*Background:*
Currently, if Client A wants to call Service B through Gateway G with
authentication, with AS as the Authentication Server, the workflow is as
follows:
Client A (with authentication token) ---> Gateway G ----> Service B -----> Authentication Server AS
There are three major problems with this workflow:
1. If the interface of the Authentication Server changes, all Services have
to change. This is a big disadvantage for upgradability and stability.
2. The authentication code is scattered across every Service and is hard to
manage.
3. The authentication process happens on most requests, but the call
chain is too long and performance suffers.
*PROPOSAL:*
Add an Authentication Handler in Gateway G.
There will be a configuration file in Gateway G which states whether
an API of a MicroService accesses any access-controlled resource.
For example:
/shop/good/{id}/inventory_increase resource:inventory.
This means the url accesses the "inventory" resource.
The Authentication Handler will call the Authentication Server AS with the
authentication token and the requested resource to check whether the current
token has permission to access that resource.
The proposed approach improves on all three problems mentioned in the
Background section.
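As an added illustration (not code from the original proposal or from any gateway project), here is a minimal version of the proposed Authentication Handler in Python: a constructed configuration maps API path templates such as `/shop/good/{id}/inventory_increase` to resources, the handler resolves the requested path to a resource, and only for access-controlled resources does it consult the Authentication Server; `auth_server_check` and its in-memory permission table are assumed stand-ins for the real call to AS.

```python
import re
from typing import Optional, Tuple

# Constructed gateway configuration: API path template -> access-controlled resource.
# Paths that are not listed touch no access-controlled resource and are forwarded
# without a call to the Authentication Server.
ROUTE_RESOURCES = {
    "/shop/good/{id}/inventory_increase": "inventory",
    "/shop/order/{order_id}/cancel": "order",
}

# Constructed stand-in for the Authentication Server's permission data
# (assumption: AS answers allow/deny for a token + resource pair).
TOKEN_PERMISSIONS = {
    "tok-alice": {"inventory", "order"},
    "tok-bob": {"order"},
}


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a path template into a regex; each {name} matches exactly one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        parts.append(r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


COMPILED_ROUTES = [(template_to_regex(t), r) for t, r in ROUTE_RESOURCES.items()]


def resource_for_path(path: str) -> Optional[str]:
    """Return the resource an API path accesses, or None if it is not access-controlled."""
    path = path.split("?", 1)[0]  # the query string plays no part in route matching
    for regex, resource in COMPILED_ROUTES:
        if regex.match(path):
            return resource
    return None


def auth_server_check(token: str, resource: str) -> bool:
    """Stand-in for the call to Authentication Server AS with (token, resource)."""
    return resource in TOKEN_PERMISSIONS.get(token, set())


def gateway_authenticate(path: str, token: Optional[str]) -> Tuple[bool, str]:
    """Authentication Handler decision for one request: (allowed, reason)."""
    resource = resource_for_path(path)
    if resource is None:
        return True, "no access-controlled resource; forwarded without AS call"
    if not token:
        return False, "missing token"  # fail closed: protected resource, no credential
    if auth_server_check(token, resource):
        return True, f"token permitted on resource '{resource}'"
    return False, f"token denied on resource '{resource}'"
```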
--
Best Wishes & Regards
———————————————
Alec Zheng