I am designing a set of microservices for user management, api gateway, cart & checkout, promotions etc (ecommerce services). Planning to manage authentication and authorization using jwt token. Which service would be the best place to keep the authorization server? I have refered a few designs where its found on the api gateway, but I need a separate user management service and users table is maintained here (other services like cart checkout etc would be resource servers) Grant types: client_credentials and password are required. Are there any existing open source projects I can refer? Any documentation available for best practives?
If you are maintaining user data alongwith with the Authorization server, I woud suggest you to register this as a separate micro-service as AuthService in your RegistryService.
Best practice should be to use a JDBCTokenStore so that user is authenticated even if service instance get stopped or disrupted.
You shall include a dedicated DB for this service that shall include tables for User details, grant authorities, access tokens and refresh tokens.