Ask HN: How do you handle authentication and authorization between microservices - somtum
======
exabrial
Take a look at the Microprofile JWT specifications. It provides a standard set
of jwt claims:
[https://www.eclipse.org/community/eclipse_newsletter/2017/se...](https://www.eclipse.org/community/eclipse_newsletter/2017/september/article2.php)

------
jwhitlark
[https://istio.io](https://istio.io)

------
codegladiator
A central server which maintains all authorization information. The client can
request a token to access a particular service. The service verifies the token
by calling the central server and gets in response the permissions available
for that token. Also, a TTLed cache on the servers.

~~~
hkarthik
I assume the "central server" is actually an HA cluster of servers with
consistency checking of the token data. Otherwise it sounds like a pretty bad
SPOF. Any lessons you learned along the way with setting this up?

~~~
codegladiator
You are correct, a single one would be a disaster. One of the lessons learnt:
every network call is going to add at least 10ms.
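
The service-side half of the pattern described in this subthread (call a central server to turn a token into permissions, cache the answer for a TTL, and make the central server's outage or round-trip cost visible), as an added example that is not code from any commenter. The introspection endpoint, the token strings and the permission sets are constructed stand-ins; a real deployment would use the authorization server's own API.

```python
"""Service-side token verification against a central authorization server,
fronted by a TTL cache. Added illustration; the central server is simulated."""
import time

# Constructed stand-in for the authorization data held by the central server.
CENTRAL_DB = {
    "tok-orders-ro": {"active": True, "permissions": {"orders:read"}},
    "tok-orders-rw": {"active": True, "permissions": {"orders:read", "orders:write"}},
}

class CentralServerDown(Exception):
    """Raised when the (simulated) central server cannot be reached."""

class CentralServer:
    """Simulated introspection endpoint; counts calls to show what the cache saves."""
    def __init__(self):
        self.calls = 0      # every call is one network round trip
        self.up = True
    def introspect(self, token):
        self.calls += 1
        if not self.up:
            raise CentralServerDown()
        return CENTRAL_DB.get(token, {"active": False, "permissions": set()})

class TokenVerifier:
    """Caches introspection results per token for `ttl` seconds.
    Revocation is therefore delayed by at most `ttl`; pick it accordingly."""
    def __init__(self, central, ttl=30.0, clock=time.monotonic):
        self.central, self.ttl, self.clock = central, ttl, clock
        self._cache = {}    # token -> (expires_at, frozenset of permissions)

    def permissions(self, token):
        now = self.clock()
        hit = self._cache.get(token)
        if hit and hit[0] > now:
            return hit[1]                       # fresh entry: no network call
        try:
            result = self.central.introspect(token)
        except CentralServerDown:
            # Fail closed: an expired entry is never served past its TTL.
            self._cache.pop(token, None)
            return frozenset()
        perms = frozenset(result["permissions"]) if result["active"] else frozenset()
        self._cache[token] = (now + self.ttl, perms)   # negative results cached too
        return perms

    def authorize(self, token, required):
        return required in self.permissions(token)
```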

------
nickserv
System user permissions with public/private keys for lower level APIs (SSH
tunnels, basically).

Centralized token services for REST APIs.

------
exabrial
I used to work for a company that has a solution for this exact problem:
[http://www.tribestream.io](http://www.tribestream.io) Great product and the
people couldn't be a more diverse and all around good group of people.

~~~
jhoh
Your www link doesn't work for me.

[https://tribestream.io](https://tribestream.io)

------
Rjevski
Client certs for service to service communication.

Auth tokens validated by a central entity (a bunch of servers really) for user
(mobile apps, etc) to service communication.

------
borncrusader
JWTs are a good approach. I've also seen folks using mTLS with gRPC.

------
carlosdp
JWT tokens are a decent approach

------
toomuchtodo
Vaulted API keys with lifecycle management.

------
steve_taylor
Docker secrets.

------
matchmike1313
API keys typically

------
segmondy
keycloak

