I've been working on a login system which works with JWT. Nothing fancy: you send a valid user+password pair and then you get a signed token to identify yourself on further requests. It is built in Java. For signing the tokens, the application generates a public/private key pair at run time, and exposes the public key on a given URL. It was made this way because there is a wide, and growing, number of services that need to validate the tokens, and this makes it easier to distribute the public key.
The issue I'm facing now is that this application will be deployed on more than one node, for redundancy and downtime prevention. In this context, if every instance of the application generates a key pair, then the whole system breaks apart. So I need to make sure one node generates a pair and then shares it with the others.
So far, my ideas have revolved around saving them somewhere in the database, or using shared values on a Zookeeper cluster, but I'm not sure that is the right approach.
To sum up... the context:
- JWT signing with private/public key pairs generated at run time
- Multiple nodes, which need to be aware of the same pair
the question:
- Is there something severely wrong with the idea that makes it nonviable?
- Is there a standard way of doing this?
- Are there any better ideas than using the database?
Thanks in advance!
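As an added illustration, not code from the question (the asker's system is in Java; this is a self-contained Go sketch using only the standard library), here is the "one node generates, the others adopt" pattern the question describes. The shared store is reduced to an in-memory create-if-absent slot standing in for the database row or Zookeeper node the asker is considering; the choice of ES256, the JWKS layout, the kid derivation and all type and function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
)

// SharedKeyStore stands in for the shared backend the question considers (a database row with a
// unique constraint, or a ZooKeeper znode): the one primitive needed is an atomic "create if absent".
type SharedKeyStore struct {
	mu  sync.Mutex
	key []byte // PKCS#8 DER of the cluster signing key; nil until the first node writes it
}

// PutIfAbsent keeps candidate only if no key exists yet; every caller gets back the key that won.
func (s *SharedKeyStore) PutIfAbsent(candidate []byte) []byte {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.key == nil { s.key = candidate }
	return s.key
}

// Node is one instance of the login service; Kid is the key id it publishes in JWKS and tokens.
type Node struct{ Kid string; priv *ecdsa.PrivateKey }

// StartNode generates a candidate pair, races it into the store and adopts whichever key won,
// so every node booted against the same store signs with the same key (losers drop their own).
func StartNode(store *SharedKeyStore) (*Node, error) {
	cand, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	der, _ := x509.MarshalPKCS8PrivateKey(cand) // cannot fail for a key we just generated
	parsed, err := x509.ParsePKCS8PrivateKey(store.PutIfAbsent(der))
	if err != nil { return nil, err }
	priv := parsed.(*ecdsa.PrivateKey)
	return &Node{Kid: keyID(&priv.PublicKey), priv: priv}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// pad32 renders a P-256 coordinate or signature component as 32 big-endian bytes.
func pad32(n *big.Int) []byte { b := make([]byte, 32); n.FillBytes(b); return b }

// keyID is a stable identifier derived from the public point: truncated SHA-256(x||y).
func keyID(pub *ecdsa.PublicKey) string {
	h := sha256.Sum256(append(pad32(pub.X), pad32(pub.Y)...))
	return b64(h[:8])
}

// JWKS is what the public-key URL serves (RFC 7517 shape); consumers fetch it and select by kid.
type JWKS map[string][]map[string]string

func (n *Node) JWKS() JWKS {
	pub := &n.priv.PublicKey
	return JWKS{"keys": {{"kty": "EC", "crv": "P-256", "kid": n.Kid, "x": b64(pad32(pub.X)), "y": b64(pad32(pub.Y))}}}
}

// Sign issues a compact ES256 JWT; the header's kid tells consumers which JWKS entry to use.
func (n *Node) Sign(claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": n.Kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, n.priv, digest[:])
	if err != nil { return "", err }
	return input + "." + b64(append(pad32(r), pad32(s)...)), nil // JOSE uses raw r||s, not DER
}

// Verify is the consumer side: pin the algorithm, pick the key by kid, check the signature.
func Verify(token string, jwks JWKS) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return errors.New("malformed token") }
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return errors.New("bad header or unexpected alg") // the token never gets to choose alg
	}
	var jwk map[string]string
	for _, k := range jwks["keys"] { if k["kid"] == hdr.Kid { jwk = k } }
	if jwk == nil { return errors.New("unknown kid " + hdr.Kid) }
	x, errX := base64.RawURLEncoding.DecodeString(jwk["x"])
	y, errY := base64.RawURLEncoding.DecodeString(jwk["y"])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 { return errors.New("bad key or signature encoding") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() { // two instances, one store: the second adopts the first's key
	store := &SharedKeyStore{}
	a, _ := StartNode(store)
	b, _ := StartNode(store)
	tok, _ := a.Sign(map[string]any{"sub": "alice"}) // constructed sample claims
	fmt.Println(a.Kid == b.Kid, Verify(tok, b.JWKS()))
}
```

Two things the sketch makes visible. First, the only property the shared backend must provide is the atomic create-if-absent in PutIfAbsent: a database insert guarded by a unique constraint or a ZooKeeper create on a fixed path gives the same contract, while a plain read-then-write does not, because two nodes booting at once can each believe they won. Second, a node that boots against its own store (as in the failure the question describes) publishes a different kid, so a consumer rejects its tokens with "unknown kid" instead of a confusing signature error, and the same kid mechanism is what later lets the cluster rotate keys by serving old and new entries in the JWKS during the overlap. Whatever backend is chosen, the stored private key is now a long-lived secret at rest and should be protected accordingly (encrypted, or kept in a secrets manager rather than a plain table).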