Ask HN: How do you handle authentication and authorization between microservices

43 points by somtum ↗ HN

16 comments

[ 290 ms ] story [ 2455 ms ] thread
(comment deleted)
System user permissions with public/private keys for lower level APIs (SSH tunnels, basically).

Centralized token services for ReST APIs

JWT tokens are a decent approach
Vaulted API keys with lifecycle management.
JWTs are a good approach. I've also seen folks using mTLS with gRPC.
A central server which maintain all authorization information. The client can request token to access a particular service. The service verifies the token by calling the central server and gets in response the permissions available for that token. Also, a TTLed cache on the servers.
I assume the "central server" is actually an HA cluster of servers with consistency checking of the token data. Otherwise it sounds like a pretty bad SPOF. Any lessons you learned along the way with setting this up?
You are correct, single would be disaster. One of the lesson learnt, every network call is going add at least 10ms.
Client certs for service to service communication.

Auth tokens validated by a central entity (a bunch of servers really) for user (mobile apps, etc) to service communication.