4

I have 2 internal Rails services, which need to speak to each other. I need an advice how to make it secure enough and with minimum effort.

Currently service A sends Authorization HTTP header to service B, which contains secret token. Simple HTTP Token-based method, nothing special. But I also need somehow to communicate a user token, so service B will know, which user is talking to it.

My current solution is following:

  1. send Authorization Token token=blabla user_token=blabla2
  2. use existing in Rails methods to parse it
  3. identify user by provided user_token
  4. inspired by this StackOverflow post

Alternatives:

  1. Amazon way with something like: Authorization: MY-APP-V1 Token=blabla Credential=user_token, but I need custom parser for it.
  2. Custom HTTP header like X-USER-TOKEN, but seems like RFC is not in favor of this idea.
  3. Your proposal or suggestion

Thank you very much for any help.

Andrii Skaliuk
  • 428
  • 1
  • 6
  • 14

1 Answers1

1

I'm curious as to why the user token is not enough, can you elaborate on this?

But assuming you want to continue with the double-token approach, something like JWT could be used to encode the user token with the secret token. That way you will just have 1 token and can send it simply as Authorization: Bearer xxxxxx.

Orhan Toy
  • 459
  • 1
  • 4
  • 5
  • Thank you for answer. Secret token plays role of secure authentication for service-to-service communication. Not all API endpoints need user token. User token plays role of authorization here. – Andrii Skaliuk Oct 14 '19 at 17:03