Include Tenant & Permissions into ID Token (JWT)

We’re planning to use JWT to send the permissions of a user to every microservice. The ID Token (JWT) will currently be created by Okta. But it seems tricky and not a good practice for us to send the data to Okta so that it can create the complete JWT as ID token for us. I found this article (Authentication and Authorization in Microservices - DZone Microservices) (especially the picture at the end), which sounds to me as if they’re requesting an Access Token from their Global Auth module (e.g. Okta) and after that creating their own JWT based on the Access Token and using that for further communication with the Microservices. Would you say that this is a good practice, or do you have a better approach for me?

JWT structure:

```json
{
  "tenants": {
    "permissions": {
      ...
    }
  }
}
```

We’re having a decoupled multi-tenant Self-Contained Service structure that is optimized so that we can easily integrate every SCS as its own service in another ecosystem.
Microfrontend_1 → Backend-Microservice_1
Microfrontend_2 → Backend-Microservice_2

For that, we have designed an authorization service that keeps all tenants and roles. Every SCS manages its own permissions, but not roles. They register with the authorization service and expose all their permissions to it. Inside the authorization service, the permissions are grouped into roles, so that we can more easily assign permissions to users and the SCSs don’t have to bother about the application roles. For that, we thought of having a JWT that contains all tenants and associated permissions per SCS.
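The flow sketched above (validate Okta's token, then mint an internal JWT carrying tenants and per-SCS permissions, which each microservice verifies locally) as an added example; this is not code from the post, from Okta, or from the DZone article. It assumes an HS256 shared secret for the internal token, an issuer name of `authorization-service`, and a claim layout of `{tenant: {scs: [permission, ...]}}`; the Okta access token is assumed to have already been verified, and only its `sub` is copied.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_internal_token(okta_claims, tenants, secret, now=None, ttl=300):
    """Authorization service: build the internal JWT after Okta's token was verified.
    `tenants` uses the assumed layout {tenant: {scs: [permission, ...]}}."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "authorization-service", "sub": okta_claims["sub"],
               "iat": now, "exp": now + ttl, "tenants": tenants}
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_internal_token(token, secret, now=None):
    """Microservice side: pin the algorithm, check signature, issuer and expiry.
    Returns the payload dict, or None if anything fails."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # do not let the token pick the algorithm
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None
    payload = json.loads(_unb64(p))
    if payload.get("iss") != "authorization-service" or payload.get("exp", 0) <= now:
        return None
    return payload

def has_permission(payload, tenant, scs, permission):
    """Authorization decision inside one SCS: is `permission` granted for `tenant`?"""
    return permission in payload.get("tenants", {}).get(tenant, {}).get(scs, [])
```

Each microservice only needs the verification secret (or, with an asymmetric algorithm, the public key) and never has to call back to the authorization service per request.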