I am contributing a CRUD microservice written in Phoenix to a project. The specs I got required it to have built-in authentication, which it does. I used phx.gen.auth to create it, since it’s a small public sector project with few security-related qualms (so, no need of something enterprise-grade like Ory or Authentik).
The customer is now asking whether I can extend the auth functionality to other microservices – meaning that other microservices would use my Phoenix app to authenticate – and even an SPA frontend for admins. I am honestly a bit lost on (a) whether this is a good idea and (b) how to implement it.
Currently, my app is very simple: You request to perform a CRUD operation and, depending on auth roles, it either fails or the operation gets forwarded to a series of validators, which then determine its success.
If you can afford not to use microservices, do that; you will get rid of a lot of problems you don't want to deal with at this stage of the product.
If not, then it is the same old story. You can either use OTP distribution or a more classical way like HTTP/gRPC requests for RPC calls between your services. Needless to say, this takes much more time to get right and has a lot of caveats you need to take into consideration if you want your services to be reliable.
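One concrete shape the HTTP variant can take, added here as an illustration and not code from the thread or from the poster's project: the phx.gen.auth app stays the only place users log in, and after a successful login it issues a short-lived signed token that the SPA (or another service) sends as a bearer header; the other Phoenix services verify the signature locally with `Phoenix.Token` and never call back to the auth service per request. Everything below is assumed: the module names, the shared `secret_key_base` between services, the `"service auth v1"` salt, roles represented as strings, and the 15-minute lifetime.

```elixir
# Added example, not part of the original thread. Assumes both services run
# with the same secret_key_base and that only the auth service calls issue/3.

defmodule AuthService.ServiceToken do
  @moduledoc """
  Issued by the auth service after the normal phx.gen.auth login succeeds.
  Phoenix.Token signs but does not encrypt: anyone holding the token can
  read the id and roles, they just cannot alter them.
  """
  @salt "service auth v1"
  # Short lifetime on purpose: roles baked into a token cannot be revoked
  # before it expires, so expiry is the only revocation mechanism here.
  @max_age 15 * 60

  @doc "Sign a token carrying the user id and roles. key_base is the shared secret_key_base."
  def issue(key_base, user_id, roles) when is_list(roles) do
    Phoenix.Token.sign(key_base, @salt, %{id: user_id, roles: roles})
  end

  @doc """
  Verify a token. Returns {:ok, %{id: _, roles: _}} or
  {:error, :expired | :invalid | :missing}.
  """
  def verify(key_base, token) do
    Phoenix.Token.verify(key_base, @salt, token, max_age: @max_age)
  end
end

defmodule OtherService.Plugs.RequireServiceAuth do
  @moduledoc """
  Plug for a downstream microservice. It only needs the shared secret to
  check the signature; no request to the auth service is made.

  Usage in the downstream router (hypothetical pipeline name):

      pipeline :admin_api do
        plug OtherService.Plugs.RequireServiceAuth, roles: ["admin"]
      end
  """
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts), do: Keyword.put_new(opts, :roles, [])

  @impl true
  def call(conn, opts) do
    # Phoenix.Endpoint places this service's secret_key_base on the conn.
    key_base = conn.secret_key_base
    required = Keyword.fetch!(opts, :roles)

    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, %{id: id, roles: roles}} <- AuthService.ServiceToken.verify(key_base, token),
         true <- Enum.all?(required, &(&1 in roles)) do
      assign(conn, :current_user, %{id: id, roles: roles})
    else
      # Authenticated but lacking a required role.
      false -> conn |> send_resp(403, "forbidden") |> halt()
      # Missing header, tampered signature, or expired token.
      _ -> conn |> send_resp(401, "unauthorized") |> halt()
    end
  end
end
```

The check a practitioner should make before adopting this: a shared `secret_key_base` means every service that can verify a token can also mint one, so the services end up at one trust level. If that is not acceptable, the same pattern works with an asymmetrically signed token (for example a JWT signed with a private key held only by the auth service, via a library such as Joken) or by having downstream services validate the opaque session token against the auth service's `users_tokens` table over HTTP, at the cost of one round trip per request.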