Sascha Preibisch

Microservices secured with OAuth access_token

Blog Post created by Sascha Preibisch Employee on Oct 21, 2015

A microservice should be an easy-to-maintain, feature-oriented API. Nevertheless it needs to be secured, and that may be just as difficult as with any other API. Luckily, if OAuth is used, there are many possibilities for securing the service and implementing many kinds of validations simply by requiring an access_token as the credential.


If you look at the graphic below you will see how many attributes are associated with a single token (or might be associated, depending on your OAuth product features):


[Screenshot: attributes associated with a single access_token (Screen Shot 2015-10-21 at 11.44.34 AM.png)]

Knowing that enables an API developer to verify a few, or maybe even all, of those attributes to secure access to the service. Here are some ideas of what could be implemented based on this knowledge:

  • access control based on username (the resource_owner)
  • access control based on client_id
  • access control based on the access_token's age and maybe its last use; a sliding window, as with session cookies, can be implemented
  • a limited feature set based on the grant_type used: for tokens issued via the implicit grant_type the API may be more restrictive than for tokens issued via the authorization_code grant_type
  • access control by granted scope, the most obvious choice in the context of OAuth
  • denying access for public clients
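
The checks in the list above, as one policy function over the attributes a token introspection response carries. This is an added example and not code from the original post or from any particular OAuth product: it assumes the microservice obtains the token's attributes from an RFC 7662 introspection endpoint, where active, scope, client_id, sub, exp and iat are standard names, while grant_type, client_type and last_used are assumed extension attributes that an OAuth product might return. The sample introspection responses are constructed.

```python
"""Attribute-based access control for a microservice protected by an OAuth access_token.

Added example, not from the original post. Assumes the token attributes come from an
RFC 7662 introspection response (dict). 'active', 'scope', 'client_id', 'sub', 'exp' and
'iat' are RFC 7662 names; 'grant_type', 'client_type' and 'last_used' are assumed
product-specific extension attributes. All sample data below is constructed.
"""
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    required_scopes: frozenset                     # every listed scope must be granted
    allowed_clients: Optional[frozenset] = None    # None means any client_id is accepted
    blocked_users: frozenset = frozenset()         # resource owners never allowed here
    max_age_s: int = 8 * 3600                      # oldest token (iat) this service accepts
    idle_timeout_s: int = 15 * 60                  # sliding window on last use
    deny_public_clients: bool = True
    # grant types strong enough for non-safe HTTP methods (implicit is deliberately absent)
    write_grant_types: frozenset = frozenset({"authorization_code", "client_credentials"})


def _scopes(info):
    # RFC 7662: 'scope' is a space-separated string
    return frozenset(info.get("scope", "").split())


def authorize(info, policy, method="GET", now=None):
    """Return (allowed, reason) for one request carrying the introspected token `info`."""
    now = time.time() if now is None else now
    if not info.get("active", False):
        return False, "token inactive"
    # Expiry check, even though the authorization server normally enforces it too
    if "exp" in info and now >= info["exp"]:
        return False, "token expired"
    # Age-based control: this service may accept a shorter lifetime than the AS issued
    if "iat" in info and now - info["iat"] > policy.max_age_s:
        return False, "token too old"
    # Sliding window on last use (assumed 'last_used' extension attribute)
    if "last_used" in info and now - info["last_used"] > policy.idle_timeout_s:
        return False, "token idle too long"
    # Deny public clients (assumed 'client_type' extension attribute)
    if policy.deny_public_clients and info.get("client_type") == "public":
        return False, "public clients not allowed"
    if policy.allowed_clients is not None and info.get("client_id") not in policy.allowed_clients:
        return False, "client not allowed"
    if info.get("sub") in policy.blocked_users:
        return False, "resource owner blocked"
    # Feature limit by grant type: only safe methods for tokens from weaker grants
    if method.upper() not in ("GET", "HEAD", "OPTIONS") and info.get("grant_type") not in policy.write_grant_types:
        return False, "grant_type %r may not %s" % (info.get("grant_type"), method.upper())
    missing = policy.required_scopes - _scopes(info)
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"


# Constructed sample data with a fixed clock (not real tokens or users)
NOW = 1_445_450_000
CODE_TOKEN = {
    "active": True, "scope": "orders:read orders:write", "client_id": "web-app",
    "client_type": "confidential", "sub": "alice", "grant_type": "authorization_code",
    "iat": NOW - 600, "exp": NOW + 3000, "last_used": NOW - 60,
}
IMPLICIT_TOKEN = dict(CODE_TOKEN, client_id="spa", client_type="public", grant_type="implicit")
STALE_TOKEN = dict(CODE_TOKEN, last_used=NOW - 3600)

ORDERS_POLICY = Policy(required_scopes=frozenset({"orders:read"}),
                       allowed_clients=frozenset({"web-app", "spa"}))
LENIENT_POLICY = Policy(required_scopes=frozenset({"orders:read"}), deny_public_clients=False)

if __name__ == "__main__":
    for name, tok, pol, method in [("code/POST", CODE_TOKEN, ORDERS_POLICY, "POST"),
                                   ("implicit/GET", IMPLICIT_TOKEN, ORDERS_POLICY, "GET"),
                                   ("implicit/GET lenient", IMPLICIT_TOKEN, LENIENT_POLICY, "GET"),
                                   ("implicit/POST lenient", IMPLICIT_TOKEN, LENIENT_POLICY, "POST"),
                                   ("stale/GET", STALE_TOKEN, ORDERS_POLICY, "GET")]:
        print(name, authorize(tok, pol, method, NOW))
```

Each rejection returns the first failing check rather than the full set; that is deliberate, since a microservice should log the reason but return a generic 401/403 to the caller and not enumerate which conditions a token did satisfy.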


The next time you hear someone saying: OAuth does not fit into the microservices world, explain the benefits!
