API Gateway, Microservices forwarding user context


Let me describe our setup. We have a number of frontend SPAs that access Microservices via an API Gateway. In some instances we have “aggregator” services that call several microservices to collate data into a useful response. The API Gateway therefore either proxies to a core microservice or an aggregator.

In terms of authorisation we have a number of requirements:

  1. Role based access control - Depending on the role of the user they should be able to access specific endpoints.
  2. Attribute based access control - In some circumstances, RBAC is not enough. Users are grouped into accounts. Users should be able to see their own data and any data in the account. A user can be a member of multiple accounts.

The question is - how should we build the 2nd requirement (ABAC). Users can authenticate with Auth0 and pass the access token to the API Gateway. The API Gateway does not have the information needed (which accounts the user is a member of) in order to authorise the request. Therefore, my feeling is that the API Gateway should “forward” the token to the respective core microservice (or potentially aggregator which would forward it again). This would mean that the core microservice receives the end users token and can decide whether or not they should access the data. However, I can’t see how to implement this with Auth0 - how would this be setup? Would we create APIs for all microservices?

This is not an uncommon scenario so I wonder how other people are achieving the same thing.

Any help much much appreciated.