Pass authorization from microservice to microservice

Hi guys,

this is my scenario. I have a frontend (cockpit). This talks to my microservice. This microservice should talk to the datahub microservice. To do this I need something to authorise against the datahub microservice.

My first idea was to extract the Authorization-Token from HTTP-Request and use this for query the datahub service. This was working good when I local send some request with the Authorization-Token against my microservice. But now I see the request that the frontend send don’t use Authorization-Token. Instead it use a cookie.

So now I’m experimenting with the MicroserviceSubscriptionsService and the ContextService from cumulocity but I don’t find a away to pass the authorization from my microservice to the datahub microservice.

Any ideas how to make it?

What do you mean with “datahub microservice” ? It that a own implemented microservice? Does it expose any REST endpoints? Or is the just the API documented here: Cumulocity IoT DataHub - OpenAPI Specification

Normally a service user is used to access the API but I understood your use case that you want to use the user-authenticated context, correct?

You can retrieve the context information using the context service

    private ContextService<UserCredentials> contextService;

These credentials can be passed to a REST endpoint (Auth Header) that is provided by your datahub microservice. Finally you have that context information and can make your calls.

Using service user you don’t need that complex architecture at all. You would just use the service user of your data-hub microservice to access the data-hub API.


yes I mean the datahub microservice of Software AG that is documented here: Cumulocity IoT DataHub - OpenAPI Specification

What do you mean with service user? Do you mean the bootstrap user of my microservice?

When I try what is describt here Authentication with the credentials of my bootstrap user I get a HTTP 403 back when I request the datehub microservice. When I do this with my normal credentials I get the date I expect back.

Do I have to give my microservice some special roles that he can request the datahub microservice with the bootstrap user?


ok, you could just use the service user of the microservice then. The service user is a generated user which is created when you subscribe a microservice to a tenant. The bootstrap user is just a user to retrieve the service user. In your cumulocity.json manifest you have to define which roles this service user has. Here you need to add DATAHUB_ADMINISTRATOR OR DATAHUB_MANAGER OR DATAHUB_READER.

General aspects - Cumulocity IoT documentation see required roles.
Now you only need to make sure you are running in a service user context using MicroserviceSubscriptionService (service user credenrtials will be fetched automatically, you don’t need to authenticate etc.)

subscriptionsService.runForEachTenant(() -> {
<calling Data Hub API using RestConnector>

or you follow the approach above which will use the user you authenticated with in Cumulocity and call the data hub API with that

    @Autowired(required = true)
    private Platform platformApi;

The problem that I have with RestConnector or with RestOperation is that its return a ResourceRepresentation and I expect only a JSON String. So I try to use the RestTemplate from spring but there I have problems to authorize against the microservice.

Hi David,

if you want to use RestTemplate, you can get the credentials as a header:

subscriptionsService.runForEachTenant(() -> {
     String credentials = subscriptionsService.getCredentials(subscriptionsService.getTenant()).get().toCumulocityCredentials().getAuthenticationString();
     HttpHeaders headers = new HttpHeaders();
     headers.add("Authorization", credentials);
     HttpEntity<String> request = new HttpEntity<String>(headers);
     // do the POST request using the headers

In addition to Haralds post: The example posted is using the service user with the roles you have defined in your manifest. So make sure Datahub roles are part of it.

The way that @Harald_Meyer mentioned works for me but I know its not the best practices way. It would be intresting to know how to get the credentials for the service user but I guess this is not so easy.

Hi @David.Richter

actually this is the service user. If you skip the “getAuthenticationString()” at the end you get a CumulocityCredentials object that you can work with.

1 Like

Ah thanks for the clarification. Then everything works how it should.
Thank you

1 Like