Access Tokens or alternatives with microservices for determining User Access to Database resources


Hi, I have the following structure:

  Client App (layer 1) -> Business Logic Services (layer 2)

The business logic layer consists of many microservices. An access token can be created and passed from the app layer to the business logic layer. The business logic layer can validate the access token and allow access to the required operations.

But the scenario is: user A, once logged in, can access Resource 1 but not Resource 2 (here "resource" means individual records in the database). How would I manage this situation? These checks on resources are quite expensive and ideally would need to be done only once.

However, should each of my business layer microservices always cross-check whether the user can access the resource? Or should a separate access token be created when the user tries to open each resource and passed to the business logic layer, so that it can trust it and allow the request?

2

There are 2 answers

0
David Guida On

Ideally, you should have an API Gateway between your Client and all the underlying microservices. This Gateway would check the user token, validate it and decide if the user can call the backend service based on the user's claims.

2
S. Dale On

Consider this design:

  1. User accesses web client
  2. Web client sends request to the gateway.
  3. User isn't authenticated in gateway, so gateway in some way (OpenID, form, basic Http, etc.) prompts authentication.
  4. Client sends authentication to gateway.
  5. Gateway stores authentication in security context. Authentication also contains authorization (gateway knows who user is and what user can do).
  6. User accesses resource.
  7. Web client requests from gateway.
  8. Gateway verifies authentication and authorization.
  9. Gateway sends request to service (if user has authority) or sends error to client.

You can have additional checks in services, if you'd like.

One application might look like React -> Spring Security (Spring Boot RESTful API) -> NodeJS Server -> SQL or NoSQL storage.

But your question specifies:

"But the scenario is: user A, once logged in, can access Resource 1 but not Resource 2 (here "resource" means individual records in the database). How would I manage this situation? These checks on resources are quite expensive and ideally would need to be done only once."

Maybe you need to be more specific. Often we pull from tables without pulling ALL records, using comparators and checks within the database.

If you're saying you'd like to NOT test each record (NOT include something like a WHERE clause), then consider creating specific services (and tables) based on authorization (which can be checked in the gateway) and then calling specific services based on the user's authorization.
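The gateway-then-WHERE-clause design described above, written out as an added example (not code from either answer). It assumes a constructed HMAC-signed token format in place of a real JWT library, a hypothetical resource_acl table, and in-memory sample data: the gateway verifies the token once, and the service then lets the database enforce record-level access in the query instead of checking each record in application code.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed signing key shared by the token issuer and the gateway (assumption).
GATEWAY_KEY = b"demo-shared-secret"

def issue_token(claims: dict, key: bytes = GATEWAY_KEY) -> str:
    """Mint a compact token: base64(json claims) '.' base64(hmac-sha256)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = base64.urlsafe_b64encode(hmac.new(key, body.encode(), hashlib.sha256).digest()).decode()
    return f"{body}.{sig}"

def gateway_verify(token: str, key: bytes = GATEWAY_KEY) -> dict:
    """Gateway step: check the signature once; return the claims or reject."""
    body, _, sig = token.partition(".")
    expected = base64.urlsafe_b64encode(hmac.new(key, body.encode(), hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token signature")
    return json.loads(base64.urlsafe_b64decode(body))

def build_db() -> sqlite3.Connection:
    """Constructed sample data: two records plus a per-record ACL table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE resource(id INTEGER PRIMARY KEY, payload TEXT);
        CREATE TABLE resource_acl(resource_id INTEGER, user_id TEXT,
                                  PRIMARY KEY(resource_id, user_id));
        INSERT INTO resource VALUES (1, 'record one'), (2, 'record two');
        INSERT INTO resource_acl VALUES (1, 'userA'), (2, 'userB');
    """)
    return conn

def fetch_resource(conn: sqlite3.Connection, claims: dict, resource_id: int):
    """Service step: trust the gateway-verified claims, but let the WHERE clause
    decide record access; the service never loads records the user cannot see.
    Returns the payload, or None when the user is not allowed to read it."""
    row = conn.execute(
        "SELECT r.payload FROM resource r "
        "JOIN resource_acl a ON a.resource_id = r.id "
        "WHERE r.id = ? AND a.user_id = ?",
        (resource_id, claims["sub"]),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    claims = gateway_verify(issue_token({"sub": "userA"}))
    print(fetch_resource(db, claims, 1))  # record one
    print(fetch_resource(db, claims, 2))  # None: user A may not read resource 2
```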