> On 22.07.2016 at 11:47, Holger Freyther <hol...@freyther.de> wrote:
> 
>> On 22 Jul 2016, at 16:17, Norbert Hartl <norb...@hartl.name> wrote:
> 
> Hi!
> 
>> Taking the assumption of having 20 service images, every image would need to 
>> get back to A in order to check authorization information. The more service 
>> images you have, the more load it will put on A. In a JWT use case scenario 
>> the same would look like this:
>> 
>> 1. client C authenticates and receives a JWT containing authorization 
>> information. The token is signed by A
>> 2. client C hands out JWT to service S
>> 3. S checks the signature of A and knows that the authorization information 
>> contained is valid. 
>> 4. S grants C access
> 
> thank you for the information! I have one rather specific question. How is 
> the token normally transported from C to S? Part of the body/data of a 
> POST/PUT/GET? A custom header inside the HTTP request?

It is up to you how you like to do it. It could be:

- Client C asks A for authorization and gets back a JWT in the response body
- Client C adds the JWT token as HTTP Header "Authorization: Bearer [token]" to 
ask the service in a usual fashion
- Service S checks signature of token and extracts permission set and grants 
them

or 

- Client C asks service S to do something
- Service S redirects C to A giving a redirect_url as query parameter in the url
- A checks authorization with C and then redirects the request to the 
request_uri having the token as query parameter of the uri

or 

- Client C asks service S to do something
- Service S redirects C to A giving a redirect_url as query parameter in the url
- A checks authorization with C and then redirects the request to the 
request_uri having an exchange code in the query parameters
- S exchanges the exchange code at A for an authorization token

There are plenty of scenarios possible. It depends whether it is about authorization 
or authentication and which "standard" to use. You can always roll your own. If 
you have many services it could be feasible to combine all permissions you need 
into one JWT, then send it to A. If your claims are valid you get back the 
signed token from A. You could then use the same token for all your services.

Hope this helps,

Norbert
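An added example, not from the thread, of the first flow above in Python using only the standard library: A issues an HS256 JWT, S takes it from the `Authorization: Bearer` header, pins the algorithm, verifies the signature in constant time, checks `exp`, and grants only if the `permissions` claim carries what the request needs. The secret, claim names and `permissions` layout are constructed for the example; note that with HS256 the verifying service S holds the same key as A, so an asymmetric algorithm is what keeps S from being able to mint tokens itself.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key shared by the authorization server A and service S
# (HS256). With an asymmetric algorithm only A would hold the signing key.
SECRET = b"constructed-example-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Role of A: sign the authorization claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_bearer(authorization: str, secret: bytes = SECRET, now=None) -> dict:
    """Role of S: parse 'Authorization: Bearer <jwt>', check signature and expiry, return claims."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token must never choose it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # Require an expiry so a stolen token does not stay valid forever.
    if "exp" not in claims or claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def is_permitted(authorization: str, permission: str, now=None) -> bool:
    """Role of S: grant access only if a valid token carries the permission."""
    try:
        return permission in verify_bearer(authorization, now=now).get("permissions", [])
    except ValueError:
        return False
```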
