4

We have been investigating a proper mechanism to secure microservices that we are going to provide as API endpoints via an API manager application.

Fundamentally we need a stateless security mechanism like JWT to secure each API endpoint.

We thought to have a separate service called "Auth service" to issue tokens and validate them.

We came up with the following approach:


But it seems every request must go through the Auth Server, and then it will become a very busy place. Is there any standard mechanism to overcome this situation? We heard about providing a separate access token to the client instead of the original Auth token, but have issues with validating the access token at the microservice level. Any solutions would be really appreciated.

Thanks in advance.

1 Answer

2

Why are you saying that every request must go through the Auth Server? Only the first request (login request), until the JWT token is expired, is handled by the Auth Server. After that your API must be able to validate the JWT claims using the signed part of it.

You should have a short-lived access token and a long-lived refresh token. Take a look at this article.

JWT Flow
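The local validation the answer describes, as an added example (not code from the question or the answer author): the auth service mints a short-lived token at login, and each microservice checks the signature, issuer, audience and expiry itself, so only login and refresh ever reach the auth server. Service names, the shared secret and the claim values are assumptions; HS256 is used only so the example runs on the standard library, whereas RS256 (services holding just the auth server's public key) is the usual choice so that no API service can mint tokens.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed shared secret for this example only. With RS256 the services
# would hold only the public key and could verify but never sign.
SECRET = b"example-shared-secret-do-not-use"
ISSUER = "auth-service"          # assumed name of the token issuer

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, aud: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Auth-service side: called only at login or refresh, never per API request."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, expected_aud: str, now: Optional[int] = None) -> Optional[dict]:
    """Microservice side: verify locally using only the key; no round trip to the auth server.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: the verifier decides, never the header (blocks alg=none / key confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # Claims are trusted only after the signature check.
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # expired: the client redeems its refresh token at the auth service
    return claims
```

Each microservice needs only the verification key and the issuer/audience it expects, so the auth server's load is bounded by logins and refreshes rather than by API traffic.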