Authorization between microservices

I’ve hit a wall when trying to design a decoupled replacement for an aging monolith API. I’d like to break it down into microservices as it was becoming difficult to add new features.

The issue I’m having surrounds authorization. I will try to illustrate this the best I can, so bear with me.

I have these two services: Project and Document.

  • The Project service can be simplified to group users that can have access to a list of documents.
  • The Document service can be simplified to just document retrieval by ID.

By design, documents should be able to exist on their own or as part of a project. My issue is that I don’t know where to authorize a user to have access to a specific document.

My ideal API endpoints would look like this:

    /projects/{id}
    /documents/{id}

Should I decide where a user is authorized to access a document in the documents endpoint? This creates a cross-cutting issue where the documents service would have to contact the project service to see if the user can access a particular document.

Any suggestions would be hugely helpful.

I think you should use auth across both the services. Use the IAM roles to restrict access to these endpoints to authenticated users only. For example, in the guide we do this:

    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:YOUR_API_GATEWAY_REGION:*:YOUR_API_GATEWAY_ID/*/*/*"
      ]
    }

Here we are explicitly deciding that users authenticated with our Identity Pool (and associated User Pool) have access to the above endpoint. https://serverless-stack.com/chapters/create-a-cognito-identity-pool.html

Hope that helps.
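
The per-document check asked about in the question, as an added example that is not part of the thread or of the linked guide: the IAM statement above decides who may invoke the API, and the Document service then decides whether that caller may read this particular document, either as its owner or as a member of a project that contains it. The in-memory maps, the `ownerId`/`projectIds` fields and all function names are assumptions made for illustration; the caller's identity is read from `event.requestContext.identity.cognitoIdentityId`, which API Gateway sets for IAM-authorized requests made with Cognito Identity Pool credentials.

```javascript
// Constructed sample data. In a deployed system `documents` is the Document
// service's own store and `projectMembers` lives behind the Project service.
const documents = new Map([
  ["doc-1", { id: "doc-1", ownerId: "alice", projectIds: [] }],         // standalone
  ["doc-2", { id: "doc-2", ownerId: "alice", projectIds: ["proj-9"] }], // in a project
]);
const projectMembers = new Map([["proj-9", new Set(["alice", "bob"])]]);

// Stand-in for the call to the Project service (hypothetical interface):
// of the given projects, which ones is this user a member of?
function projectsForUser(userId, projectIds) {
  return projectIds.filter((p) => projectMembers.get(p)?.has(userId) === true);
}

// Pure authorization decision, deny by default.
function canRead(userId, doc, memberProjectIds) {
  if (!userId || !doc) return false;
  if (doc.ownerId === userId) return true; // standalone or owned document
  return doc.projectIds.some((p) => memberProjectIds.includes(p));
}

// Handler for GET /documents/{id} (Lambda proxy event shape).
function getDocument(event) {
  const userId = event.requestContext?.identity?.cognitoIdentityId;
  if (!userId) return { statusCode: 401, body: "unauthenticated" };

  const doc = documents.get(event.pathParameters?.id);
  // Only ask the Project service when the document exists and is in a project.
  const memberOf = doc ? projectsForUser(userId, doc.projectIds) : [];

  // Same response for "missing" and "not allowed", so document ids
  // cannot be confirmed by probing the endpoint.
  if (!canRead(userId, doc, memberOf)) {
    return { statusCode: 404, body: "not found" };
  }
  return { statusCode: 200, body: JSON.stringify({ id: doc.id }) };
}
```

Keeping `canRead` free of I/O means the rule can be unit-tested on its own, while the cross-service lookup stays a single narrow question put to the Project service.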