I used to work for a company that has a solution for this exact problem: http://www.tribestream.io Great product and the people couldn't be a more diverse and all around good group of people.
A central server which maintain all authorization information. The client can request token to access a particular service. The service verifies the token by calling the central server and gets in response the permissions available for that token. Also, a TTLed cache on the servers.
I assume the "central server" is actually an HA cluster of servers with consistency checking of the token data. Otherwise it sounds like a pretty bad SPOF. Any lessons you learned along the way with setting this up?
16 comments
[ 290 ms ] story [ 2455 ms ] threadCentralized token services for ReST APIs
https://tribestream.io
Auth tokens validated by a central entity (a bunch of servers really) for user (mobile apps, etc) to service communication.