Tags: authentication, oauth-2.0, microservices, openid-connect

Right way for access token flow between microservices secured with OAuth/OIDC


I have a WebSocket server to which authenticated users can connect. They authenticate by passing an access token provided by an IdP (OIDC) using the authorization_code grant. When a user disconnects, I need to call other microservices to store some information. But the other microservices also require authentication, and after this long-standing WebSocket connection the access token I received has expired (and also I don't know whether passing the access token between microservices is a good idea).

How to deal with such a case? I have some ideas:

  1. Microservices can use the client_credentials grant type for communication between them, and provide some kind of user identifier as an HTTP request parameter. But this doesn't seem like a really nice option, because it ignores the fact that the user gave permission to access some API, and makes the user unable to revoke this access (without implementing additional mechanisms).
  2. I need to create some kind of auth microservice which will manage refresh tokens, so I can call it from any microservice; it will refresh the token through the IdP and return a valid access token. But this doesn't seem secure, as I need to store users' refresh tokens.

So, what is the correct approach? (I hope it is one of the above...)


Solution

  • The fact that you are using a websocket does not mean you must not check the validity of the access token. If the access token is expired, then the user must provide a new one. Either he closes the websocket and opens a new one with the new access token, or, better, he provides the new access token through the websocket.

    The service that receives the request(s) from the user must check the access token. That service makes requests to other services on behalf of the user by passing the access token to the other services. The other services will also verify the token. This is the security-in-depth strategy. It ensures that the user has sufficient permissions even for the deepest service that will be involved.
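The flow the answer describes (the WebSocket server re-checks the token, the client pushes a fresh access token through the open socket when the old one expires, and the same user token is forwarded downstream where the callee verifies it again), as an added example that is not part of the original question or answer. Everything in it is constructed for illustration: the tokens are HS256 JWTs signed with a shared demo secret so the code runs offline, whereas real OIDC access tokens are typically RS256 and verified against the IdP's JWKS; `ProfileService`, `WebSocketSession`, the `profile:write` scope and the `{"type": "token"}` socket message are all hypothetical names.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret standing in for the IdP's signing key (assumption:
# HS256 instead of RS256/JWKS, purely so the example runs offline).
IDP_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, scope: str, exp: int, secret: bytes = IDP_SECRET) -> str:
    """Stand-in for the IdP issuing an access token (HS256 JWT with sub/scope/exp)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "scope": scope, "exp": exp}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenError(Exception):
    pass


def verify_token(token: str, now: int, secret: bytes = IDP_SECRET) -> dict:
    """Check signature and expiry. Every service in the chain calls this itself."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    return claims


class ProfileService:
    """Hypothetical downstream microservice: re-verifies the forwarded user token."""

    def __init__(self):
        self.stored = []

    def store_session_info(self, token: str, info: dict, now: int) -> dict:
        claims = verify_token(token, now)  # defence in depth: do not trust the caller
        if "profile:write" not in claims["scope"].split():
            raise TokenError("insufficient scope")
        self.stored.append({"sub": claims["sub"], **info})
        return {"ok": True, "sub": claims["sub"]}


class WebSocketSession:
    """Long-lived connection that keeps the user's latest access token."""

    def __init__(self, initial_token: str, downstream: ProfileService, now: int):
        self.claims = verify_token(initial_token, now)  # reject the connect if invalid
        self.token = initial_token
        self.downstream = downstream

    def on_message(self, message: dict, now: int) -> dict:
        if message.get("type") == "token":
            # Client pushes a fresh token over the open socket instead of reconnecting.
            claims = verify_token(message["token"], now)
            if claims["sub"] != self.claims["sub"]:
                raise TokenError("token subject changed mid-session")
            self.token, self.claims = message["token"], claims
            return {"type": "token_ack"}
        verify_token(self.token, now)  # ordinary messages are checked against expiry too
        return {"type": "ok"}

    def on_disconnect(self, now: int) -> dict:
        # Forward the user's own token; the downstream service verifies it again.
        try:
            return self.downstream.store_session_info(self.token, {"disconnected_at": now}, now)
        except TokenError as e:
            return {"ok": False, "error": str(e)}


def demo() -> tuple:
    svc = ProfileService()
    t0 = 1_000_000
    session = WebSocketSession(mint_token("alice", "profile:write", exp=t0 + 300), svc, now=t0)
    stale = session.on_disconnect(now=t0 + 600)  # no refresh: downstream rejects it
    session.on_message({"type": "token", "token": mint_token("alice", "profile:write", exp=t0 + 900)}, now=t0 + 600)
    fresh = session.on_disconnect(now=t0 + 600)  # refreshed over the socket: accepted
    return stale, fresh


if __name__ == "__main__":
    print(demo())
```

The point of the example is the two `on_disconnect` calls: with the token the client presented at connect time the downstream call fails with "token expired", and after the client has pushed a newer token through the socket it succeeds, while the user's identity and granted scope travel with the request rather than being replaced by a client_credentials token.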