In this third article discussing the AuthenticationService, we focus on the implementation of the core logic found in the AuthenticationService class and the JWTAuthorizationFilter, which intercepts service requests and verifies that each request has sufficient privileges to access the resource.
Most applications require some form of authentication to restrict access to various secured service features. Additionally, we need a mechanism to register users and to recover a user's forgotten password. To fulfill these requirements, this will be the first of a four-part series of articles covering the construction of the AuthenticationService. In this article, we introduce the basic components of the AuthenticationService.
A monolithic application's resources share the same execution environment, which allows them to share a common authentication and authorization mechanism. In a microservice architecture, however, each service runs in its own execution environment and cannot share a common authentication and authorization mechanism. This article introduces an approach that divides the authentication and authorization responsibilities within the application. Authentication is handled by an Authentication Service that verifies a user's credentials and issues the caller a JSON Web Token (JWT) representing the authenticated user. Any service that contains secured resources is responsible for authorizing access to them. The service authorizes access by comparing the claims contained in the JWT against the privileges the resource requires.
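The split described above, shown end to end as an added Python example (not the project's own Java code): the Authentication Service side mints an HS256-signed JWT whose claims list the user's privileges, and the resource-service side plays the JWTAuthorizationFilter role by checking the signature, the pinned algorithm and the expiry before comparing the claims against the privileges the resource requires. The shared symmetric key, the `privileges` claim name and the privilege strings are assumptions made for this example; the original project may use a different algorithm, key distribution or claim layout. Only the standard library is used so it runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret shared by the Authentication Service and the resource services
# (assumption for this example: a symmetric HS256 key; never ship a hard-coded key).
SHARED_SECRET = b"example-only-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, privileges: list, now: int, ttl_seconds: int = 3600) -> str:
    """Authentication Service side: after the caller's credentials have been verified,
    mint a JWT whose claims name the user and the privileges they hold."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "privileges": privileges, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, now: int) -> Optional[dict]:
    """Resource-service side: validate structure, algorithm, signature and expiry.
    Returns the claims on success and None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers malformed base64, bad UTF-8 and invalid JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: a token claiming "none" or any other alg is rejected outright,
    # so the header can never downgrade the check to an unsigned token.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def authorize(token: str, required_privileges: set, now: int) -> bool:
    """The JWTAuthorizationFilter role: grant access only when the verified claims
    include every privilege the requested resource requires."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    granted = set(claims.get("privileges", []))
    return required_privileges <= granted


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value so the demo is reproducible
    token = issue_token("alice", ["orders:read"], now)
    print("read allowed :", authorize(token, {"orders:read"}, now))
    print("write allowed:", authorize(token, {"orders:write"}, now))
    print("after expiry :", authorize(token, {"orders:read"}, now + 3600))
```

Because every resource service holds the verification key and the required-privilege set for each of its resources, no service needs to call back to the Authentication Service per request; the token itself carries the authenticated identity, and the filter's job reduces to signature, expiry and claim checks.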