Circular dependency in microservices architecture for Authentication

microservicesoauth2

We are planning on using OAuth2 / OpenID-connect for Authentication & Authorization and I'm looking at what services would be required. So far I've identified that I need at a minimum:

An OpenID-connect authorization service, e.g. implemented using Identity Server
Service(s) for registering and managing users
Service(s) for registered and managing client applications

(My assumption here is that I'm better off having these as separate services rather than bundling all of these into some sort of authentication mini-monolith)

When servicing auth requests Identity Server will need to lookup the client id, and may also need to lookup user details. To me, it seems like the simplest solution would be a REST / HTTP request, e.g. something like this (where the password is contained in the body)

POST https://users.api/users/justinp/authenticate

It also seems to me that I want requests to this API to be authenticated, however, that creates a sort of circular dependency whereby the authorization service depends on the user service to fulfill requests, but the user service (and similarly the client app service) depend on the authorization service for authorization. This doesn't cause issues at runtime as the authorization server can, of course, generate its own valid authorization tokens, but the design still doesn't seem "quite right".

I can see how I could avoid this in various ways, e.g. by using CQRS / Event Sourcing – have the user and client app services push changes so that the authorization service can maintain its own internal list of users and clients, however this does up the complexity and I'm not entirely sure that it's necessary.

Is this "circular dependency" actually fine in this case, or is this architecture a bit wonky?

Best Answer

Before you do anything else, you should read this introductory article on HTTP authentication to get started.

Oath2 protocol flow is shown below as described in The OAuth 2.0 Authorization Framework:

 +--------+                               +---------------+
 |        |--(A)- Authorization Request ->|   Resource    |
 |        |                               |     Owner     |
 |        |<-(B)-- Authorization Grant ---|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(C)-- Authorization Grant -->| Authorization |
 | Client |                               |     Server    |
 |        |<-(D)----- Access Token -------|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(E)----- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<-(F)--- Protected Resource ---|               |
 +--------+                               +---------------+

                 Figure 1: Abstract Protocol Flow

The abstract OAuth 2.0 flow illustrated in Figure 1 describes the
interaction between the four roles and includes the following steps:

(A)  The client requests authorization from the resource owner.

(B)  The client receives an authorization grant, which is a
     credential representing the resource owner's authorization

(C)  The client requests an access token by authenticating with the
     authorization server and presenting the authorization grant.

(D)  The authorization server authenticates the client and validates
     the authorization grant, and if valid, issues an access token.

All the resource services need to be able to validate the token. There are "many different and valid ways" to do OAuth2 but I would recommend using cryptographic signatures on the tokens. Then your resource servers can validate the token without reaching out to anything else. Revocation may be a concern however. I gather that initially the token specification was vendor specific but that there is now a standard around this.

As far as username recovery and password resetting goes, I would not consider that part of the authentication service. I would separate that out into it's own process and set of services that is independent of the authentication service.

First, you will need HTTPS.

HTTPS = HTTP + SSL/TLS.

It creates a security layer on top of your HTTP and prevent a lot of attacks. For that layer to work you will need to trasmit and receive credentials in a form of an certificate. see HTTPS

HTTPS can be configured in One-Way or Two-Way.

One-Way: In the One-Way scenario only you send your server certificate to the client. He will verify it, and if it is ok, he will start the communication right away.

Two-Way: It happens after the one-way, but the client send his certificate to your server so you can get a chance to verify it. Only when you respond that you trust the certificate the communication will begin.

This is a configuration that you do on the servers. Your application/API will use HTTPS on your server to send/receive information.

Second, Here is a complete flow in OAuth2 with all steps.

In the picture above:

User: Is the host (end-user or server) requesting something to you on you application server.
Client: Is an application server that is connected to your Auth Server.
Auth Server: Server that you OAuth Authentication Server is running.
Resource Server: Is the API server used to access the user's information.

Once this flow is complete your 'user' is autenticated and have a token. By 'user' i mean user in an application or an api.

The 'user' then use the token in every request till the token expires.

In your case,

Your Rest Api will receive the token, in the Authorization header of the HTTP request rfc scpec link section 14.8 Authorization.

Authorization: Bearer mF_9.B5f-4.1JqM <- (token is here)

Then you need to check the token in your OAuth server to validate it.

This is happening on the last request between Client and Resource Server in the above picture.

GET /resource(access_toke)
200: response <- (token is valid)

If the token is valid then you can grant acess to the requested resource. If not you deny the request by returning a http status code of 401 (Unauthorized) see discussion on stackOverflow.

Third, you will need to protect your server against replay attacks.

see discussion on securityExchange.

SOA/Microservices: How to handle authorization in inter-services communications

I advise you to have an internal channel of communication between the microservices.

For example to use some message broker like RabbitMQ internally to send/receive or publish/subscribe the messages between microservices.

Then your first end user facing service "in your example the Booking service" will be responsible for validating the token and authorize the customer to do this specific operation may be by communicating with IdentityServer.

Then it will communicate with Services service through Message broker and in that case, there is no need to validate the token again.

I guess this model will be simpler and give you better performance.

Best Answer

Related Solutions

Architecture for OAuth2 – BackendServer – FrontendServer

First, you will need **HTTPS**.

Second, Here is a complete flow in OAuth2 with all steps.

Third, you will need to protect your server against replay attacks.

SOA/Microservices: How to handle authorization in inter-services communications

Related Topic

First, you will need HTTPS.