
Is there a way to secure microservice endpoints with JWT without using an API Gateway architecture?

I am working on a Spring Boot microservice application, the user management module and the AuditTrail service module to be specific, and I am tasked with creating and securing endpoints with JWT; other microservices (which can be .NET, Django, etc.) are to use this token to secure their endpoints. I have finished building the user management system, but now I'm stuck because I don't know how to go about validating the JWT on the other microservice systems, and I have been instructed not to use the API gateway architecture.

I am thinking of exposing maybe an api/v1/auth/authenticate endpoint that other microservices can call, but I'm not sure if there is a better way. Maybe share the JWT secret and the algorithm used to create the token with the other microservices, and every microservice just validates a token by itself. The latter approach involves writing boilerplate code as far as I can see, but I don't know if these are my only options and what flaws they might have, to see if it is something I am able to manage.

As long as you sign the JWT with an asymmetric algorithm (e.g. RSA, ECDSA, etc.), you can have the auth server keep the private key to itself and only share the public one with the services.

Do note that if you don't go to the server, you run the risk of a token being revoked and the service not knowing that, so you want to keep the token expiration short.

To manage authentication in a microservice ecosystem you need an independent authentication microservice, which could be SSO (single sign-on). The best practice and most secure way is using OAuth and OpenID for this approach, and, to not reinvent the wheel from scratch, you can use some standard products like IdentityServer4 (more complicated but full-featured) or OpenIddict (simpler) and lots of others, which provide both authentication and authorization for you in a secure and standard way.

They provide an access token, which is a JWT with lots of claims, to handle your scenarios easily. Also, they have a standard URL address that exposes their URLs (for example URL/.well-known/openid-configuration, which you can see here to see a real result). I suggest implementing a serious project following the standards of the industry.
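The two answers above describe the same pattern from two sides: the auth server signs with an asymmetric key it never shares (first answer), and the other services validate locally using only the public keys published as a JWKS document, the one the `jwks_uri` in `/.well-known/openid-configuration` points at (second answer). The Go program below is an added illustration written for this page, not code from the question or either answer, and uses only the standard library so it runs offline: `Mint` plays the auth server, `PublicJWKS` is the constructed key document a real server would serve over HTTPS, and `Verify` is the boilerplate every service (whatever its language) needs. All names, the `kid` value and the sample claims are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWTs use base64url without padding (RFC 7515).
var b64 = base64.RawURLEncoding

// Mint is the auth server's side: it alone holds the private key and signs an ES256 JWT.
// Hypothetical helper written for this example.
func Mint(priv *ecdsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each 32 bytes (RFC 7518 §3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// JWK / JWKS model the public-key document served at the jwks_uri. Public material only.
type JWK struct {
	Kty, Crv, Kid, X, Y string
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// PublicJWKS builds the document the auth server would publish (constructed here, not fetched).
func PublicJWKS(pub *ecdsa.PublicKey, kid string) JWKS {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return JWKS{Keys: []JWK{{Kty: "EC", Crv: "P-256", Kid: kid, X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}}}
}

// lookup selects the key named by the token's kid and rebuilds the EC point from it.
func (j JWKS) lookup(kid string) (*ecdsa.PublicKey, error) {
	for _, k := range j.Keys {
		if k.Kid != kid || k.Kty != "EC" || k.Crv != "P-256" {
			continue
		}
		xb, err1 := b64.DecodeString(k.X)
		yb, err2 := b64.DecodeString(k.Y)
		if err1 != nil || err2 != nil {
			return nil, errors.New("malformed jwk")
		}
		return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}, nil
	}
	return nil, errors.New("unknown kid")
}

// Verify is what every other service runs with nothing but the JWKS: pin the algorithm
// (never trust the header's alg), pick the key by kid, check the signature, then check exp.
func Verify(token string, keys JWKS, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // rejects "none", HS256-with-public-key confusion, anything unexpected
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := keys.lookup(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	// Short expiry is the only defence against revocation when no server round-trip is made.
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the auth server
	jwks := PublicJWKS(&priv.PublicKey, "2024-key-1")          // what the services download
	now := time.Now()
	tok, _ := Mint(priv, "2024-key-1", map[string]interface{}{"sub": "alice", "exp": now.Add(5 * time.Minute).Unix()})
	claims, err := Verify(tok, jwks, now)
	fmt.Println("valid:", claims["sub"], err)
	parts := strings.Split(tok, ".")
	forged := parts[0] + "." + b64.EncodeToString([]byte(`{"sub":"admin","exp":9999999999}`)) + "." + parts[2]
	_, err = Verify(forged, jwks, now)
	fmt.Println("tampered payload:", err)
	_, err = Verify(tok, jwks, now.Add(time.Hour))
	fmt.Println("an hour later:", err)
}
```

In production `Verify` would also check `iss` against the issuer from the discovery document and `aud` against the service's own identifier, and the JWKS would be fetched over HTTPS and cached, with a refetch on an unknown `kid` so key rotation works without redeploying services. The HMAC alternative from the question (sharing one secret with every service) means any compromised service can mint tokens for all the others; with the public-key scheme above, a leaked JWKS gives an attacker nothing.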

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM