Reputation: 4068
Pass decoded JWT payload to micro services
We are changing our application authentification architecture to switch to Json Web Token.
Actually, incoming requests first pass through an API Gateway that dispatch requests to various micro services of our stack.
The authentification and verification of the JWT passed in each request is done in the Gateway.
After authentification what would you do with the JWT ?
- Pass it 'as it' to the subsequent micro services ?
- Decode it in the gateway and only pass the decoded payload to the services ?
I see pro and cons in both solutions:
Pro: we keep a standard Authentification http header all the way. Cons: We have to decode the token in each service.
Pro: Token is already decoded and directly usable in services. Cons: We must use a non standard http header to pass the decoded payload.
Is there any 'standard' way in that situation ?
What's your opinion ?
Thanks !
Upvotes: 4
Views: 867
Answers (1)
Reputation: 21
Pass JWT as is. Overhead of decoding is negligible but you make your system a bit more secure in case your gateway is bypassed for some reason. Or maybe you decide in the future to directly communicate with your microservices.
Upvotes: 2
Related Questions
- Use JWT to authenticate separate API Microservice
- JWT Authorisation through multiple microservices
- Authentication between microservice approach
- Microservice Authentication and Authorization using JWT
- How to consume a JWT secured microservice from another microservice Java
- How to pass a JWT for a microservice and for a user
- Passing user identity and authorization between microservices
- How do I use an API Gateway in conjunction with microservices and JWTs?
- Handling JWT and Refresh token flow
- Client authentication in microservices using JWT and OpenID Connect