Authentication of Users in Custom Microservices

Your custom microservice is always located inside the microservice infrastructure. Whether your service is called by a client, proxied through the gateway, or by another microservice, the HTTP request always contains an 'Authorization' HTTP header.
If your service in turn calls another microservice, e.g. by using a Feign client, it should, in most cases (see below), forward the 'Authorization' header to the other microservice. By forwarding the header, the call to the other service is made in the context of the user who originally executed the request.

If your service is running an automatic task, there is no authenticated user available. In this case, if you must call another microservice, there is no 'Authorization' header available to forward, and the call is made in the context of the internal system user. This internal user automatically has full access rights. This works if you use the dmssidecar to route your request.

You can also decide not to forward the 'Authorization' header if you explicitly want your call to be executed in the context of the system user. If you make calls that update or create objects, the system user will be the creator or modifier of the object and appears as such in the audit history of the object.
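
One way to wire the three cases above (forward the user's header, no header in an automatic task, deliberate system-user call) into a Feign client. This is an added example, not code from the platform itself. It assumes Spring Cloud OpenFeign on the Spring MVC servlet stack with the `jakarta.servlet` namespace (older Spring Boot versions use `javax.servlet`); the class name `AuthForwardingFeignConfig` and the helper `asSystemUser` are hypothetical.

```java
import feign.RequestInterceptor;
import feign.RequestTemplate;
import jakarta.servlet.http.HttpServletRequest;
import java.util.function.Supplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Configuration
public class AuthForwardingFeignConfig {

    // Hypothetical per-thread switch: true only while a call is meant to run
    // as the internal system user even though a user request is in progress.
    private static final ThreadLocal<Boolean> AS_SYSTEM_USER =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    // Wrap a Feign call that should NOT carry the user's header, so the choice
    // of system-user context is visible at the call site and in code review.
    public static <T> T asSystemUser(Supplier<T> call) {
        AS_SYSTEM_USER.set(Boolean.TRUE);
        try {
            return call.get();
        } finally {
            AS_SYSTEM_USER.remove(); // never leak the flag to a pooled thread
        }
    }

    @Bean
    public RequestInterceptor authorizationForwardingInterceptor() {
        return (RequestTemplate template) -> {
            if (AS_SYSTEM_USER.get()) {
                return; // explicit opt-out: call runs as the system user
            }
            RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
            if (!(attrs instanceof ServletRequestAttributes)) {
                return; // automatic task: no inbound request, nothing to forward
            }
            HttpServletRequest inbound = ((ServletRequestAttributes) attrs).getRequest();
            String authorization = inbound.getHeader(HttpHeaders.AUTHORIZATION);
            if (authorization != null && !authorization.isBlank()) {
                // Forward unchanged; do not log the value.
                template.header(HttpHeaders.AUTHORIZATION, authorization);
            }
        };
    }
}
```

Spring binds the request context to the request thread, so work handed to another thread reaches the interceptor without a header and runs as the system user with full access rights. Keep such calls inside `asSystemUser` or pass the header along explicitly so the change of context is intentional.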