1. Single sign-on (SSO)
This solution means that every user-facing service must interact with the authentication service, which generates a lot of trivial network traffic and repeated work. When there are dozens of micro-applications, the disadvantages of this solution become more obvious.
2. Distributed Session Solution
The principle of the distributed session solution is to store information about user authentication in shared storage, usually with the user session as the key; in effect, it is the implementation of a simple distributed hash map. When a user accesses a microservice, the user data can be retrieved from the shared storage. In some scenarios this solution works well, and the user's login status is opaque. It is also a highly available and scalable solution. The disadvantage is that the shared storage requires a protection mechanism and therefore needs to be accessed through a secure link, at which point the implementation usually becomes quite complex.
3. Client Token scheme
The token is generated on the client side, signed by the authentication service, and must contain enough information for the user's identity to be established in all microservices. The token is attached to every request, providing user authentication for the microservice. The security of this solution is relatively good, but logout is a big problem. Ways to mitigate this include using short-lived tokens and frequently checking with the authentication service. For the client token encoding scheme, David Borsos prefers JSON Web Tokens (JWT), which are simple enough and have good library support.
4. Client Token combined with API gateway
This solution means that all requests pass through the gateway, effectively hiding the microservices. On request, the gateway converts the original user token into an internal session ID token. In this case, logging out is not an issue because the gateway can revoke the user's token upon logging out.
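The difference between schemes 3 and 4 at logout, as an added example (not code from the original page or from Borsos). It assumes an HS256 key shared by the authentication service and the gateway, in-memory dictionaries standing in for the gateway's session store, and hypothetical internal header names.

```python
import base64, hashlib, hmac, json, secrets, time
AUTH_KEY = secrets.token_bytes(32)  # assumption: key shared by auth service and gateway

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(AUTH_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user, ttl=300, now=None):
    """Authentication service: issue a short-lived HS256 JWT."""
    now = time.time() if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{b64e(sign(header + '.' + body))}"

def verify_token(token, now=None):
    """Scheme 3 check: signature, algorithm and expiry only; no server-side state."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(sign(f"{header}.{body}"), b64d(sig)):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(body))
    except (ValueError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > now else None

class Gateway:  # scheme 4: swap the user token for an internal session ID
    def __init__(self):
        self.sessions = {}    # jti -> internal session ID
        self.revoked = set()  # jti of tokens logged out before they expired
    def handle(self, token, now=None):
        claims = verify_token(token, now)
        if claims is None or claims["jti"] in self.revoked:
            return None       # reject: bad signature, expired, or logged out
        sid = self.sessions.setdefault(claims["jti"], secrets.token_hex(16))
        return {"X-Internal-Session": sid, "X-User": claims["sub"]}  # hypothetical names
    def logout(self, token, now=None):
        claims = verify_token(token, now)
        if claims:
            self.revoked.add(claims["jti"])
            self.sessions.pop(claims["jti"], None)
```

After `logout`, `verify_token` still accepts the token until its `exp` passes, while `Gateway.handle` rejects it immediately. An entry in `revoked` is only needed until the token's `exp`, so the set stays bounded by the token lifetime.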