Reputation: 5237
I was reading up on JWT, which can be used to verify the authenticity of the user. From my understanding there are a couple of ways JWT can be used in a micro-service architecture. When a user logs in for the first time, the request is sent to a server which generates a token that is sent to the user. Now this token is used whenever the user is trying to contact the various micro-services.
Now the micro-services can verify if the token is valid in a couple of ways: 1) Use a shared secret key. 2) Use a public key sharing mechanism amongst the various micro-services and only trust the tokens which are coming from these trusted public keys.
I am not able to find information on which one is the preferred method. If I use a shared secret key, what is the best way to store the secret key? Should it be part of an environment variable? I am using Tomcat to run my web service.
Upvotes: 1
Views: 2887
Reputation: 39301
Since you have an authentication infrastructure with a centralized server issuing tokens, I think that sharing the key only for verification purposes is not a good choice, because sharing incurs a security risk that you can easily avoid by using an asymmetric key.
I suggest generating a keypair (you only need one key). Keep the private key secure and accessible only on the authentication server, and publish the public key. Verify the signature of the JWT in each server using the public key.
Upvotes: 1