The general design of the Headstart Framework makes it flexible to implement an Identity Access Management (IAM) service. Then, we could use the service with both monolith or distributed applications. Also, we could turn a Headstart application into an Identity Access Management (IAM) service for Microservices authentication and authorization. Microservices can authenticate requests via JWT tokens and control access with the same set of authorities (permissions) across services. Note that Headstart does not authorize users on roles because they are merely containers of permissions.
Headstart Framework Checks User Authorization Across Microservices
Authentication and authorization go hand-in-hand to ensure users have the proper access and permissions to resources or services. They are easy to implement in monolith applications, but not across Microservices. With the Headstart Framework, we can check for a user’s permissions using standard Spring Security annotations like @PreAuthorize across Microservices.
For instance, we have Microservice A and B, where A directly uses B. A concrete example could be a Product Catalog service that uses an Inventory service. A user could have all permissions to the Product Catalog service. However, he could have limited access to the Inventory service.
Turn A Headstart Application Into An IAM Service
The Headstart framework allows us to turn an application into an IAM service using only one Headstart Maven dependency. First, we can create a Spring Boot application via Spring Initlzr with Maven dependency on Spring Security, among other dependencies. Then, update the pom.xml to include Maven dependency whose codes do not access shared security configuration files or databases.
1 2 3 4 5 | <dependency> <groupId>com.turreta.headstart.iam.adapter</groupId> <artifactId>headstart-iam-adapter</artifactId> <version>0.0.1-SNAPSHOT</version> </dependency> |
Then, configure the service to point to our Headstart IAM service using the following property.
1 | headstart.api.app.authentication.url |
For example, we can have this configuration.
1 | headstart.api.app.authentication.url=http://localhost:9090/api/app/authenticate |
Assume our Product Catalog service has a controller, as shown below.
1 2 3 4 5 6 7 8 9 10 | @RestController @RequestMapping("products") public class MyController { @GetMapping() @PreAuthorize("hasAuthority('find_product')") public ResponseEntity<String> getAllProducts() { return ResponseEntity.ok().body("All information on products"); } } |
We can get all the production information using the following technical details. The Product Catalog service sends the received token to the IAM service for validation. Overall, the whole picture would be what the diagram below portrays.
If the JWT token is valid, we get the information on products.
1 2 3 | HTTP GET HTTP://localhost:8080/products Headers Authorization: Bearer <JWT-TOKEN> |
Similarly, the Product Catalog service can send the same token in requests to the Inventory service for data or additional processing.
