OAuth2, microservices, and "keep me logged in" feature

I'm trying to learn more about authentication in microservices using OAuth2.

I've been reading about OAuth2, and while I understand the basics, I have great difficulty understanding how everything works together.

Let's start with an example:

I have a website, which is built on two microservices:

  • auth service: basically an OAuth2 service that uses resource-owner based password authentication.
  • album: once a user is authenticated, he can create photo albums and share them with other users of the site.
  • website has a "remember me for 30 days" option during login.
  • user should be able to see from which devices and locations he is logged in, and able to terminate them (in case of unauthorised logins). This is similar to functionality that Facebook and Dropbox provide.

Let's start with the authentication app, a typical OAuth2 response looks like this:

{"refresh_token": "aEMpqJsg6aotX9HaeVnFqqRBaQn7Bo", "access_token": "aSAX21mzmYRnizwhn1ltFZWDsIbif4", "expires_in": 36000, "token_type": "Bearer", "scope": "read write"}

The login button of my website just does an OAuth2 request to my auth service, and receives the response above. Now, what do I do with this information in order to use this? Do I just store this JSON response in a cookie? I need some form of persistence, in order to use this token for subsequent requests.

Next question: Can I just create a token which expires in 30 days, or is this considered a bad practice? If yes, how can I mitigate this without losing this functionality?

Now to the next part: My album service needs to know who the user is. I assume that the API gateway has the responsibility of making sure the token is correct, and also includes the user-id in the request? What if the album needs additional information about the user? Should it just contact the auth app for this?

I tried to find the answers to these questions myself, but it's very hard to find actual good information on this. Most of the stuff I found on the net just gave me vague answers, like "read the OAuth2 specs" or "use JWT". While I realise a good understanding of OAuth2 is necessary, it would be helpful to me if I got some explanation by someone who has actual experience in building something like this. (Book recommendations are also welcome.)


Category: oauth Time: 2016-07-30 Views: 0
Tags: oauth
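The three pieces the question circles around (what to keep after the token response arrives, whether a 30-day token is acceptable, and how a gateway and a list of active devices fit in) are easier to see in a small working model. The Python below is an added example written for this page; it is not code from the question or from any particular OAuth2 library, and it uses opaque random tokens stored as SHA-256 digests in a server-side session table rather than JWTs. The lifetimes (ACCESS_TTL, REFRESH_TTL, REMEMBER_ME_TTL), the test user "alice" and her password are all constructed for the example. The design point it shows: the bearer access token stays short-lived, the "remember me for 30 days" choice only lengthens the life of the refresh token, each login creates one session row per device, and terminating a session from the "where am I logged in" page immediately invalidates both the refresh token and any access token minted from it. The gateway's check is the `introspect` method, which returns the user id the gateway would forward to the album service.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Lifetimes are assumptions chosen for this example; the post's sample
# response uses expires_in=36000 (ten hours) for its access token.
ACCESS_TTL = 15 * 60                # short-lived bearer token
REFRESH_TTL = 24 * 3600             # plain login: refresh token lasts one day
REMEMBER_ME_TTL = 30 * 24 * 3600    # "remember me for 30 days"


def _hash(token: str) -> str:
    """Store only digests, so a copied database does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    """One logged-in device; this is the row the 'active devices' page lists."""
    session_id: str
    user_id: str
    device: str
    location: str
    refresh_expires_at: float
    refresh_hash: str = ""          # current refresh token (rotated on every use)
    prev_refresh_hash: str = ""     # last rotated-out token, kept to detect reuse
    revoked: bool = False


class AuthService:
    def __init__(self):
        self.sessions: dict[str, Session] = {}
        self.access: dict[str, tuple[str, float]] = {}   # token hash -> (session_id, expiry)
        self.users = {"alice": _hash("correct horse battery staple")}  # constructed test user

    def _token_response(self, sess: Session, now: float) -> dict:
        """Mint a new access/refresh pair and rotate the session's refresh token."""
        access = secrets.token_urlsafe(32)
        self.access[_hash(access)] = (sess.session_id, now + ACCESS_TTL)
        refresh = secrets.token_urlsafe(32)
        sess.prev_refresh_hash, sess.refresh_hash = sess.refresh_hash, _hash(refresh)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TTL, "token_type": "Bearer"}

    def password_grant(self, username, password, device, location,
                       remember_me=False, now=None) -> dict:
        """Resource-owner password grant: creates one session per device."""
        now = time.time() if now is None else now
        if self.users.get(username) != _hash(password):
            raise PermissionError("invalid credentials")
        ttl = REMEMBER_ME_TTL if remember_me else REFRESH_TTL
        sess = Session(secrets.token_hex(8), username, device, location, now + ttl)
        self.sessions[sess.session_id] = sess
        return self._token_response(sess, now)

    def refresh_grant(self, refresh_token, now=None) -> dict:
        """Exchange a refresh token for a fresh pair; the old one stops working."""
        now = time.time() if now is None else now
        h = _hash(refresh_token)
        for sess in self.sessions.values():
            if sess.prev_refresh_hash and h == sess.prev_refresh_hash:
                sess.revoked = True          # replay of a rotated token: assume theft
                raise PermissionError("refresh token reuse detected; session revoked")
            if h == sess.refresh_hash:
                if sess.revoked or now >= sess.refresh_expires_at:
                    raise PermissionError("session revoked or expired; log in again")
                return self._token_response(sess, now)
        raise PermissionError("unknown refresh token")

    def introspect(self, access_token, now=None):
        """What the API gateway calls; returns the identity to forward, or None."""
        now = time.time() if now is None else now
        entry = self.access.get(_hash(access_token))
        if entry is None:
            return None
        session_id, expires_at = entry
        sess = self.sessions.get(session_id)
        if now >= expires_at or sess is None or sess.revoked:
            return None
        return {"user_id": sess.user_id, "session_id": session_id}

    def list_sessions(self, user_id, now=None) -> list:
        """Data for the 'from which devices am I logged in' page."""
        now = time.time() if now is None else now
        return [s for s in self.sessions.values()
                if s.user_id == user_id and not s.revoked and now < s.refresh_expires_at]

    def revoke_session(self, user_id, session_id) -> bool:
        """'Terminate this device': kills the refresh token and any live access tokens."""
        sess = self.sessions.get(session_id)
        if sess is None or sess.user_id != user_id:
            return False
        sess.revoked = True
        return True
```

In this model the browser never needs the whole JSON response persisted: the client keeps the access token for the next fifteen minutes and the refresh token (in an HttpOnly cookie, or held by a backend-for-frontend on the user's behalf) for as long as "remember me" allows, and asks `refresh_grant` for a new pair when the access token lapses. Because every refresh rotates the token and a replay of the previous one revokes the session, a copied refresh token is useful to an attacker only until the legitimate device next refreshes, which is the reason a long-lived refresh token is acceptable where a 30-day access token would not be.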



Copyright (C) avrocks.com, All Rights Reserved.
