Faisal Alam

Reputation: 53

How do I implement session authentication across microservices?

I'm working on a project for which I have planned the following architecture:

  1. auth.example.com: Provides login, registration, and password-reset functionalities.

  2. accounts.example.com: Allows users to update their account data.

  3. example.com: Provides other services.

I have figured out the following solution for maintaining authentication across all domains:

  1. Authenticate the user on auth.example.com and set a cookie containing a JWT (a token signed with a shared key) which contains the user data; the cookie's domain is set to .example.com.

  2. Once the user is authenticated, redirect them to example.com/dashboard and verify the JWT present in the cookie. If the token is valid, present the service to the user, else redirect to auth.example.com.


Now, I have the following doubts:

  1. Suppose a user updates his name on accounts.example.com; how do I make all other services use the updated user data?

  2. If I want to ban a user, delete their account, or terminate all active sessions, how would I let the other services know that the user shall no longer be authenticated?


Is there any better approach to solve this problem?

Upvotes: 2

Views: 857

Answers (2)

Gourab Paul

Reputation: 655

Club JWT tokens with protocols like OAuth and OpenID, and store the session in Redis/Memcache. This Redis/Memcache will be the single point of contact for all your microservices. Say microservices m1, m2, ... are independent and, using a REST API, get connected to a microservice called mR which checks the session in Redis/Memcache.

Upvotes: 0

Imran Arshad

Reputation: 4002

JWT tokens are generally stateful, which means they have everything needed to be authenticated; once issued they can be used and there is no way we can revoke them. However, there are a few approaches that we can use.

Normally we keep the lifetime (expiry) of the token short (e.g. 15 mins) and refresh the access after X minutes using a Refresh Token (know the difference between a Refresh Token and an Access Token).

Say the token is about to expire; then we will re-issue the access token (the refresh token will do that without the user signing in again). Refresh tokens are long-lived tokens and have to be handled carefully. If we have to revoke the access then we need to revoke the Refresh Token, and after X mins the user is not able to get an access token since the Refresh Token is revoked already.

During the time after you revoked the refresh token, any access token already issued is still valid until it reaches its expiry. If you want to invalidate the token before that then you may have to blacklist the token and maintain the list of such tokens, which will stop the user from logging in using that particular token.

I have found a very nice explanation here: Check Revoke Token

Upvotes: 2
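The design the question sketches (a JWT in a cookie scoped to .example.com, verified by every service with a shared key) together with the revocation pattern the second answer describes (short-lived access token, long-lived refresh token, revoke the refresh token, and a blacklist for access tokens that must die before their expiry), as an added, self-contained Python example written for this page rather than taken from any of the posters. The shared key, the user store and the in-memory revocation sets are constructed stand-ins; in the first answer's layout those sets would live in Redis/Memcache so that every microservice consults the same list.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumptions (constructed): one symmetric key shared by all services, a user store
# owned by accounts.example.com, and in-memory sets standing in for the Redis store.
SHARED_KEY = b"constructed-shared-key-rotate-and-keep-out-of-source"
ACCESS_TTL = 15 * 60            # 15-minute access tokens, as the second answer suggests
REFRESH_TTL = 30 * 24 * 3600    # long-lived refresh tokens
USER_STORE = {"u1": {"name": "Faisal"}}   # what accounts.example.com updates
revoked_refresh_jtis = set()    # refresh tokens the auth service has revoked
denylisted_access_jtis = {}     # jti -> exp for access tokens killed before expiry

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Return the claims only if alg is HS256, the MAC matches and exp is still in the future."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # refuse alg=none and algorithm confusion
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                             # bad split, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def _access_token(user_id: str, now: int) -> str:
    # The name is read fresh from the store at every issue/refresh, so an update made on
    # accounts.example.com reaches every service within ACCESS_TTL without any extra call.
    return sign_jwt({"sub": user_id, "name": USER_STORE[user_id]["name"], "typ": "access",
                     "jti": secrets.token_hex(8), "iat": now, "exp": now + ACCESS_TTL})

def login(user_id: str, now: int) -> tuple:
    """auth.example.com after a successful password check: returns (access, refresh)."""
    refresh = sign_jwt({"sub": user_id, "typ": "refresh",
                        "jti": secrets.token_hex(8), "iat": now, "exp": now + REFRESH_TTL})
    return _access_token(user_id, now), refresh

def session_cookie(access_token: str) -> str:
    """Set-Cookie value sent to every *.example.com host, as the question plans."""
    return f"session={access_token}; Domain=.example.com; Path=/; HttpOnly; Secure; SameSite=Lax"

def refresh_access(refresh_token: str, now: int) -> Optional[str]:
    """Mint a new access token unless the refresh token is invalid, expired or revoked."""
    claims = verify_jwt(refresh_token, now)
    if claims is None or claims.get("typ") != "refresh" or claims.get("jti") in revoked_refresh_jtis:
        return None
    return _access_token(claims["sub"], now)

def revoke_refresh(refresh_token: str, now: int) -> bool:
    """Ban / logout-everywhere: this refresh token can no longer mint access tokens."""
    claims = verify_jwt(refresh_token, now)
    if claims is None or claims.get("typ") != "refresh":
        return False
    revoked_refresh_jtis.add(claims["jti"])
    return True

def denylist_access(access_token: str, now: int) -> bool:
    """Close the remaining window: kill an already-issued access token before its exp."""
    claims = verify_jwt(access_token, now)
    if claims is None or claims.get("typ") != "access":
        return False
    denylisted_access_jtis[claims["jti"]] = claims["exp"]
    return True

def prune_denylist(now: int) -> None:
    """An entry is only needed until the token would have expired on its own."""
    for jti, exp in list(denylisted_access_jtis.items()):
        if exp <= now:
            del denylisted_access_jtis[jti]

def service_check(access_token: str, now: int) -> Optional[dict]:
    """What example.com/dashboard does on every request; None means redirect to auth."""
    claims = verify_jwt(access_token, now)
    if claims is None or claims.get("typ") != "access" or claims.get("jti") in denylisted_access_jtis:
        return None
    return claims
```

Two points the code makes concrete: after revoke_refresh, an access token that was issued earlier still passes service_check until its exp, which is exactly the window the second answer describes, and denylist_access is what closes it; and because the user's name is re-read from the store at each refresh, a change made on accounts.example.com is visible everywhere within one ACCESS_TTL, which answers the question's first doubt without any service-to-service notification. The verifier also pins the algorithm to HS256 and uses a constant-time comparison, two checks any service consuming the shared-key cookie should make.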
