
What if token is expired between services?

I've been reading up on communication between services/microservices.

The API Gateway authenticates the request and passes an access token (eg JSON Web Token) that securely identifies the requestor in each request to the services. A service can include the access token in requests it makes to other services.

via http://microservices.io

And I'm passing the access token of a user to downstream services, so it looks more or less like this:

[image: enter image description here]

But what if a token is expired between microservices?

There are plenty of ways to solve this problem; these seem reasonable:

  • Validate the access token of a user and create a short-lived JWT in the API Gateway (a kind of internal token)

  • Each microservice validates the JWT and generates its own JWT to communicate with other microservices according to scope rules

[image: enter image description here]

So we would have an Auth service to validate or request tokens.

The question is:

In order to be sure the token will not expire during its journey through the services, we can just make a check in the API Gateway layer: if a token expires in n (~1) minutes, reject it, so the user has to use the refresh token to obtain a new access token. It means the token will always be valid for the time necessary to complete the request. What are the pros and cons of this approach?
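The gateway check described in the question, written out as an added example (not code from the question or from microservices.io): the gateway verifies the JWT signature, then rejects tokens that are already expired or that expire within a configurable margin (`min_remaining`, assumed here to be 60 seconds), so a token that is accepted stays valid for the rest of the request. It assumes HS256-signed tokens and a constructed demo secret; `mint_hs256` exists only to build sample tokens.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT. Only used to construct sample tokens for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def gateway_check(token: str, secret: bytes, now: int, min_remaining: int = 60) -> str:
    """Return 'accept', 'expired', 'too_close_to_expiry', 'bad_signature' or 'malformed'.

    min_remaining is the 'n minutes' margin from the question: a token that
    would expire before the downstream calls finish is rejected up front, and
    the client is expected to use its refresh token to get a fresh one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return "malformed"
    # Pin the algorithm: never trust the token's own 'alg' to pick verification.
    if header.get("alg") != "HS256":
        return "bad_signature"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad_signature"
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return "malformed"  # treat a missing or non-numeric exp as unusable
    if exp <= now:
        return "expired"
    if exp - now < min_remaining:
        return "too_close_to_expiry"  # valid now, but would not survive the journey
    return "accept"
```

The trade-off the question asks about shows up directly in the margin: a larger `min_remaining` means fewer mid-journey failures but more otherwise-valid tokens bounced back to the client for a refresh.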

I have the same question, so Google led me here. I hope it's not too late to respond to this question after half a year.

I can't say this is an "Answer", but I hope my idea may inspire something in someone. So it's a kind of "idea sharing".

I think there are two ways to deal with this issue:

  1. If the token will expire in 10 minutes, refresh it at 6 minutes (just an example). So make sure the situation you described never happens by adjusting the expiry time and refresh time.

  2. Another way is to adjust the system architecture. Split APIs into internal and external. All external tokens will be checked at the API Gateway, so there is no token within internal services.

I think we have a lot of methods to avoid the issue mentioned in this question. Based on the particular project requirements, we should consider different security designs. So there is no "silver bullet".
