C# · 8mo ago
Neophyte

Federated authentication with Microservices - options pro/con?

Let's say we have an Authentication API (with a minimal Angular frontend app) with geo-replication in a cloud environment, and we have the main API supporting the user's main interface, which is hosted in several regions. Our authentication flow is as follows:

1) The user authenticates on the AUTH application with username + password + 2FA.
2) Upon successful authentication, we request a token from the relevant MAIN application and redirect the user to the relevant endpoint with this token.
3) Upon landing, the MAIN application verifies the token and checks with the AUTH API that the user logging in is indeed the one the token was generated for.

The objective: we need to ensure that certain components of the MAIN applications are available to certain users. Some user journeys involve a joint workflow with peers. In this process we send an invitation to the peers, which forces them to go through the above auth flow.

Important 1: these peers may need to join again in the future (weeks/months later), and it is not required that the same peers join (maybe fewer, maybe more).

Important 2: there is always a coordinator who initiates the workflow. Peers cannot join without the coordinator initiating it.

The business need is that peers do not need to go through this auth process but have access to the content of the workflow, and only for that workflow. The business suggests the use of some federated authentication. The reason is that, due to the long intervals between joining the workflow, peers might end up forgetting their credentials.
1 Reply
Neophyte (OP) · 8mo ago
I see three options:

1) Don't use federated auth services (like Azure AD, AWS, Google, Facebook, etc.), but with the invitation sent out to the peers, send a custom token as well with a certain expiry, which allows them to go through the above process without the hassle of username + password + 2FA.
2) Upgrade the auth flow so that we can enforce/optionally enable users to set up additional OAuth options. Then during the next invite they can use whichever OAuth provider they registered earlier.
3) Require the coordinator to maintain a group/role within their OAuth provider. We store this info, and upon a request for access to the workflow content we dynamically check whether the given role/group info is provided during cookie authentication.

Questions:
- What are the pros/cons of each option?
- What other options might there be?
- Why?

I personally favour 1 or 2, but have my pro/con list for each. Thanks