Reputation: 5237
Best way to use JWT and how to store the secret key
I was reading upon JWT which can be used to verify the authenticity of the user. From my understanding there a couple of ways JWT can be used in a micro-service architecture. When a user logins in for the first time, the request is sent to a server which generates a token and is sent to the user. Now this token is used whenever it is trying to contact the various micro-services.
Now the micro-services can verify if the token is valid in a couple of ways: 1) Use a shared secret key. 2) Use a public key sharing mechanism amongst the various micro-services and only trust the tokens which are coming from these trusted public keys.
I am not able to find out information on which one is the preferred method. If I use a shared secret key, what is the best way to store the secret key? Should it be part of an environment variable? I am using Tomcat to run my webservice.
Upvotes: 1
Views: 2887
Answers (1)
Reputation: 39301
Since you have a authentication infraestructure with a centralized server issuing tokens, I think that sharing the key only for verification purposes is not a good choice because sharing incurs in a security risk that you can avoid easily using an asymmetric key
I suggest to generate a keypair (you only need one key). Keep the private key secure and accesible only in the authentication server, and publish the public key. Verify the signature of JWT in each server using the public key
Upvotes: 1
Related Questions
- What is secret key for JWT based authentication and how to generate it?
- How to safely store & process secret key for JWT
- What is the best practice to store jwt token in client side?
- Where to store a JWT token properly and safely in a web based application?
- What to store in a JWT?
- Where and how save token JWT ? (Best Practice)
- Where to store JWT
- Storing and Using JWT & Secret Key
- where to store information after the authentication using JWT
- What is the correct workflow for JWT?