Earlier this month, I happened to be in a technical discussion with a small team wherein I was being briefed about how authorization works in their microservice-based system.
Here's what a request to one of their protected resources looks like:
Though I've only depicted one Protected Service
, many of those exist. Also notice that there is no API gateway.
The responsibility of the Auth Service
in the figure is to:
This post is about point 2: should the Auth Service validate the tokens or should it be done by the individual services themselves?
Let's look at the pros and cons for this approach. Pros first:
Making the auth service perform token validation comes with it's own drawbacks that need to be considered too:
In this approach, the services that require authorization should validate the tokens. The protected service doesn't have to talk to the Auth Service
at all.
Now this does gives us some advantages over validating at the auth-service:
Protected Service
s are better isolated from the Auth Service
.Now this might not always be possible, so let's look at some of the possible scenarios:
Protected Service
and the Auth Service
.Protected Service
.Protected Service
s' implementations (as opposed to the services themselves) will be a tad more coupled with the Auth Service
. New iterations of the Auth Service
need to be backward compatible with old implementations of the validation logic. This is especially true when using revocable bearer tokens.Communication with the auth-service will be required whenever a datastore access is involved (since the AuthService owns its datastore). This can be reduced however by caching the required data for example.
A hybrid approach can be used to address the last two considerations listed previously. The idea is to let the service handle token validation and use the auth service as a fallback mechanism for token validation.
The Protected Service
's validation implementation could be put behind a configuration toggle and disabled to forcefully use the fallback mechanism if required.
While it's okay to use the Auth Service
for validation when starting out, I think it makes more sense to prefer validation at the individual protected services whenever possible.
At the end of the day, like many things in engineering, this too is about tradeoffs.