Fixes to Overcome Circular Dependency in Authorization Flow

-


Fixes to Overcome Circular Dependency in Authorization Flow


We are building a Spring Boot microservices project with multiple services like:

  • user-service (manages user info)
  • merchant-service (manages merchant info)
  • Other services...

 Security Setup

  • All services share a common library that:
             Validates tokens
             Loads user and merchant info by calling other services (user-service, merchant-service)

The Problem: Circular Calls

Here’s what’s going wrong:

  • The common library in a service (e.g., merchant-service) calls the user-service to get user info.
  • But user-service also uses the same common library, and it needs merchant info → so it calls back the merchant-service.

This creates a circular REST call between services:

merchant→ user → merchant→ user... 

This can lead to failures or stuck calls.


 Options You Proposed

 Option 1: Exclude endpoints from security

 Pros: Quick fix.

 Cons:

  • Security risk: Unsecured internal endpoints might be accidentally exposed.
  • Makes security logic inconsistent across services.

 Option 2: Use Redis for caching merchant/user info

 How it works:

  • Cache the user/merchant data in Redis.
  • On subsequent calls, common module loads from Redis, avoiding REST calls.

 Pros:

  • Fast
  • Avoids circular calls
  • Good for read-heavy data (e.g., merchant config/user role)

 Cons:

  • Cache invalidation is hard — what if user/merchant is updated?
  • Need proper cache expiry or invalidation strategy
  • Adds operational complexity (maintain Redis cluster)

Recommended when:

  • You have many services relying on shared user/merchant context
  • You can tolerate short-lived stale data or have invalidation hooks


Option 3: Use API Gateway with token translation (Best Option)

 How it works:

  •    All external calls go through a gateway service
  •    Gateway does full security validation using common util
  •    Gateway generates a new internal token (JWT, opaque, etc.)
  •    This token is passed to downstream services
  •    Each downstream service only needs to:

                               Validate internal token

                               Extract merchant/user info without REST calls


 Pros:

  • Avoids circular REST calls entirely
  • Clean separation of concerns (security handled only at gateway)
  • Internal calls are lightweight
  • Easy to track/trace requests from gateway

 Cons:

  • Slightly more complex setup
  • Need to manage 2-token system: external JWT and internal token

Highly Recommended for enterprise-grade microservices

 (especially with 5+ services depending on same context)


Final Recommendation

Option 1  ->  Not recommended->Security loopholes, temp fix only

Option 2 -> Good-> If performance is critical and cache invalidation is manageable 

Option 3 -> Best ->Clean, scalable, secure approach for microservice architectures 


 Bonus Suggestion:

Use Spring Cloud Gateway or Netflix Zuul as your API Gateway, with 'spring-security' and custom 'AuthenticationManager' to handle token translation.


----------------------------------------------------------------------------------------------------------------------


 Quick Recap: What is Option 2?

You store user/merchant data in Redis after login 

Later, all services use Redis to get that data instead of calling user/merchant service again.

Negative Points of Using Redis (Explained Simply)


 1. Stale Data (Old data issue)

Problem: Data in Redis doesn't update automatically if the database changes.

 Example:

  1. User name is '"Alice"' — cached in Redis.
  2. Admin updates her name to '"Alicia"' in the DB.
  3. But Redis still has '"Alice"' unless we manually clear/update the cache.
  4. Services continue showing old name '"Alice"'.

 Result: Users see outdated info — unless you build complex cache refresh logic.


 2. Extra Complexity (More code, more bugs)

 Problem: Now your app must handle:

  •  When to add to Redis 
  •  When to update Redis after DB changes 
  •  When to delete data (expire/evict) 

 Example:

If merchant info changes (e.g., plan, settings), you must:

  •  Detect the change
  •  Update Redis at the right time
  •  Or invalidate Redis key

 Result: More things to maintain = more bugs 


 3. Security Risk (If not handled properly)

Problem: You’re storing sensitive info in Redis (user roles, permissions).

If Redis access is not secure:  Hackers might read/edit merchant/user data from Redis.

Result: Leads to serious data leaks or privilege escalation.


 4. Redis Goes Down = Problems

 Problem: If Redis is unavailable or crashes, services depending on it may:

  •  Fail
  •  Return null/missing user info
  •  Block processing

 Result: Service instability unless you write fallback logic (more work).


 5. Memory Pressure in Redis

Redis stores data in memory (RAM)

If you cache too much (1000s of users/merchant :

  •  Redis uses more memory
  •  Might slow down or crash



Comments

Post a Comment

Popular posts from this blog

Database - Topics

-
Image
 Topics  01. Steps in SQL Query Execution 02. How does the database create a query plan 03. How Query Plan Caching Works 04. What is the need for an execution plan? 05. How Do Query/ Query Plan Execute (Inside MySQL Server) 06. Importance Of Undo Log 07. How Row Lock Is Handle When Query On The Table Row 08. Technique to recover the committed changes 09. Auditing technique 10. Query cache 11. DB connection pool 12. What is ACID? 13. Optimizing SQL queries
Read more

02. Spring – Creating spring project clone it with GIT step by step.

-
Image
  Creating spring project clone it with GIT step by step. 01. Create an empty GIT repository and select a repository name. 02.   Check to add README.md and technology to add it inside the gitignire file0- it will include all the generated class when we complete the application. 03.      Copy the github repository URL. 04 . Open eclipse and go to,             Window – Show View – Other - Type git on the folder and select git repositories. 05.   Now clone this repository at your desired location in which we are going to keep the project specific file . a)         a)  Step One.             b)  Step  Two .          c)    Step Three. Both projects are generated as bellows           d) Step Four  Open the gitingnore file and ignore the target folder of the project. All the class files which are ...
Read more

01. Steps in SQL Query Execution (MySQL)

-
Image
Steps in SQL Query Execution (MySQL) 1. Client Sends Query to Server The SQL statement is sent to the MySQL server over a connection (e.g., via JDBC or a query tool like MySQL Workbench). 2. Parser / Syntax Check The parser checks the SQL syntax.If there are any syntax errors, it throws an error immediately. 3. Pre-processor Verifies privileges and permissions for the user executing the query. Resolves object names (like table or column aliases). 4. Query Optimization The optimizer evaluates multiple strategies to execute the query. It considers: Which indexes to use. Join order (for multi-table queries). Whether to use temporary tables. Cost of different execution paths. The optimizer chooses select the most efficient query plan (Cost effective -> memory, CPU etc). 5. Query Execution Plan (Most cost effective query plan) The query plan is a blueprint of how MySQL will fetch the data. You can view this with the EXPLAIN keyword in front of your query. 6. Query Execution The storage e...
Read more