One of the troublesome issues of implementing API is “authentication / authorization”(AuthN/Z). This talk explains a concrete method of implementing HTTP handler monolithically. In particular, I describe points that require to ensure testability because of processing flow of AuthN/Z.
One of the troublesome issues of implementing API is “authentication / authorization”(AuthN/Z). There is an option to use SaaS or to create additional AuthN/Z server, but there is also an option to be monolithic depending on the size of the service. In fact, I chose the option to implement the http handler for AuthN/Z monolithically.
However, at that time, the lack of shared practical knowledge about AuthN/Z request handler implementation led to a great deal of research and trial and error. This talk aims to solve those problems.
Concretely, I will talk about selected authorization types from OAuth 2.0, and practical implementation example to archive it. In particular, OAuth 2.0 request handlers need to be devised to ensure testability because they have processed such as access token issuance, token expiration verification and so on. Therefore, I will explain not only the implementation of behavioral code, but also how to make it possible to write tests.
I hope that through this talk, I will be able to present the audience with one concrete option regarding the troublesome considerations when implementing the API.
I presented this theme at “golang tokyo” in Japan. The materials are listed here for reference.