How to pass web app end user identity via service-to-service API call?
We are designing a solution with the following layered architecture:
A microservice (Service A) that exposes a private API (endpoint type = private) via API Gateway and stores data in DynamoDB.
A web app backend service (Service B) that consumes the APIs provided by Service A with IAM authentication by assuming a service role, and exposes an internet-facing API via API Gateway for a web app to consume.
Service B should be able to get the end user's identity info. My question is, how can I easily and securely pass this identity info from Service B to service A?
The options we've considered are:
Encrypting the end-user identity using KMS and passing it as a request header when Service B calls Service A.
Signing the end-user identity as a JWT and passing it as a request header when Service B calls Service A.
Both approaches are a bit complicated. I am wondering if there is such a feature out of the box?
Why don't you send the JWT tokens issued by Cognito?
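Option 2 in the question (Service B signs the end-user identity as a JWT) and the suggestion in the reply above (forward the Cognito-issued JWT) both come down to the same thing on the receiving side: Service A must verify the token's signature and then every claim that scopes it before trusting the identity inside. The following is an added example, not code from the original post or from AWS. It uses a shared HMAC secret (HS256) so that it runs offline; the header name `X-End-User-Token`, the `iss`/`aud` values and the `token_use` marker are assumptions chosen for the example. The Authorization header is not used because the Service B to Service A call already carries the SigV4 signature for IAM authentication.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed names for this example: the custom header Service B uses to carry
# the end-user token, and the issuer/audience pair the two services agree on.
IDENTITY_HEADER = "X-End-User-Token"
ISSUER = "service-b"
AUDIENCE = "service-a"


class TokenError(Exception):
    """Raised by Service A for any token it must not trust."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_identity_token(secret: bytes, user_sub: str, email: str,
                        ttl: int = 60, now: Optional[int] = None) -> str:
    """Service B side: sign the caller's identity as a short-lived HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user_sub, "email": email,
              "iat": now, "exp": now + ttl, "token_use": "identity"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_identity_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Service A side: check the signature first, then every scoping claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError(f"undecodable token: {exc}")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Allow-list the algorithm; never let the token choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise TokenError("wrong audience")
    if claims.get("token_use") != "identity":
        raise TokenError("wrong token_use")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise TokenError("missing sub")
    return claims


def end_user_from_headers(headers: dict, secret: bytes, now: Optional[int] = None):
    """Service A handler fragment: returns (claims, None) or (None, reason)."""
    token = headers.get(IDENTITY_HEADER)
    if not token:
        return None, "no identity header"
    try:
        return verify_identity_token(token, secret, now), None
    except TokenError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample: Service B mints for a logged-in user, Service A verifies.
    secret = b"constructed-shared-secret-from-secrets-manager"
    tok = mint_identity_token(secret, "us-east-1:abc-123", "alice@example.com")
    print(end_user_from_headers({IDENTITY_HEADER: tok}, secret))
```

If the Cognito token is forwarded instead, only the signature step and the expected values change: Cognito signs with RS256 using keys published at `https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json`, the expected `iss` is that user pool URL, `aud` is the app client ID of an ID token, and `token_use` is `id`. The claim checks above (issuer, audience, token use, expiry, subject) stay the same, and Service A should still require the IAM-authenticated channel so that the header is only accepted from Service B.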
Many thanks @Tarit_G, that's a good idea.
I am not familiar with Cognito. According to this doc the client app will get credentials to sign requests, but it should have access to the JWT too. I will do a bit more research.