AndrewMcLagan - 6 months ago 84
Node.js Question

JWT Authentication within a Micro Service architecture


Question how is it possible to create an authentication service within a micro-service application and have other services check against that token (JWT) and retrieve a user?

Possible Solution

My current thinking is based around the auth service inserting { token, user } into Redis once a user is authenticated. All other services can check the token from the user's Authorization: Bearer kdI8$dj$nD&... header against Redis.

  • If { token } is present in Redis, user is authenticated.

  • If { token } is not present in Redis, user is not authenticated.


  1. User sends { username, password } to auth service

  2. Auth service authenticates credentials and retrieves { token, user }

  3. Auth service inserts { token, user } into Redis

  4. User makes request to Service-1 with { token }

  5. Service-1 looks for { token } in Redis and retrieves { token, user }

  6. Service-1 does its thing and sends back { data }

Are there any possible security, logic or architectural problems with this approach?


It's not really clear why you would want to store tokens in Redis. The security token typically contains information about the user (claims data) already. If you need information about the user that is not stored in the token, you should be able to look that up by a simple database query on the user id claim.

Each service can validate the incoming token by checking its digital signature (only needs the public key of the signing certificate for this), lifetime (when does the token expire), audience (who is the token for) etc. If the caller presents a valid token, the user is authenticated.