AkkaHttp and OAuth2 authorization code flow (logical http session? on Cassandra?)

Nicolae Marasoiu

Jan 10, 2018, 4:27:38 AM
to Akka User List
Hi,
We need to implement OAuth2 authorization code flow in an AkkaHttp microservice.
The way that I know it traditionally works needs a logical session managed with a cookie or similar: the microservice does the flow, obtains the access/refresh tokens and caches the tokens for future use until they need to be re-emitted due to expiration approaching.
This logical session would ideally be in Cassandra for us, to enable scalability. I guess this is why the http session is no longer offered by AkkaHttp itself, but there are separate authors offering http session implementations for AkkaHttp.
As background on where I am coming from: in a Servlet/Spring environment, Spring-Session at one time offered support to transparently store the session in certain DBs.
The only alternative I see is to manually manage a cookie from my code and work with Cassandra. I can check how a cookie like the traditional JSESSIONID is configured (e.g. HttpOnly).
The second alternative is to go to the authorization server on every request, and it will issue new tokens, or offer a cached version of them if it does, but that seems overkill.
Please advise how you would do this and what alternatives you see.
Thanks,
Nicu Marasoiu
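
A sketch of the cookie-keyed session the post describes, as an added example that is not part of the original post or of any Akka HTTP library: the cookie carries only an opaque ID, the tokens stay server-side, and the access token is refreshed when expiry approaches. All names (`SessionStore`, `OAuthSession`, the `SID` cookie) are hypothetical, and the in-memory store stands in for a Cassandra table.

```scala
import java.security.SecureRandom
import java.time.{Duration, Instant}
import java.util.Base64
import scala.collection.concurrent.TrieMap

// Hypothetical names throughout; the in-memory store stands in for a Cassandra table.
final case class Tokens(access: String, refresh: String, expiresAt: Instant)

trait SessionStore {
  def put(sessionId: String, tokens: Tokens): Unit
  def get(sessionId: String): Option[Tokens]
}
final class InMemorySessionStore extends SessionStore {
  private val rows = TrieMap.empty[String, Tokens]
  def put(sessionId: String, tokens: Tokens): Unit = rows.update(sessionId, tokens)
  def get(sessionId: String): Option[Tokens] = rows.get(sessionId)
}

object OAuthSession {
  private val rng = new SecureRandom()
  // 256-bit opaque identifier: the cookie itself carries no token material.
  def newSessionId(): String = {
    val bytes = new Array[Byte](32)
    rng.nextBytes(bytes)
    Base64.getUrlEncoder.withoutPadding.encodeToString(bytes)
  }
  // Set-Cookie value with the attributes a hardened JSESSIONID would have.
  def setCookieValue(sessionId: String): String =
    s"SID=$sessionId; Path=/; Secure; HttpOnly; SameSite=Lax"
  // Returns the cached access token, or calls `refresh` (the caller's request
  // to the token endpoint) once expiry is within `skew`.
  def accessToken(store: SessionStore, sessionId: String, now: Instant,
                  skew: Duration)(refresh: String => Tokens): Option[String] =
    store.get(sessionId).map { current =>
      if (now.plus(skew).isBefore(current.expiresAt)) current.access
      else {
        val renewed = refresh(current.refresh)
        store.put(sessionId, renewed) // last write wins across instances
        renewed.access
      }
    }
}
object Demo extends App { // constructed sample values only
  val (store, sid) = (new InMemorySessionStore, OAuthSession.newSessionId())
  val t0 = Instant.parse("2018-01-10T04:00:00Z")
  store.put(sid, Tokens("access-1", "refresh-1", t0.plusSeconds(300)))
  val fake = (_: String) => Tokens("access-2", "refresh-2", t0.plusSeconds(3900))
  println(OAuthSession.accessToken(store, sid, t0, Duration.ofSeconds(60))(fake))
  println(OAuthSession.accessToken(store, sid, t0.plusSeconds(270), Duration.ofSeconds(60))(fake))
}
```

The second call in `Demo` falls inside the 60-second skew window, so it goes through the refresh path and stores the renewed tokens.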