
One authentication API to many other API microservices

My plan is to build some separated WebApi backend apps in .Net Core 2.1. I would like to have also one big frontend application (built in Angular), which will use calls to the above microservices.

So, in the Frontend app I will have some modules: Login, MicroSrv1, MicroSrv2, ... etc.

Login GUI will use LoginApi. After logging in I want to show the MicroSrv1 GUI (connected to MicroSrv1 Api), MicroSrv2 (to MicroSrv2 Api), and so on.

My idea is:

  • open LoginGUI, click Log in
  • call LoginApi to authenticate in Azure AD (using JWT), download the user data and also the roles for the user, and return to LoginGUI
  • after authentication I will go to the next panel with MicroSrv1GUI, MicroSrv2GUI
  • the next calls to MicroSrv1 Api or MicroSrv2 Api should be authorized (so also send the token, maybe stored in a cookie)

Is this a good practice? To have only one separate microservice for authentication? Or should every microservice have its own built in? How can I share the authentication token between microservices and use only one Login Api app? Could you please provide me some examples?

I didn't get why you have a GUI for each microservice, however you can achieve this by adding authentication for each one with a shared data protection key.

You can do this by configuring data protection to use a shared folder as the key store, or implement your own to have one shared store.

From the authentication service, you would return a JWT token based on the user role and the permissions associated with it.

On the client side, you would parse the JWT token and, based on the permissions, only show the screens that are applicable to the user; on the server side, you would read the access rights in each REST call and throw an unauthorized error if the user tries to access a service without the right access rights.
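As an added example (not code from the question or the answer above), one way to wire this up in ASP.NET Core 2.1: the single LoginApi issues a JWT that carries the user's roles, and each MicroSrvN Api validates that JWT on its own with the shared signing key, so no microservice needs its own login service and no call back to LoginApi happens per request. The Jwt and TokenIssuer classes, the JWT_SIGNING_SECRET variable, the issuer/audience strings and the MicroSrv1.User role are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Values every service must agree on. The secret (32+ random bytes) comes from a secret store, never
// from source; with a symmetric key any service holding it could also mint tokens, so an RSA key pair is safer.
static class Jwt
{
    public const string Issuer = "LoginApi", Audience = "microservices";
    public static SecurityKey Key => new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes(Environment.GetEnvironmentVariable("JWT_SIGNING_SECRET")));
}

// LoginApi: once Azure AD sign-in has succeeded, put the user and roles into the JWT sent to LoginGUI.
static class TokenIssuer
{
    public static string Issue(string user, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, user) };
        foreach (var r in roles) claims.Add(new Claim(ClaimTypes.Role, r)); // e.g. "MicroSrv1.User"
        var token = new JwtSecurityToken(Jwt.Issuer, Jwt.Audience, claims,
            expires: DateTime.UtcNow.AddMinutes(30), // short-lived; re-issue rather than long tokens
            signingCredentials: new SigningCredentials(Jwt.Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

// MicroSrv1 Api: validate the bearer token locally on every request, no call back to LoginApi.
// In Configure(), app.UseAuthentication() must run before app.UseMvc(); actions then gate access
// with [Authorize(Roles = "MicroSrv1.User")], giving 401 without a valid token and 403 without the role.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
            o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true, ValidIssuer = Jwt.Issuer,
                ValidateAudience = true, ValidAudience = Jwt.Audience,
                ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(1),
                ValidateIssuerSigningKey = true, IssuerSigningKey = Jwt.Key
            });
        services.AddMvc();
    }
}
```

The Angular app sends the token as an Authorization: Bearer header on each call; if it is kept in a cookie instead, the cookie should be HttpOnly and the APIs need CSRF protection.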
