PHP Microservices: Authentication and Authorization
With the complexity of microservices, security becomes a harder issue to address because there are so many areas to tackle the issue:
- At the network layer that normally involves private networks, VPNs, etc
- If Restful API, at the endpoint and is usually performed with OAuth or JSON WebTokens
- At the application layer that checks communication between microservices
This tutorial will ONLY focus on securely transmitting information between microservices using a token authentication. Token will be a single-use token and also authorize actions.
Run The Code
The code for this tutorial is available at: https://github.com/ProdigyView-Toolkit/Microservices-Examples-PHP
Use the folder named
security and follow the README.
Learning From Prior Tutorials
This tutorial is a build-up from prior tutorials that cover PHP and Microservices. It is suggested to have an understanding of the concepts while trying to learn the information discussed here.
- Socket Programming with emails as an example
- Using A Queueing System With RabbitMQ
- Create A Restful CRUD API
Authentication vs Authorization
First, we are going to briefly summarize authentication and authorization. Authentication is the process of validating a users credentials. Is the user is in the system and does their username match their password? Authorization is what permissions do they have in the system. Can they create a user, send an email, access sensitive data?
The authentication and authorization in this tutorial will flow as follows:
- Send a login and password to the authentication service
- Get a token back
- Send that token to the payment service
- The payment service verifies with the authentication service that the token is valid…