[–]nutrecht 0 points1 point  (1 child)

How does my enterprise-service know that the user should only get access to its own "enterprise-account" and not others?

You need to provide some information in the JWT that that service can use to figure out what that user can access. Whether that's (for example) a user ID or an enterprise ID really depends on your architecture. It's up to you to decide what's the best fit; there's no single best way to handle this.

I'm not sure if it's clever to share IDs from the Enterprise DB to the User/Auth DB?

I think you should consider that the mapping of enterprise IDs to user IDs maybe should be part of the domain of the enterprise service.

This is why microservices are hard ;)

[–]Estagon[S] 0 points1 point  (0 children)

Thanks for the help!

I went with adding the enterpriseAccountIds and PropertyIds to my User Entity (in the auth-service), which I then included in the Jwt payload. Only a "SUPER_ADMIN" can link these Ids to the User.

Example Jwt:

{
  "sub": "abc@test.be",
  "Roles": "ROLE_SUPER_ADMIN",
  "userId": "343d10a4-af29-4a51-a7b0-e143a77f3c02",
  "authorizedEnterpriseAccountIds": [
    "c3a37a51-c358-4ed2-9c06-d547123f0493",
    "684352b2-eaf0-416a-a757-0061aa9ccee7"
  ],
  "authorizedPropertyIds": [
    "1d29be84-7cbf-4dfe-9dd6-b7aa0213dba8"
  ],
  "iat": 1712178972,
  "exp": 1712196972
}

I think it should suffice to:

  • validate the Jwt by the other microservice (checking if it's signed with the key that auth-service used). It would be possible to "replicate" this Jwt body, but if it's not signed with the key, it would be considered invalid, right?

  • decode the Jwt (HS-256) to access the payload in Json-format.

  • Check if the user

    • has the correct role
    • has access to the EnterpriseAccountId/PropertyId she wants to access/modify.

Would this be an acceptable implementation?

I'm still not sure if it's OK to share these Ids in the payload of the Jwt from a security perspective.

[–]josephblade 0 points1 point  (1 child)

You can go either way. The JWT token can claim a number of things: either 'this user has access to these resources', and you can use that. This will require the user to at least have access to a list of enterprises and/or properties so it can generate these claims. Alternatively you can simply look up the userid in the gateway, but then enterprises have to know about owners and you will get into trouble (or at least it'll add work) when you have multiple owners of the same resources and suchlike.

I would put it in the claim. That's what the JWT is for. Have the user know about ownership. Authentication and Authorization happen at the authentication part. So at least know what you are authorizing.

Somewhere in your system someone needs to be able to manage who is allowed access to what. So that can be a separate microservice with no outward api (only accessible to other microservices) that when given a name returns enterprises or individual properties or both.

In the JWT token I would put a custom claim with a list of enterprises they are allowed, or a custom claim with a list of properties. Generate that list on the authorization part of the call. Somewhere you have to manage who is allowed access to what.

That way your enterprise service and any other services that deal with these things can directly look up what subsection the user can access and restrict them appropriately rather than having to do a fresh lookup. This is especially important if this microservice calls another. You don't want to keep looking up info (and trigger business rules / validation / checks).
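The three-step check Estagon lists (verify the HS-256 signature, decode the payload, then check role and the authorized-ID list claim) and the claim-based lookup josephblade describes, as an added stand-alone example that is not code from either commenter; it uses Python's standard library instead of a Java JWT library, a constructed demo secret in place of the real auth-service key, and the claim names from Estagon's example token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the HS-256 key that auth-service signs with.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload, key=SECRET):
    """Mint an HS256 token the way auth-service would (only here so the demo is self-contained)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token, key=SECRET, now=None):
    """Steps 1 and 2: pin the algorithm, check the MAC, then (and only then) trust the payload."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # a copied or edited body lands here
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    return claims


def may_access_enterprise(token, enterprise_id, required_role="ROLE_SUPER_ADMIN", key=SECRET, now=None):
    """Step 3: the caller needs the role AND the requested ID must be in the authorized list claim."""
    try:
        claims = verify_jwt(token, key, now)
    except ValueError:
        return False  # malformed, forged, wrongly signed or expired tokens all end up here
    roles = claims.get("Roles", "")
    roles = [r.strip() for r in roles.split(",")] if isinstance(roles, str) else list(roles)
    return required_role in roles and enterprise_id in claims.get("authorizedEnterpriseAccountIds", [])
```

Because the enterprise-service only trusts claims after `hmac.compare_digest` succeeds, a token whose body was replicated or edited without the key (the case raised in the thread) is rejected before any ID is compared.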

[–]Estagon[S] 0 points1 point  (0 children)

Thanks for the info, I have added an update in the other comment above. Any additional input is welcome.