I am fairly new to microservices architecture. I've been trying to build a microservices stack using Spring Boot, Spring Cloud and Netflix OSS libraries. I want to know what the correct way and place to store the session is.

Here is an overview of the infrastructure that I created:

  1. OAuth2 backed Authorization/Authentication Server
  2. UI Service (Spring Boot, Front end service)
  3. Backend Service-1
  4. Backend Service-2
  5. Redis Server to store session and other cachable data
  6. Discovery Server (eureka)

Currently, I'm trying to store the session in Redis by configuring the UI service to do it. It seems to be working fine, although I haven't had the chance to try it with multiple service instances. However, I'm already having serialization/deserialization issues while developing. By the way, is the front end app the correct place to store the session, or should it be done in the Authorization/Authentication service, since authentication is processed in that service?

Here is my session config in the UI service (front end service):

import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.context.AbstractHttpSessionApplicationInitializer;

@Configuration
@EnableRedisHttpSession
public class SessionConfig extends AbstractHttpSessionApplicationInitializer {

    public SessionConfig() {
        // RedisConfig (not shown in the question) is registered with the root
        // application context and is expected to provide the RedisConnectionFactory
        // that the Redis-backed session repository needs.
        super(RedisConfig.class);
    }
}

To sum up, I'm expecting to follow and apply best practices on this project. Your kind assistance would be appreciated.

eray

1 Answer

The idea of a general server side user session and a microservices style architecture don't go together well. The reason being that you are likely to break the separation of concerns that you use to separate the domain boundaries of your services.

Remember, every service is supposed to service a specific domain problem autonomously - including all required data persistence. So for example if there is anything to remember for a user's connected devices you would do that in the one service that is responsible for those device connections and nowhere else. The service would be responsible for processing those requests and persisting any status that the devices require. Similarly when there is anything to remember about the user's authorization you would do that in the authorization service.

And regarding the question to use Redis or not - In a microservices architecture the choice of storage system would be up to the service architect. Maybe one service stores its data in a relational database, maybe another uses a key-value-store and yet another may use an event queue system or a time series database.

So in summary you have to ask yourself what your session is really used for and make the corresponding services responsible for persisting that information in a domain specific way. (If you give some more details in your question about this, I can give you my opinion.)

Oswin Noetzelmann
  • Thanks for the detailed response. In brief, I'm trying to store the HTTP session in Redis, which is stored in the server by default. The part that I get lost in my sample project is that I don't see any point in using a user session and an OAuth token together, since they all serve the same purpose when it comes to retrieving user information. Please correct me if I'm wrong. Or maybe I should store tokens and user data in Redis instead of trying to inject the Http Session directly into it. – eray Jan 18 '19 at 07:25
  • Yes, you are already on the right track. JWT tokens should be able to replace server side sessions for most use cases, especially if you choose the contained data wisely. You may need to do a few things differently than with sessions. For example, add some data to your user persistence, like the last PW reset date, in order to be able to invalidate previously valid tokens etc. – Oswin Noetzelmann Jan 18 '19 at 09:05
  • That clears things up. I will define and specify the things that need to be cached/stored in the token and establish a proper system design. Thank you very much for your reply and helpful guidance. – eray Jan 18 '19 at 11:58
  • Also check out the following for some thinking about limitations etc.: https://stackoverflow.com/questions/34280049/could-jwtjson-web-token-totally-replace-session – Oswin Noetzelmann Jan 18 '19 at 20:14
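The answer and the comment thread above describe replacing the server side HTTP session with a JWT, and invalidating tokens that were minted before the user's last password reset by keeping that date in the user service's own persistence. The following is an added example, not code from the question or the answer, written in plain Python with only the standard library so it runs offline: it builds an HS256 JWT, verifies the signature before trusting any claim, enforces `exp`, and then applies the "issued before last password reset" check. The `SECRET` value and the `password_reset_at` dictionary are constructed stand-ins for the key a resource server would load from configuration and for the lookup against the user service; the JSON encoding follows the JWT compact serialization rules (RFC 7519), but the signing key handling and the reset-date lookup are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads its signing/verification key from configuration.
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject: str, issued_at: int, ttl_seconds: int = 900, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT carrying sub, iat and exp (the role of the auth server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl_seconds}
    header_seg = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    claims_seg = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_seg}.{claims_seg}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


class TokenRejected(Exception):
    """Raised for any token the resource server must not honour."""


def verify_token(token: str, password_reset_at: dict, now: int, secret: bytes = SECRET) -> dict:
    """Validate a token the way a resource server would, returning its claims.

    password_reset_at maps subject -> unix time of the user's last password reset;
    it stands in for a lookup against the user service's own persistence.
    """
    try:
        header_seg, claims_seg, sig_seg = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")

    # 1. Check the signature before reading a single claim, with a constant-time compare.
    expected = hmac.new(secret, f"{header_seg}.{claims_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise TokenRejected("bad signature")

    # 2. Only accept the algorithm this service was configured for.
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")

    claims = json.loads(b64url_decode(claims_seg))

    # 3. Ordinary lifetime check.
    if now >= claims["exp"]:
        raise TokenRejected("expired")

    # 4. The invalidation the comments describe: a token minted before the user's
    #    last password reset is treated as revoked even though it still verifies.
    reset_at = password_reset_at.get(claims["sub"], 0)
    if claims["iat"] < reset_at:
        raise TokenRejected("issued before last password reset")

    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "now" for the demo
    token = issue_token("alice", t0)
    print(verify_token(token, {"alice": t0 - 3600}, t0 + 5))
    try:
        verify_token(token, {"alice": t0 + 60}, t0 + 120)  # reset happened after issuance
    except TokenRejected as err:
        print("rejected:", err)
```

The reset-date check costs one lookup per request against the user service's store, which is the trade-off the comments point at: the token stays self-contained for authentication, while revocation data lives in the one service that owns it rather than in a shared session store.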