I am planning to use microservice architecture in my upcoming project. I am a bit not clear on which mechanism to use for user Authentication and Autorization.
I googled for the same and I understood there are some mechanisms like distributed DB based opaque token, end-to-end JWT token based and combination of opaque token and JWT token.
My primary authentication is OAuth2. User signin using OAuth2 and the tokens are received at backend (@redirect URI) and I store this token for further queries by user.
At first I wanted to use distributed DB based token mechanism as it seemed simple enough for my case (with backend in VPC, i am sure my db is secure enough), where I will generate a unique token(UTKN) and map this UTKN against tokens(Access and Refresh) received from OAuth2 and send this UTKN in cookie to the client( client can be mobile app or an embedded device or a desktop browser). For user logout, I simply delete my session cookie.
Reason Why I wanted to use extra UTKN rather than sending OAuth2 Access token directly in session cookie is I don't want AccessToken which is, in some cases, not opaque and which contain app or user info (in case of JWT kind of AccessTokens) to be visible.
When I came across AccessTokens received for OAuth2,in case of Microsoft O365, are JWT based tokens which I think they might use this token within their internal backend as is to get user data.
Apart from db security and db failure are there any disadvantage or drawbacks for using distributed db based session mechanism over other mechanisms?
Aucun commentaire:
Enregistrer un commentaire