PHP Microservices: Authentication and Authorization
--
With microservices, security becomes harder to address because there are several distinct layers at which it has to be tackled:
- At the network layer, which normally involves private networks, VPNs, etc.
- At the API endpoint, for a RESTful API, which is usually handled with OAuth or JSON Web Tokens (JWT)
- At the application layer, which checks the communication between the microservices themselves
This tutorial focuses ONLY on securely transmitting information between microservices using token authentication. The token will be single-use, and it will also carry the authorization for the action being requested.
Run The Code
The code for this tutorial is available at: https://github.com/ProdigyView-Toolkit/Microservices-Examples-PHP
Use the folder named security and follow the README.
Learning From Prior Tutorials
This tutorial builds on prior tutorials that cover PHP and microservices. It is suggested that you understand those concepts before working through the material discussed here:
- Socket Programming with emails as an example
- Using A Queueing System With RabbitMQ
- Create A Restful CRUD API
Authentication vs Authorization
First, we are going to briefly summarize authentication and authorization. Authentication is the process of validating a user's credentials: is the user in the system, and does their username match their password? Authorization is the set of permissions they have in the system: can they create a user, send an email, access sensitive data?
The authentication and authorization in this tutorial will flow as follows:
- Send a login and password to the authentication service
- Get a token back
- Send that token to the payment service
- The payment service verifies with the authentication service that the token is valid…
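The four steps above, worked through as an added example that is not code from the tutorial repository. It stands in for both services in one process: the class names `AuthService` and `PaymentService`, the `payment:create` permission string, the sample user and the 60-second lifetime are all assumptions, and the in-process method call in step 4 stands in for the network request the payment service would make to the authentication service.

```php
<?php
declare(strict_types=1);

// Added example: in-process stand-ins for the authentication and payment
// services. Names, permissions and the sample user are assumptions.

final class AuthService
{
    /** @var array<string, array{hash: string, permissions: string[]}> constructed sample users */
    private array $users;
    /** @var array<string, array{user: string, permissions: string[], expires: int}> keyed by sha256(token) */
    private array $tokens = [];
    private string $dummyHash;

    public function __construct()
    {
        // Hashes are computed at start-up so the example runs offline.
        $this->users = [
            'alice' => [
                'hash'        => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
                'permissions' => ['payment:create'],
            ],
        ];
        // Verified against when the user is unknown, so a miss costs the same time as a hit.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /** Steps 1 and 2: check the credentials and hand back a single-use token (or null). */
    public function login(string $username, string $password): ?string
    {
        $user = $this->users[$username] ?? null;
        $ok = password_verify($password, $user['hash'] ?? $this->dummyHash);
        if ($user === null || !$ok) {
            return null;
        }
        $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->tokens[hash('sha256', $token)] = [    // store only a digest of the token
            'user'        => $username,
            'permissions' => $user['permissions'],
            'expires'     => time() + 60,            // assumed lifetime
        ];
        return $token;
    }

    /** Step 4: is the token valid, and does it authorize $action?
     *  The token is consumed on the first lookup, valid or not, so it cannot be replayed. */
    public function verify(string $token, string $action): bool
    {
        $key   = hash('sha256', $token);
        $entry = $this->tokens[$key] ?? null;
        if ($entry === null) {
            return false;
        }
        unset($this->tokens[$key]);                  // single use: gone after one check
        if ($entry['expires'] < time()) {
            return false;
        }
        return in_array($action, $entry['permissions'], true);
    }
}

final class PaymentService
{
    public function __construct(private AuthService $auth) {}

    /** Step 3: the caller presents the token; the decision is deferred to the auth service. */
    public function charge(string $token, int $cents): string
    {
        if (!$this->auth->verify($token, 'payment:create')) {
            return 'rejected';
        }
        return sprintf('charged %d cents', $cents);
    }
}

$auth     = new AuthService();
$payments = new PaymentService($auth);

$token = $auth->login('alice', 'correct horse battery staple');  // steps 1 and 2
echo $payments->charge($token, 1999), PHP_EOL;                   // first use: charged
echo $payments->charge($token, 1999), PHP_EOL;                   // replay: rejected
var_dump($auth->login('alice', 'wrong password'));               // NULL
```

Two points in the check are easy to get wrong in a real deployment. The token is removed from the store before the expiry and permission checks, so a replayed token fails even if the first attempt was rejected; and only a digest of the token is stored, so whoever can read the authentication service's store still cannot spend a live token. When the services run on separate hosts the `$tokens` array has to become shared storage and `verify` an authenticated request over the wire, which is the part the rest of the tutorial covers.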