[QUESTION] How would you manage authentication/authorization?

[matteoPhre]

Hi!
I really appreciate your work on this project.
I would like to ask you something, how would you handle authentication in this type of architecture?

Like an IdentityServer or a microservice delegated to authentication (implementing also AspNetIdentity Core)?

Thanks in advance

[madslundt]

Hi,

For authentication, I would most likely use an Identity provider eg. Azure AD, AWS Cognito, or Auth0.
If you want to roll out your own I would look into IdentityServer from Microsoft. I would, however, recommend using one of the above.

Once the identity provider is up and running the token is validated in the ApiGateway and/or each microservice.

[mkojoa]

So should the identity server be integrated in all the microservice or only the Gateway ???
If its only the Gateway, then if an attacker manage to find the other microservices endpoint. then they should be able to access the resources without been authenticated.

Please @madslundt can you help as soon as possible ?
I already have an identity server setup, how do I authenticate users before accessing the resources.

This is how I configured the swagger in the other service (movies and review, users)

"SwaggerOptions": {
    "enabled": true,
    "reDocEnabled": false,
    "name": "v1",
    "title": "Movies Service",
    "version": ".Net Core 3.1 v1",
    "routePrefix": "docs",
    "Description": "Services for something endpoint",
    "TermsOfService": "https://something.com/terms",
    "IncludeSecurity": true,
    "SecurityOptions": {
      "xmlDoc": true,
      "apiName": "somethingapi",
      "apiId": "somethingcode",
      "tokenUrl": "http://something/somethingAuth/connect/token",
      "authorityURL": "http://something/somethingAuth/connect/authorize",
      "authority": "http://something/somethingAuth",
      "clientSecret": "PeRstRe*$^",
      "issuerUri": "http://something/somethingAuth",
      "requireHttpsMetadata": false,
      "Folder": "",
      "filterClassName": "AuthorizeCheckOperationFilter",
      "Contact": {
        "Name": "Michael Ameyaw",
        "Email": "something@something.net;something.something@something.net",
        "Url": "https://www.something.net"
      },
      "License": {
        "Name": something Systems Ltd",
        "Url": "http://www.something.net/"
      },
      "Scope": {
        "Name": "somethingstoreapi",
        "Description": "The Scope needed to Access something API"
      }
    }
  },

[jbonnett92]

So should the identity server be integrated in all the microservice or only the Gateway ???

It depends, if you are wanting to program logic based on the user being "authorised" to do something. If this is the case then you will need to handle authentication in the gateway and authorisation in the service.

If you are looking to control this based on urls e.g. not allowing people to create movies post -> /movies, then you can just add the authentication and authorisation in the gateway itself. This is what I would recommend as it makes things easier and is less of a performance hit! though if it can't be avoided to add programmed logic, then I would actually use a combination of both e.g. authentication and authorisation in the gateway and authorisation on the service, though this will come at a performance hit!

When it comes to performance, you can predetermine how much of a hit it is by thinking how soon in the process can I stop people e.g. if someone can query the api, lets say create a movie, if the request is stopped at the gateway then that is only two services (identity service and the gateway) processing that request, otherwise if it is at the services side you are using three services (identity, gateway, movies) and possibly four services the fourth being the users service, depending on where the logic ends. Though it could be more than that again depending on logic.

So the best way depends on how your services are laid out as a whole. If almost every service is using programmed logic, go the services route, if little services are programmed logic go the gateway and services route, if no services are programmed logic go the gateway route. It's just finding the balance.

Saying this, I hope you know the difference between authorisation and authentication!

If its only the Gateway, then if an attacker manage to find the other microservices endpoint. then they should be able to access the resources without been authenticated.

Not true, the gateway is the only thing that is front facing, all other services are inaccessible to the outside world. If you would like an analogy, the gateway is a form of firewall if you like.

By the way, Ocelot (the gateway) has options for identity server https://ocelot.readthedocs.io/en/latest/features/authentication.html#identity-server-bearer-tokens
this takes the services auth route and is upstreamed to the gateway and essentially acts as both gateway and services, you will have to understand Ocelot to get your head around it.

[mkojoa]

Thanks for the clarification.