interested-dev

Reputation: 133

Microservices authorization. How to prevent a user with a valid JWT from accessing other users' resources?

I have a number of stateless Microservices behind an API Gateway and I want to make sure that a user request containing a valid Authorization JWT token cannot access the resources of other users.

Currently, my API Gateway only validates if the JWT is not expired and is valid.

To prevent a user request with a valid JWT from accessing the resources of other users, I was going to use Spring's Method Level Security and check if the principal user id matches the userId in the request URL path. But that means that, in each microservice, I need to add Spring Security, create an authorization filter, and create a security context based on the information I read from the JWT. I will need to recreate the Spring Security Context in every single Microservice.

Is this the correct way to do it? If not, what is another way to prevent a user request containing a valid JWT from accessing the resources of other users?

Please advise me.

Upvotes: 1

Views: 858

Answers (1)

David T.

Reputation: 1065

How you’re handling it is usually the correct approach. In order for each service to remain de-coupled from the others, it’s important that it is able to determine which methods/endpoints care about the user scope and which ones don’t. More rules and logic in the gateway means more restrictions on what individual services can do.

That being said, if you have globally predictable rules that apply to all services you have a case for putting the logic in the gateway. Something like JWT verification is an example of such a rule that is standardized enough that you can make assumptions about what underlying services would want to do with the token upon receiving it (verify it). If you have a rule you can safely apply globally, you can pull it out of the services and put it in the gateway. Otherwise, you’re better off with a bit of duplication so that you don’t create hurdles that would prevent services from handling input differently.

Upvotes: 3
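As an added example (not code from the question or the answer), here is what the per-service check described above looks like when Spring Security's resource-server support builds the SecurityContext from the JWT, so no hand-written authorization filter is needed; the issuer URL and the `AccountController` endpoint are assumptions, and the method-security annotation shown is the Spring Security 6 form.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize (Spring Security 6; on 5.x use @EnableGlobalMethodSecurity(prePostEnabled = true))
class ResourceServerConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Re-validates signature and expiry in the service itself (defence in depth behind
            // the gateway) and populates the SecurityContext with a JwtAuthenticationToken.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Placeholder issuer (assumption): signing keys are discovered from its metadata endpoint.
        return JwtDecoders.fromIssuerLocation("https://issuer.example/");
    }
}

@RestController
@RequestMapping("/users")
class AccountController {

    // The token's "sub" claim becomes authentication.name, so a caller holding a valid JWT
    // for a different user is rejected with 403 before the method body runs.
    // "#userId" resolves the parameter by name; Spring Boot compiles with -parameters, which this relies on.
    @GetMapping("/{userId}/orders")
    @PreAuthorize("#userId == authentication.name")
    public String orders(@PathVariable String userId) {
        return "orders for " + userId;
    }
}
```

If the user id lives in a custom claim rather than `sub`, compare against `authentication.token.claims['your_claim']` instead of `authentication.name`.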
