I currently have an admin console that is served a BFF layer and 2 REST microservices - product microservice and user microservice. The user microservice stores information on login users as well as their permissions e.g. which products they are allowed to see, modify, etc. All of this is hosted on AWS.
I am not sure how to design the authentication workflow (using AWS Cognito). I have thought of 2 solutions, but am not sure which is better, or if either are even ideal.
Solution 1:
FE user signs in via Cognito and performs an action -> FE sends token to BFF -> BFF accesses user service using client credentials to get the user's permissions -> if the user's action is permitted, BFF calls the product service using client credentials as well to perform the action.
Solution 2:
FE user signs in via Cognito and performs an action -> FE sends token to BFF -> BFF forwards the token to the product service -> product service calls user service using client credentials to verify the user's permissions -> if user's action is permitted, perform it.
Evaluations:
For solution 1, the logic is very clear, BFF does the gatekeeping and all microservices trust the BFF. But I have also read that having client credentials with full authority and scope is not a good security practice for production systems.
For solution 2, the logic is a bit more convoluted because every service will be verifying the user's permissions. Token-forwarding, I have read, is also possibly bad because it means the FE user can use the token to directly call the microservices.
So I would like to hear some thoughts from people who have designed microservices.
