Really this is about exposing your microservices individually as opposed to behind a wrapper. I would say that if your services are already 3rd party ready" then simply exposing them would make sense.
However, security and customer friendliness says that you want a single access point that forwards or translates your external API on to the internal service APIs.
I don't think you've given us quite enough info to decide which is "best", but note that if you have a single external API, you can modify your microservices without affecting the API the customer sees. ie if you change one service to use a different API, you can keep the external API unchanged and only modify the calls it makes.
So I'd probably go with option 2, and have it live as a separate project, mostly independent of the microservices. Internally, you bypass this layer completely - its for external access only.
No, you are not using tokens correctly.
The idea is that you have an Auth service which issues tokens and Resource services which can validate the token and read the claims it contains. So the rather than forwarding the bearer token to the auth service each time the flow should be as follows
- Client -> Auth : please give me a token, here is my username and pass
- Auth -> Client : here is a token I have signed it with my private key and it contains the claim "i am an Accounting Agent"
then
- Client -> Resource : hi, please give me a list of accounts, here is my token
- Resource -> Client : I have checked the signature on your token using the Auth services public key. so I know I can trust your claim that you are an Accounts Agent. Here is the list of accounts
then
- Client -> Resource : Please delete this account, here is my token
- Resource -> Client : sorry Account Agents are not allowed to delete accounts
This flow prevents the Auth service becoming a performance bottleneck and leave the various microservices to decide if Claim X can do Operation Y
Roles
To address your second question about roles and permissions. At the end of the day a service has to have a set of Roles or Permissions that it knows about. eg you have to actually code something like:
If(users.Role != "RoleX")
{
return "Access Denied!";
}
Rather than have a whole list of different permissions, 'canEditAccounts' ,' canEditCustomers', 'canDeleteAccounts'... etc etc the modern approach is to instead have a shorter list of Roles 'AccountingAgent' which essentially act as a set of permissions.
If a third party consumes your services though they will have to use the roles that the service knows about. This means that they are stuck with the level of granularity that you provide in your Roles.
ie If your Accounting Agent does too little and your Accounting Manager does too much for your third parties needs you are stuck.
One way around this is to have a dynamic mapping between Roles and Permissions. Have your service know about permissions and query what permissions a role has.
You can then allow your third party consumers to create their own roles, selecting the permissions they want each to have
Best Answer
Describe to me the role of this service. What is the most accurate summation of its responsibilities? Not just of the things it has implemented today, but also factoring in any future features that it would be taking on.
I understand from this that this services will provide all news- and calendar-related data. I do not understand where this data will come from. It could be from its own local database, it could be generating completely random content every time, it could be getting it from Confluence, or it could be getting it from a multitude of external services.
I understand from this that this service will serve the data that comes from Confluence. It may not be returning all data from Confluence, but if we're going to need to fetch additional data from Confluence in the future, this service will be the one providing it.
Pick the name which most accurately reflects the interpretation, because that's exactly what the goal of naming something is: ensuring that the name adequately describes what you can expect from the thing.
It seems "Confluence connector" is the correct name then.
"News & Calendar" might coincidentally also be an accurate summation because that's the only data you currently get from Confluence, but there's no guarantee that this will remain correct in the future.
In either case "News & Calendar" will no longer be an accurate name for your microservice, but "Confluence connector" will still be correct.