can be fulfilled with a Same Domain cookie or maybe 1 SPA fetching data from both APIs)

I avoid OAuth and API Gateway Authorization since I will need to make my own server and could be expensive...

This is a good approach?

Edit 1: "Users" is an API where I will manage all users profiles, permissions, roles, etc to the other API access.

Answer 1

You can make use of JSON Web Token (JWT) in your scenario. You can create JWT for each resource/APIs and exchange them.

CAUTION: JWT has a weakness, reuse of stolen JWT can be a bad situation. You must use JWT in conjunction with another verification, a cookie, and SSL, keep JWT validation for short periods.