I will outline a simple application that will contain three loosely coupled services: Authentication (using OAuth2 under spring security), profiles and settings, data collection. I am trying to determine the best way to protect or archive secure calls between these services. Consider the following two user cases. In each case, the user has already authenticated and the requests will contain a valid JWT token for the initial service endpoint:
Case 1: The user wants to edit his preference for the preferred fruit. The application will make an authenticated call to the Profile / Preference service to GET their preference, and then POST back the updated preference.
Case 2: They call the data collection service, which will try out the fruit storeβs API store. This requires finding the preferred fruit from the profile and service preferences.
The question I have is the best way to protect the profile and preference service for case 2 above. I believe that there are three possible approaches:
- Each internal request must include any authentication header that passes through the current user context.
- Each internal request must be authenticated in some others as an API user.
- Each internal request will need to hit another endpoint that has not been published or connected in the load balancer for internal traffic only
Is this something out of the box aspect of spring boot?