1

let's say we have a lot of microservices in backend. There is gateway API service that authorize user to execute some action done in UI. Than that's microservice (MicroBackend1) calls next microservice(MicroBackend2) and next one calls next one. What JWT should be passed to authorize between MicroBackend1 and MicroBackend2? Which approach i the right one:

  1. JWT from UI user is passed only to first MicroBackend1. Than it passed his own JWT to MicroBackend2. Context knows context of user that executed action in UI is not available in MicroBackend2.

  2. MicroBackend1 does the ActAs token request to STS and then passes new JWT to MicroBackend2. This means user context is known to MicroBackend2.

  3. MicroBackend1 directly passes JWT that he got from UI to MicroBackend2 therefore it has user context.

What are the pros and cons of such solutions? Which one you have tried and which one should we choose?

Improve this question

2 Answers 2

Reset to default
1

To start with I will say there is still another option and this is strip auth token in the api gateway itself and if need be bloat the header with the user context and pass it to downstream. We tend to do this as we consider any service that you access after the api gateway to part of our secured zone. we put all our defenses before or at api gateway. This allow service to talk to each other freely. However we also loose authorization bit here. If you can live with that this works best as it reduce some overhead and this is what I tend to use most often.

However before this I used to get JWT token from the UI and it was verified by our node layer (BFF) and in turn exchange for what we used to call a node access token. Essentially we have a user at the node level for which we used to generate this token and pass along. This token has authorization for pretty much everything (which happened gradually and ultimately we end up giving up authorization for downstream services) It helped us because we could ensure that user access token has little use for our downstream services, and if the call is made to downstream directly with user token it will be discarded. Downside to generating our own token was that we ended up giving access to all the services and all the apis to this one token.

If you pass the token from UI to the downstream, pros and cons are some what reversed. Also giving proper roles to the user becomes difficult.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Third approach does the work and solves the problem without any extra effort.

Second approach is not recommended as it will result in access traffic to your token service and thus will increase the response time.

However JWT scoping rules ask every microservice to create its own token to talk to any other microservice. This has an advantage of more secure microservices and higher level of tracking but it comes with an overhead of complex Public Key Infrastructure and extra processing in creation of new JWT itself.

In the end, your security requirements and request-response SLAs will decide which approach keeps a balance between them and is closest to solving your requirements.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.