Microservices - Communication between APIs with User token

Hi everyone,

I am writing because our development team is having problems with the following micro-services situation:

We want to implement an Authorization/Authentication service; in this case it's Auth0.
But before we move to a paid plan, we would like to see how it would work and how it would be to set up, via the UI, the following situation:

User authenticates by credentials (e.g. login) → Gets a JWT Bearer token with the user information and the roles/permissions he has → Makes a request to API A with the Bearer token he got from the authentication → API A verifies that the token contains a permission X and a role Y → API A returns a response because the user is authorized and authenticated → User wants to make a request to API B → Uses the same token he got in the second step → API B verifies the same token for permission XY and role ZY → returns a response because he is authenticated and authorized.

Basically, the user can make requests to all APIs with a single token, because they will check the permissions and roles inside the token.

The problem here is the following: we are using the Spring Framework (Java), and we tried using .antMatchers().hasRole() and .hasAuthority(), and it works if the token is a machine-to-machine token. But when we try to use the token obtained from the user login, we get an HTTP 403 error, because it does not have "scope": "read:messages".

The JWT I get at the moment is the following:

    {
      "xxxxxxxxxx": {
        "groups": [],
        "roles": [
          "ROLE_MainUser"
        ],
        "permissions": [
          "read:messages"
        ]
      },
      "iss": "xxxxxxxxxx/",
      "sub": "xxxxxxxxxx",
      "aud": [
        "xxxxxxxxxx",
        "xxxxxxxxxx"
      ],
      "iat": xxxxxxxxxx,
      "exp": xxxxxxxxxx,
      "azp": "xxxxxxxxxx",
      "scope": "openid profile email",   <--- read:messages should be here?
      "permissions": [
        "read:messages"
      ]
    }

How can we implement a flow that works like I described in the 3rd paragraph? At the moment I can get an answer from the APIs only for requests that require authentication; for the other ones, which require authorization (roles, permissions), I can't get it to work.

Any help will be appreciated!

Thanks!

Kind Regards,
Dany

Hi @ferreira.dany.1998,

The problem comes down to you using the RBAC (Role Based Access Control) approach, which puts the permissions into the permissions claim, while the Spring library expects to check the scope claim in the JWT.

This question came up before; there's a way to put the user's permissions into the scope claim via a Rule (rule code in the thread):

Note though that this always calls the Auth0 Management API (which is rate limited) on every login.

(The alternative is to make changes to the Spring classes and let them check for the permissions claim instead of the scope claim. I'm not too familiar with the latest Spring Security, but maybe there are ways to add custom verifiers that can check any given claim.)

Apart from that, I'd like to point you to this docs page, which is about representing multiple APIs. It seems that you're already following this; I just wanted to make you aware that there's documentation around that as well.
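The second option from the reply (teach Spring Security to read the permissions claim rather than changing the token) can be done with a custom authorities converter, as in this added example; it is not code from the thread or from Auth0. It assumes the Spring Security 6 API (`authorizeHttpRequests`/`requestMatchers`; on 5.x use `authorizeRequests().antMatchers()`), and `CLAIMS_NAMESPACE` is a placeholder for the namespaced object shown as "xxxxxxxxxx" in the posted token.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    // Placeholder for the namespaced custom claim ("xxxxxxxxxx" in the posted token)
    // that the Auth0 Rule adds; it holds the "roles" array such as "ROLE_MainUser".
    static final String CLAIMS_NAMESPACE = "https://example.invalid/claims";

    // Builds authorities from three places: the standard "scope" claim (so
    // machine-to-machine tokens keep working as SCOPE_*), the top-level RBAC
    // "permissions" claim (so hasAuthority("read:messages") works for user
    // tokens), and the namespaced "roles" array (so hasRole("MainUser") works).
    static Converter<Jwt, Collection<GrantedAuthority>> claimsToAuthorities() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        return jwt -> {
            List<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
            List<String> permissions = jwt.getClaimAsStringList("permissions");
            if (permissions != null) {
                permissions.forEach(p -> authorities.add(new SimpleGrantedAuthority(p)));
            }
            Map<String, Object> custom = jwt.getClaim(CLAIMS_NAMESPACE);
            if (custom != null && custom.get("roles") instanceof List<?> roles) {
                roles.forEach(r -> authorities.add(new SimpleGrantedAuthority(String.valueOf(r))));
            }
            return authorities;
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(claimsToAuthorities());
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/messages").hasAuthority("read:messages")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

The same converter bean can be reused unchanged in API A and API B, so one token authorizes against both as long as each API's audience is in the token's aud list and issuer/signature validation (configured via the resource server's issuer-uri) still applies.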