How can I authorize an OAuth2 machine-to-machine token between a microservice and its authorization server?

Question

I have an OAuth2 server that is able to give me an access token based on my client ID & secret.

I have a microservice where other servers can perform actions respective to its job.

However, I need to authorize the token to ensure it has the permissions to do that.

Is it common for the server to forward the access token to the auth server and get a response back that includes the details such as scope? etc.

Answer 1

Yes and no.

For the entry point, you definitely need to check the access token's scope by asking it to oauth2 provider, but you probably don't want to do it everytime it's following code to call the provider whenever it requires scope check.

In Spring framework, that authorized information is stored in SecurityContext, and any code in the same VM can access it by calling SecurityContextHolder.getContext().getAuthentication(). Probably you can implement similar thing with your language and platform you are using, so that authorized information can be shared by others, with thread-safe way.

However, in microservice world, each microservice could or could not have the scope its client used. For example, let's say there is client A, calling microservice B's C method, and B's C calls another microservice's H's I method.

Depends on what scope is required for the method Bc() and Hi(), even if your code can propagate the OAuth2 scope to the following microservice, client A's call could end up having insufficient scope exception and fails. If you are lucky, then yeah client's call will succeed.

I had the same issue, and there wasn't any clear silver bullet or best practice for what to do with OAuth2 scope in Microservice world. I feel like it just all depends on what's your service topology look like and how it is designed.