Authorization and authentication are hard. When you only have to implement them once (as you do within a monolith) instead of over and over again, it makes the developer happy :-), and maybe leads to fewer implementation failures.
When you have a bunch of microservices, this is something that has to be considered.
Implement it once, in every microservice, or something in between?
approach 1: authentication and authorization handled globally
pros
- makes the developer happy :)
- fewer implementation errors
- less risk of forgetting to handle it at all
- centrally defined and handled
- smaller microservices
- less repetition in the code of the microservices
cons
- a service cannot have fine-grained object permissions
- all-or-nothing authorization
- global auth bottleneck
approach 2: authentication global, authorization in each microservice
pros
- global authentication is easier to manage/control
- fine-grained object permissions are possible
cons
- slightly more code in the microservices
- needs some effort to keep an overview of what you can do with which permission
approach 3: authentication in each microservice, authorization global
This one is listed only for completeness. It does not make sense -> worst of both worlds:
no fine-grained object permissions, plus error-prone and tedious repetitive authentication.
approach 4: authentication and authorization in each microservice
pros
- fine-grained object permissions are possible
- different user authentication mechanisms are possible for different microservices
cons
- error-prone
- many repetitions
- bigger microservices
- needs some effort to keep an overview of what you can do with which permission
- no happy developer :-(
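The option with global authentication and per-microservice object permissions, as an added example (not code from the original post): a gateway verifies a signed token once, and the "orders" service only decides whether the already-authenticated caller may see a given order. The token format, the shared key, the orders store and the role name `orders:admin` are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

SECRET = b"constructed-demo-signing-key"  # constructed: shared with the gateway only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Issued once by the central identity service (global authentication)."""
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def gateway_authenticate(token: str, now: float) -> Optional[dict]:
    """Gateway: check signature and expiry once for every service behind it."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    return None if claims.get("exp", 0) <= now else claims


ORDERS = {"o-1": "alice", "o-2": "bob"}  # constructed: order id -> owner


def orders_service_get(claims: dict, order_id: str) -> Tuple[int, str]:
    """Microservice: fine-grained object permission; identity is trusted from the gateway."""
    owner = ORDERS.get(order_id)
    if owner is None:
        return 404, "not found"
    if owner != claims.get("sub") and "orders:admin" not in claims.get("roles", []):
        return 403, "forbidden"
    return 200, f"order {order_id} of {owner}"


def handle_request(token: str, order_id: str, now: float) -> Tuple[int, str]:
    """Gateway first, then the service: authentication global, authorization per object."""
    claims = gateway_authenticate(token, now)
    return (401, "unauthenticated") if claims is None else orders_service_get(claims, order_id)
```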
links
- https://blog.andyet.com/2015/05/12/micro-services-user-info-and-auth
- http://nordicapis.com/how-to-control-user-identity-within-microservices/
- https://www.appsflyer.com/blog/how-we-solved-authentication-and-authorization-in-our-microservices-architecture/
- http://microservices.io/patterns/apigateway.html
I think approach 1 is supposed to be "do authentication and authorization globally"