When moving to microservices, you will come to the conclusion that securing them has to be tackled differently than securing a monolithic application.

While designing the solution, questions like “Where and how do I implement authentication and authorization?” and “How do I authorize users for specific actions?” can pop up. In this article, a solution to these questions will be introduced.

First, the differences between authentication and authorization will be explained. Secondly, OpenID Connect and OAuth2 will be introduced as solutions for centralized authentication and authorization in microservice architectures. Lastly, two implementation choices for authorization will be explained.


What are the differences between authentication and authorization?

When talking about securing applications, the terms authentication and authorization will pop up. Although the terms are often used interchangeably, they serve different purposes in the spectrum of application security.

Authentication is the process of verifying that an entity really is who (or what) it claims to be. Authorization is the process of verifying whether that entity is allowed to access specific information or to execute certain actions.

In the overall security flow both principles have their place, and either one on its own can still make a request fail. As a rule, authentication comes first and authorization second: when a user is authenticated but not authorized, the request will still fail.
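To make that ordering concrete, here is an added example (not code from the original article) of a request pipeline for a single microservice endpoint that authenticates first and authorizes second. The HMAC-signed token format, the `SECRET`, the scope names, the route table and the user "alice" are all constructed for this illustration; a real service would instead validate tokens issued by its OpenID Connect/OAuth2 provider, but the split between the two steps and the distinct failure codes (401 for "who are you?", 403 for "you may not do this") stay the same.

```python
"""Added example (not from the original article): a minimal authn-then-authz
request pipeline. Tokens, scopes and routes are constructed in-memory stand-ins
for what an OpenID Connect / OAuth2 provider and a real router would supply."""
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed shared secret (hypothetical). A real service would verify
# provider-signed tokens, e.g. RS256 JWTs, rather than a local HMAC.
SECRET = b"example-shared-secret"


@dataclass(frozen=True)
class Principal:
    """The identity established by authentication, plus its granted scopes."""
    subject: str
    scopes: frozenset


def issue_token(subject: str, scopes) -> str:
    """Issue a constructed token: urlsafe_b64(payload) '.' urlsafe_b64(hmac-sha256)."""
    payload = json.dumps({"sub": subject, "scope": sorted(scopes)}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def authenticate(authorization_header: Optional[str]) -> Optional[Principal]:
    """Authentication: establish WHO the caller is.

    Returns None when the header is missing, malformed, or the signature does
    not verify. Nothing here looks at what the caller wants to do."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    return Principal(subject=claims["sub"], scopes=frozenset(claims.get("scope", [])))


def authorize(principal: Principal, required_scope: str) -> bool:
    """Authorization: decide whether this already-known identity may perform the action."""
    return required_scope in principal.scopes


# Constructed route table: the scope each (method, path) requires.
ROUTES = {
    ("GET", "/orders"): "orders:read",
    ("DELETE", "/orders/42"): "orders:delete",
}


def handle_request(method: str, path: str, headers: dict) -> int:
    """Return an HTTP status code for the request.

    Authentication runs first; authorization only runs for an authenticated
    caller. An authenticated-but-unauthorized request still fails, but with
    403 rather than 401, which tells the client which step rejected it."""
    required = ROUTES.get((method, path))
    if required is None:
        return 404
    principal = authenticate(headers.get("Authorization"))
    if principal is None:
        return 401  # identity not established
    if not authorize(principal, required):
        return 403  # identity known, action not permitted
    return 200


if __name__ == "__main__":
    token = issue_token("alice", ["orders:read"])
    print(handle_request("GET", "/orders", {"Authorization": "Bearer " + token}))         # 200
    print(handle_request("DELETE", "/orders/42", {"Authorization": "Bearer " + token}))   # 403
    print(handle_request("GET", "/orders", {}))                                            # 401
```

Keeping `authenticate` ignorant of the route and `authorize` ignorant of token parsing is what lets the two concerns be placed in different components later (for example token validation at an API gateway and scope checks inside each service), which is the subject of the implementation choices discussed below.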


Authentication and Authorization in Microservices: How to Implement It?