Need design suggestions about role-based authorization
Below is the architecture of a project that I am working on. And I have some questions about how to implement role-based authorization.
What do I want to do here?
I want to make a shared system to authorize each request to the post and profile services.
Why do I want it to be shared?
- I want a central place to specify the what permission are granted to a certain type (admin, student, teacher) of user.
- If the number of services grow in the future I don't want to write the same auth logic in each of them.
What have I thought of doing?
To share a SECRET key in both the auth service and API gateway. Auth Service encrypts data using the key, and the API gateway uses it to decrypt on each subsequent request. The token will have a roles: [] to inform other micro-services about the permission.
The benefit:I am assuming that this will eliminate averify tokencall to the auth service, reducing the load on it.The drawback:I might have to implement my own API gateway rather than using GCP's API Gateway cause I can't find good resources on how to do this.
What I ask?
- Is this idea good?
- How to do develop this in a fast and secure way?
- Is there any better approach to do this?
Note: I am building something with a micro-service architecture for the first time, so any type of guidance related to the project will be great.
I would say that it is almost good. Instead of a secret key, use a pair of public/private key. The authentication service signs the JWT with the private key. The authentication service is the only one to know the private key. All microservices know the public key and use it to verify the JWT.
First benefit : the API gateway does not need to know the secret key because it does not verify the token, so you can use a default API gateway.
Second benefit : with this method, you will have in-depth security, because every microservice verify the roles. If a microservice invokes another microservice, it will forward the JWT, and the second microservice will check the JWT again. That is more secure than if they trust blindly what have been verified by an API Gateway.
Have you considered using Keycloak as the authentication service ?
- This module is declared with using 'export =', and can only be used with a default import when using the 'esModuleInterop' flag
- How can you make a node server running on WSL2 forward over LAN so that it can be accessed by a phone?
- How to limit bucket upload size in Backblaze B2 (S3 COMPATIBLE API)?
- Is there really a way to send payment to another stripe account user?
- Blocked by CORS policy despite domain name present in server side file
- ts-node and ESM: unknown file extension '.ts'
- EJS Rendering Error: "allChats is not defined" Despite Data in MongoDB
- AWS Cloudwatch Alarm Issue
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- sequelize error: missing index for constraint
- updating firestore document multiple times from event trigger function overwrites or stops updating after few triggers
- throws an error while running my custom rules in ESlint 1:1 error Definition for rule 'D:/Sports/eslint-rules/no-log.js' was not found
- Python analog code for crypto npm package (ENCODE/DECODE)
- Getting undefined for file upload in node js using multer
- Sequelize select * where attribute is NOT x
- Error: secretOrPrivateKey must have a value
- Can't run my Node.js Typescript project TypeError [ERR_UNKNOWN_FILE_EXTENSION]: Unknown file extension ".ts" for /app/src/App.ts
- Error: Cannot find module 'next' in Docker / Next 14 / Node 20 / React 18
- Retrieve last inserted id with Mysql
- Accessing Firestore via Cloud Function
- React, Node.js, jwt Login process. I can't stay the state with accessToken
- How to publish a website made by Node.js to Github Pages?
- Uncaught Error: Invalid date: 21/01/2023 in react using DateTIme Picker
- When should I use (or not use) the keepAlive option of the Node.js http Agent?
- Access variable from NPM outside of NPM internal function
- Getting CAN_NOT_GET_GATEWAY_SERVER exception on joining a call
- How to resolve the "cannot find module ./response" error in Node.js Express?
- How do I determine the current operating system with Node.js
- Error [ERR_UNSUPPORTED_ESM_URL_SCHEME]: Only file and data URLs are supported by the default ESM loader - Vue 3
- I'm getting and unhandled promise rejection that I need correct syntax for in nodejs