4

I have 2 internal Rails services, which need to speak to each other. I need an advice how to make it secure enough and with minimum effort.

Currently service A sends Authorization HTTP header to service B, which contains secret token. Simple HTTP Token-based method, nothing special. But I also need somehow to communicate a user token, so service B will know, which user is talking to it.

My current solution is following:

  1. send Authorization Token token=blabla user_token=blabla2
  2. use existing in Rails methods to parse it
  3. identify user by provided user_token
  4. inspired by this StackOverflow post

Alternatives:

  1. Amazon way with something like: Authorization: MY-APP-V1 Token=blabla Credential=user_token, but I need custom parser for it.
  2. Custom HTTP header like X-USER-TOKEN, but seems like RFC is not in favor of this idea.
  3. Your proposal or suggestion

Thank you very much for any help.

Improve this question

1 Answer 1

Reset to default
1

I'm curious as to why the user token is not enough, can you elaborate on this?

But assuming you want to continue with the double-token approach, something like JWT could be used to encode the user token with the secret token. That way you will just have 1 token and can send it simply as Authorization: Bearer xxxxxx.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you for answer. Secret token plays role of secure authentication for service-to-service communication. Not all API endpoints need user token. User token plays role of authorization here.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.