We are currently working on application having micro-service architecture with following components as shown in below image and everything is working fine.However need some clarification on following points.
To overcome first problem we could pass access_token to microservice rather than idtoken however we need to call /userinfo
end point each time for getting user information from provider and considering high concurrency is it a good practice to proceed with ?
Or we are missing something here and there are better alternatives to fix this problem ?
Any help would be much appreciated
Spring boot OIDC Properties in application.yml file
security:
oauth2:
client:
registration:
pingIdentity:
scope:
- openid
- profile
- email
- phone
- job_title
- scoped_entitlement
- authorization_group
- entitlement_group
- organizational_data
- basic_start_authorization
client-id: <Client ID>
client-secret: <Client Secret>
provider: pingIdentity
provider:
pingIdentity:
issuer-uri: <Issuer URI>
I think there is a problem of concept using open id connect.
Open id connect is not an authentication/authorization protocol as oauth2, it is a layer on top of oauth2 to provide user information to a client.
So the intended audience for the information contained in an idtoken is the application which is trying to consume a resource (frontend) and not the resource server (microservice). As you can see here
https://openid.net/specs/openid-connect-core-1_0.html
The token that must be send to the microservice is the access token that is issued along with the idtoken, because this is the token that must be used to authorize the action.
Other problem is that you may need user information to perform some action in the service but this is not part of the same flow.
The authentication/authorization flow only assures that one user is valid and has privileges to do certain action on certain resource server(microservice)
If then, when the auth proceess has ended, you need to obtain user information, I suggest you three possible solutions:
you can use a jwt token (self encoded access token) as access token instead of an opaque one, so you can obtain the user id in sub claim, and with that, query the user service to obtain the other information.
Like the point one, you can use jwt acces token and in addition add custom claims to store additional user information
if you are doing the acces token validation in zuul gateway, you can get user information in the gateway and pass a custom jwt to the microservices with the info you need. This token does not need to be an access token because the authentication/authorization operation has been done by the gateway.
This way you can refresh your access tokens without problem