Great question! Would love to see this thread grow.
I can kick it off.
We've been using Nameko in production at Student.com for ~2 years.
In our setup we have:
* Domain services, which look after the data and logic related to specific domains in our business (we do student accommodation, so one service manages properties and rooms, another handles prices and availability, and so on)
* Facade services, which aggregate several domain services into APIs for a specific customer (e.g. there is a facade for our website, another for our content management system)
Facade APIs are all RESTful HTTP, and they call the domain services over RPC.
For auth, there are two approaches I've taken in the past:
1. Authenticate at the boundary (i.e. facade) and have domain services just trust their callers (simple, but weak security)
2. Also generate a JWT that contains permissions/roles for that identity, and pass that along with every call so each downstream service can perform its own authorization checks.
We should try to add auth into the example app. The JWT approach sounds complex but it's actually quite simple.
Hope that helps. I'd love to see some other folks adding their experiences here too.
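To make approach 2 concrete, here is an added example (my own sketch, not code from the post above or from the Nameko project) of the two halves: the facade mints an HS256 JWT carrying the identity's roles after it has authenticated the caller, and each domain service verifies the signature, algorithm and expiry before checking the role its entrypoint needs. It uses only the standard library; the shared secret, role names and claims are constructed for the demo, and how the token is carried (e.g. in the worker context of each RPC call) is left to the service.

```python
# Added example: stdlib-only HS256 JWT for passing roles from a facade to
# domain services. Secret, roles and claims below are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # in practice a per-environment secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(identity: str, roles: list, ttl: int = 300, now=None) -> str:
    """Facade side: after authenticating the caller, encode identity + roles."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": identity, "roles": roles, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Domain-service side: reject malformed, wrong-alg, tampered or expired tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm we expect instead of trusting the one named in the header.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def authorize(token: str, required_role: str, now=None) -> dict:
    """Call at the top of each RPC entrypoint with the token passed along the call."""
    claims = verify_token(token, now)
    if required_role not in claims.get("roles", []):
        raise PermissionError(f"missing role {required_role}")
    return claims
```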