I have a design issue I am not sure of how to solve.
Let's say my main application consists of 6 modules:
- client
- gateway
- auth-service
- forum
- gallery
- messages
The client is supposed to communicate with the gateway-service only.
Should I have my gateway do the user-authentication (which ideally results in a JWT) and the other 3 productive-services (forum, gallery, messages) just verify that token and retrieve permissions and roles they manage themselves for that given user?
To illustrate my troubles, I created a sequence diagram:
Click here for the original draw.io graphics if you prefer that.
I do not want to use any 3rd-party auth-services; I just want my auth-service (which is pretty much done) to register users and let them login. Or should I be managing permissions and roles in that service as well?
I have been trying to wrap my brain around this issue for months, but I simply cannot find a suitable structure that lets the user register, log in/log out and communicate with the various productive services. I am currently using Java for the backend, but the good thing about microservices is that I do not have to use one programming language for all of them.
Any help here is welcome!
P.S.: I read Microservice Authentication strategy and Zuul - Api Gateway Authentication, but neither seemed to apply in my case.
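As an added example (not code from the question or from any library it mentions), here is the split the question describes, in plain Python with only the standard library: the auth-service signs a JWT that carries the user's identity and nothing else, and the forum service verifies signature and expiry and then consults its own role and permission tables. The secret, the users and the permission tables are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Secret shared by auth-service and the productive services (constructed demo value).
SECRET = b"constructed-demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(user_id: str, secret: bytes, ttl: int = 300, now=None) -> str:
    """auth-service side: sign identity claims only; roles are not baked into the token."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """productive-service side: check alg, signature and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # accept exactly one algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

# The forum service owns its role and permission tables; the token only says who the caller is.
FORUM_ROLES = {"alice": {"moderator"}, "bob": {"member"}}  # constructed sample data
FORUM_PERMISSIONS = {"delete_post": {"moderator"}, "create_post": {"moderator", "member"}}

def forum_allows(token: str, action: str, now=None) -> bool:
    """Forum-side check: the token must verify AND the forum's own roles must grant the action."""
    try:
        claims = verify_jwt(token, SECRET, now)
    except ValueError:
        return False
    roles = FORUM_ROLES.get(claims.get("sub"), set())
    return bool(roles & FORUM_PERMISSIONS.get(action, set()))
```

With an HMAC secret every verifying service could also mint tokens, so in a real deployment the auth-service would sign with a private key (RS256/ES256) and the productive services would hold only the public key; the verification steps stay the same.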