Most modern applications comprise a front end user interface (UI) that may access a series of backend services. The front end may be a native application on a mobile device, a Javascript™ application in a browser, a traditional web application, and so on. The front end may make application programming interface (API) calls to access or otherwise consume resources managed in the various backend services, which may in turn call other services. Access to these resources may require authentication.
Applications may need to make API calls to several services to accomplish work for a user. Each application and service, however, typically makes its own authorization decisions based on user attributes, usually by mapping them to a set of internal roles or permissions that it maintains. In a composite application consisting of a front end and potentially many backend services this multiplies complexity, since each component must first establish who the caller is before it can apply its own access rules. Some solutions have been proposed to take that work out of the individual components. OAuth2, for example, is a framework standardized by the Internet Engineering Task Force (IETF) in RFC 6749 in which the application delegates token issuance to an authorization server; the authorization server delivers access tokens to the front end UI, which presents them on API calls to the other services (the resource servers), and each resource server validates the token rather than authenticating the user again. Strictly speaking, OAuth2 standardizes delegated authorization rather than authentication; authenticating the end user on top of it is the role of OpenID Connect, which is layered on OAuth2.
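The following is an added example, not code from the original text, showing the two halves of the pattern described above in working form: an authorization server mints an access token for the front end, and a backend service validates that token locally (signature, expiry, audience) and then maps the token's scopes onto its own internal permissions. It assumes a compact JWT-style token signed with HMAC-SHA256 under a key shared by the authorization server and the resource servers, and the key, service names ("orders", "billing"), scopes and permission mapping are all constructed for illustration.

```python
"""Bearer-token issuance and validation modelled on the OAuth2 pattern:
the authorization server issues a token for one audience; each resource
server checks it and applies its own scope-to-permission mapping.

Assumptions (constructed for this example, not from the original text):
HS256 signing with a shared key; service names, scopes and permissions.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret. A real deployment would use asymmetric keys
# (RS256/ES256) published via JWKS so resource servers hold no signing secret.
SHARED_KEY = b"example-shared-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, scopes, ttl: int = 300, now=None) -> str:
    """Authorization server: mint a signed access token bound to one audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "scope": " ".join(scopes),
              "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_audience: str, now=None) -> dict:
    """Resource server: check signature, expiry and audience before trusting claims.
    Raises ValueError on any failure so a caller cannot proceed by accident."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm on the verifier side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SHARED_KEY, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # A token minted for the orders service must not be accepted by billing.
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    return claims


# Each service keeps its own mapping from token scopes to internal permissions
# (constructed example for the "orders" service).
ORDERS_SCOPE_MAP = {
    "orders:read": {"list_orders"},
    "orders:write": {"list_orders", "create_order"},
}


def permissions_for(claims: dict, scope_map: dict) -> set:
    """Map the space-separated scope claim onto this service's permissions."""
    perms = set()
    for scope in claims.get("scope", "").split():
        perms |= scope_map.get(scope, set())
    return perms


def handle_request(token: str, service: str, action: str, now=None) -> bool:
    """Resource-server entry point: True only if the token is valid for this
    service and its scopes grant `action`."""
    try:
        claims = verify_token(token, expected_audience=service, now=now)
    except ValueError:
        return False
    return action in permissions_for(claims, ORDERS_SCOPE_MAP)


if __name__ == "__main__":
    t = issue_token("alice", "orders", ["orders:read"], now=1_700_000_000)
    print(handle_request(t, "orders", "list_orders", now=1_700_000_100))   # True
    print(handle_request(t, "orders", "create_order", now=1_700_000_100))  # False: scope too narrow
    print(handle_request(t, "billing", "list_orders", now=1_700_000_100))  # False: wrong audience
    print(handle_request(t, "orders", "list_orders", now=1_700_001_000))   # False: expired
```

The point the example makes beyond the paragraph is where the work moves: the authorization server is the only component that knows who the user is, while each backend service keeps a small, local decision (verify the token, then apply its own scope map) instead of its own login handling. The audience check is the one most often omitted in practice; without it a token obtained for one service can be replayed against every other service that trusts the same signing key.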