What do you need to do to ensure that JWTs propagate effectively across microservices?

API gateway unified verification scheme

The biggest difference between API gateway unified verification and server-side verification is that the JWT verification request is initiated at the API gateway level, and the user and permission data returned by the authentication center are added to the request during routing. The other steps are identical to scheme 1.

In a microservice architecture there is usually a separate service, Auth, that manages authentication. For security, users never access a service directly; instead a single entry service is exposed as the gateway, and only the gateway is reachable from outside. All requests first reach the Gateway, which routes them to the individual services. Request interception is therefore usually done in the gateway to secure the project (an asymmetric algorithm is used: Auth signs tokens with the private key and the gateway verifies them with the public key, which also reduces the load on Auth).

API gateway unified validation suits traditional enterprise applications: programmers can focus on business logic, and the application is easier to maintain.

The JWT authorization process is as follows:

  1. After the end user logs in, the client application sends an authentication request to the API Gateway or to a third-party JWT issuer to obtain a JWT.
  2. If the API Gateway is the JWT issuer, it authenticates the user or application. If the credentials are valid, the API Gateway generates a JWT signed with the private key specified in the JWT configuration and sends the token to the client.
  3. The client sends the generated JWT as a bearer token in the HTTP Authorization request header to access the protected API through the API Gateway.
  4. The API Gateway first identifies the application from a claim in the JWT, then verifies the JWT's signature with the issuer's public certificate (the issuer can be either the API Gateway or a third party) and grants access to the protected resource.

If validation fails, the API Gateway returns a specific error response.

Note: If the API Gateway generated the JWT itself, it verifies the signature with the public certificate specified in the JWT configuration. Otherwise, if the HTTP request carries a token from a third-party JWT issuer, the API Gateway verifies the token with that issuer's public certificate or JWKS URI.
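The issue-then-verify exchange of steps 2 and 4 above, as an added Go example that is not code from the original page: the Auth service signs with its private key, and the gateway pins the algorithm, verifies the signature with the public key, and checks issuer and expiry before reading the claim that identifies the application. The claim names (including `azp` as the application claim), the issuer URL and the in-memory public key (rather than a certificate or JWKS URI) are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

type Claims struct { // claims in the demo token; the claim names are constructed for this example
	Iss string `json:"iss"` // issuer (the Auth service)
	Sub string `json:"sub"` // end user
	Azp string `json:"azp"` // application the gateway identifies the caller by
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// Sign is the Auth side: RS256 over base64url(header).base64url(payload) with the private key.
func Sign(c Claims, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c) // a struct of strings and ints cannot fail to marshal
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + b64.EncodeToString(sig), err
}

// Verify is the gateway side: pin the algorithm, check the signature with the issuer's public key, then check iss and exp before any claim is trusted for routing; malformed input is simply rejected.
func Verify(tok string, pub *rsa.PublicKey, issuer string, now int64) (*Claims, error) {
	hdrB64, rest, _ := strings.Cut(tok, ".")
	plB64, sigB64, _ := strings.Cut(rest, ".") // fewer than two dots just leaves empty segments
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(hdrB64); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg must be RS256") // the token never gets to choose the algorithm
	}
	h := sha256.Sum256([]byte(hdrB64 + "." + plB64))
	if sig, err := b64.DecodeString(sigB64); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if pb, err := b64.DecodeString(plB64); err != nil || json.Unmarshal(pb, &c) != nil || c.Iss != issuer || now >= c.Exp {
		return nil, errors.New("unparseable payload, wrong issuer, or expired")
	}
	return &c, nil
}
```

Only after `Verify` returns without error should the gateway forward `Azp` and `Sub` to the downstream service; a production gateway would additionally load the public key from the configured certificate or JWKS URI and allow a small clock skew on `exp`.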