I’ve hit a wall when trying to design a decoupled replacement for an aging monolith API. I’d like to break it down into microservices as it was becoming difficult to add new features.
The issue I’m having is around authorization. I will try to illustrate this the best I can, so bear with me.
I have these two services Project, Document.
- The Project service can be simplified to group users that can have access to a list of documents.
- The Document service can be simplified to just document retrieval by ID.
By design, documents should be able to exist on their own or as part of a project. My issue is that I don’t know where to authorize a user to have access to a specific document.
My ideal API endpoints would look like this:
/projects/{id}
/documents/{id}
Should I decide where a user is authorized to access a document in the documents endpoint? This creates a cross-cutting issue where the documents service would have to contact the project service to see if the user can access a particular document.
Any suggestions would be hugely helpful.
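An added illustration (example code, not from the original post or any reply to it) of one way to avoid the request-time call from the Document service to the Project service described in the question: both services write relationship tuples (document belongs to project, user is member of project, user is owner or viewer of document) into one shared authorization store, and the document endpoint asks that store a single yes/no question. The `AuthzStore` class, the rewrite rules, the tuple format and the sample users, projects and documents are all constructed for this example and are not part of the original post.

```python
"""Relationship-based authorization for the Project / Document split.

Constructed example. Each service publishes the relationships it owns:
  Project service : project:<id>#member@user:<id>
  Document service: document:<id>#owner@user:<id>
                    document:<id>#viewer@user:<id>
                    document:<id>#parent@project:<id>
The documents endpoint then asks one question, check(doc, "viewer", user),
and never has to call the Project service while serving a request.
"""
from collections import defaultdict

# Rewrite rules (a deliberately small subset of the Zanzibar-style idea).
# For each (object type, relation): "direct" lists relations on the same
# object that grant it; "via" lists (linking relation, relation on the
# linked object) pairs that grant it transitively.
RULES = {
    ("document", "viewer"): {"direct": ["viewer", "owner"],
                             "via": [("parent", "member")]},
    ("project", "member"):  {"direct": ["member"], "via": []},
}


class AuthzStore:
    """Tuple store plus a deny-by-default check()."""

    def __init__(self):
        # (object, relation) -> set of subjects
        self._tuples = defaultdict(set)

    def write(self, obj, relation, subject):
        self._tuples[(obj, relation)].add(subject)

    def delete(self, obj, relation, subject):
        self._tuples[(obj, relation)].discard(subject)

    def subjects(self, obj, relation):
        return self._tuples.get((obj, relation), set())

    def check(self, obj, relation, user):
        return self._check(obj, relation, user, frozenset())

    def _check(self, obj, relation, user, seen):
        if (obj, relation) in seen:      # guard against cyclic tuples
            return False
        seen = seen | {(obj, relation)}
        obj_type = obj.split(":", 1)[0]
        rule = RULES.get((obj_type, relation))
        if rule is None:                 # unknown object/relation: deny
            return False
        for rel in rule["direct"]:
            if user in self.subjects(obj, rel):
                return True
        for link_rel, target_rel in rule["via"]:
            for linked in self.subjects(obj, link_rel):
                if self._check(linked, target_rel, user, seen):
                    return True
        return False


def build_example_store():
    """Constructed sample data: one project, one project document,
    one standalone document."""
    store = AuthzStore()
    # Project service publishes memberships.
    store.write("project:42", "member", "user:alice")
    store.write("project:42", "member", "user:bob")
    # Document service publishes ownership, direct grants and parents.
    store.write("document:1", "owner", "user:carol")
    store.write("document:1", "parent", "project:42")   # in the project
    store.write("document:2", "owner", "user:dave")     # standalone
    store.write("document:2", "viewer", "user:alice")   # direct grant
    return store


def get_document(store, user, doc_id):
    """What /documents/{id} would do: one authorization question,
    then the fetch. Returns (status, body)."""
    obj = f"document:{doc_id}"
    if not store.check(obj, "viewer", user):
        return 403, None
    return 200, {"id": doc_id}          # stand-in for the real lookup


if __name__ == "__main__":
    s = build_example_store()
    for u in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(u, get_document(s, u, 1)[0], get_document(s, u, 2)[0])
```

Revocation falls out of the same model: when the Project service removes a member, or the Document service detaches a document from its project, it deletes the corresponding tuple and the inherited access disappears on the next check, while direct grants on the document are unaffected.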