auth as a microservice
TRANSCRIPT
CREATE TABLE todos (
id INT NOT NULL,
text TEXT NOT NULL,
user_id INT NOT NULL,
PRIMARY KEY (id),
CONSTRAINT todos_fk_1 FOREIGN KEY (user_id)
REFERENCES users(id) ON DELETE CASCADE
);
What about everything else?
● Works on SPAs and Mobile● Session ID is the user identifier● Generally hard to steal or forge● Uses simple HTTP cookies
The Pain
● Stateful● Potentially requires session replication● Session pinning● Harder to scale since every instance runs everything● One big database
{
"user": {
"id": 42,
"name": "Brian Pontarelli",
"email": "[email protected]",
"roles": ["admin"]
}
}
Tokens● There must be a User -> Token mapping● In memory or in database● Makes the User API slightly stateful● Can be very chatty● Couples the User API to EVERYTHING (almost)
JWT● JSON Web Tokens● Signed with a public/private key pair● Can be validated by Todo API without calling User API● Contains roles
JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0
ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZ
S5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy
0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM
3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9s
ZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP
04kZo
JWT Body{
"iss": "inversoft.io",
"exp": 1300819380,
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Brian Pontarelli",
"roles": ["RETRIEVE_TODOS"]
}