Isn't it a bad idea to have every microservice be able to access this central session store?
I think yes. This is not a good idea, assuming only the Authorization (middleware) microservice has access to sessions and other databases related to Authentication/Authorization.
From my point of view, the "Products" or "Orders" microservice(s) cannot have access to Authorization data.
Thank you.
You can think of it as an isolation concern alright. However, session data is supposed to be shared, right?
This is a complex issue. In the end, I prefer option 1:
Each microservice should receive a token with permissions from the middleware authorization microservice and handle Authorization of Permissions by itself.
And other microservices, such as "Products", "Catalogs", "Orders", do not have access to the Authorization database (Redis or another DB, no matter).
Thanks!
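Option 1 as discussed in this thread, sketched as an added example that is not code from any of the posters: the authorization service issues a signed token carrying permissions, and a resource service such as "Products" or "Orders" checks it locally without touching the session store. The names `issue_token` and `authorize`, the token layout and the HMAC-SHA256 shared key are assumptions made to keep the sketch standard-library only; with an asymmetric signature the resource services would hold only a verification key and could not mint tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: constructed demo key known to the auth service and the resource services.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload):
    return b64e(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(user, permissions, ttl=300, now=None):
    """Authorization service: the only component that reads the session/permission store."""
    now = time.time() if now is None else now
    # Short TTL: resource services never consult the store, so expiry bounds a stale grant.
    claims = {"sub": user, "perms": sorted(permissions), "exp": int(now) + ttl}
    payload = b64e(json.dumps(claims).encode())
    return payload + "." + sign(payload)


def authorize(token, required, now=None):
    """Resource service ("Products", "Orders"): decides locally, no session store lookup."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        # Verify the signature before parsing anything the caller controls.
        if not hmac.compare_digest(sig, sign(payload)):
            return False
        claims = json.loads(b64d(payload))
        return now < claims["exp"] and required in claims["perms"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed token: fail closed


if __name__ == "__main__":
    tok = issue_token("alice", ["orders:read", "products:read"])
    print(authorize(tok, "orders:read"), authorize(tok, "orders:write"))
```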