Misunderstanding about microservices authentication and authorization

I have three GraphQL microservices:

  • gateway (@mercurius/gateway)
  • user-service
  • travel-service

My thoughts on the implementation:

When a client (React Native app) sends a request to register a user, the API gateway allows
it to hit user-service without authentication. Once at the user-service, the user is
created and a token is issued and sent back to the client. (This phase is okay for me.)

The second phase is when the client sends a request to travel-service that needs to be authenticated.
The request arrives at the API gateway, and THE API GATEWAY SHOULD VALIDATE THE TOKEN BEFORE
DIRECTING THE REQUEST TO THE CORRESPONDING SERVICE.

My Problem

If the API gateway must validate the token, it means that it will use the same
library that issued the token in user-service (jsonwebtoken), and it will check whether the user
sending the request belongs to the user database, which is located at the user-service.

If the API gateway uses the user-service database, the separation of concerns
of the microservices is broken, because the API gateway will use the same library the
user-service uses to issue the token, and it will hit the user-service database every time
a request arrives. (That is my thought.)

Is it best practice to implement it this way, or is there another, better way to do it?
