Our application is made up of a number of Laravel micro-service API apps that together make up our entire API.
The main micro-service app is called api-app; it handles authentication and a number of other critical tasks.
All user-based authentication uses JWT. It's very simple, easy and secure.
Now that our other services / apps are sending requests to each other, though, we are stumped as to how to approach authentication. Well... kind of.
We have a working system where the other apps have access to the same secret to sign their own JWTs, so they can send valid tokens when making a request. We then have the following roles within the token as a claim:
- NULL
- ORGANISATION_USER
- ADMIN
- SUPER_ADMIN
- SYSTEM (special role for app to app requests)
The thing that I struggle to get my head around is this: in Laravel it seems I MUST have a user associated with these app-to-app requests, with things like Policies, FormRequests... Basically Laravel is littered with User logic. Do I just need to let go of my struggle against this and accept, in a sense, that one app communicating with another app is in essence a user? Thus it needs a user model with the SYSTEM role?
via AndrewMcLagan
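One answer to the question above, as an added example that is not part of the original post: Laravel's contracts only require an `Authenticatable`, not an Eloquent `User` row, so a request guard registered with `Auth::viaRequest` can verify the shared-secret JWT and hand Policies and FormRequests a `GenericUser` carrying the SYSTEM role. The library (firebase/php-jwt), the config keys `services.jwt.secret` and `services.jwt.issuers`, the guard name `service-jwt` and the claim name `role` are assumptions for the example, not names from the post.

```php
<?php
// Added example, not code from the original post: an Auth::viaRequest guard that
// turns a verified app-to-app JWT with the SYSTEM role into an Authenticatable
// principal that is not backed by a users table row.
// Assumed: firebase/php-jwt is installed; config('services.jwt.secret') holds the
// shared HS256 secret; config('services.jwt.issuers') lists the sibling services
// allowed to call this app; the role claim is named "role".

namespace App\Providers;

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Illuminate\Auth\GenericUser;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Throwable;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->registerPolicies();

        // config/auth.php (assumed):
        //   'guards' => ['service' => ['driver' => 'service-jwt', 'provider' => 'users']],
        // App-to-app routes then use ->middleware('auth:service').
        Auth::viaRequest('service-jwt', function (Request $request): ?GenericUser {
            $token = $request->bearerToken();
            if ($token === null) {
                return null; // no credential: the auth middleware answers 401
            }

            try {
                // Pin the algorithm to HS256; php-jwt also rejects expired (exp)
                // and not-yet-valid (nbf) tokens and bad signatures.
                $claims = JWT::decode($token, new Key(config('services.jwt.secret'), 'HS256'));
            } catch (Throwable $e) {
                return null; // malformed, tampered or expired token
            }

            // Only SYSTEM tokens issued by a known sibling service become a principal.
            $issuer = $claims->iss ?? null;
            if (($claims->role ?? null) !== 'SYSTEM'
                || !in_array($issuer, config('services.jwt.issuers', []), true)) {
                return null;
            }

            // GenericUser implements Authenticatable over a plain array: Policies and
            // Gate checks receive it like any user, with no database lookup.
            return new GenericUser([
                'id'   => 'service:' . $issuer,
                'name' => $issuer,
                'role' => 'SYSTEM',
            ]);
        });
    }
}
```

Policy methods then need to type-hint `Illuminate\Contracts\Auth\Authenticatable` (or nothing) instead of `App\Models\User`, and branch on `$actor->role === 'SYSTEM'` where a calling service should be allowed through; a `User` type-hint would throw a `TypeError` when the guard returns a `GenericUser`. The `iss` check only distinguishes well-behaved callers: with one secret shared by every service, any service holding it can mint a SYSTEM token for any other, so the usual hardening is a key pair per service (RS256 or ES256) and an `aud` claim naming the receiving app, checked the same way as `iss` above.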