What does Social SSO look like in a Microservices Architecture?

0 votes
Asked by: (120 points)

Evening all

I am trying to grasp the concept of how Social SSO (Facebook/Google etc) would work within a Microservices Architecture.

Scenario

Let's say I have 2 backend microservices (Order, User) and one front end (WebApp)

  • User: Holds user profile details, email, name, address.
  • Order: Holds a list of orders which are linked to a user
  • WebApp: Provides a front end which interacts with the two back end services.

Adding Social SSO is to simplify the process of users signing up to the website http://www.myproduct.com

When a person uses Social SSO, I want to create a user account in the user service.

Questions

Assuming a user clicks "Login with Facebook" on the WebApp and logs in as "John"

  1. What is the best approach to creating an account for John in my User service?

  2. Once logged in as John, how does the WebApp propagate the identity of John to the Order service?

  3. How does the Order service validate that John is logged in?

  4. How can interdependent services Order & User trust each other?

Concerns

  1. Downstream services will become very "chatty" with the Authorisation Server (Facebook, Google)

Thanks

Daniel

1 answer

0 votes
Answered by: (140 points)
  1. What is the best approach to creating an account for John in my User service?

There is not much to do here, just get the user details from FB and call your user create endpoint. For a RESTful API you will probably want to do a POST to https://your_api_gateway/users

  2. Once logged in as John, how does the WebApp propagate the identity of John to the Order service?

One option is to use a token microservice. At login time you would create a long-lived auth token and a short-lived access token. The auth token is the source of trust that you never share. You return the access token to the client webapp. All calls from the client to any of your microservices will send that access token as part of the request. Another option is to simply use the access token generated by FB/Google.

  3. How does the Order service validate that John is logged in?

Your Order service would receive an access-token in the request. As long as the access-token is valid, you can assume that John is logged in.

  4. How can interdependent services Order & User trust each other?

The access token is signed by the token microservice - which should be a trusted service - and it can contain additional information that can be further verified by any of your microservices.

  1. Downstream services will become very "chatty" with the Authorisation Server (Facebook, Google)

Once you generate the access token, you don't need to call FB or Google again until your webapp decides that the user needs to be authenticated again.
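As an added illustration of the token-service approach described in this answer (example code written for this page, not code from the thread or from any named project): the token service mints a short-lived, HS256-signed access token once the social login has completed, and the Order service verifies signature, issuer and expiry locally with a shared key instead of calling Facebook or Google on every request. The key, the issuer name, the claim set and the 15-minute lifetime are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key, assumed to be shared between the token service and every
# service that verifies tokens (e.g. distributed through a secret store). Not a real key.
SIGNING_KEY = b"example-shared-key-not-for-production"
ISSUER = "token-service"  # assumed issuer name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id, ttl_seconds=900, now=None):
    """Token service: mint a short-lived HS256 JWT for the user whose account was
    just created or looked up in the User service after the FB/Google login."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, now=None):
    """Order service: return the claims if the token is well-formed, correctly
    signed, from the expected issuer and not expired; otherwise return None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # tampered claims or wrong key
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # covers bad base64, bad JSON and bad structure
        return None
    if claims.get("iss") != ISSUER or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # wrong issuer or expired
    return claims


if __name__ == "__main__":
    token = issue_access_token("john")
    print(verify_access_token(token))  # claims dict for John while the token is fresh
```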

Commented by: (120 points)
Thanks @clonq. Assuming the token service is a microservice, would this service redirect the user back to WebApp, passing the long-lived token as a query param? Is this safe? Secondly, assuming this long-lived token was actually a JWT, where would the WebApp store this? Thanks, Daniel
Commented by: (140 points)
No redirection is required. The webapp would make an AJAX call to the token microservice and the service would return the token in a JSON payload. It's safe to send the token in the payload as the communication should be over HTTPS anyway. My suggestion is to use a short-lived token for added security, not a long-lived one but in any case the web client can store it either in memory or persist it in the localStorage depending on your "client session" expiry policy.
Commented by: (120 points)
Hi @clonq. The WebApp and the Token service are different microservices. As such, I want to have the Token service handle the response from the SSO Provider, such as FB or Google. Given this, how would I then make the WebApp aware of the long-lived token that it generates in a secure way? Thanks
Commented by: (140 points)
If you want to move the call to the SSO provider inside the token service you just return the long lived token to the client. So the flow is something like this: WebApp calls TokenService. TokenService calls SSOProvider which returns a token. TokenService then returns the token to the WebApp. Makes sense?
Commented by: (120 points)
Yes, thanks. Your help is much appreciated!