
Authorization check in different microservices

I decided to try for the first time to implement a microservice architecture instead of a monolithic one and ran into an authorization problem. In a monolithic architecture, I simply passed the token in the header when accessing the controller on which the [Authorize] attribute was hanging and checked it against the current single database. But in the microservice architecture, each microservice has its own database. How can you check the token when accessing other microservices? I have heard about the implementation of the check in the API Gateway, but I think that, anyway, each microservice should have its own check, since there should be no access to the API if the user is not authorized. Should I use the API gateway to make a request to the authorization microservice for verification? How can I implement this?

I have a separate microservice for user authorization (registration, login, issue of tokens) which has a database of users with tokens. That is, do I need to make a request to this microservice using the API Gateway?

One way - You should try to do authentication/authorization at the API Gateway level. Whenever any API call that needs some permission comes to the API Gateway, check the token. If the access/token is not present, then return 401. On the frontend, if you get a 401, then do authentication at the UI.

2nd way - The UI passes the token to the API Gateway, which will further send the token to the other microservices.

It depends on how granular a level of permission you need. If it is at a very granular level, then go with the 2nd, else go with the 1st.
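The two approaches from the answer above, as an added example that is not part of the original post. It assumes opaque tokens that the authorization microservice can look up on request; `introspect`, `gateway`, `orders_service` and the sample tokens and permission names are hypothetical and constructed for illustration.

```python
import hashlib
import time

def _h(token):
    """Store only a hash of each token, never the raw value."""
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed token store owned by the authorization microservice.
TOKENS = {
    _h("tok-alice"): {"user": "alice", "perms": {"orders:read", "orders:write"},
                      "exp": time.time() + 3600},
    _h("tok-bob"): {"user": "bob", "perms": {"orders:read"}, "exp": time.time() + 3600},
    _h("tok-old"): {"user": "carol", "perms": {"orders:read"}, "exp": time.time() - 1},
}

def introspect(token):
    """Authorization microservice: return the token record, or None if unknown/expired."""
    rec = TOKENS.get(_h(token or ""))
    return rec if rec and rec["exp"] > time.time() else None

def bearer(headers):
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None

def orders_service(headers, method):
    """2nd way: the microservice re-checks the forwarded token and its own permission."""
    rec = introspect(bearer(headers))
    if rec is None:
        return 401, "invalid token"
    needed = "orders:read" if method == "GET" else "orders:write"
    if needed not in rec["perms"]:
        return 403, "missing " + needed
    return 200, f"{method} orders as {rec['user']}"

def gateway(headers, method):
    """1st way: the gateway answers 401 for a missing or invalid token before routing."""
    if introspect(bearer(headers)) is None:
        return 401, "authenticate first"
    # Forward the original Authorization header unchanged to the downstream service.
    return orders_service({"Authorization": headers["Authorization"]}, method)
```

Because `orders_service` performs its own check, a request that reaches it without passing through `gateway` is still rejected.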
