User registration across multiple services [closed]

  softwareengineering

I have multiple web services that need to be integrated into one solution. One frontend would provide access to features from all services.
Each of the services has its own native authentication, and keeps its own users’ data. Services don’t support OAuth or SAML.
What I need to achieve is that when a user gets logged in, he can actually access all services with one central account. (However, each service needs to have corresponding user data).

When a user is created, he will have an account created in some central authentication service, as well as in all other services.
So when the user authenticates against the central authorization service, it would be good if somehow the right credentials would be attached to requests to a certain service.

Let's say I have

  • A – authentication service
  • B – some service
  • C – some other service

When a user is created/registered on A, accounts on B and C are automatically created (with the same password). When the user tries to access a resource on B or C, if not authenticated, he will be redirected to authentication. After the authentication is successful, the original request will have credentials attached for that service so that native authentication on the service B can be performed.


You need three components:

  1. Identity provider. A typical identity provider service supports authentication, authorization, user management and so on. There are plenty of them out there, commercial and Open Source. Your central authentication service (service A) might fit this role.

  2. Authentication / authorization gateway. Intercepts the request to your services B and/or C and decides what to do from there. The request uses a standard protocol such as SAML or OAuth. Nowadays this is one part (or the whole) of an API Gateway or a similar-purpose component. Namely, you want the gateway to perform at least three tasks:

    • authentication. On failure, redirect somewhere
    • token translation. On successful authentication, translate from standard token to proprietary format required by your target service
    • authorization: authenticated user X is authorized to use service B but not service C, for example
  3. Glue. Sticky material that affixes #2 to your target services B and C. Based on your threat model, make sure that parties can only access services B and C via your gateway.

Good discussion of this topic: https://medium.com/tech-tajawal/microservice-authentication-and-authorization-solutions-e0e5e74b248a
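A sketch of the three gateway tasks listed above (authenticate against A, translate the token into the native credentials B or C expect, authorize per service), as an added example that is not code from the post or the linked article. The HMAC token format, the policy table, the stored service credentials and the gateway-to-service shared secret are all constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed secrets and tables for this example; in practice they live in the IdP and a vault.
IDP_SIGNING_KEY = b"idp-signing-key-example"
GATEWAY_SECRET = "gateway-shared-secret-example"   # the "glue": B and C accept only requests carrying it
POLICY = {"alice": {"B", "C"}, "bob": {"B"}}      # authorization: which services each identity may reach
SERVICE_CREDENTIALS = {                           # native credentials provisioned on B and C at registration
    ("alice", "B"): ("alice", "pw-alice-B"),
    ("alice", "C"): ("alice", "pw-alice-C"),
    ("bob", "B"): ("bob", "pw-bob-B"),
}

def _sign(payload: bytes) -> str:
    return hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def issue_idp_token(subject: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Stand-in for identity provider A: a signed, expiring token carrying {sub, exp}."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_idp_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:                       # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)             # payload is authentic at this point
    return claims["sub"] if claims.get("exp", 0) > now else None

def gateway(service: str, token: Optional[str], now: Optional[int] = None) -> dict:
    """Gateway decision for one request: authenticate, authorize, then translate credentials."""
    subject = verify_idp_token(token, now) if token else None
    if subject is None:                                    # task 1: not authenticated -> redirect to A
        return {"action": "redirect", "location": "https://a.example/login"}
    if service not in POLICY.get(subject, set()):          # task 3: authenticated but not authorized
        return {"action": "deny", "status": 403}
    user, password = SERVICE_CREDENTIALS[(subject, service)]   # task 2: token translation
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"action": "forward", "service": service,
            "headers": {"Authorization": f"Basic {basic}", "X-Gateway-Secret": GATEWAY_SECRET}}
```

The backend's own check that `X-Gateway-Secret` is present is what enforces that B and C are reachable only through the gateway; without it, anyone who learns a user's native password can bypass the central login.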
