OAuth
tamtakoe, 2014-10-21 19:55:56

Is it worth taking the authorization server out of the application?

The idea itself has many advantages. A separate authorization server appears, which is responsible for issuing and verifying tokens. The code is split. It can be moved to a separate machine. Requests to the server are made via HTTP.
The downside is performance. Since for each request you need to check the access token for validity, instead of a direct request to the database (Redis, for example), you will have to make an HTTP request to the authorization server (and it will query the database itself). How much will it slow things down, and how can access be sped up, given that the channel between the application server and the authorization server is fast (they are on the same machine or in the same rack)? Maybe use not HTTP but something faster?


2 answer(s)
StrangeAttractor, 2014-10-21
@StrangeAttractor

The idea itself has many advantages...

That's it, everything is correctly described. The more modular, the more distributed, and the cleaner the interaction scheme between modules, the better.
Depends on the architecture, maybe a plus.
Try it. You can try pure TCP, why not...

Mikhail, 2018-03-28
@TokiTori

Author, JWT technology will save you. Inside the token, you can pass the necessary data. The token can be signed in two ways:
1. HMAC - the same secret phrase for signing and for verifying the signature on the authorization server and the application server
2. RSA - the authorization server signs the data with a private key, and the application server checks the correctness of the signature with a public key
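
The HMAC option from the answer above, as an added example that is not part of the original answer: the application server verifies the token locally, so no per-request call to the authorization server is needed. The function names, the secret and the claims are constructed for illustration; the RSA option differs only in that verification uses the authorization server's public key instead of the shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret (assumption): held by both the authorization
# server and the application server, as in the HMAC option.
SHARED_SECRET = b"constructed-demo-secret-change-me"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Authorization-server side: sign the claims with HMAC-SHA256 (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(sign(f'{header}.{payload}', secret))}"

def verify_token(token: str, secret: bytes = SHARED_SECRET, now=None):
    """Application-server side: verify locally, no call to the auth server.
    Returns the claims dict, or None if the token must be rejected."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token must not choose it ("none", etc.).
        if header.get("alg") != "HS256":
            return None
        expected = sign(f"{header_b64}.{payload_b64}", secret)
        # Constant-time comparison avoids a timing side channel.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        # A valid signature is not enough: the token must be unexpired.
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed base64, JSON or token structure
```

Because nothing is looked up per request, a token stays valid until its `exp`; keeping lifetimes short is the usual way to bound that window.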
