Issue
I am working on a microservice architecture, but I am facing some challenges with it.
First let me give you a brief overview of the architecture.
The user logs in and gets a signed token which will be used to call all REST APIs.
There will be a lot of API servers where APIs are secured using Spring Security and authorized as per the user roles.
Services have to interact with each other to get/update information.
Every service will have the power to validate a token issued by the auth server.
Problem:-
Everything works fine if the user logs in and the same token is used and passed to every service, where it is validated. So, services don't need to trust each other, as the token is passed along.
Now, the problem is that there are some services which need to be called from a server itself without logging in. Let's say a server-to-server call. How will a service authenticate and authorize the call from other services?
I read about Spring microservices, but Zuul is also not the saviour here, as every API server has Spring Security embedded and not just the API gateway.
One solution can be that every service has its own default user with certain roles, which is used to Login -> Fetch a token -> call the other server's API with that token.
Can you please give me some pointers on server-to-server calls where each server is authenticated and authorized using Spring Security?
Thanks.
Solution
In OAuth2, there is a flow dedicated to server-to-server authorization (the Client Credentials Grant flow). The calling service is a regular client of the second service (the resource server), so it must get a token and use it.
In a nutshell, the client tells the authorization server who it is (using its client id / app id), the authorization server gives it a token, which can then be used to query the resource server.
I have a resource in French here; the sequence diagram is in English and should be helpful. You can find more information about this flow easily.
For the Spring Security-specific stuff, see the spring-security-oauth2 doc.
Answered By - cdelmas
Answer Checked By - Marie Seifert (JavaFixing Admin)
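The Client Credentials flow from the answer, wired up in Spring Security, as an added example that is not part of the question or the answer. It uses the current Spring Security 6 modules (spring-security-oauth2-client on the calling side, spring-security-oauth2-resource-server on the called side), not the legacy spring-security-oauth2 project the answer links to. The service names (order-service calling inventory-service), the token URI, the issuer URI and the scope `inventory.read` are assumptions; in a real deployment the two `@Configuration` classes live in the two different services, and the client secret is injected from the environment, never committed with the code.

```java
// Added example, not code from the question, the answer, or the Spring project.
// Calling side: order-service obtains a token with the client_credentials grant and
// attaches it as "Authorization: Bearer <token>" to calls to inventory-service.
// Called side: inventory-service validates the JWT and authorizes by scope.
//
// Assumed application.yml of order-service (values are placeholders):
//
//   spring:
//     security:
//       oauth2:
//         client:
//           registration:
//             inventory:
//               client-id: order-service
//               client-secret: ${ORDER_SERVICE_SECRET}   # from the environment, not the source tree
//               authorization-grant-type: client_credentials
//               scope: inventory.read
//           provider:
//             inventory:
//               token-uri: https://auth.example.com/oauth2/token
//
// Assumed application.yml of inventory-service:
//
//   spring:
//     security:
//       oauth2:
//         resourceserver:
//           jwt:
//             issuer-uri: https://auth.example.com
package com.example.orders;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class InventoryClientConfig {

    // Obtains, caches and re-fetches the token for the client_credentials grant.
    // The AuthorizedClientService-based manager works outside an HTTP request
    // (schedulers, message listeners), which is the "no logged-in user" case.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService clientService) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // WebClient whose every request carries the service's own bearer token.
    @Bean
    WebClient inventoryWebClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId("inventory"); // registration key from application.yml
        return WebClient.builder()
                .baseUrl("https://inventory.internal.example.com") // assumed address
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}

// Called side (would live in inventory-service): every request must carry a JWT issued by
// the configured issuer, and /inventory/** additionally requires the inventory.read scope.
// Spring maps each "scope" claim value to a "SCOPE_<value>" authority, so the check is by
// what the calling service was granted, not by a user role, since no user is involved.
@Configuration
class InventoryResourceServerConfig {

    @Bean
    SecurityFilterChain inventoryApi(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                        .requestMatchers("/inventory/**").hasAuthority("SCOPE_inventory.read")
                        .anyRequest().authenticated())
                .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

With this in place, `inventoryWebClient.get().uri("/inventory/{sku}", sku).retrieve()` from order-service is authenticated as the order-service client, not as any user; the resource server checks the token's signature, issuer, expiry and scope on every call, so the two services still do not need to trust each other directly, which is the property the question wanted to keep.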