Hi VR team,
Per the two questions at the end of today’s meeting that I didn’t have great answers to, let me share some more thoughts and snippets after skimming the relevant chapters in Sam Newman’s Building Microservices book. (Also, if you haven’t read this book, you should.)
The first two section headings under “Versioning” are:
Defer It for as Long as Possible
Catch Breaking Changes Early
“Once you realize you are going to break a consumer, you have the choice to either try to avoid the break altogether or else embrace it and start having the right conversations with the people looking after the consuming services.”
As to specifically how to do versioning in Spring Data REST, this Stack Overflow topic agrees with my two suggestions: (1) as a hacky approach you can put the version number in the resource itself, and (2) it may actually be cleaner to run the old and new versions of your service side-by-side.
About authentication, the book suggests OpenID Connect for SSO, and suggests that a Gateway is an approach that a lot of people take (though it mentions a few downsides, there aren’t really better options). There’s also a section on service-to-service authentication that mentions API keys.
I’m curious to hear the TW China team’s thoughts on how to approach auth +/- SSO in our new microservice world. Do we have an auth service (ideally something off-the-shelf), and a gateway that decorates HTTP requests with auth details before forwarding them to the actual services?
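The gateway arrangement asked about in the last paragraph, as an added example that is not part of the original email: the gateway strips any identity headers the client sent, adds its own, and signs them so each service can check that they came from the gateway. The `X-Auth-*` header names, the shared HMAC key and the 60-second window are assumptions for illustration, and the OpenID Connect token validation is assumed to have already happened before `decorate` is called.

```python
import hashlib
import hmac

PREFIX = "x-auth-"   # hypothetical header namespace reserved for the gateway
MAX_AGE = 60         # assumed lifetime of a decoration, in seconds


def _sig(key: bytes, user: str, roles: str, ts: str) -> str:
    # Newline is a safe field separator because HTTP header values cannot contain it.
    msg = "\n".join((user, roles, ts)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def decorate(headers: dict, claims: dict, key: bytes, now: int) -> dict:
    """Gateway side: build the headers to forward once the ID token is validated."""
    # Drop anything the client sent in the reserved namespace, whatever its case,
    # so a caller cannot pre-set its own identity.
    out = {k: v for k, v in headers.items() if not k.lower().startswith(PREFIX)}
    user, roles, ts = claims["sub"], ",".join(sorted(claims["roles"])), str(now)
    if "\n" in user or "\n" in roles:
        raise ValueError("claim value not representable as a header")
    out.update({"X-Auth-User": user, "X-Auth-Roles": roles, "X-Auth-Ts": ts,
                "X-Auth-Sig": _sig(key, user, roles, ts)})
    return out


def verify(headers: dict, key: bytes, now: int):
    """Service side: return (user, roles), or None if the headers are not trustworthy."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        user, roles, ts, sig = (h[PREFIX + n] for n in ("user", "roles", "ts", "sig"))
        age = now - int(ts)
    except (KeyError, ValueError):
        return None  # a header is missing or the timestamp is malformed
    # Constant-time comparison on bytes; a non-ASCII forged value cannot raise here.
    if not hmac.compare_digest(sig.encode(), _sig(key, user, roles, ts).encode()):
        return None
    if not 0 <= age <= MAX_AGE:
        return None  # stale or future-dated decoration
    return user, roles.split(",") if roles else []
```

Without the signature, any caller that can reach a service directly, bypassing the gateway, could set the identity headers itself.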