3

So let's take the basic e-commerce microservices.

  1. Identity and access. This microservice will take care of user accounts, roles
    and authentication. The authentication method will be based on the usual
    token based flow (user enters username + pass and server returns a unique and
    random token via cookie). This service can also be used to get the user profile.
  2. Cart microservice. This microservice can be used to put products in a cart.
    Check what products a cart has. Etc ...

Assuming that "Identity and access" microservice will be used for generating the random token as a result of a successful authentication, and for linking this token to a user, how will this token be used to make the user's identity available to the cart microservice? For example, when a user will add a product to his cart, he will send along the authorization token and the cart microservice will have to identify the user based on that token.

Could a distributed database be an option? A database which has these tokens stored and links to user built, and to which all microservices have access?

Or should all microservices get the user's identity from a special identity and access API which will expose users based on the access token?

Geo C.

1 Answer

1

A distributed data base definitely conflicts with the following basic principle of micro services:

A micro service owns its data and exposes it via well defined interfaces. No other micro service may access data owned by another micro service directly.

So one solution in this case would be to have a token micro service or the last solution you have described.

vanthome
  • Thanks. Accepted and upvoted. Ended up having an identity and access service. Having a database from where a service could find information about a user, or an API in a way are the same thing. The downstream service (which only reads the user info) will never interfere with how the user database is structured. Same thing goes for the API structure, if an API is used. I think there are a lot of misleading articles all over the web regarding what should be considered a good practice when it comes to service decoupling. HTTP API or database API are the same – Geo C. Jul 05 '16 at 13:06
  • To continue: it all depends on the conventions you agree on. Both HTTP API or the database are simple interfaces to access data for the downstream service. So they are equal from a design point of view. You can even leverage the RDBMS security concepts in order to restrict certain actions/data from the downstream service, instead of building your own for the HTTP API – Geo C. Jul 05 '16 at 13:07
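
The last option from the question (an identity and access API that resolves a token to a user), sketched as an added example that is not part of the original thread. The names `IdentityService`, `CartService`, `issue_token` and `introspect` are hypothetical, and an in-process call stands in for the HTTP request between the two services.

```python
import hashlib
import secrets
import time


class IdentityService:
    """Owns the token store; other services only ever call introspect()."""

    def __init__(self, ttl_seconds=900):
        self._ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> (user_id, expiry); raw tokens are not kept

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_id, now=None):
        # Called after a successful authentication (password check not shown).
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, now + self._ttl)
        return token

    def introspect(self, token, now=None):
        # The published interface: token in, user id out, None if unknown or expired.
        now = time.time() if now is None else now
        entry = self._tokens.get(self._digest(token))
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


class CartService:
    """Keys carts by user id; holds only a reference to the introspection call."""

    def __init__(self, introspect):
        self._introspect = introspect
        self._carts = {}

    def _user_for(self, token, now):
        user_id = self._introspect(token, now)
        if user_id is None:  # fail closed on unknown or expired tokens
            raise PermissionError("invalid or expired token")
        return user_id

    def add_product(self, token, product_id, now=None):
        self._carts.setdefault(self._user_for(token, now), []).append(product_id)

    def products(self, token, now=None):
        return list(self._carts.get(self._user_for(token, now), []))
```

The cart service stores nothing about tokens, so revoking or expiring a token in the identity service takes effect on the next cart request.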