[keycloak-dev] Microservice to Microservice calls, authorization from a queue message

[Ignacio Ocampo]

Hello Team,

*Context:* I'm creating a cloud platform to support multiple applications
with SSO. I'm using *Keycloak for authentication* and *Netflix Zuul for
authorization* (API Gateway) thru *Keycloak Spring Security Adapter*.

Each microservice expect an Authorization header, which contains a valid
JWT, from which it will take the username (sub) to process the request.
Each microservice-to-microservice call should go thru Netflix Zuul first,
passing the Authorization header to maintain a stateless validation. That
strategy allow to every microservice to know who is the user (sub) who is
invoking the microservice indirectly.

*Problem/Question 1:* What happens if a microservice is invoked from a
queue message? One idea that I had is to storage in the queue the
information related to the message + userInfo, and, create a dedicated
microservice to process that kind of messages, with that approach this
special microservice should read the userInfo from the queue and process
the message.

*Problem/Question 2:* But, what happens if the previous special
microservice wants to call another normal microservice which expect to
receive a JWT in a header? Should this special microservice create by
himself a JWT to impersonate the user and be able to call the regular
microservices?

Another solution that I thought was to storage the original JWT in the
queue, but, what happens if the queue calls to the special microservice
later? Just after the JWT is not valid anymore (it expired) and the
microservice called will reject the request?

I will appreciate very much your help. Thanks.

-- 
Ignacio Ocampo Millán