I am trying to migrate an existing monolithic application to microservice applications. But get confused with the authentication and authorization strategy with oauth2.0.
Take the order service as an example; I want to determine the user who places the order.
1. User login and receiving access token from a separate authentication service.
2. The user (client) sends a request for a placement with an access token as an authorization header.
3. The order service sends a request to the authentication server to verify the access token, and then receives information about the user.
Questions:
1. Each time the order service processes the request, it must interact with the authentication server, does this increase the risk of failure? for example, the Order Service does not accept orders if the authentication server is down.
2. What is the test strategy for integration / functional tests, should I fake the authentication server, and if so, how to do it?
3. Some articles mention the JWT token to make the authentication server idle, does this approach make things easier, and what is a workflow?
source
share