We need a way to make authenticated calls from one (self-owned) service to another (self-owned) service.
We can start with a simple setup, where both services share the same secret.
It is good practice to provide endpoints for requesting new secrets that carry an expiration time. Another option is JWT authentication with an asymmetric algorithm (such as RS256), where the authentication server holds the private (secret) key and the application server only needs the public key to verify tokens.
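The asymmetric setup above, as an added example (not code from these notes or from the ruby-jwt gem): a minimal RS256 issuer and verifier written against Ruby's standard library only, with the key pair, service names and lifetime constructed for the demo.

```ruby
# Added example (not from the page or the ruby-jwt gem): a minimal RS256 JWT
# issuer and verifier using only Ruby's standard library, to make the asymmetric
# setup concrete. The auth server signs with its private key; the application
# server verifies with the public key alone and rejects expired tokens.
require 'openssl'
require 'json'

def b64url_encode(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decoding: raises ArgumentError on malformed input
end

# Auth server side: sign "header.payload" with the RSA private key (RS256).
def issue_jwt(private_key, payload)
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  signing_input = "#{b64url_encode(header.to_json)}.#{b64url_encode(payload.to_json)}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Application server side: needs only the public key.
# Returns the payload hash, or nil if the token is malformed, forged or expired.
def verify_jwt(public_key, token, now: Time.now.to_i)
  parts = token.split('.')
  return nil unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: never let the token choose how it is verified.
  return nil unless header.is_a?(Hash) && header['alg'] == 'RS256'
  signature = b64url_decode(parts[2])
  digest = OpenSSL::Digest.new('SHA256')
  return nil unless public_key.verify(digest, signature, "#{parts[0]}.#{parts[1]}")
  payload = JSON.parse(b64url_decode(parts[1]))
  return nil unless payload.is_a?(Hash) && payload['exp'].is_a?(Integer) && now < payload['exp']
  payload
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: fresh key pair, token valid for 5 minutes.
  auth_key = OpenSSL::PKey::RSA.new(2048)
  token = issue_jwt(auth_key, { 'iss' => 'auth-service', 'sub' => 'billing-service',
                                'exp' => Time.now.to_i + 300 })
  puts verify_jwt(auth_key.public_key, token).inspect
end
```

In production the application server would load the public key from configuration rather than receive it from the token, and the ruby-jwt gem linked below handles the same encoding and checks for you.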
Ruby gem: https://github.com/jwt/ruby-jwt
- https://jwt.io/introduction/
- https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
- https://www.codementor.io/omedale/simple-approach-to-rails-5-api-authentication-with-json-web-token-cpqbgrdo6
- https://medium.com/@maison.moa/using-jwt-json-web-tokens-to-authorize-users-and-protect-api-routes-3e04a1453c3e
More advanced topics: