Microservices Authorization using Open Policy Agent and Traefik (API Gateway)

2020-04-07 · Appsecco

The need for Centralized Authorization Controls

Authentication and authorization in a microservices environment are non-trivial to implement correctly. This becomes especially true when identity and authorization controls are distributed across different applications. There have been multiple cases where authorization controls implemented for one application were missed for another application with similar features and data access, resulting in a breach.

One of our clients had a similar requirement in their SaaS platform: they needed to call multiple APIs from a single frontend using an ID Token. The ID Token was obtained using a conventional OAuth2 Authorization Code flow from an external provider such as Auth0. While OpenID Connect serves as an excellent standard for sharing verifiable user identity across microservices, we did not find a standard approach for enforcing authorization controls before a request reaches a backend microservice.
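To make the gap described above concrete, here is an added illustration (not from the original post, and not the OPA/Traefik setup the post goes on to describe): a single deny-by-default authorization function that every backend request passes through at the gateway, keyed on the verified ID Token claims. The issuer, audience, role claim name, service names and policy table are constructed placeholders; signature verification of the token is assumed to have already happened.

```python
import time

# Constructed sample policy: one source of truth for every backend the
# frontend calls. Deny by default: a service or method with no entry here
# is rejected instead of silently skipping the check (the "missed for
# another application" failure mode).
POLICY = {
    "orders-api": {
        "GET": {"roles": ["customer", "admin"]},
        "POST": {"roles": ["customer", "admin"]},
        "DELETE": {"roles": ["admin"]},
    },
    "billing-api": {
        "GET": {"roles": ["admin"]},
    },
}

EXPECTED_ISS = "https://example-tenant.auth0.com/"  # assumed issuer
EXPECTED_AUD = "frontend-client-id"                 # assumed OAuth2 client id
ROLE_CLAIM = "https://example.com/roles"            # assumed custom claim name


def validate_claims(claims, now=None):
    """Checks a gateway must make on ID Token claims before authorizing.
    Assumes the JWT signature was already verified against the provider's
    JWKS; this only checks issuer, audience and expiry."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUD:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def authorize(service, method, claims, now=None):
    """Central decision for every backend: returns (allowed, reason)."""
    ok, reason = validate_claims(claims, now)
    if not ok:
        return False, reason
    rule = POLICY.get(service, {}).get(method)
    if rule is None:
        return False, "no policy for %s %s" % (method, service)  # default deny
    roles = set(claims.get(ROLE_CLAIM, []))
    if roles & set(rule["roles"]):
        return True, "allowed"
    return False, "role not permitted"
```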