Some thoughts about auth/ in microservices

Giuseppe Crinò
Sep 19, 2022

A couple of years ago we were designing a multi-tenant system where multiple organizations could read and write data. We needed authentication and authorization and didn’t know how to solve the problem. We came up with a centralized auth service backed by a relational database of users, groups and access tokens. Every service request then had to go through the auth service. That never sounded like good engineering.

Today it is clearer to me that:

  • You can use PKI and let each service validate requests on its own: give the auth service a key pair and distribute its public key, have the auth service sign a statement that the user is who they claim to be, and let every other service verify that statement with the public key. The auth service is no longer loaded with validation requests, the other services don’t have to call it on every request, and you don’t need to store access tokens. (With OIDC, that signed statement is a JWT.)
  • You must assign permissions to groups, not to individual users.
