OAuth 2 - datasource to store users

0 投票
最新提问 用户: (120 分)

I'm implementing OAuth2 in my spring app and I have one question.

Well, I have authorization server and resource server. I chose password flow.

Everything works correctly. But I am not sure where I should store users. I have two database - one for authentication server, another one for my RestApi - resource server.

At this moment I store users in my restAPI database. Why? Because I need information about user in my restAPI. What do you think? I wonder if my authentication server has access to the resource database is a good way... I am not sure.

As my resource server has access to the authentication database (to validate user token) - maybe the better way is storing users in that database?

1个回答

0 投票
最新回答 用户: (220 分)

Definitely users should be stored in authentication server's DB. If you need some user info you can call the auth service (you can add controllers to the service as well) or you can use JWT tokens storing necessary info in the tokens to be read from resource server.

发表于 用户: (120 分)
Ok, understood. Well, the best way is creating AuthService in authorization server and also creating controller for that service. From resource server I should communicate with authentication server using http service (e.g. RestTemplate). Is that correct? But I have access to auth db in Resource sever (as I said - to validate token). Now I'm not sure if it is properly way. When user entity will be in the auth db I will have access to them using auth db datasource. I think that it's not good idea. :/
发表于 用户: (220 分)
Yes. You can call authentication server from resource service.
发表于 用户: (120 分)
Sorry, I updated my comment. Can You see on that again?
发表于 用户: (220 分)
DB should be isolated. If you need info about user you can either ask auth service (e.g. RestTemplate call) or wrap the info to JWT token and extract the info from the token.
欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。
...