Tuesday, March 7, 2017

API to API authentication in Laravel RESTful (non-user auth)

Our application is made up of a number of Laravel micro-service API apps that make up our entire API.

The main micro-service app is called api-app; it handles authentication and a number of other critical tasks.

All user-based authentication uses JWT. It's very simple, easy and secure.

Although now that our other services / apps are sending requests to each other, we are stumped as to how to approach authentication. Well... kind of.

We have a working system where the other apps have access to the same secret to sign their own JWTs, so they can send valid tokens when making a request. We then have the following roles within the token as a claim:

  • NULL
  • ORGANISATION_USER
  • ADMIN
  • SUPER_ADMIN
  • SYSTEM (special role for app to app requests)

The thing that I struggle to get my head around is this: in Laravel it seems I MUST have a user associated with these app-to-app requests. With things like Policies, FormRequests... basically Laravel is littered with User logic. Do I just need to let go of my struggle against this and accept, in a sense, that one app communicating with another app is in essence a user? Thus it needs a user model with the SYSTEM role?



via AndrewMcLagan
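One way to answer the question above without inventing a fake User row, as an added example that is not code from the original post or from the poster's project: Laravel's guards only require the principal to implement the `Illuminate\Contracts\Auth\Authenticatable` contract, not to be an Eloquent `User`. The block below defines a `SystemPrincipal` that satisfies that contract from the JWT claims, a dependency-free HS256 verifier that accepts only tokens carrying `role=SYSTEM` and addressed to this service, and (in comments) the wiring through Laravel 5.4's `Auth::viaRequest` closure guard. The names `App\Auth`, `SystemPrincipal`, `SystemTokenVerifier`, the guard name `system`, the driver name `system-jwt`, `config('services.jwt_secret')` and using `config('app.name')` as the audience are all assumptions for the example.

```php
<?php
// Added example, not from the original post. Assumed names: App\Auth, SystemPrincipal,
// SystemTokenVerifier, guard "system", driver "system-jwt", config('services.jwt_secret').

namespace App\Auth;

use Illuminate\Contracts\Auth\Authenticatable;

// What Laravel actually needs "the user" to be: an Authenticatable. A calling service
// satisfies it with no users-table row; its identifier is the JWT `iss` claim.
final class SystemPrincipal implements Authenticatable
{
    private $claims;

    public function __construct(array $claims)
    {
        $this->claims = $claims;
    }

    public function claim($name)             { return isset($this->claims[$name]) ? $this->claims[$name] : null; }
    public function getAuthIdentifierName()  { return 'iss'; }
    public function getAuthIdentifier()      { return $this->claims['iss']; }
    public function getAuthPassword()        { return ''; }   // no stored credential to compare against
    public function getRememberToken()       { return null; } // remember-me is meaningless for a service
    public function setRememberToken($value) { }
    public function getRememberTokenName()   { return ''; }
}

// Minimal HS256 verifier. The algorithm is pinned (never taken from the token), the
// signature is compared in constant time, and the token must be unexpired, addressed
// to this service (`aud`) and carry role=SYSTEM.
final class SystemTokenVerifier
{
    private $secret;
    private $audience;

    public function __construct($secret, $audience)
    {
        $this->secret = $secret;
        $this->audience = $audience;
    }

    /** @return array|null decoded claims on success, null on any failure */
    public function verify($jwt)
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        list($h64, $p64, $s64) = $parts;

        $header = json_decode(self::base64UrlDecode($h64), true);
        if (!is_array($header) || !isset($header['alg']) || $header['alg'] !== 'HS256') {
            return null; // refuses "none" and any algorithm we did not choose
        }

        $expected = hash_hmac('sha256', $h64 . '.' . $p64, $this->secret, true);
        if (!hash_equals($expected, self::base64UrlDecode($s64))) {
            return null;
        }

        $claims = json_decode(self::base64UrlDecode($p64), true);
        if (!is_array($claims)
            || !isset($claims['iss'], $claims['aud'], $claims['exp'], $claims['role'])
            || $claims['role'] !== 'SYSTEM'
            || $claims['aud'] !== $this->audience
            || time() >= (int) $claims['exp']) {
            return null;
        }
        return $claims;
    }

    private static function base64UrlDecode($data)
    {
        $data = strtr($data, '-_', '+/');
        $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);
        $decoded = base64_decode($data, true);
        return $decoded === false ? '' : $decoded;
    }
}

// --- Wiring, in App\Providers\AuthServiceProvider::boot() (Laravel 5.4+ closure guard) ---
//
//   Auth::viaRequest('system-jwt', function (Request $request) {
//       $token = $request->bearerToken();
//       if ($token === null) {
//           return null; // no credential: the auth:system middleware answers 401
//       }
//       $verifier = new SystemTokenVerifier(config('services.jwt_secret'), config('app.name'));
//       $claims = $verifier->verify($token);
//       return $claims === null ? null : new SystemPrincipal($claims);
//   });
//
// --- config/auth.php ---
//   'guards' => ['system' => ['driver' => 'system-jwt']],
//
// --- routes/api.php: internal endpoints use the non-user guard ---
//   Route::middleware('auth:system')->post('/internal/reindex', 'InternalController@reindex');
//
// --- Policies receive whatever the guard returned; type-hint the contract, not User ---
//   public function reindex(Authenticatable $actor) { return $actor instanceof SystemPrincipal; }
```

Two caveats that fall out of the design in the post. First, FormRequests and policies only ever see `$request->user()` / `Auth::user()`, which here is the `SystemPrincipal`, so the "must be a User" feeling is really "must be an Authenticatable". Second, because every service holds the same signing secret, any one of them can mint a token with any role (including ADMIN or SUPER_ADMIN) for any other service; the verifier above limits the blast radius by requiring a short-lived `exp` and an `aud` equal to the receiving service, and a per-service secret, or an asymmetric key (RS256/ES256) whose private half lives only in api-app, would remove that trust in the peripheral services altogether.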
