I've obviously heard a lot about the Micro-Services Architecture and think it makes a lot of sense (especially with the success stories of Netflix).
I'd like to implement a small Grails application in Micro-Services (although the framework doesn't matter too much). My question is about the "Security" or "Users" Micro Service. My initial thought would be to create an application with a REST interface where my other Micro-Services would query the Security Service's REST interface. However, security would be duplicated in every service. This seems like an inevitable problem, but what is the best way to handle this?
Should I be implementing Spring Security in every service and querying a User Service with simple rights information? Or could a central Security Service work in some way?
Best Answer
as @user454322 says, look up the OAuth2 spec ... it's widely-used and well-supported standard that will work well.
There are (bascially) 2 ways to deploy an authorization server:
1) As a reverse proxy (as shown in @user454322 's diagam). This is when all requests from the outside go through the OAuth2 server and then to your services. This centralizes the authorization concern, so that it's handled before any request reaches the services. This is the same as terminating SSL in the load balancer. In essence, the authorization server becomes a part of your network middleware, like the firewalls and load balancers.
2) As an authorization server. This is a slightly different layout, where each service takes requests directly (from the load balancers, etc.) Each request comes with an access token in the header. The service then makes an HTTP call to the authorization service to validate the token. The authorization server is responsible for authenticating users and granting tokens in the first place, your micro-services don't have to do that part.