
Is there a way to secure microservice endpoints with JWT without using an API Gateway architecture?

I am working on a Spring Boot microservice application, the user management module and the AuditTrail service module to be specific, and I am tasked to create and secure endpoints with JWT; other microservices (which can be .NET, Django, etc.) are to use this token to secure endpoints. I have finished building the user management system, but now I'm stuck because I don't know how to go about validating the JWT on other microservice systems, and I have been instructed not to use the API gateway architecture.

I am thinking of exposing maybe an api/vi/auth/authenticate endpoint that other microservices can call, but I'm not sure if there is a better way. Maybe share the JWT secret and algorithm used to create the token with the other microservices, and every microservice just validates a token by itself. The latter approach involves writing boilerplate code as far as I can see, but I don't know if these are my only options and what flaws they might have, to see if it is something I am able to manage.

As long as you sign the JWT with an asymmetric algorithm (e.g. RSA, ECDSA, etc.), you can have the auth server save the private key to itself, and only share the public one with the services.

Do note that if you don't go to the server, you have a risk of a token being revoked and the service not knowing that - so you want to keep the token expiration short.
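The approach in the answer above, as an added example that is not part of the original answers: the auth service signs a short-lived RS256 token with its private key, and any other service validates it locally using only the public key, with the algorithm pinned and the expiry enforced. The issuer and audience values, the function names and the in-process demo key pair are assumptions made for illustration.

```javascript
// Added example; ISSUER, AUDIENCE and the function names are hypothetical.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const ISSUER = 'https://auth.example.internal'; // assumed auth service name
const AUDIENCE = 'audit-trail';                 // assumed resource service name

// Auth service only: holds the private key and issues short-lived tokens.
function issueToken(privateKey, claims, ttlSeconds = 300, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(
    { ...claims, iss: ISSUER, aud: AUDIENCE, iat: now, exp: now + ttlSeconds }));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64url(sig)}`;
}

// Any other service: needs only the public key. Returns the claims or throws.
function verifyToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    throw new Error('malformed token');
  }
  // Pin the algorithm: the token header must not choose how it is verified.
  if (header?.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  if (claims?.iss !== ISSUER || claims.aud !== AUDIENCE) throw new Error('wrong issuer or audience');
  // Short expiry bounds how long a revoked token keeps working offline.
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('token expired');
  return claims;
}

// Constructed demo key pair; in a deployment only publicKey leaves the auth service.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
```

In a .NET, Django or Spring service the same checks (pinned algorithm, signature, issuer, audience, expiry) would normally be done by the platform's JWT library configured with the public key.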

To manage authentication in the microservice ecosystem, you need an independent authentication microservice, which could be SSO (single sign-on). The best practice and most secure way is using OAuth and OpenID for this approach, and to not invent the wheel from scratch, you can use some standard product like IdentityServer4 (more complicated but full-featured) or OpenIddict (simpler) and lots of others, which provide both authentication and authorization in a secure and standard way for you.

They provide an access token, which is a JWT with lots of claims to handle your scenarios easily. Also, they have a standard URL address that exposes their URLs (for example URL/.well-known/openid-configuration, which you can see here to see a real result). I suggest implementing a serious project following the standards of the industry.
