
We want to establish SSO between microservice apps.

E.g.: In an e-commerce site, if a user logs in to the main app, the user should be automatically allowed to access the cart app connected to it, which is a microservice.

I searched the OAuth spec but I couldn't find any relevant answer specific to my case. Some of the things which differ w.r.t. OAuth are:

  • The user need not authorize resources (cart app) against the identity provider; it should be done seamlessly in the backend.
  • We don't want to use an outside identity provider like Facebook or Google; the main app (from the e.g. above) should act as the identity provider.

Questions

1. Is there a standard way (procedure) defined in OAuth to handle this kind of authentication/authorization?

2. If not, what are the most popular alternatives?

Other info: Our apps are built using Ruby on Rails; if you know any good gems please suggest them.

I found a couple of questions (1, 2) related to this but they are much broader. Even Google is not helping, so please don't mark this question as a duplicate.


1 Answer

If you do want to use SSO, let all your services accept the same token, returned by the Authorization server when the user logs in. Encrypt it and put it in cookies, for example; in this case your web frontend will authenticate the user by validating that token against the Authorization server and return user-specific content.

The same applies to the cart service: it can get the username by token and return user-specific cart items.

Pros: Users can't access other users' data by design; user logout disables every service.

Cons: You will need a "superuser" or an additional API for background or analytical tasks.

Sergey Alaev
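As an added illustration of the shared-token scheme this answer describes (example code written for this page, not from the answer or from any gem): the main app issues one token at login, and every service such as the cart verifies it with the same shared secret. It uses an HMAC-SHA256 signed token rather than an encrypted one, so services can verify locally without calling back to the main app; the secret value, the token layout and the `cart_items_for` handler are assumptions.

```ruby
require 'openssl'
require 'json'
# Assumed shared secret known to the main app (issuer) and every service that
# accepts the SSO cookie. Constructed for this example; a real deployment loads
# it from a secret store and rotates it.
SSO_SECRET = 'constructed-example-secret-do-not-reuse'.freeze

module SsoToken
  # Strict base64 through pack/unpack, so no extra gem is needed.
  def self.b64(bytes);  [bytes].pack('m0');  end
  def self.unb64(text); text.unpack1('m0');  end

  # Constant-time byte comparison: a forged MAC must not be guessable
  # one byte at a time from timing differences.
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Called once by the main app at login. Claims are signed with HMAC-SHA256
  # over the encoded payload; the result is what goes into the SSO cookie.
  def self.issue(user_id, secret: SSO_SECRET, now: Time.now)
    claims  = { 'sub' => user_id, 'iat' => now.to_i, 'exp' => now.to_i + 3600 } # 1 hour
    payload = b64(JSON.generate(claims))
    "#{payload}.#{b64(OpenSSL::HMAC.digest('sha256', secret, payload))}"
  end

  # Called by any service (cart, orders, ...) on every request. Verifies
  # locally with the shared secret; returns the claims Hash or nil.
  def self.verify(token, secret: SSO_SECRET, now: Time.now)
    payload, sig = token.to_s.split('.', 2)
    return nil if payload.nil? || sig.nil?
    expected = OpenSSL::HMAC.digest('sha256', secret, payload)
    return nil unless secure_eq(unb64(sig), expected)   # check the MAC first
    claims = JSON.parse(unb64(payload))
    return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer)
    return nil unless now.to_i < claims['exp']           # then the expiry
    claims
  rescue ArgumentError, TypeError, JSON::ParserError
    nil                                                  # malformed input
  end
end

# What the cart service does with the cookie value: the user id comes from the
# verified token, never from the request, so one user cannot read another's cart.
def cart_items_for(token, carts, now: Time.now)
  claims = SsoToken.verify(token, now: now)
  claims && carts.fetch(claims['sub'], [])
end
```

Logout in this design means the main app stops issuing tokens and the short expiry does the rest; for immediate revocation you would still need the shared lookup the answer mentions.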