I recently read some information about Microservices and especially around AuthN and AuthZ. For the most part, all this makes a lot of sense, and I see how it all should work.
For what I'm playing with, I am going with delegated authorization, so I have to transfer tokens from the client to the service, and then transfer the same token from service to service. I also have an endpoint in the OAuth2 service that will accept the token and return the details of the token - user ID, beginning and end of the validity period, the scope of the token acting on, etc.
The problem that I encountered is that for the token to be correctly issued, there must be some communication with the User Service to ensure that the User for whom the token is issued is really valid. In order to verify the token, you need to have some communication with the User Service to ensure that the User is still valid. Nevertheless, in order to safely contact the User Service to obtain information about the user, a token is needed that gives permission for this access.
I assume that there is some standard practice for resolving this circular dependency between OAuth2 and User Service, but I have not seen a mention of this at all. Is this a common problem? Or am I just missing something obvious?
(Note: for now, I only use the Client Credentials and Resource Owner Credentials grants, as I am only playing to see how it all works, and it's easier to call using cURL. Not sure that it matters, though.)
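As an added example (not from the question or any project it mentions), here is the check a service would run on the response of the token-details endpoint described above, assuming the endpoint returns the RFC 7662 introspection shape: `active`, `sub` (user ID), `nbf`/`exp` (validity window as epoch seconds) and a space-separated `scope`. The HTTP call is replaced by a constructed response so the check runs offline; `TokenRejected` and `is_usable` are names chosen here.

```python
"""Resource-side validation of an OAuth2 token-introspection response."""
import time
from typing import Optional


class TokenRejected(Exception):
    """Raised when the introspected token must not be honoured."""


def check_introspection(resp: dict, required_scope: str,
                        now: Optional[float] = None) -> str:
    """Return the user ID (sub) if the token is usable for required_scope.

    Order matters: "active" is the only field RFC 7662 makes mandatory, and
    the other claims are only meaningful when it is true. Note that the
    introspection endpoint itself requires the calling service to
    authenticate (RFC 7662 section 2.1), normally with the service's own
    client credentials, not with the end user's token being checked.
    """
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        raise TokenRejected("token inactive (revoked, expired or unknown)")
    if "exp" in resp and now >= resp["exp"]:
        raise TokenRejected("token expired")
    if "nbf" in resp and now < resp["nbf"]:
        raise TokenRejected("token not yet valid")
    granted = set(resp.get("scope", "").split())
    if required_scope not in granted:
        raise TokenRejected(f"scope {required_scope!r} not granted")
    sub = resp.get("sub")
    if not sub:
        raise TokenRejected("introspection response carries no subject")
    return sub


def is_usable(resp: dict, required_scope: str, now: float) -> bool:
    """Boolean wrapper for callers that do not want the exception."""
    try:
        check_introspection(resp, required_scope, now)
        return True
    except TokenRejected:
        return False


# Constructed sample response, shaped like the endpoint's output.
SAMPLE = {"active": True, "sub": "user-42", "scope": "orders:read profile",
          "nbf": 1_700_000_000, "exp": 1_700_003_600, "client_id": "web-client"}

if __name__ == "__main__":
    print(check_introspection(SAMPLE, "orders:read", now=1_700_001_000))
```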